Vid Grosek

Expertise

Red Team Operations

Q: What is the difference between a penetration test and a red team engagement?

A penetration test aims to find as many vulnerabilities as possible in a defined scope and timeframe. A red team engagement simulates a real attacker with specific objectives (e.g., access CEO's email, exfiltrate customer data) using any means — including social engineering, physical access, and multi-stage attacks over weeks or months.

Q: How long does a red team engagement last?

A red team engagement typically lasts 2-6 weeks of active testing, plus time for reconnaissance and reporting. Unlike a pentest's 1-2 week timeframe, red teams operate at a slower pace to avoid detection, test the blue team's response capabilities, and simulate realistic attacker behavior patterns.

Red Team vs Pentest vs Audit - no marketing lies.

Security vendors often mix up terms. An audit isn't a pentest. A pentest isn't a red team. And none of them is "the solution to all problems". Understanding the differences is key to choosing the right service.

What's What - Clear Definitions

Audit

Goal: Checking compliance with standards (ISO 27001, PCI-DSS, SOC2)
Method: Documentation review, interviews, checklist
Result: Compliance report
Limitation: Tells you if you're compliant - not if you're secure

Penetration Test

Goal: Finding technical vulnerabilities in a defined scope
Method: Active testing of systems, applications, network
Result: List of vulnerabilities with PoC and remediation
Limitation: Time-limited, focused on technical flaws

Red Team

Goal: Simulating a real attacker with a defined objective
Method: All techniques (OSINT, social engineering, physical access, technical attacks)
Result: Proof of what an attacker can actually do
Limitation: More expensive, longer, requires mature security organization

Red Team Phases

1. Reconnaissance (OSINT)

Gathering information about the target without direct contact.

Passive OSINT: LinkedIn, social media, public databases, Google dorks
Active OSINT: DNS enumeration, certificate transparency, subdomain discovery
Technical OSINT: Shodan, Censys, leaked credentials, code repositories
Human OSINT: Organizational structure, key people, habits

What I Look For

Email formats (name.surname@domain.com)
Technology used (LinkedIn posts, GitHub, job ads)
Key people (IT admin, finance, HR)
Physical locations, working hours, visits
Business partners, suppliers

2. Initial Access

Gaining first access to target environment.

Social Engineering

Spear phishing: Targeted phishing emails with researched pretexts
Vishing: Phone calls to obtain information or actions
Smishing: SMS attacks
Pretexting: False identity to gain trust

Technical Approaches

Exposed services: VPN, email gateway, web applications
Password spraying: Common passwords against known users
Credential stuffing: Credentials from previous breaches
Supply chain: Compromising a supplier

Physical Access

Tailgating: Following an employee through doors
Impersonation: Posing as delivery person, maintenance
USB drop: Dropping infected USB drives
Lock bypass: Lock picking, badge cloning

3. Execution & Persistence

Executing code and ensuring persistent access.

Payload delivery: Macro documents, HTA, ISO, LNK
C2 establishment: Establishing command & control communication
Persistence: Registry, scheduled tasks, services, startup folders
Backup access: Multiple independent paths back into environment

4. Lateral Movement

Moving between systems toward objective.

Credential harvesting: Mimikatz, LSASS dump, cached credentials
Pass-the-hash/ticket: Using hashes instead of passwords
Remote execution: PSExec, WMI, WinRM, DCOM
Network pivoting: SOCKS proxy, port forwarding, tunneling

5. Objective Completion

Achieving defined objective.

Data exfiltration: Stealing sensitive data
Domain dominance: Domain Admin, Enterprise Admin
Business impact: Simulating ransomware, business disruption
Proof: Screenshots, documents, hashes as evidence

Threat Intelligence-led Red Team

Advanced approach based on real threats.

Threat modeling: Identifying relevant threat actors
TTP mapping: MITRE ATT&CK techniques they use
Emulation: Mimicking specific attacker (APT group)
Purple team: Collaboration with blue team to improve detection

When You Need Red Team

Red team isn't for everyone. You need:

Mature security organization: If you don't have basic security, start with pentest
SOC/SIEM: Someone must detect attacks
Incident response process: Ability to respond to findings
Management buy-in: Understanding it's a realistic simulation
Budget and time: Red team takes weeks to months

Typical Red Team Objectives

Domain access (Domain Admin)
Access to critical data (finance, HR, IP)
Compromise of specific system (CEO laptop, production DB)
Ransomware attack simulation
Incident response capability test

My Approach

Realistic simulation: I don't look for all vulnerabilities - I look for path to objective
OPSEC: Avoiding detection like a real attacker
Documentation: Every step documented for post-mortem
Control: Clear stop conditions, out-of-band communication
Ethics: No actual harmful actions

Need a Red Team Simulation?

Find out what an attacker can actually do in your environment.

Contact Me