Executing Red Team Engagement Planning

Overview

Red team engagement planning is the foundational phase that defines scope, objectives, rules of engagement (ROE), threat model selection, and operational timelines before any offensive testing begins. A well-structured engagement plan ensures the red team simulates realistic adversary behavior while maintaining safety guardrails that prevent unintended business disruption.

Objectives

Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel
Establish Rules of Engagement (ROE) with emergency stop procedures, communication channels, and legal boundaries
Select appropriate threat profiles from the MITRE ATT&CK framework aligned to the organization's threat landscape
Create a detailed attack plan mapping adversary TTPs to engagement objectives
Develop deconfliction procedures with the organization's SOC/blue team
Produce a comprehensive engagement brief for stakeholder approval

Core Concepts

Engagement Types

Type	Description	Scope
Full Scope	Complete adversary simulation with physical, social, and cyber vectors	Entire organization
Assumed Breach	Starts from initial foothold, focuses on post-exploitation	Internal network
Objective-Based	Target specific crown jewels (e.g., domain admin, PII exfiltration)	Defined targets
Purple Team	Collaborative with blue team for detection improvement	Specific controls

Rules of Engagement Components

Scope Definition: IP ranges, domains, physical locations, personnel
Restrictions: Systems/networks that must not be touched (e.g., production databases, medical devices)
Communication Plan: Primary and secondary contact channels, escalation procedures
Emergency Procedures: Code word for immediate cessation, incident response coordination
Legal Authorization: Signed authorization letters, get-out-of-jail letters for physical tests
Data Handling: How sensitive data discovered during testing will be handled and destroyed
Timeline: Start/end dates, blackout windows, reporting deadlines

Threat Profile Selection

Map organizational threats using MITRE ATT&CK Navigator to select relevant adversary profiles:

APT29 (Cozy Bear): Government/defense sector targeting via spearphishing, supply chain
APT28 (Fancy Bear): Government organizations, credential harvesting, zero-days
FIN7: Financial sector, POS malware, social engineering
Lazarus Group: Financial institutions, cryptocurrency exchanges, destructive malware
Conti/Royal: Ransomware operators, double extortion, RaaS model

Implementation Steps

Phase 1: Pre-Engagement

Conduct initial scoping meeting with stakeholders
Identify crown jewels and critical business assets
Review previous security assessments and audit findings
Define success criteria and engagement objectives
Draft Rules of Engagement document

Phase 2: Threat Modeling

Identify relevant threat actors using MITRE ATT&CK
Map threat actor TTPs to organizational attack surface
Select primary and secondary attack scenarios
Define adversary emulation plan with specific technique IDs
Establish detection checkpoints for purple team opportunities

Phase 3: Operational Planning

Set up secure communication channels (encrypted email, Signal, etc.)
Create operational security (OPSEC) guidelines for the red team
Establish infrastructure requirements (C2 servers, redirectors, phishing domains)
Develop phased attack timeline with go/no-go decision points
Create deconfliction matrix with SOC/IR team

Phase 4: Documentation and Approval

Compile engagement plan document
Review with legal counsel
Obtain executive sponsor signature
Brief red team operators on ROE and restrictions
Distribute emergency contact cards

Tools and Resources

MITRE ATT&CK Navigator: Threat actor TTP mapping and visualization
VECTR: Red team engagement tracking and metrics platform
Cobalt Strike / Nighthawk: C2 framework planning and infrastructure design
PlexTrac: Red team reporting and engagement management platform
SCYTHE: Adversary emulation platform for attack plan creation

Validation Criteria

[ ] Signed Rules of Engagement document
[ ] Defined scope with explicit in/out boundaries
[ ] Selected threat profile with mapped MITRE ATT&CK techniques
[ ] Emergency stop procedures tested and verified
[ ] Communication plan distributed to all stakeholders
[ ] Legal authorization obtained and filed
[ ] Red team operators briefed and acknowledged ROE

Common Pitfalls

Scope Creep: Expanding testing beyond approved boundaries during execution
Inadequate Deconfliction: SOC investigating red team activity as real incidents
Missing Legal Authorization: Testing without proper signed authorization
Unrealistic Threat Models: Simulating threats irrelevant to the organization
Poor Communication: Failing to maintain contact with stakeholders during engagement

performing-open-source-intelligence-gathering
conducting-adversary-simulation-with-atomic-red-team
performing-assumed-breach-red-team-exercise
building-red-team-infrastructure-with-redirectors

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add executing-red-team-engagement-planning

# Or load dynamically via MCP
grc.load_skill("executing-red-team-engagement-planning")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Executing Red Team Engagement Planning

Overview

Objectives

Define clear engagement scope including in-scope and out-of-scope assets, networks, and personnel
Establish Rules of Engagement (ROE) with emergency stop procedures, communication channels, and legal boundaries
Select appropriate threat profiles from the MITRE ATT&CK framework aligned to the organization's threat landscape
Create a detailed attack plan mapping adversary TTPs to engagement objectives
Develop deconfliction procedures with the organization's SOC/blue team
Produce a comprehensive engagement brief for stakeholder approval

Core Concepts

Engagement Types

Type	Description	Scope
Full Scope	Complete adversary simulation with physical, social, and cyber vectors	Entire organization
Assumed Breach	Starts from initial foothold, focuses on post-exploitation	Internal network
Objective-Based	Target specific crown jewels (e.g., domain admin, PII exfiltration)	Defined targets
Purple Team	Collaborative with blue team for detection improvement	Specific controls

Rules of Engagement Components

Scope Definition: IP ranges, domains, physical locations, personnel
Restrictions: Systems/networks that must not be touched (e.g., production databases, medical devices)
Communication Plan: Primary and secondary contact channels, escalation procedures
Emergency Procedures: Code word for immediate cessation, incident response coordination
Legal Authorization: Signed authorization letters, get-out-of-jail letters for physical tests
Data Handling: How sensitive data discovered during testing will be handled and destroyed
Timeline: Start/end dates, blackout windows, reporting deadlines

Threat Profile Selection

Map organizational threats using MITRE ATT&CK Navigator to select relevant adversary profiles:

APT29 (Cozy Bear): Government/defense sector targeting via spearphishing, supply chain
APT28 (Fancy Bear): Government organizations, credential harvesting, zero-days
FIN7: Financial sector, POS malware, social engineering
Lazarus Group: Financial institutions, cryptocurrency exchanges, destructive malware
Conti/Royal: Ransomware operators, double extortion, RaaS model

Implementation Steps

Phase 1: Pre-Engagement

Conduct initial scoping meeting with stakeholders
Identify crown jewels and critical business assets
Review previous security assessments and audit findings
Define success criteria and engagement objectives
Draft Rules of Engagement document

Phase 2: Threat Modeling

Identify relevant threat actors using MITRE ATT&CK
Map threat actor TTPs to organizational attack surface
Select primary and secondary attack scenarios
Define adversary emulation plan with specific technique IDs
Establish detection checkpoints for purple team opportunities

Phase 3: Operational Planning

Set up secure communication channels (encrypted email, Signal, etc.)
Create operational security (OPSEC) guidelines for the red team
Establish infrastructure requirements (C2 servers, redirectors, phishing domains)
Develop phased attack timeline with go/no-go decision points
Create deconfliction matrix with SOC/IR team

Phase 4: Documentation and Approval

Compile engagement plan document
Review with legal counsel
Obtain executive sponsor signature
Brief red team operators on ROE and restrictions
Distribute emergency contact cards

Tools and Resources

MITRE ATT&CK Navigator: Threat actor TTP mapping and visualization
VECTR: Red team engagement tracking and metrics platform
Cobalt Strike / Nighthawk: C2 framework planning and infrastructure design
PlexTrac: Red team reporting and engagement management platform
SCYTHE: Adversary emulation platform for attack plan creation

Validation Criteria

[ ] Signed Rules of Engagement document
[ ] Defined scope with explicit in/out boundaries
[ ] Selected threat profile with mapped MITRE ATT&CK techniques
[ ] Emergency stop procedures tested and verified
[ ] Communication plan distributed to all stakeholders
[ ] Legal authorization obtained and filed
[ ] Red team operators briefed and acknowledged ROE

Common Pitfalls

Scope Creep: Expanding testing beyond approved boundaries during execution
Inadequate Deconfliction: SOC investigating red team activity as real incidents
Missing Legal Authorization: Testing without proper signed authorization
Unrealistic Threat Models: Simulating threats irrelevant to the organization
Poor Communication: Failing to maintain contact with stakeholders during engagement

performing-open-source-intelligence-gathering
conducting-adversary-simulation-with-atomic-red-team
performing-assumed-breach-red-team-exercise
building-red-team-infrastructure-with-redirectors

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC4.1 (Monitoring & Evaluation), CC7.1 (Monitoring)
ISO 27001: A.14.2 (Secure Development), A.18.2 (Information Security Reviews)
NIST 800-53: CA-8 (Penetration Testing), RA-5 (Vulnerability Scanning)
NIST CSF: ID.RA (Risk Assessment), PR.IP (Information Protection)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add executing-red-team-engagement-planning

# Or load dynamically via MCP
grc.load_skill("executing-red-team-engagement-planning")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Executing Red Team Engagement Planning

Overview

Objectives

Core Concepts

Engagement Types

Rules of Engagement Components

Threat Profile Selection

Implementation Steps

Phase 1: Pre-Engagement

Phase 2: Threat Modeling

Phase 3: Operational Planning

Phase 4: Documentation and Approval

Tools and Resources

Validation Criteria

Common Pitfalls

Related Skills

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Conducting Pass the Ticket Attack

Conducting Spearphishing Simulation Campaign

Performing Open Source Intelligence Gathering

Exploiting Active Directory with BloodHound

Exploiting Ms17 010 Eternalblue Vulnerability

Performing Kerberoasting Attack

Executing Red Team Engagement Planning

Overview

Objectives

Core Concepts

Engagement Types

Rules of Engagement Components

Threat Profile Selection

Implementation Steps

Phase 1: Pre-Engagement

Phase 2: Threat Modeling

Phase 3: Operational Planning

Phase 4: Documentation and Approval

Tools and Resources

Validation Criteria

Common Pitfalls

Related Skills

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Conducting Pass the Ticket Attack

Conducting Spearphishing Simulation Campaign

Performing Open Source Intelligence Gathering

Exploiting Active Directory with BloodHound

Exploiting Ms17 010 Eternalblue Vulnerability

Performing Kerberoasting Attack