Catch the recent “Politics, Power, and Preventative Action” podcast interview with RTJ founder Mark Mateski.

Strategic Red Teaming: The Systems Perspective

This post complements the recent RTJ post on the ongoing need for strategic red teaming within the commercial enterprise. In that post we emphasized the importance of hiring a strategic red team leader, someone to motivate, guide, and marshal the enterprise’s strategic red teaming capability. In this post we emphasize the interconnected nature of systems security, and, as a result, the need to adopt a strategic point of view.
      The diagram below summarizes at least a portion of the relevant interconnections. Note how cybersecurity—the traditional focus of corporate red teaming—links both upstream and downstream to other elements of security and preparedness.

Read on …

Strategic Red Teaming: The Job Description

Conference room.Over the past few years, we’ve read a lot of red team job postings. The vast majority of them were for pentesting positions. That’s well and good, but there’s a different, broader sort of red teaming we believe enterprises should also be conducting. We call it “strategic red teaming,” and it addresses security-related risks across the enterprise from a systems-oriented perspective. It involves much more than pentesting, and we believe more and more enterprises will adopt it in the near future. To aid enterprises in finding the right sort of person to lead a strategic red teaming position, we’ve created the notional job description below. (And just to be clear, we’re not hiring for this position; this is strictly notional—the sort of position we believe enterprises should be considering.)

Update: One wag on Twitter said something to the effect of “This looks like someone who’s looking for a job.” How true! That’s the point. Most red teamers I know have more work than they can handle but are still looking for something like this because they believe in it.

Read on …

The Day Before

When it comes to haunting events, we tend to remember the date: Dec. 7 (Pearl Harbor), Nov. 22 (Kennedy assassination), Sept. 11 (World Trade Center attack). As risk and security professionals, we also tend to start working on the problem retroactively the next day, doing our best to make sure something like it doesn’t happen again. What we don’t think about nearly as much is what was happening the day before.
      Ask yourself, “What would a red team have said on Dec. 6, Nov. 21, or Sept. 10?” How would the team have characterized the risk landscape? Would it have identified the approaching attack vector? Would it have characterized the vector as likely or unlikely? Would anyone have listened? Of course, it’s impossible to answer these questions, but by expressing them, we expose some of the inherent limitations of (some? most? all?) red teaming—limitations we should do our best as red teamers to address before the next event, whatever or whenever that might be.

Red Teaming, A to Z

Ask 26 red teamers to generate 26 random thoughts on red teaming, and the permutations that would ensue are such that you’d walk away before reading just a small fraction of the total. Just thinking about it is exhausting, so why not read just one (this one)?

A: The “red” in “red teaming” traditionally refers to the adversary of interest—the adversary the red team emulates.

B: Systems thinking is among the core set of key red teaming skills.

C: Many pentesters are red teamers, but not all red teamers are pentesters. Read on …

Syria: Asking the Right Questions (Before and After)

The recent U.S. decision to hit a Syrian air field with cruise missiles has triggered a flurry of questions, both in the United States and abroad. It reminds me of RTJ Red Teaming Law #34 (“Question”):

In many ways, the art of red teaming is actually the art of asking the right questions, from the right perspective, at the right time. Ask the wrong questions, and it almost doesn’t matter how well your red team performs.

In this context, it’s worth adding, “Ask the wrong questions or fail to appreciate the right ones, and it almost doesn’t matter how well your cruise missiles perform.” Read on …

When to Red Team: Balancing Costs and Uncertainty

In my last Red Teaming 101 Webinar, I shared a concept that I often discuss in my red teaming courses. It involves the issue of when you should red team the system of interest, where the system is some combination of people, technology, or processes. Like many issues connected with red teaming, the short answer is “it depends,” the middling answer is “it’s a tradespace,” and the long answer, well—it’s a longer answer. During the Webinar, one of the participants asked if I’d posted the concept on RTJ; I hadn’t to that point, so I assembled this post. Read on …

The 2017 Red Teamer’s Watchlist (Call for Titles)

The 2017 Red Teamer’s Bookshelf was so popular, we’re going to try something new this year: a red teamer’s “watchlist”—or a list of the movies, TV shows, and videos you believe other red teamers should see. Contact us to let us know what you think should be on the list. As with the bookshelf, we’ll compile the titles and share them with you and your fellow red teamers.

The 2017 Red Teamer’s Bookshelf

A picture of booksIt’s been a couple of months since we first announced that Red Team Journal,, and OODALoop would be compiling the latest “Red Teamer’s Bookshelf” jointly. For those of you who’ve been waiting, the list is finally here. It’s larger than previous years, so we’ve organized the titles by category (and yes, some of these titles would fit in more than one category). The titles address a range of red teaming activities and skills, with a noticeable increase in special operations books this year. Thank you to everyone who submitted titles. (You can also find the the list here.) Read on …

The False Client

It’s one thing to red team; it’s another thing entirely for a red team to facilitate useful change. All red teaming is embedded within a culture, and savvy red teamers learn quickly that not all red team engagements are what they appear to be. Sometimes a client hires a red team to validate what the client already “knows” (typically then tying the red team’s hands through a set of overly constrained rules of engagement). For the experienced red team, this usually yields a level of frustration that’s best avoided by simply not taking the job.
      In a roundabout way, the quote below from Jorge Luis Borges reminds us of the red team client who feigns interest in uncovering the uncomfortable truths. Read on …