Phases of a Red Team exercise: how it works from start to finish

A Red Team exercise isn't a longer pentest: it's a process structured into distinct phases, each with its own objectives and risks, that can span several weeks or months. Understanding each phase helps set realistic expectations before hiring one.

Phase 1: objective definition and rules of engagement

Before any technical action, the concrete business objective (crown jewel), the systems strictly out of scope, the time window and, crucially, the emergency stop protocol are agreed with leadership or the CISO — never with the defensive team, who must not know. This phase also sets whether in-person social engineering is allowed or only digital vectors.

Phase 2: threat intelligence and reconnaissance

The team builds a realistic attack profile based on the tactics, techniques and procedures (TTPs) of threat actors relevant to the organization's sector — not generic techniques — and maps the exposed surface: domains and subdomains, employees and their roles, technologies in use, credentials leaked in previous breaches. This phase is purely passive: it doesn't touch the organization's systems yet.

Phase 3: initial intrusion

The agreed entry vector is executed: spear phishing targeted at specific employees, exploitation of an exposed service identified during reconnaissance, or a social engineering vector. The goal of this phase is to gain an initial foothold — a valid credential, code execution on a machine — with as little noise as possible, avoiding early alerts that would ruin the rest of the exercise.

Phase 4: post-exploitation, lateral movement and evasion

With the initial foothold, the team escalates privileges, moves laterally across systems toward the objective set in phase 1, and establishes persistence, all while actively evading EDR, antivirus and SOC detection rules. It's the longest phase of the exercise: speed is deliberately sacrificed in favor of stealth, because being detected too early invalidates the real measurement the exercise is looking for.

Phase 5: objective achievement, closure and purple teaming

The team reaches (or documents why it didn't reach) the agreed business objective. A joint report is delivered with the full attack timeline mapped to MITRE ATT&CK, what the blue team detected and when, and what it missed. Many exercises close with a purple teaming session: the red and blue teams review together, technique by technique, what failed in detection and how to fix it.

FAQ

How long does a full Red Team exercise take, start to finish?

Typically between 4 and 12 weeks, depending on the complexity of the objective, the size of the organization and the required level of stealth. The post-exploitation phase is usually the longest because it prioritizes staying undetected over speed.

What happens if phase 3 doesn't gain any initial foothold?

That's a legitimate outcome that still provides valuable information: it means the exposed perimeter and phishing awareness are solid. In that case, an assisted starting point (assumed breach) is usually agreed with the client to still be able to assess the later phases.