A red teamer exists because organizations fall in love with their own plans. Groupthink, hierarchy, optimism, and sunk cost make a team the worst possible judge of whether its scheme survives contact with a thinking opponent. The red teamer is the licensed adversary inside the wire: paid to attack the home side's assumptions and defenses the way a real enemy would, surfacing the fatal flaw while it is cheap to fix — in a wargame or a code review, not in the field or the breach report. The product is not destruction; it is an organization that can no longer fool itself.
\n","wordCount":101},{"heading":"Core Mission","id":"core-mission","markdown":"Find your own side's decisive failure before the adversary does, by adopting the adversary's goals and freedom of action, and report it so the plan's owner can fix it.","html":"Find your own side's decisive failure before the adversary does, by adopting the adversary's goals and freedom of action, and report it so the plan's owner can fix it.
\n","wordCount":29},{"heading":"Primary Responsibilities","id":"primary-responsibilities","markdown":"The visible work is \"breaking things\"; the real work is manufacturing the dissent a healthy organization needs but cannot produce on its own. A red teamer plays the adversary in wargames (the OPFOR role); runs alternative analysis against the staff's preferred course of action; attacks plans and intelligence estimates for the gaps the planners are blind to; emulates a specific threat actor rather than running a generic vulnerability sweep; and writes findings a defensive team will act on. Underneath sits one discipline: separating what the home side knows from what it merely believes, and proving the difference matters.","html":"The visible work is "breaking things"; the real work is manufacturing the dissent a healthy organization needs but cannot produce on its own. A red teamer plays the adversary in wargames (the OPFOR role); runs alternative analysis against the staff's preferred course of action; attacks plans and intelligence estimates for the gaps the planners are blind to; emulates a specific threat actor rather than running a generic vulnerability sweep; and writes findings a defensive team will act on. Underneath sits one discipline: separating what the home side knows from what it merely believes, and proving the difference matters.
\n","wordCount":98},{"heading":"Guiding Principles","id":"guiding-principles","markdown":"- **Attack the plan, never the planner.** The target is the idea and the assumption behind it; the moment it reads as an attack on the team, the finding is rejected.\n- **Adopt the adversary's goals, not your own cleverness.** A real enemy wins by the cheapest path available to *them*, not the most elegant exploit you can devise.\n- **The unstated assumption is the real target.** Plans rarely fail on the risks everyone listed; they fail on the premise nobody questioned because \"everyone knows\" it.\n- **Be wrong about your own side on purpose.** Argue the case the organization is structurally incapable of arguing for itself, whether or not you personally believe it.\n- **A finding nobody fixes is one you failed to land.** Rigor the blue team dismisses is theater; the deliverable is changed behavior, not a report.\n- **Independence is the whole value.** A team that reports to the people it critiques, or wants to be liked, is already captured.","html":"A red team is only valuable embedded against — and ultimately for — the people it attacks. With planners and commanders, it provides the dissent the staff cannot generate internally, reporting through an independent channel so candor survives. With the blue team and security engineers, it works adversary-to-defender and, in purple-team mode, turns each finding into a detection or control. With leadership, it trades on credibility earned by landing fixes. The standing tension: independent enough to stay honest, close enough to be heard — and the moment the team is loved, it has stopped doing its job.
\n","wordCount":97},{"heading":"Ethics","id":"ethics","markdown":"The red teamer holds a charter to attack its own side, and that license is why restraint defines the professional. The duties: operate strictly within the agreed scope and ROE, because an off-charter win betrays the trust the role runs on; attack ideas and never people, since the goal is a better plan, not a humiliated colleague; protect the findings, which map the home side's weaknesses and are devastating in the wrong hands; and tell the truth even when it is that a beloved plan is fatally flawed. The hardest edge is candor without cruelty — delivering the worst news so it gets fixed, not buried.","html":"The red teamer holds a charter to attack its own side, and that license is why restraint defines the professional. The duties: operate strictly within the agreed scope and ROE, because an off-charter win betrays the trust the role runs on; attack ideas and never people, since the goal is a better plan, not a humiliated colleague; protect the findings, which map the home side's weaknesses and are devastating in the wrong hands; and tell the truth even when it is that a beloved plan is fatally flawed. The hardest edge is candor without cruelty — delivering the worst news so it gets fixed, not buried.
\n","wordCount":106},{"heading":"Scenarios","id":"scenarios","markdown":"**A unanimous staff and a plan nobody doubts.** The staff has converged on one course of action with no dissent. Chartered as devil's advocate, the red teamer runs a pre-mortem: assume it failed, write how. The story hinges on a logistics assumption — a key route stays open — treated as given because it had held before. The home side has confused \"it worked before\" with \"it will work.\" Rather than ambush the briefing, the red teamer takes it privately to the operations chief, who adds a branch plan. It landed because it attacked the assumption, not the planners.\n\n**A security engagement that could become a scanner run.** A company asks for a red-team test; the easy move is to scan the perimeter and ship a CVE report. The red teamer refuses and emulates a threat actor whose intent matches — a group that phishes finance staff. They phish a junior accountant and reach the payment system through a forgotten service account, bypassing the hardened front-end the budget went to. The finding isn't a CVE list; it's that the company defended the wrong threat — landed by pre-empting the dodge (\"that account is being decommissioned\") with logs showing it authenticated last week.\n\n**Knowing when to stop.** Mid-engagement, the decisive failure is proven: the adversary reaches the objective cheaply and undetected. More attacking would surface flaws but only deepen the home team's defensiveness without changing the obvious decision. The red teamer stands down, consolidates the one finding that matters, and resists running up the score — restraint that preserves the relationship the next engagement needs.","html":"A unanimous staff and a plan nobody doubts. The staff has converged on one course of action with no dissent. Chartered as devil's advocate, the red teamer runs a pre-mortem: assume it failed, write how. The story hinges on a logistics assumption — a key route stays open — treated as given because it had held before. The home side has confused "it worked before" with "it will work." Rather than ambush the briefing, the red teamer takes it privately to the operations chief, who adds a branch plan. It landed because it attacked the assumption, not the planners.
\nA security engagement that could become a scanner run. A company asks for a red-team test; the easy move is to scan the perimeter and ship a CVE report. The red teamer refuses and emulates a threat actor whose intent matches — a group that phishes finance staff. They phish a junior accountant and reach the payment system through a forgotten service account, bypassing the hardened front-end the budget went to. The finding isn't a CVE list; it's that the company defended the wrong threat — landed by pre-empting the dodge ("that account is being decommissioned") with logs showing it authenticated last week.
\nKnowing when to stop. Mid-engagement, the decisive failure is proven: the adversary reaches the objective cheaply and undetected. More attacking would surface flaws but only deepen the home team's defensiveness without changing the obvious decision. The red teamer stands down, consolidates the one finding that matters, and resists running up the score — restraint that preserves the relationship the next engagement needs.
\n","wordCount":264},{"heading":"Related Occupations","id":"related-occupations","markdown":"A red teamer is the offensive mirror of the security engineer, who defends the systems against the attacks the red team invents. The cyber-warfare-specialist runs the same techniques under a state mandate rather than an internal charter. The military-intelligence-analyst shares the discipline of testing assumptions and resisting mirror-imaging. The penetration tester is the narrower technical cousin, hunting vulnerabilities rather than emulating a full adversary campaign.","html":"A red teamer is the offensive mirror of the security engineer, who defends the systems against the attacks the red team invents. The cyber-warfare-specialist runs the same techniques under a state mandate rather than an internal charter. The military-intelligence-analyst shares the discipline of testing assumptions and resisting mirror-imaging. The penetration tester is the narrower technical cousin, hunting vulnerabilities rather than emulating a full adversary campaign.
\n","wordCount":70},{"heading":"References","id":"references","markdown":"- *Red Team: How to Succeed by Thinking Like the Enemy* — Micah Zenko\n- *Psychology of Intelligence Analysis* — Richards J. Heuer Jr.\n- *The Applied Critical Thinking Handbook* (Red Team Handbook) — University of Foreign Military and Cultural Studies, U.S. Army\n- *Sources of Power* and the pre-mortem method — Gary Klein\n- *Boyd: The Fighter Pilot Who Changed the Art of War* — Robert Coram (the OODA loop)\n- MITRE ATT&CK framework — attack.mitre.org","html":"