Red team vs pentest: TTPs, cells, and Lockheed Martin kill chain
Foundations program engagement: briefed leadership on why vulnerability assessments and loud pentests do not measure detection; defined red/blue/white cells, crown jewels, TTPs, and mapped Mimikatz to Installation on the Lockheed Martin cyber kill chain.
- Case files
- Red team vs pentest: TTPs, cells, and Lockheed Martin kill chain
Contrasted VA/pentest limitations with APT-driven red team goals; documented cell roles and kill-chain placement for a sample engagement artifact.
Documented engagement vocabulary and Lockheed Martin stage answers used in the client brief.
Engagement summary
Contrasted VA/pentest limitations with APT-driven red team goals; documented cell roles and kill-chain placement for a sample engagement artifact.
RED TEAM FUNDAMENTALS was a program-design briefing for stakeholders who conflate scanning with resilience. Vulnerability assessments identify weaknesses host-by-host — they do not prepare defenders to detect a live adversary (Nay). Conventional pentests often stay loud, skip social/physical vectors, and may relax controls for time — operators are not primarily concerned with client detection (Nay). Highly organized skilled adversaries are Advanced Persistent Threats. Red team engagements emulate attacker TTPs (Tactics, Techniques and Procedures) against crown jewels / flags, prioritizing stealth and detection measurement over host coverage (main objective is not max vulns — Nay). Cells: red cell (offense), blue cell (defense), white cell (trusted agent / referee). Lockheed Martin kill chain: Mimikatz deployment maps to Installation; Exploitation is the technique that executes code on the target. Sample engagement walkthrough closed with THM{RED_TEAM_ROCKS}.
Business impact
Buying only VA/pentest leaves detection and response untested. Without crown-jewel goals and white-cell ROE, exercises become scoreboard fights. Map every red action to kill-chain stages so blue can tune controls per phase.
Cells, TTPs, and kill-chain mapping
Documented engagement vocabulary and Lockheed Martin stage answers used in the client brief.
ENGAGEMENT MODEL
red-team-model.txt
VA → identify vulns (not detection)
Pentest → exploit + impact (often loud)
Red team → emulate TTPs → measure detect/respond
Goals → crown jewels / flags
Cells → red (offense) | blue (defense) | white (trusted agent)
Kill chain (LM): Recon → Weaponize → Deliver → Exploit
→ Install → C2 → Actions on Objectives
Mimikatz → Installation
Code exec → ExploitationANALYST · PROGRAM
savvy@lab:~$ cat engagement/red_team_artifact.txt
THM{RED_TEAM_ROCKS}
Remediation
Schedule assumed-breach and full-scope red exercises with written ROE. Keep blue uninformed of timing when measuring true detection. Feed kill-chain mapped findings into SOC playbooks and control owners — not only into patch tickets.