ya'll.secure?
Tags: Red Teaming, Adversary Simulation, Methodology, Threat Intelligence

Red Teaming in 2025: What's Changed and What Hasn't

Reflections on how red team operations have evolved over the past decade — from simple phishing campaigns to sophisticated, multi-month simulated nation-state intrusions.

20 January 2025 · 3 min read · Alex Morgan

The Early Days

When I started in offensive security, a "red team" was often just a more aggressive penetration test. Scope was narrow, timelines were short, and success was measured by shells obtained rather than by how much of the organisation's detection and response capability we tested.

A lot has changed.


Intelligence-Led Operations

The shift that has had the most impact on how I approach red team work is the widespread adoption of intelligence-led frameworks. CBEST in the UK, TIBER-EU for European financial institutions, and increasingly CORIE for Australian banks: these frameworks mandate that red team scenarios be grounded in real threat intelligence about the adversaries most likely to target the organisation.

This changes the entire framing of a red team. Instead of "what vulnerabilities can we find?", the question becomes "can this organisation detect and respond to the tactics of a specific threat actor?". The TTPs become constrained by threat intelligence, and success metrics shift to measuring blue team performance.


The Rise of Assumed Breach

I now default to proposing at least one assumed-breach scenario in every red team engagement. The rationale is simple: modern organisations have invested heavily in perimeter controls. Spending three weeks trying to get a foothold that a nation-state actor could achieve in minutes (via a supply-chain compromise or zero-day) is often a poor use of the client's budget.

Starting from an assumed-breach position — with an implant already deployed in the environment — lets us focus on what happens after the attacker has a foothold. Can the blue team detect lateral movement? Can they identify credential harvesting? Can they respond before the simulated attacker reaches the crown jewels?


EDR Everywhere (and the Arms Race That Followed)

Five years ago, getting past endpoint detection was relatively straightforward. Today, mature EDR products are genuinely difficult to evade, and the tradecraft required to operate beneath their detection thresholds has become significantly more sophisticated.

This is good for defenders. It also means that red teamers who haven't kept up with modern evasion research are producing assessments that no longer reflect genuine adversary capability.

Techniques I now factor into all engagements:

  • Indirect syscalls and hardware breakpoints to avoid userland hooks
  • Process injection via thread hijacking rather than CreateRemoteThread
  • Living-off-the-land (LOLBins) for post-exploitation wherever possible
  • C2 traffic that blends into normal SaaS usage patterns

What Hasn't Changed: People

For all the technical sophistication, humans remain the most reliable attack vector. Phishing continues to work. Vishing works even better. The combination of a well-crafted pretextual phone call followed by a targeted phishing email — what some call "hybrid social engineering" — achieves code execution on a hardened endpoint more reliably than most technical exploits.

The implication for defenders: technology controls alone are never sufficient. Security culture, ongoing training, and exercised incident response procedures remain as important as ever.


Looking Ahead

Two trends I'm watching closely:

  1. AI-augmented social engineering. We're already seeing spear-phishing emails that are indistinguishable in quality from legitimate business communications. The barrier to crafting a convincing pretext is falling rapidly.

  2. Cloud-native attack paths. As workloads shift to cloud-native architectures, the attack surface changes fundamentally. Traditional network segmentation thinking doesn't translate well to IAM-based access controls and service meshes. Red team methodology needs to evolve accordingly.
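The second trend is the one that most needs a concrete illustration: in an IAM-based environment the "network path" to the crown jewels is a chain of role-trust relationships, and it can cross account boundaries without a single packet traversing a segmentation boundary. As an added example (not code from this post), here is a Python breadth-first search over a constructed set of role trust policies and identity policies that finds the shortest assume-role chain from a compromised principal to any principal able to perform a target action. Account IDs, role names, policies and the simplified evaluation rules are all assumptions for the example.

```python
"""Added example, not from the original post: attack-path search over IAM
role-trust relationships. Every ARN and policy below is constructed.

Simplified model: a principal can hop to a role when
  * the role's trust policy lists that principal (or the principal's
    account root, which delegates the decision to identity policies), and
  * the principal's own identity policy allows sts:AssumeRole on the role.
Explicit Deny, conditions, SCPs, permission boundaries and resource
policies are deliberately omitted; a real evaluator must apply them.
"""
from collections import deque
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

ACCOUNT_A = "111111111111"  # workload account (constructed)
ACCOUNT_B = "222222222222"  # data account (constructed)


def arn(account: str, role: str) -> str:
    return f"arn:aws:iam::{account}:role/{role}"


# Trust policies: role -> principals that may assume it.
TRUST: Dict[str, List[str]] = {
    arn(ACCOUNT_A, "deploy-app"): [arn(ACCOUNT_A, "ci-runner")],
    arn(ACCOUNT_B, "cross-account-readonly"): [arn(ACCOUNT_A, "deploy-app")],
    arn(ACCOUNT_A, "admin"): [f"arn:aws:iam::{ACCOUNT_A}:root"],
}

# Identity policies: principal -> Allow statements as (action, resource).
PERMS: Dict[str, List[Tuple[str, str]]] = {
    arn(ACCOUNT_A, "ci-runner"): [
        ("sts:AssumeRole", arn(ACCOUNT_A, "deploy-*")),
        ("s3:GetObject", "arn:aws:s3:::build-artifacts/*"),
    ],
    arn(ACCOUNT_A, "deploy-app"): [
        ("sts:AssumeRole", arn(ACCOUNT_B, "cross-account-readonly")),
        ("ec2:DescribeInstances", "*"),
    ],
    arn(ACCOUNT_B, "cross-account-readonly"): [
        ("s3:GetObject", "arn:aws:s3:::customer-pii/*"),
    ],
    arn(ACCOUNT_A, "admin"): [("*", "*")],
}


def allowed(perms, principal: str, action: str, resource: str) -> bool:
    """Allow-only check with IAM-style '*' wildcards (see module docstring)."""
    return any(fnmatchcase(action, a) and fnmatchcase(resource, r)
               for a, r in perms.get(principal, []))


def _trusted(src: str, pattern: str) -> bool:
    """Account-root trust admits any principal in that account; the gate is
    then the principal's own identity policy, not the trust policy."""
    if pattern.endswith(":root"):
        return src.split(":")[4] == pattern.split(":")[4]
    return fnmatchcase(src, pattern)


def can_assume(trust, perms, src: str, dst: str) -> bool:
    """Both halves of a hop must hold: dst trusts src AND src may call AssumeRole on dst."""
    trusted = any(_trusted(src, p) for p in trust.get(dst, []))
    return trusted and allowed(perms, src, "sts:AssumeRole", dst)


def find_attack_path(trust, perms, start: str, action: str,
                     resource: str) -> Optional[List[str]]:
    """BFS over assume-role edges. Returns the shortest chain of ARNs from
    `start` to a principal that can perform `action` on `resource`, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        current = path[-1]
        if allowed(perms, current, action, resource):
            return path
        for role in trust:  # every inventoried role is a candidate next hop
            if role not in seen and can_assume(trust, perms, current, role):
                seen.add(role)
                queue.append(path + [role])
    return None


if __name__ == "__main__":
    # Assumed-breach start: a CI runner role compromised via the build pipeline.
    path = find_attack_path(TRUST, PERMS, arn(ACCOUNT_A, "ci-runner"),
                            "s3:GetObject", "arn:aws:s3:::customer-pii/records.csv")
    print(" -> ".join(path) if path else "no path")
```

The path the search returns crosses from the workload account into the data account purely through `sts:AssumeRole`, which is why VPC segmentation diagrams say nothing about it. The admin role is also instructive: it trusts the account root, so it is one over-broad `sts:AssumeRole` grant on the CI runner away from being reachable. Running this kind of inventory-driven search before the exercise is how the red team scopes realistic cloud objectives, and comparing its output to what the blue team actually alerted on is the measurement the article argues for.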

If you're planning a red team exercise in 2025, I'd encourage you to push your provider on these points. The assessment should reflect the threat landscape as it exists today — not as it existed five years ago.