
What a Red Team Operator Actually Does in a Week

Red teaming is not Hollywood hacking. It is methodical adversary simulation: reconnaissance, initial access, persistence, lateral movement, OPSEC, and reporting. Inside a real working week of a professional red team operator and the skills it actually takes to build the career.

Xcademia Research Team
May 18, 2026
8 min read

Inside the most misunderstood role in cybersecurity

The popular image of the red team operator involves dramatic music, lines of scrolling code, and a hooded figure doing something mysterious in a dark room. The actual job involves reading documentation, reviewing engagement plans, running automated scans patiently, hitting roadblocks, thinking carefully, and writing reports. 

Red teaming is one of the most technically demanding and intellectually engaging roles in cybersecurity. It is also one of the most methodical, careful, and process-driven. The professionals who are most effective at it are the ones who understand that patience and precision matter more than the ability to move fast. 

This article is a day-by-day account of what a red team operator on a typical engagement actually spends their time doing across a working week.

The difference between a penetration test and a red team engagement is not the tools or the techniques. It is the objective and the timeline. A pen test finds vulnerabilities. A red team exercise tests whether the organisation's detection, response, and recovery capability would survive a real adversary. The operator's job is to behave like that adversary, not just like a scanner. 

Before the Week Starts: What Preparation Looks Like 

A red team engagement begins long before any tool is run or any system is touched. The preparation phase is where the quality of the operator is most visible. 

The engagement plan 

Every red team engagement begins with a signed, legally reviewed engagement plan. This document defines the scope, which systems are in scope, which are out of scope, what actions are permitted, what is explicitly prohibited, and the emergency contact procedures if something goes wrong. An operator who acts outside the engagement plan is not a red teamer. They are a criminal. The document is read, understood, and referred back to throughout the engagement. 
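One practical way to make "referred back to throughout the engagement" mechanical rather than a matter of memory is a scope gate that every tool wrapper or journal entry passes through before anything is touched. The following is an added example, not Xcademia's or any engagement's code; the CIDR ranges, the domain, and the prohibited-action list are constructed, and the rule that explicit exclusions beat inclusions and that anything unlisted is out of scope is the assumption being demonstrated.

```python
"""Scope gate: refuse to act on any target not explicitly covered by the
signed engagement plan. Added example; the networks, domain and action
names below are constructed, not taken from any real engagement."""
import ipaddress
from dataclasses import dataclass


@dataclass
class EngagementPlan:
    in_scope_networks: list
    out_of_scope_networks: list
    in_scope_domains: list
    prohibited_actions: set

    def __post_init__(self):
        # Normalise once so every later check is a plain membership test.
        self.in_scope_networks = [ipaddress.ip_network(n) for n in self.in_scope_networks]
        self.out_of_scope_networks = [ipaddress.ip_network(n) for n in self.out_of_scope_networks]
        self.in_scope_domains = [d.lower().lstrip(".") for d in self.in_scope_domains]
        self.prohibited_actions = {a.lower() for a in self.prohibited_actions}

    def host_in_scope(self, target: str) -> bool:
        """Exclusions win over inclusions; anything unlisted is out of scope."""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            # Not an IP: treat as a hostname and require an in-scope suffix.
            name = target.lower().rstrip(".")
            return any(name == d or name.endswith("." + d) for d in self.in_scope_domains)
        if any(addr in net for net in self.out_of_scope_networks):
            return False
        return any(addr in net for net in self.in_scope_networks)

    def action_permitted(self, action: str) -> bool:
        return action.lower() not in self.prohibited_actions


def check_action(plan: EngagementPlan, target: str, action: str):
    """Return (allowed, reason). This is also the natural place to write the journal entry."""
    if not plan.host_in_scope(target):
        return False, f"{target} is not in scope"
    if not plan.action_permitted(action):
        return False, f"action '{action}' is prohibited by the engagement plan"
    return True, "permitted"


# Constructed plan: TEST-NET-3 plus an RFC 1918 range, with one excluded segment.
PLAN = EngagementPlan(
    in_scope_networks=["203.0.113.0/24", "10.10.0.0/16"],
    out_of_scope_networks=["10.10.50.0/24"],          # e.g. a production segment the client carved out
    in_scope_domains=["example.com"],
    prohibited_actions={"denial-of-service", "data-destruction"},
)

if __name__ == "__main__":
    for target, action in [("203.0.113.10", "phishing"), ("10.10.50.7", "scan"),
                           ("mail.example.com", "scan"), ("10.10.1.1", "denial-of-service")]:
        print(target, action, check_action(PLAN, target, action))
```

The hostname branch deliberately matches on a dotted suffix, so `example.com.attacker.invalid` is rejected even though it contains the in-scope domain; that is the kind of detail a scope check gets wrong when it is written as a substring test.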

Threat intelligence and target research 

Before touching any system in scope, the operator researches the target organisation using only open-source intelligence. Job postings reveal the technology stack. LinkedIn reveals the team structure and key individuals. Public-facing infrastructure reveals entry points. DNS records reveal the network topology. GitHub repositories sometimes reveal credentials or configuration files. This passive reconnaissance phase takes hours or days and produces the intelligence that directs the active phase. 

Adversary simulation planning 

Red team engagements are conducted against a defined threat scenario. Which adversary are we simulating? What are their known tactics, techniques, and procedures? MITRE ATT&CK provides the framework. The operator builds a campaign plan that mirrors the TTPs of a realistic threat actor for this target, not a generic attack playbook. 

The red team operator who skips the planning phase to start running tools is the one who produces a penetration test report that looks like a red team report. The planning is what makes the exercise realistic. 

A Typical Engagement Week 

Red team engagements vary in length from one week to several months for mature simulations. This is a typical week in the middle of a four-week engagement.

MON 

Initial Access Attempts 

Active exploitation phase 

The operator begins active attempts to gain initial access to the target environment. These are not automated scanner runs dumped into a report. They are deliberate, carefully chosen attempts based on the intelligence gathered in reconnaissance. A phishing campaign targeting specific individuals identified in OSINT. A web application attack against a vulnerability identified in passive scanning. An attack against an exposed VPN or remote access service. The objective is a single foothold inside the perimeter. The operator may spend an entire day on this with no success and try a different vector tomorrow. Patience is not optional. 

TUE 

Establishing Persistence 

Post-exploitation phase 

Following a successful initial access, the operator's first priority is persistence. A single shell is fragile. If the process crashes, the VPN resets, or the user logs off, access is lost. Persistence means establishing a mechanism that survives these events: a scheduled task, a registry key, a service, a web shell in a path the application loads on startup. The persistence mechanism is chosen to blend with legitimate activity in the target environment, not to be conspicuous. This is OPSEC. Everything the operator does from this point must avoid triggering the detection tools the defender has deployed. 

WED 

Lateral Movement 

Expanding access 

With a foothold established, the operator begins moving through the environment. The target is not the initial system. It is the crown jewel, the domain controller, the financial system, the database containing the sensitive data defined in the engagement objective. Lateral movement requires understanding how the target network is structured, which credentials are available from the compromised host, and which trust relationships can be exploited. BloodHound maps Active Directory relationships. Mimikatz or similar tools extract credentials. Pass-the-hash or Kerberoasting attacks leverage those credentials. Every step is logged in the operator's engagement journal. 
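The persistence mechanisms from Tuesday and the credential abuse from Wednesday are exactly what the defender's detection rules should be looking for, which is why the operator thinks about them in terms of the telemetry they generate. The following added example (not the article's or any vendor's code) runs simple detection logic over a handful of constructed Windows event records: scheduled-task creation (Security 4698), service installation (System 7045) and Run-key writes (Sysmon 13) for persistence, and RC4 (0x17) service-ticket requests (Security 4769) spread across several SPNs for Kerberoasting. The hostnames, usernames and paths are made up, and the field names are a simplified form of what the real logs carry.

```python
"""Detection logic over constructed Windows event records. Added example:
the records, accounts and hostnames are fabricated; event IDs follow the
Windows Security log and Sysmon conventions, field names are simplified."""
from collections import defaultdict

# Constructed sample telemetry: a mix of suspicious and benign records.
EVENTS = [
    {"EventID": 4698, "Computer": "WS01", "SubjectUserName": "jdoe",
     "TaskName": "\\Microsoft\\Windows\\UpdateCheck",
     "Command": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"},
    {"EventID": 7045, "Computer": "SRV02", "ServiceName": "WinDefendHelper",
     "ImagePath": "C:\\ProgramData\\helper.exe"},
    {"EventID": 13, "Computer": "WS01", "Image": "C:\\Windows\\Temp\\a.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "MSSQLSvc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "http-svc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "jdoe@EXAMPLE.LOCAL",
     "ServiceName": "backup-svc", "TicketEncryptionType": "0x17"},
    # Benign: AES ticket for a machine account, the normal case in a modern domain.
    {"EventID": 4769, "Computer": "DC01", "TargetUserName": "asmith@EXAMPLE.LOCAL",
     "ServiceName": "WS07$", "TicketEncryptionType": "0x12"},
]

# Path fragments that an unprivileged user can write to; a persistence binary
# there is far more suspicious than one under Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect_persistence(events):
    """Flag persistence mechanisms whose payload lives in a user-writable path."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 4698 and _user_writable(e.get("Command", "")):
            findings.append(("scheduled_task", e["Computer"], e["TaskName"]))
        elif eid == 7045 and _user_writable(e.get("ImagePath", "")):
            findings.append(("service_install", e["Computer"], e["ServiceName"]))
        elif eid == 13 and "\\currentversion\\run" in e.get("TargetObject", "").lower():
            findings.append(("run_key", e["Computer"], e["TargetObject"].rsplit("\\", 1)[-1]))
    return findings


def detect_kerberoasting(events, threshold=3):
    """Flag accounts that request RC4 (0x17) service tickets for `threshold` or
    more distinct non-machine SPNs; AES tickets and machine accounts ($) are ignored."""
    rc4_spns = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != "0x17":
            continue
        spn = e["ServiceName"]
        if spn.endswith("$") or spn.lower() == "krbtgt":
            continue
        rc4_spns[e["TargetUserName"]].add(spn)
    return {user: sorted(spns) for user, spns in rc4_spns.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for finding in detect_persistence(EVENTS):
        print("persistence:", finding)
    for user, spns in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: RC4 tickets for {spns}")
```

The threshold is the tuning knob a SOC would argue about: legacy services that still negotiate RC4 produce single 0x17 tickets all day, and it is the burst of distinct SPNs from one account that separates a roasting sweep from background noise. Both functions are the sort of rule the blue team "nearly caught the red team" with in Friday's narrative.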

THU 

Objective Achievement and Evidence Collection 

Mission phase 

The operator reaches the engagement objective: domain administrator access, access to the target system defined in the scope, exfiltration of a defined sensitive file. Evidence is collected systematically, including screenshots with timestamps, command outputs saved to log files, and network traffic captures. The evidence must prove definitively that the objective was achieved, in a way that the client can verify and that the report can reference precisely. This is not bragging. It is professional documentation of what a real attacker could have done. 
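"In a way that the client can verify" is easiest to deliver if each artefact is hashed and timestamped the moment it is captured, so the report can cite an evidence ID and the client can re-hash the file. The following added example (not the article's or any team's tooling) keeps such a ledger; the engagement objectives, file names and file contents are constructed in a temporary directory, and the SHA-256-plus-UTC-timestamp scheme is the assumption being shown.

```python
"""Evidence ledger: hash and timestamp every artefact as it is captured, then
re-verify before the report ships. Added example; the files, objectives and
notes below are constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(ledger: list, path: str, objective: str, note: str) -> dict:
    """Append an entry; the hash binds the file to the moment of capture."""
    entry = {
        "id": f"E-{len(ledger) + 1:03d}",
        "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "objective": objective,
        "file": os.path.basename(path),
        "sha256": sha256_file(path),
        "note": note,
    }
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list, directory: str) -> list:
    """Re-hash every file; return the ids whose content is missing or changed."""
    bad = []
    for e in ledger:
        path = os.path.join(directory, e["file"])
        if not os.path.exists(path) or sha256_file(path) != e["sha256"]:
            bad.append(e["id"])
    return bad


def demo(tamper: bool = False):
    """Build a two-entry ledger in a temp dir; optionally alter a file afterwards."""
    with tempfile.TemporaryDirectory() as d:
        ledger = []
        output = os.path.join(d, "da_whoami.txt")
        with open(output, "w") as f:
            f.write("constructed output: EXAMPLE\\da-user is a member of Domain Admins\n")
        record_evidence(ledger, output, "OBJ-1 domain admin", "whoami /groups on DC01")
        capture = os.path.join(d, "exfil_sample.bin")
        with open(capture, "wb") as f:
            f.write(b"\x00" * 64)
        record_evidence(ledger, capture, "OBJ-2 exfil", "64-byte placeholder capture")
        if tamper:
            with open(output, "a") as f:
                f.write("edited after capture\n")
        return ledger, verify_ledger(ledger, d)


if __name__ == "__main__":
    ledger, mismatched = demo()
    print(json.dumps(ledger, indent=2))
    print("entries that no longer match:", mismatched)
```

The ledger itself should be treated as an artefact too: write it to the engagement's evidence store as JSON at the end of each day, so that Friday's OPSEC review compares the journal against a record that was not editable in hindsight.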

FRI 

OPSEC Review and Report Drafting 

Documentation phase 

Friday is largely documentation. The operator reviews everything they did across the week, checking that all activity was within scope, that evidence is complete, and that the engagement journal is accurate enough to support the report. The draft report begins not with the vulnerability list, but with the narrative. What did the attacker do? In what order? What detection opportunities did the defender miss? Where did the blue team nearly catch the red team? This narrative is the most valuable part of the deliverable, and it is written while the memory is fresh. 


The Skills That Actually Matter 

The red team operator role is often described in terms of tools. Metasploit. Cobalt Strike. BloodHound. Impacket. The tools matter, but they are not the skill. The skill is what the operator does when the tools fail or when the obvious approach is blocked. 

Creative problem-solving under constraint 

Real environments are not CTF challenges. The textbook exploitation path rarely works without modification. Modern EDR solutions catch known Metasploit payloads. Egress filtering blocks common C2 channels. The specific environment has quirks that the operator discovers in the middle of the engagement. The operator who can adapt, improvise a custom payload, find an alternative network path, or chain a series of low-severity findings into a high-impact attack chain is the one who produces a meaningful result. 

Report writing 

The most technically brilliant red team engagement is worthless if the report cannot communicate what happened and why it matters to a CISO who was not in the room. Red team reports have two audiences: the technical team who needs to understand what to fix, and the executive team who needs to understand what risk they are accepting. Writing for both simultaneously is a specific skill that takes significant practice to develop. Most red teamers are better at the technical work than the writing. The ones who are exceptional at both are rare. 

OPSEC discipline 

Operational security is the discipline of not getting caught. For a red teamer, getting caught before the objective is achieved represents a partial failure. The engagement measures whether a real attacker could achieve the objective, not just whether they could get in. OPSEC discipline means thinking about every action through the lens of what it would look like in a SIEM, what artefacts it leaves behind, and whether those artefacts would trigger the detection rules the defender has deployed. 

The red teamer who gets caught on day two and considers the engagement complete has not tested the security programme. They have demonstrated that the perimeter is not impenetrable, which is rarely in doubt. The value is in what happens after initial access, which requires staying in long enough to demonstrate it. 

What It Takes to Build This Career 

Red teaming is a senior specialism. Very few professionals enter cybersecurity directly into red team roles. The typical path runs through several stages. 

  • Foundation: Security+ or equivalent, basic networking and OS knowledge, home lab with CTF practice 

  • Pen testing fundamentals: CEH or XEHP level, web application and network testing experience, first professional assessment engagements 

  • Intermediate: OSCP or equivalent, Active Directory attack techniques, reporting discipline developed through real client work 

  • Advanced red team: XART or equivalent, C2 framework proficiency, adversary simulation planning, MITRE ATT&CK-based campaign design 


The timeline is typically three to five years from entry level to effective red team operator. The professionals who accelerate through this progression are the ones who practise deliberately rather than casually, seek feedback on their reports rather than treating them as administrative overhead, and study real attack campaigns rather than generic certification content.

Red teaming is not a role you get straight from a certification. It is a role you grow into through accumulated technical experience, deliberate practice, and a commitment to understanding how real adversaries operate. The certification validates the capability. The capability takes years to build. 

Build Advanced Red Team Capability With Xcademia 

Xcademia's XART programme covers advanced red team methodology, adversary simulation planning, C2 infrastructure, OPSEC tradecraft, Active Directory attacks, evasion techniques, and professional campaign reporting. Ten instructor-led days. Practitioner-assessed. Verifiable at xcademia.com/verify. 
