
Red team methodology is a five-stage attack lifecycle (reconnaissance, initial access, establishing a foothold, lateral movement and privilege escalation, and actions on the objective) that mirrors how a real adversary works through a network toward a goal. Each stage maps cleanly to MITRE ATT&CK tactics, which is what lets a defender translate 'the red team got in' into 'here are the specific techniques we failed to detect at each step'.
This is the structure most professional red teams use, whether the engagement is a covert exercise or a threat-led test under TIBER-EU. Below, each stage is broken down with the techniques and tooling involved, kept at the methodology level rather than as an operational playbook, plus the detection opportunities a blue team should be building at each one.
The five stages are reconnaissance, initial access, establishing a foothold (command and control), lateral movement and privilege escalation, and actions on the objective with reporting. Together they form an iterative attack lifecycle that takes the team from zero knowledge of the target to a specific goal, while staying below the detection threshold.
The stages are not strictly linear. Once inside, operators return to internal reconnaissance constantly, discovering new hosts and credentials that open new paths. The methodology is a loop, not a straight line, and it shares its backbone with the standard penetration testing process, extended for stealth and goal-orientation.
Reconnaissance is where the red team builds an external picture of the target before touching anything that triggers an alert. It splits into passive and active recon. Passive recon gathers intelligence without contacting the target directly: OSINT on employees and tech stack via LinkedIn and job postings, subdomain and asset discovery, leaked-credential checks, and certificate-transparency logs. Active recon probes the attack surface directly, for example port and service scanning of external infrastructure, and it is done carefully, because noisy scanning is itself a detectable event.
The output is a target map: which people are likely phishing targets, which services are exposed, and which technologies might offer a way in. In ATT&CK terms this is the Reconnaissance and Resource Development tactics. AI-assisted attack-surface discovery is increasingly part of this stage, continuously mapping exposed assets the way an agentic pentesting system would. For defenders, the lesson is that most of this is invisible, so reducing your external footprint matters more than trying to detect the recon itself.
Initial access is the transition from outside to inside, and for most red teams it comes through people rather than raw exploits. The most common vector is spear-phishing, a crafted email or message that delivers a payload or harvests credentials, which is why social engineering is so central to red teaming. Other paths include exploiting an exposed, vulnerable service on the perimeter, abusing valid credentials found in a breach dump, or, in some engagements, physical entry to plant a device.
This stage maps to the Initial Access tactic in MITRE ATT&CK. The defensive value is high here: email security, multi-factor authentication, and user-awareness training are exactly what determines whether this stage succeeds. A red team that cannot phish its way in tells you your awareness program is working. One that lands a foothold on the first attempt tells you where to invest. The goal is a single reliable entry point, not breadth, so the team needs only one user to click.
Once inside, the team establishes a foothold by setting up a command-and-control (C2) channel, then expands access by moving laterally and escalating privileges toward the objective. The C2 channel, run through frameworks like Cobalt Strike, Sliver, or Mythic, gives operators a persistent, controlled connection to the compromised host that is designed to blend into normal traffic. Persistence mechanisms ensure the foothold survives a reboot or logout.
From there the work becomes internal:
This is where most of the engagement's time goes, and where detection engineering pays off. Each technique, mapped to ATT&CK, is a chance for the blue team to catch the operator mid-campaign rather than after the objective is reached.
Actions on the objective is the final stage, where the team demonstrates that it can achieve the agreed goal and then proves and documents that without causing real harm. The objective might be exfiltrating a marked dataset, reaching a specific database, or showing the ability to trigger a fraudulent transaction. Critically, the team demonstrates capability rather than causing actual damage: it shows it could exfiltrate by moving a benign marker file, not by stealing real customer data.
Reporting is where the engagement delivers its value. A strong red team report is not a vulnerability list; it is an attack narrative with a timeline, every action mapped to MITRE ATT&CK, a clear account of what the blue team detected and missed, and prioritized recommendations. The debrief, ideally run as a purple team session, turns the operation into concrete detection improvements. Without that translation step, the engagement is just a story; with it, it becomes a measurable upgrade to your detection and response. See our guide on what a strong offensive security engagement should deliver for how this fits a broader testing program.
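As an added example (not code from the original article), here is the stage-to-tactic mapping and the report metrics described above in Python: each operator action from the engagement timeline carries its ATT&CK tactic and technique plus whether the blue team alerted on it, and the script rolls that up into detection coverage per lifecycle stage, the list of techniques that were missed (the per-technique detection opportunities the foothold section talks about), and the time from initial access to first detection. The timeline is constructed for a fictitious engagement; the technique IDs are real ATT&CK identifiers.

```python
from dataclasses import dataclass
from datetime import datetime
# The page's five stages, keyed by the ATT&CK tactic names each one spans.
STAGES = {
    "reconnaissance": {"Reconnaissance", "Resource Development"},
    "initial-access": {"Initial Access"},
    "foothold": {"Command and Control", "Persistence"},
    "lateral-movement-privesc": {"Discovery", "Credential Access", "Lateral Movement", "Privilege Escalation"},
    "actions-on-objective": {"Collection", "Exfiltration", "Impact"},
}
@dataclass(frozen=True)
class Action:
    ts: str          # ISO-8601 timestamp from the operator log
    tactic: str      # ATT&CK tactic name
    technique: str   # ATT&CK technique ID
    detected: bool   # did the blue team alert on this action?

def stage_of(tactic):
    """Lifecycle stage an ATT&CK tactic belongs to (StopIteration if unmapped)."""
    return next(s for s, t in STAGES.items() if tactic in t)
def coverage_by_stage(actions):
    """{stage: (detected, total)} in lifecycle order, so an early-stage gap stands out."""
    cov = {stage: [0, 0] for stage in STAGES}
    for a in actions:
        cov[stage_of(a.tactic)][1] += 1
        cov[stage_of(a.tactic)][0] += int(a.detected)
    return {stage: tuple(v) for stage, v in cov.items()}
def missed_techniques(actions):
    """Technique IDs that never raised an alert: the detection backlog."""
    return sorted({a.technique for a in actions if not a.detected})
def time_to_first_detection(actions):
    """Delay from the first initial-access action to the first alert after it,
    or None if the blue team never caught the operator once inside."""
    ts = lambda a: datetime.fromisoformat(a.ts)
    entries = [ts(a) for a in actions if stage_of(a.tactic) == "initial-access"]
    if not entries:
        return None
    t0 = min(entries)
    hits = [ts(a) for a in actions if a.detected and ts(a) >= t0]
    return min(hits) - t0 if hits else None

# Constructed operator timeline for a fictitious engagement (real ATT&CK IDs).
TIMELINE = [
    Action("2024-03-04T09:00:00", "Reconnaissance", "T1589", False),
    Action("2024-03-05T10:15:00", "Initial Access", "T1566.001", False),
    Action("2024-03-05T10:17:00", "Command and Control", "T1071.001", False),
    Action("2024-03-05T10:30:00", "Persistence", "T1547.001", True),
    Action("2024-03-06T08:45:00", "Lateral Movement", "T1021.002", False),
    Action("2024-03-07T16:20:00", "Exfiltration", "T1041", True),
]
```

Run against the constructed timeline, the roll-up shows nothing detected until persistence was set up, which is exactly the kind of early-stage gap the debrief should turn into a detection requirement.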