
Recipe: Red-team exercise design

A structured framework for designing adversary emulation exercises that test detection engineering coverage, IR playbooks, and blue-team readiness.

Ingredients

  • Threat intelligence report or MITRE ATT&CK technique list
  • Lab environment with logging pipeline (Splunk, Elastic, or similar)
  • Atomic Red Team or custom payload harness
  • Detection-as-code repo (Sigma rules, SPL queries)
  • Runbook for IR escalation paths

Steps

  1. Define objectives. Scope the exercise — are you testing a specific detection rule, validating IR playbook timing, or stress-testing log aggregation latency?
  2. Select TTPs. Map adversary behaviors to ATT&CK technique IDs. Prioritize techniques relevant to your threat model.
  3. Build the test plan. Sequence techniques into a kill chain narrative. Document expected telemetry for each step.
  4. Execute in isolation. Run each atomic test individually first. Confirm telemetry fires before chaining.
  5. Run the full scenario. Execute end-to-end. Blue team should operate blind — no advance notice of timing or technique list.
  6. Debrief and gap-fill. Compare expected vs. actual detections. File tickets for missing coverage. Update runbooks.

Notes

Run exercises quarterly at minimum. Rotate adversary profiles to avoid overfitting detections to a single TTP set. Always capture raw logs alongside SIEM alerts — gaps often hide in parsing layers, not detection logic.
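The debrief in step 6 and the note above both hinge on telling a collection or parsing gap apart from a detection-logic gap. The following added example (not part of this recipe or any project's code) scores a test plan against what the lab actually recorded, checking SIEM alerts first and raw log events second; the technique IDs are ATT&CK IDs, while the event types and rule names are hypothetical.

```python
# Added debrief helper for step 6: attribute each missed detection to either the
# collection/parsing layer or the detection logic. All sample data is constructed;
# technique IDs are ATT&CK IDs, event types and rule names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class PlannedStep:
    technique: str              # ATT&CK technique ID from the test plan
    expected_events: frozenset  # raw event types this step should produce
    expected_rule: str          # detection rule expected to fire on them


DETECTED, COLLECTION_GAP, DETECTION_GAP = "detected", "collection_gap", "detection_gap"


def classify(step, raw_events, fired_rules):
    """Classify one step from the raw telemetry and alerts tagged to it."""
    if step.expected_rule in fired_rules:
        return DETECTED
    if not step.expected_events <= raw_events:
        return COLLECTION_GAP   # expected telemetry never reached the pipeline
    return DETECTION_GAP        # telemetry arrived, but the rule did not fire


def debrief(plan, raw_events_by_step, fired_rules_by_step):
    """Map technique ID -> outcome; steps with no observations count as missing."""
    return {
        s.technique: classify(s, raw_events_by_step.get(s.technique, frozenset()),
                              fired_rules_by_step.get(s.technique, frozenset()))
        for s in plan
    }


def tickets(results):
    """Steps needing follow-up, grouped by gap type, for the gap-fill step."""
    out = {COLLECTION_GAP: [], DETECTION_GAP: []}
    for technique, outcome in sorted(results.items()):
        if outcome != DETECTED:
            out[outcome].append(technique)
    return out


# Constructed sample: a three-step plan and what the lab pipeline observed.
PLAN = [
    PlannedStep("T1059.001", frozenset({"process_create", "script_block"}), "susp_powershell_encoded"),
    PlannedStep("T1003.001", frozenset({"process_access"}), "lsass_memory_access"),
    PlannedStep("T1053.005", frozenset({"process_create", "scheduled_task_created"}), "sched_task_persistence"),
]
OBSERVED_EVENTS = {
    "T1059.001": frozenset({"process_create", "script_block"}),
    "T1003.001": frozenset({"process_access"}),
    "T1053.005": frozenset({"process_create"}),   # task-creation log never parsed
}
FIRED_RULES = {"T1059.001": frozenset({"susp_powershell_encoded"})}

if __name__ == "__main__":
    print(tickets(debrief(PLAN, OBSERVED_EVENTS, FIRED_RULES)))
```

In the sample, the scheduled-task step lands in the collection bucket because its raw event is absent, while the LSASS step has its telemetry but no alert, which is the detection-logic bucket.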
