Inside the Mind of the Adversary: 5 Real-World Red Team Scenarios


In the first half of 2025, phishing accounted for nearly 45% of all ransomware attacks. With such a high proportion of breaches beginning with stolen credentials, mastering red team scenarios is essential for spotting and shutting down real adversaries before they can cause damage.

Red team operations are full-spectrum simulations of real-world adversaries: they probe, exploit, persist and exfiltrate the way an attacker would. The following five scenarios reflect some of the most advanced tactics in a red team’s arsenal, inspired by the HADESS Playbook. Let’s break them down and expose the cracks even in environments considered the most secure.


5 Red Teaming Scenarios

Red team scenarios aren’t mere penetration tests—they’re full-spectrum simulations that mirror how real-world attackers think, probe, persist, and exfiltrate. Below are five red teaming scenarios reflecting some of the most advanced tactics from the adversary playbook.

1. Scenario 1: Spray → Phish → PS Remote Session

The attack begins with a subtle password spray against an external login portal. A single weak credential falls, followed by a well-crafted phishing payload. One click later, the attacker initiates a PowerShell remote session, silently executing commands within the network.

Why It Works: PowerShell is native, flexible, and often trusted. When paired with phishing, it bypasses a surprising number of defences.
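The defensive counterpart to the spray stage, as an added example (not code from the original post or from the HADESS Playbook): a detector that flags one source failing logons across many distinct accounts inside a short window, which is the pattern a per-account lockout threshold never trips. The event records, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows 4625 (failed logon) records,
# reduced to (timestamp, source IP, target account).
SAMPLE_EVENTS = [
    ("2025-03-01T09:00:01", "203.0.113.7", "alice"),
    ("2025-03-01T09:00:04", "203.0.113.7", "bob"),
    ("2025-03-01T09:00:08", "203.0.113.7", "carol"),
    ("2025-03-01T09:00:12", "203.0.113.7", "dave"),
    ("2025-03-01T09:00:15", "203.0.113.7", "erin"),
    ("2025-03-01T09:00:19", "203.0.113.7", "frank"),
    # One user mistyping a password three times is noise, not a spray.
    ("2025-03-01T09:05:00", "198.51.100.9", "grace"),
    ("2025-03-01T09:05:10", "198.51.100.9", "grace"),
    ("2025-03-01T09:05:20", "198.51.100.9", "grace"),
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source whose
    failed logons span at least `min_accounts` distinct accounts inside some
    `window`-long interval. Thresholds are assumptions; tune them to your estate."""
    by_source = defaultdict(list)
    for ts, src, account in events:
        by_source[src].append((datetime.fromisoformat(ts), account))
    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        best, start = set(), 0
        # Sliding window: drop attempts older than `window` from the front.
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:
                start += 1
            accounts = {a for _, a in attempts[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            alerts[src] = sorted(best)
    return alerts

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts")
```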

2. Scenario 2: Phish → Share → KeePass

After initial access via phishing, the attacker stumbles upon a mapped network share. There, hidden in plain sight, sits a KeePass database. It’s exfiltrated, cracked offline, and suddenly the red team has VPN credentials, service accounts, even domain admin.

Red Team Tip: Users love KeePass. Attackers love unattended KeePass files even more.

3. Scenario 3: AI Endpoint → SQL Injection

What starts as a chatbot query quickly becomes an injection payload. A vulnerable AI integration passes user input straight into database queries with no sanitization. The attacker dumps tables, escalates privileges, and begins stealthy exfiltration.

Warning: AI isn’t magic. Treat every integration like a public API. Because to attackers, it is.
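The bug behind this scenario next to its fix, as an added example (not code from the original post): a toy SQLite-backed order lookup that a chatbot integration might call with a "customer" value lifted straight from the user's message. The table, the rows and the function names are constructed for the demo.

```python
import sqlite3

def build_db():
    """Constructed in-memory orders table standing in for the real backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "laptop"),
        (2, "bob", "monitor"),
        (3, "carol", "keyboard"),
    ])
    return conn

def lookup_vulnerable(conn, customer):
    # The slot the model extracted from the chat message is concatenated into
    # the SQL unchanged, so a quote in the text rewrites the query's structure.
    sql = f"SELECT id, item FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, customer):
    # Parameter binding keeps the value a value, whatever characters it holds.
    sql = "SELECT id, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

if __name__ == "__main__":
    conn = build_db()
    # A normal question resolves to a plain customer name and returns one row.
    print(lookup_vulnerable(conn, "alice"))     # [(1, 'laptop')]
    # Text that closes the quote turns the WHERE clause into a tautology and
    # returns every customer's orders; the parameterised version returns none.
    tautology = "x' OR '1'='1"
    print(len(lookup_vulnerable(conn, tautology)))  # 3
    print(lookup_safe(conn, tautology))             # []
```

Treat the model's extracted fields exactly like any other untrusted request parameter: bind them, and give the integration's database account only the rights the lookup needs.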

4. Scenario 4: SVN Leak → Web Shell

A public SVN repo contains outdated code and – jackpot – hardcoded credentials. Using those, the red team deploys a web shell on an internal-facing server, pivoting into the network and escalating rapidly.

Key Insight: Developers are often the weakest link. Old credentials in legacy repos are gold for attackers.

5. Scenario 5: RDP → DCSync → Golden Ticket

An exposed RDP host is brute-forced and compromised. Once inside, the red team targets the Domain Controller with DCSync to extract password hashes. With a forged Golden Ticket, they establish indefinite domain persistence, invisible to standard monitoring.

Hard Truth: If you’re not detecting DCSync behaviour, you’re not seeing your own domain bleed.
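What detecting DCSync looks like in practice, as an added example (not code from the original post): a check over constructed Windows Security event 4662 records that flags the directory replication control access rights being exercised by a principal that is not a domain controller computer account or an approved sync identity. The DC names, account names and allow list are assumptions; the three replication right GUIDs are the standard Active Directory ones.

```python
# Control access right GUIDs that DCSync must exercise to pull secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed inventory: DC computer accounts plus any approved replicator
# (for example a directory synchronisation service account).
DC_ACCOUNTS = {"DC01$", "DC02$"}
APPROVED_REPLICATORS = {"svc_dirsync"}

# Constructed 4662 events, reduced to the fields the check needs.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_dirsync", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Constructed placeholder GUID for an unrelated right: must not alert.
    {"SubjectUserName": "jsmith", "ObjectType": "user",
     "Properties": "{deadbeef-0000-0000-0000-000000000000}"},
]

def replication_rights(properties):
    """Names of the replication rights present in a 4662 Properties field."""
    guids = {tok.strip("{}").lower() for tok in properties.split()}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def find_dcsync(events, dc_accounts=DC_ACCOUNTS, approved=APPROVED_REPLICATORS):
    """Return (account, rights) for each event where replication rights are
    exercised by a principal that is neither a DC nor on the allow list."""
    hits = []
    for ev in events:
        rights = replication_rights(ev["Properties"])
        who = ev["SubjectUserName"]
        if rights and who not in dc_accounts and who not in approved:
            hits.append((who, rights))
    return hits

if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_4662):
        print(f"ALERT possible DCSync by {who}: {', '.join(rights)}")
```

Event 4662 is only written when directory service object access auditing is enabled on the domain controllers, so confirm that audit policy before relying on this check.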

Essential Tools and Resources for Red Teaming Scenarios

Every powerful red team scenario is backed by the right tools and intelligence. The goal is to emulate real-world adversaries – not just test configurations. A well-equipped toolkit ensures realism, depth, and measurable outcomes. Key tools and resources include:

  • MITRE ATT&CK: Framework to structure adversary tactics and techniques.
  • Cobalt Strike / Metasploit: For exploitation, persistence, and lateral movement.
  • GoPhish: To craft realistic phishing campaigns.
  • TruffleHog / GitLeaks: Detect secrets and credentials in repositories.
  • Verizon DBIR / CrowdStrike Reports: Stay updated with attacker trends.

The right mix of intelligence and red team tools transforms red team scenarios into dynamic, threat-relevant exercises.

Good Practices for Executing Red Team Scenarios

Running a red team exercise is only half the mission – the real value lies in how findings are applied. Effective planning, safety, and follow-through separate mature programs from mere testing. Best practices include:

  • Define clear scope and objectives to prevent disruption and ensure accountability.
  • Collaborate with blue and purple teams to review detection, response, and communication gaps.
  • Document and prioritize remediation with assigned owners and deadlines.
  • Update scenarios regularly to reflect evolving tactics like AI-based phishing or cloud exploits.
  • Integrate insights into training to build awareness and long-term readiness.

When done right, red teaming scenarios become a cycle of continuous learning and resilience.

Conclusion

These five red team scenarios reveal the adversary mindset in action: exploiting human behaviour, trusted tools, legacy systems and detection gaps. Since nearly half of ransomware incidents start with phishing, defending effectively means simulating these exact steps.

Challenge Yourself:

  • Simulate phishing against your environment.
  • Hunt for credential artifacts on network shares.
  • Test your chatbot inputs.
  • Audit legacy repositories.
  • Monitor for replication behaviour from non-DC machines.

If your blue team isn’t training with realistic red team scenarios, you’re not defending – you’re hoping. Commit to continuous testing, enhance detection, and adopt an adversary-informed security strategy. Because once you think like the attacker, you can stop thinking like the victim.

Our red teaming services simulate real world cyber-attacks and reveal emerging dangers that could damage your business. Plus, our experts offer proactive solutions to fix security vulnerabilities and boost the security posture of your business. Contact us today.

Red Team Scenarios FAQs

How do red teaming scenarios prepare organizations for real-world attacks?

They go beyond checking for vulnerabilities – they test your people, processes, and technology under realistic pressure. By mirroring the creativity and persistence of real attackers, they reveal how your defences perform in the chaos of an actual breach.

Are red team scenarios only for large enterprises?

Not at all. While big corporations may have dedicated budgets for red team exercises, smaller organizations often benefit even more. A single well-executed scenario can uncover critical weaknesses that, if exploited, could be catastrophic for a small business’s survival.

What’s the biggest mistake companies make when running red team scenarios?

Treating them as a “tick-box” exercise. The real value comes from post-engagement analysis—documenting how the attack unfolded, why defences failed or succeeded, and embedding those lessons into ongoing security strategy.

How can you ensure red team scenarios stay relevant to emerging threats?

Keep your scenarios tied to current threat intelligence. This means incorporating the latest attacker techniques – such as targeting AI-powered endpoints or abusing trusted cloud services – so your defences are tested against what adversaries are using today, not just yesterday’s tactics.

Author
Bhowmik Shah
LinkedIn

Bhowmik has extensive experience in Cloud & Network Security, Cloud Architecture, Penetration Testing, Web App Security, driving large security projects, in his various stints across Australia and India.
