The "Act" Phase of a Red Team Engagement
After the doors have been opened in Get In, and the operators have learned to live quietly inside during Stay In, comes the most decisive moment: Act.
This third and final stage of the Red Team methodology is where intent turns into impact. It is here that a Red Team demonstrates, in tangible and often unsettling ways, what a determined adversary could accomplish against an organization.
⚔️ The "Act" phase is not about proving technical skill for its own sake—it is about simulating a real adversarial impact to test how an organization truly stands against persistent and capable threats.
Prerequisites Before Acting
The "Act" phase doesn’t begin in isolation—it is the culmination of everything that came before.
- Successful Completion of Previous Phases
  - Get In: Initial foothold obtained.
  - Stay In: Persistence secured, stealth maintained.
  Without both foundations, acting prematurely risks detection or collapse of the engagement.
- Planning and Authorization
  - Rules of Engagement (ROE) clearly define what can and cannot be done.
  - Engagement Control Group (ECG) approves objectives and ensures risk is acceptable.
  - Trusted Agent (TA) inside the client provides oversight, prevents collateral damage, and assists with deconfliction.
- Risk Management
  Acting against live production systems carries weight. Every step must balance realism with safety. The Red Team Lead applies operational discipline; the ECG carries ultimate accountability.
- Strategic Buy-in
  Organizations must accept that real insight requires real risk. When leadership embraces full-scale simulated impacts, they gain lessons that no tabletop exercise can provide.
Core Concepts of the "Act" Phase
What Are Operational Impacts?
Operational impacts are deliberate actions designed to measure how well an organization can detect, respond, and recover when faced with a determined adversary.
Unlike a penetration test focused on vulnerabilities, the "Act" phase focuses on effects:
- How does the organization react when its crown jewels are touched?
- Can operations continue under stress?
- Do defenders recognize the threat in time?
Examples of Impacts
- Denial of Service on a critical application to test continuity plans
- Exfiltration of sensitive files to measure data loss prevention
- Manipulation of ICS equipment in an industrial context to simulate operational disruption
- Privilege misuse that mimics insider threats without relying on exploits
The key is not the sophistication of the technique, but the realism of the impact and the organization’s ability to respond.
Timing and Execution
Operational impacts are usually performed towards the end of the engagement, once the Red Team has prepositioned itself to strike efficiently.
⏳ Timing matters: too early, and the Blue Team may harden prematurely; too late, and there may be little room for meaningful lessons.
Impacts are always executed with precision, minimizing unnecessary noise, while ensuring that defenders face a scenario as authentic as possible.
Why the "Act" Phase Matters
The value of this phase lies in the mirror it holds up to the organization:
- It measures the coordination between people, processes, and technology.
- It reveals whether alerts are noticed and acted upon.
- It tests continuity and recovery under real stress.
- It highlights not just vulnerabilities, but resilience—or the lack thereof.
For defenders, it is muscle memory training: recognizing adversarial patterns, learning to respond under pressure, and closing gaps before a real adversary arrives.
Documentation and Reporting
The "Act" phase must be meticulously documented to provide lasting value:
- Comprehensive Logs → Every command, attempt, timestamp, and outcome is captured.
- Attack Flow Diagrams → Visuals make the threat journey clearer than text alone.
- Narrative Reporting → Rather than listing vulnerabilities, the Red Team tells the story of how objectives were achieved and what that reveals about defenses.
- Risk and Context → Instead of generic severity scores, risk is explained in relation to organizational goals and defensive performance.
Two Levels of Debrief
- Executive Outbrief → High-level, business-focused: what was impacted, what it means for operations, and how reputation or continuity could have been affected.
- Technical Outbrief → A collaborative exchange with the Blue Team: what was done, how it was detected (or not), and lessons learned from both perspectives.
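The technical outbrief compares what the Red Team did against what the Blue Team actually saw. The following is an added example, not part of the original article or any particular framework: it joins a constructed operator log (timestamp, operator, host, action, outcome) to constructed Blue Team alerts on the same host within a detection window, so each impact can be reported as detected or missed, with time-to-detect. Host names, rule names and the 15-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class OperatorAction:
    # One line of the Red Team's own log: what was done, where, when, outcome.
    timestamp: datetime
    operator: str
    host: str
    action: str
    outcome: str

@dataclass
class BlueAlert:
    # One alert as recorded by the Blue Team / SOC during the engagement.
    timestamp: datetime
    host: str
    rule: str

def match_actions_to_alerts(actions: List[OperatorAction], alerts: List[BlueAlert],
                            window: timedelta = timedelta(minutes=15)
                            ) -> List[Tuple[OperatorAction, Optional[BlueAlert]]]:
    """Pair each action with the first alert on the same host raised within
    `window` after the action; None means the action went unnoticed."""
    alerts_sorted = sorted(alerts, key=lambda a: a.timestamp)
    pairs = []
    for act in sorted(actions, key=lambda a: a.timestamp):
        hit = next((al for al in alerts_sorted
                    if al.host == act.host
                    and act.timestamp <= al.timestamp <= act.timestamp + window), None)
        pairs.append((act, hit))
    return pairs

def detection_summary(pairs) -> dict:
    """Counts for the outbrief plus mean time-to-detect (minutes) for detected actions."""
    latencies = [(al.timestamp - act.timestamp).total_seconds() / 60
                 for act, al in pairs if al is not None]
    mean = sum(latencies) / len(latencies) if latencies else None
    return {"total": len(pairs), "detected": len(latencies),
            "missed": len(pairs) - len(latencies), "mean_detect_minutes": mean}

# Constructed sample data (hypothetical hosts, times and rule names).
T = datetime.fromisoformat
SAMPLE_ACTIONS = [
    OperatorAction(T("2024-05-02T09:00:00"), "op1", "fileserver-01", "staged sample files", "success"),
    OperatorAction(T("2024-05-02T09:20:00"), "op1", "fileserver-01", "exfiltration of staged files", "success"),
    OperatorAction(T("2024-05-02T10:05:00"), "op2", "app-prod-03", "agreed DoS simulation", "success"),
]
SAMPLE_ALERTS = [
    BlueAlert(T("2024-05-02T09:27:00"), "fileserver-01", "DLP: large outbound transfer"),
    BlueAlert(T("2024-05-02T10:12:00"), "app-prod-03", "Service unavailable"),
]
```

With the sample data the staging step is reported as missed while the exfiltration and the service outage are detected seven minutes after the fact, which is exactly the kind of gap the technical outbrief should surface.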
Key Takeaways
The "Act" phase is not a spectacle—it is the logical conclusion of Red Teaming. It transforms stealthy preparation into meaningful action, exposing the truth of an organization’s security posture.
✅ It tests defenses in the only way that truly matters: against impact.
✅ It provides clarity on whether systems, people, and processes can withstand a real attack.
✅ It closes the loop of the methodology: Get In → Stay In → Act.
In the end, the "Act" phase gives leadership and defenders something invaluable: a ground truth of resilience, and a roadmap to improve before facing real-world adversaries.