Communicating results of a red team engagement
How to write a report for a red team engagement and considerations to keep in mind while creating the report.
Once a red team engagement has concluded, it is time to share the results with stakeholders. While communicating results, it is important to remember that stakeholders will usually comprise people from different areas of the organization. Depending on where they sit, they may not have the bandwidth or the technical background to understand the nitty-gritty of the attacks performed during the engagement. Therefore, the report of a red team engagement should be drafted with its stakeholders in mind.
For example, stakeholders from upper management might be more interested in understanding the business impact of the observations than in the state-of-the-art attacks the red team performed during the engagement. The blue team, on the other hand, will most likely be keen to know the actual tactics, techniques and procedures used during the engagement. Similarly, application owners might only be interested in the results and recommendations that involve their applications.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
The reporting phase begins well before the team actually sits down to write the report. Right after the engagement concludes, the team shares preliminary observations. This gives the organization an opportunity to identify any communication gaps, or even to rectify observations that can be fixed easily. Once the report is ready, it is presented to stakeholders in the form of a debrief. Depending on the audience, there may be multiple debrief sessions. For example, one session may be oriented towards the executive team, highlighting the overall impact to the organization; this session will not go into a technical deep-dive. The blue team may then want a separate session for a detailed technical discussion of the observations.
As I mentioned above, the actual report will have a varied audience. So it is good practice to start with a bird's-eye view (i.e. the Executive Summary) of the engagement, highlighting the overall attack flow and the business impact. Further sections can gradually delve into more technical aspects. To understand how to structure the report, you can have a look at this template. If you want to see a report from a real-world red team engagement, go through the Enhancing Cyber Resilience: Insights from CISA Red Team Assessment of a US Critical Infrastructure Sector Organization report published by CISA in November 2024.
Generative AI can be leveraged to streamline the process of drafting a red team engagement report. It can assist in summarizing attack paths, techniques, and observations based on engagement logs and operational notes, generating executive summaries, and suggesting remediation steps tailored to the target environment. AI can also help standardize report formatting and language, ensuring consistency across multiple engagements while allowing customization for specific clients or industries. It can be especially helpful where the red team needs to deliver the report in a non-native language.
Further reading
Engagement Reporting - Red Team Development and Operations by Joe Vest and James Tubberville
Chapter 7 Reporting - Professional Red Teaming by Jacob G. Oakley
Red Team Notes
- Reporting in a red team engagement is crucial for documenting attack paths, exploited vulnerabilities, and security gaps while providing actionable remediation steps. It ensures stakeholders understand the impact of simulated attacks and helps improve an organization's security posture. A well-structured report bridges the gap between technical findings and executive decision-making.