The Highlighter Trick and a Pint of Milk: Shocking Red Teamer Confessions


The offensive security industry has evolved dramatically in recent years. To dig deeper into the realities of red teaming strategies and practices today, I recently had the pleasure of hosting the Confessions of a Red Teamer webinar. I was joined by two expert red teamers, Gavin Holt, co-founder of Amber Wolf, and Giles Inkson, a Red Team Lead at NetSPI.
During our discussion, we demystified the work that goes into testing an organization's defenses, and the conversation offered powerful insights for anyone looking to take their cyber readiness to the next level. We started by sharing some of our most memorable stories from the field.
Confessions from the Field
● The Highlighter Trick: I recounted a physical job where we needed to bypass a keypad on a door. After watching the building for three days, we still couldn't see the pin. So, we colored the brass buttons on the keypad with a green highlighter. We came back later that night, saw which four numbers were smudged, and after a few rounds of trying the combinations while battling the escalating lockout timer, the door clicked open.
● The New Hire Phish: Gavin’s team used LinkedIn to identify an employee who was starting at a target bank in two weeks. They figured out the bank’s email format and tried to log in as the new person every day until the login page switched from "account doesn't exist" to "wrong password". The login page was acting as an account-existence oracle: once the error changed, they knew the mailbox was live, so they sent a fake induction email with a malicious payload. Five minutes into their first day, the employee’s first act was to detonate the payload and give them access.
● The Pint of Milk: Giles told a story about a nervous, first-time red teamer on a physical engagement at a high-security building with a cafe in the lobby. Seeing his junior team member was terrified, Giles noticed he was dressed just like the cafe waiters. He sent him to a shop to buy two pints of milk. The new red teamer walked straight into the building's kitchen, presented the milk to the chef as a prop, and then simply walked past significant security controls and into the target area.
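The New Hire Phish above turns on one detail: the login page returned a different error for an unknown account than for a wrong password. The following is an added example, not code from the webinar or from either speaker's company. It models that oracle in a small in-memory login function, shows the enumeration an attacker runs against it using guessed corporate address formats, and then shows a hardened handler that returns one uniform message and does the same hashing work on both paths. The user store, the domain `example-bank.test`, the candidate address patterns and the error strings are all constructed for illustration; the SHA-256 hash stands in for whatever password hashing a real identity provider uses.

```python
"""Username enumeration via differential login errors, and the uniform-error fix.

Added example (not the webinar's or the vendors' code). The user directory,
domain and error strings below are constructed for illustration.
"""
import hashlib
import hmac


def _hash(pw: str) -> str:
    # Illustrative only; a real system would use a slow KDF (argon2, bcrypt, ...).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed directory: one live mailbox, as in the story once the new hire was provisioned.
USERS = {"jane.doe@example-bank.test": _hash("correct horse battery staple")}

# Hash compared against when the account is unknown, so the unknown-account
# path does the same work (and takes roughly the same time) as the known one.
DUMMY_HASH = _hash("dummy-value-for-the-unknown-account-path")


def login_vulnerable(username: str, password: str) -> str:
    """Distinguishable errors: the message itself reveals whether the account exists."""
    stored = USERS.get(username)
    if stored is None:
        return "account doesn't exist"
    if not hmac.compare_digest(stored, _hash(password)):
        return "wrong password"
    return "ok"


def login_hardened(username: str, password: str) -> str:
    """Uniform error: same message and same hash comparison whether or not the
    account exists, so the response is not an existence oracle."""
    stored = USERS.get(username, DUMMY_HASH)
    if hmac.compare_digest(stored, _hash(password)) and username in USERS:
        return "ok"
    return "invalid username or password"


def candidate_addresses(first: str, last: str, domain: str) -> list:
    """Common corporate address formats an attacker tries for a name seen on LinkedIn."""
    f, l = first.lower(), last.lower()
    patterns = [f"{f}.{l}", f"{f[0]}{l}", f"{f}{l[0]}", f"{f}_{l}", f"{l}.{f}", f]
    return [f"{p}@{domain}" for p in patterns]


def enumerate_live_accounts(login, first: str, last: str, domain: str) -> list:
    """Probe every candidate address with a junk password. An address is 'live'
    when its error differs from the error for an address that certainly does
    not exist. Against a uniform-error login this returns nothing."""
    baseline = login(f"zz-nonexistent-{first}-{last}@{domain}".lower(), "probe")
    return [addr for addr in candidate_addresses(first, last, domain)
            if login(addr, "probe") != baseline]


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name, enumerate_live_accounts(login, "Jane", "Doe", "example-bank.test"))
```

The attacker in the story ran the probe daily and watched for the message to change; `enumerate_live_accounts` is that probe at a single point in time. Note that the hardened handler still hashes on the unknown-account path: a uniform message is not enough if the unknown path returns noticeably faster, because response time is just another oracle.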
These stories highlight the creativity and persistence required in red teaming, but they're just the beginning. Here are some key takeaways and best practices that came out of our discussion.
Beyond the Buzzwords: What is Red Teaming, Really?
The definition of red teaming itself has blurred, along with the lines between different security functions. There has also been a shift in language: what used to be called a vulnerability assessment is now often sold as penetration testing.
This can create confusion, but the key differentiator is the scenario-based nature of the work. It’s about creating a test in a real-world environment to challenge the assumptions an organization has about its own security capabilities.
From one perspective, a red team is any group that exercises your incident response and detection capabilities. If you aren't actively testing the blue team, it’s not a true red team engagement; it’s just a rebadged penetration test.
Ultimately, these are three separate disciplines: you have vulnerability assessments, then penetration testing, and finally red teaming, which is where you truly put your entire security program—people, process, and technology—through its paces.
The Physical Domain: More Than Just Cyber
With digital defenses getting stronger, the physical domain is still as relevant as ever. As phishing awareness improves and EDR tools get better, initial digital access is getting harder. This makes physical intrusion a viable and sometimes necessary path for an attacker. For organizations concerned about sophisticated threat actors, looking at physical and cyber together is crucial.
A physical engagement requires a significant investment of time and effort to be valuable; a quick, half-baked effort adds nothing. The physical tests need to be realistic, safe, and useful to the customer, and it is critical to have an honest discussion with the client about whether a physical component is truly appropriate for their threat model and objectives.
The Hidden Work: Fueling a Successful Engagement
Success in this field doesn’t rely on a single approach. In fact, when running my team, we intentionally avoided using zero-day exploits because they don't offer much value to the customer in terms of learning. True success is born from a continuous cycle of research and development that happens long before an engagement actually begins.
Giles estimates that for every day spent on an active red team engagement, his team spends an additional two to four hours on R&D. This unseen work is critical for staying ahead of modern defensive tools. It’s about testing underlying tactics and strategies, not just trying to bypass a specific antivirus product.
This prep work also involves meticulous open-source intelligence (OSINT). Giles shared a great story about finding a company’s IT onboarding policy on a public PDF sharing site. The document detailed the default password format for new employees. This single piece of information allowed his team to bypass their otherwise sound MFA policy, proving that breakthroughs often come from human curiosity and persistence, not just automated scanners.
Getting Caught: A Feature, Not a Failure
Perhaps one of the biggest myths is the idea that getting caught is a failure. In fact, it’s often a valuable part of the exercise. As Giles notes, “Detection in and of itself is not the end of the world. It's a part of the process that we should be exercising”.
When a red team is detected, the focus of the test shifts. It becomes an opportunity to ask new questions:
● Can the blue team fully eradicate the threat, or are they just playing Red Team Whack-a-Mole?
● Do they understand how we got in and what we did, or are they just reacting to a single alert without a full triage?
● Can they follow their incident response playbook effectively under pressure?
Gavin also adds that if the team is caught, they often work with the customer to do some "internal social engineering" and explain the activity away as an expected test, allowing the exercise to continue and provide more value.
Final Takeaways on Building Readiness
To conclude, we each offered a key piece of advice:
● For organizations: Make sure you are mature enough for a red team before you engage one. There is a lot of pressure on organizations to say they do red teaming, but if you don't have a solid detection and response capability, you may not get the full value.
● For professionals: The job is much more than just EDR evasion. It requires building up a wide range of skills beyond just the hard tech skills, including the ability to communicate, adapt, and educate.
● For aspiring red teamers: It’s not as cool and fun as you might think; there is a lot of hidden pain. Success is born from experience, so start with the fundamentals and build from there.
Ultimately, red teaming provides one of the most effective ways for an organization to look past a compliance checklist and truly measure its readiness against a dedicated attacker.
The stories from these red teamers are just the beginning. To truly understand the meticulous planning and hidden work that goes into testing an organization's defenses, you need to go behind the scenes. To hear more, check out our upcoming webinar, Confessions of a Blue Teamer: How Unseen Work Pays off in a Crisis and download our ebook, Shadow of the Breach: The Real Work of Cyber Readiness, for a comprehensive guide on building and proving your team's resilience.