In the world of cybersecurity, red teaming is often seen as the pinnacle of offensive security – a live-fire exercise where skilled operators simulate real-world adversaries to test a company’s defences. But behind every successful red team engagement is a role that is often overlooked yet absolutely critical: the Red Team Manager.
This post explores the multifaceted role of the Red Team Manager, the unique challenges they face, and a new simulation tool designed to train the next generation for this high-stakes position.
The Problem: A Missing Rung on the Career Ladder
For aspiring cybersecurity professionals, the path to becoming a Red Team Manager is often unclear. It’s a position that you can currently only learn by doing, leaving little room for error when the stakes are incredibly high. As a CREST examiner for the re-designed CCRTM exam, it is often painfully obvious to me when individuals have no experience to draw from and try to sit the exam. This gap in training was a key motivation for developing a new way to teach the role effectively, that can supplement shadowing and on the job training.
The Bridge Between Attack and Risk
A Red Team Manager is much more than just a senior operator. They act as a crucial bridge between the client’s business objectives and the technical execution of the red team. Their primary function is to analyse risks, align the engagement with business goals, ensure everything remains safe and legal, and translate the technical findings into actionable business insights.
The core mission is to simulate chaos without causing it. This involves several key responsibilities:
- Leading safe, realistic engagements that align with client goals.
- Delivering concrete evidence of security gaps while minimizing operational risk.
- Maintaining a constant focus on protecting the client’s staff, systems, and data.
This requires deep collaboration with the technical operators on tools and tactics, and the ability to translate their findings into the language of business risk.
Applying a Risk Management Lens to Red Teaming
At its heart, red teaming is a controlled exercise in risk exposure. A successful manager must think like a risk professional, constantly balancing the value of a potential finding against the risk of the test itself.
This process involves several stages:
- Identify: Determine what critical assets should be tested and devise realistic attack scenarios to target them – often supported by threat intelligence, regulators and the client.
- Assess: Analyse the potential harm a test could cause, such as service disruption or premature detection. Discussions with Red Team Specialists on what our options are and how the aligns with the scenario is critical here.
- Prioritize: Focus on areas where the engagement can add the most value, based on the impact and likelihood of a threat, weighed against the client’s risk appetite.
- Respond: Build in contingencies like pre-approved “leg-ups” (white cards), clear scope limitations, and the use of safe tooling. This will often mean we move more cautiously than real threat actors, but keep in mind our job is to be realistic but avoid shutting down our client.
- Monitor: Maintain real-time oversight during the engagement, handle deconfliction requests, and gather post-engagement feedback for stakeholders.
The Art of Communication: Turning Technical Jargon into Business Impact
A Red Team Manager’s value shines brightest in their communication. When setbacks occur, they must be able to calm the client and guide the team to recover momentum.
One of the most powerful tools for this is the use of analogies to make complex vulnerabilities relatable. For example, when explaining an Active Directory Certificate Services (ADCS) vulnerability, you could use this analogy:
” Imagine that Active Directory Certificate Services (ADCS) is like Companies House in the UK. It’s the trusted authority that issues official documents proving who directors are and who has signing power for the business.
Now picture a loophole: if someone knows how to word their filing cleverly enough, they can trick Companies House into issuing them papers that say they’re the Finance Director or even the CEO—despite never being appointed.
Armed with those “legitimate” but fraudulent documents, they can walk into banks, sign contracts, or approve major deals, and no one questions them—because everyone trusts Companies House above all else.
That’s essentially what happens with ADCS exploitation: attackers abuse flaws in the certificate system to impersonate senior leaders, unlock sensitive systems, and act with unchecked authority -often invisibly.”
By explaining what was done, translating the technical risk into business impact, and using relatable analogies, a manager makes the findings resonate with the c-suite which can help your client prioritise risks better and unlock funding.
Training the Future: Introducing Sim-Adversary
Given that red teams can take anywhere between 4-12 weeks to play out, take place in live environments where mistakes can have significant real-world consequences, and a red team manager might be expected to juggle 3+ engagements simultaneously, we needed a way to take the danger out of learning how to handle these complexities whilst not waiting for shadowing opportunities to arise for more junior members of the team. As a result, Prism Infosec gave me the time needed to help develop a tool for that. Sim-Adversary.
Sim-Adversary, an open-source, browser-based tool designed to provide a safe, repeatable, and business-focused red team training experience. Inspired by “Choose Your Own Adventure” game books, it allows aspiring red team managers to practice in without client risk.
The process is simple:
- Profile: The trainee is given a concise threat brief, including the adversary’s skills, tools, and objectives.
- Play: The trainee is put in the “hot seat” to execute the simulated engagement and adapt to challenges as they arise.
- Present: Afterwards, they participate in a post-game analysis where they debrief their choices, map detections, and present their findings in a business-facing context.
This is overseen by a qualified and experienced red team manager who can provide guidance and feedback, and explain how they would tackle a similar situation, allowing the trainee to benefit from experience, whilst building role awareness and confidence; and allowing them to step into the role slightly quicker. This tool is not a one and done training pathway, a trainee still needs to learn the tools, learn the frameworks, learn risk management, and presentation skills, but it can support them in that journey, and is expected to be underpinned with shadowing and on-the-job training.
Summing Up
The role of the Red Team Manager is a delicate balance of managing risk, communicating clearly, and keeping the team focused. By translating technical details into business insights and training the next generation with innovative tools like Sim-Adversary, the cybersecurity community can grow and better prepare professionals for this demanding role.
Prism Infosec have kindly agreed to open-source the game engine for Sim-Adversary, and we have released a phishing scenario and some of the random events we incorporate into the game, along with full instructions for how to add your own scenarios and events to the wider community.
