The State of Red Teaming in 2025: Why Traditional Security is Failing
Why Your Current Security Products Are Failing
Traditionally, most security teams have focused on perimeter defense and, once breached, have concentrated their efforts on network security monitoring and endpoint detection. Current security products excel in these areas:
- Endpoint Detection and Response (EDR) offerings like CrowdStrike, Elastic, and SentinelOne lead the way. EDRs are not merely good, they are great at detecting the large majority of traditional malware attacks targeting the endpoint.
- Network Detection and Response (NDR) products like Darktrace and Vectra, while often noisier, provide an invaluable source of telemetry and level of visibility for the security team.
However, despite the deployment of these products, neither mature adversaries nor Red Teams seem deterred in their attempts to compromise organizations and persist within networks for extended periods of time. That raises the question: why are these detections failing, and where is the disconnect between what defenders expect attacks to look like and what they actually turn out to be?
On the majority of Red Team engagements we have been involved in, often hands-on as an operator, we have followed a common set of playbooks. These techniques, while not novel, have been highly effective at:
- Obtaining initial access without deploying malware to endpoint systems
- Escalating privileges and compromising high value targets
- Persisting within networks for extended periods of time
These playbooks are not unique to the engagements we have been involved in; they reflect the reality of the modern security landscape, with real-world attacks quickly shaping up to match them.
And almost every time, these playbooks succeed and lead to the compromise of the organization, often without detection and almost always without eviction or response.
If you are on a Blue Team and have recently sparred with a Red Team, you likely have a sour memory of lacking the ability to detect and respond to the techniques the Red Team used. At least, that is what everyone tells me.
Why is this the case, and more importantly, what can be done to improve the situation?
What has changed for Adversaries?
We will break down the tactics, techniques, and procedures (TTPs) that work for both adversaries and Red Teams. The disconnect between what Blue Teams expect and what adversaries are actually doing is often due to a lack of understanding of the adversary's TTPs. Bridging this gap will help Blue Teams understand the reality of the modern security landscape and start to close it.
Traditional Attack Paths
All breaches begin with initial access. The goal of initial access is to identify and "exploit" a primitive that allows the attacker to deploy malware to an endpoint within the target organization's network.
From this foothold, the attacker can perform enumeration actions like Active Directory discovery and network scans to identify any potential misconfigurations and understand what systems and services exist in the environment.
Traditionally, adversaries have focused on obtaining initial access to an environment through a primitive that allows them to deploy malware to an endpoint. These primitives are highly situational and depend on the organization. For example, in the case of phishing this means convincing either employees or high-privilege helpdesk operators to download and execute a payload.
From this position on the network, the attacker would then begin enumerating Active Directory with LDAP queries and performing network scans to identify services and systems accessible from the current foothold. For example, if an SMB share was identified as readable, an attacker would access the share and enumerate any files containing credentials.
Mature security teams will have implemented a number of controls at multiple layers to prevent this type of initial access. Against such teams, these attacks are highly unlikely to succeed.
Modern Adversary TTPs
These techniques, while not novel, have been jokingly referred to as "Read Teaming" because the adversary's activity centers on spending large amounts of time reading through internal knowledge and document stores.
This often includes locations like:
- Source Code Repositories (GitHub, GitLab, BitBucket)
- Internal Documentation (Confluence, Google Docs, SharePoint)
- IT Support Ticketing Systems (Jira, ServiceNow)
- Collaboration Platforms (Slack, Microsoft Teams)
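What makes these stores valuable to a reader is the credentials that end up in them, the same material an attacker hunts for on a readable SMB share. A Blue Team can read the same stores first. The following Python is an added example, not code from the original post: a small secret scanner that runs over a constructed in-memory set of documents (a wiki page, a config template, a deploy script, a ticket and a chat export, all made up for this example) and reports where real secrets appear while ignoring placeholders such as `<redacted>` or `changeme`. The AWS key in the sample is AWS's published documentation example value, not a live credential.

```python
import re

# Constructed sample of internal documents and repositories. Every path and
# secret here is made up for this example.
SAMPLE_STORE = {
    "wiki/Ops/Backup-Runbook.md": (
        "# Backup runbook\n"
        "Connect to the backup host as svc-backup.\n"
        "password: Wint3r-Backup-2024!\n"
    ),
    "repo/deploy/config.example.yml": (
        "db:\n"
        "  user: app\n"
        "  password: <redacted>\n"
    ),
    "repo/scripts/upload.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 cp dump.sql s3://backups/\n"
    ),
    "tickets/IT-4821.txt": (
        "Summary: laptop refresh for new starter\n"
        "Temp password: changeme, user must rotate at first logon.\n"
    ),
    "chat/slack-devops-export.txt": (
        "[09:12] dave: pushing the key now\n"
        "[09:12] dave: -----BEGIN OPENSSH PRIVATE KEY-----\n"
        "[09:13] dave: b3BlbnNzaC1rZXktdjEAAAAA...\n"
    ),
}

# Each rule is (name, pattern). Only the password rule captures a value, so the
# placeholder check below applies to it alone.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
    ("password-assignment",
     re.compile(r"\b(?:password|passwd|pwd)\b\s*[:=]\s*[\"']?([^\s\"']{6,})", re.I)),
]

PLACEHOLDERS = {"changeme", "password", "example", "secret", "xxxxxxxx"}


def is_placeholder(value):
    """True for documentation-style dummy values that should not be reported."""
    value = value.rstrip(".,;").lower()
    return (value in PLACEHOLDERS
            or (value.startswith("<") and value.endswith(">"))   # <redacted>
            or value.startswith("${"))                            # ${DB_PASSWORD}


def scan_text(path, text):
    """Return (path, line_no, rule_name) for every line that holds a secret.
    The secret itself is deliberately not included in the finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            if match.groups() and is_placeholder(match.group(1)):
                continue
            findings.append((path, line_no, rule_name))
    return findings


def scan_store(store):
    findings = []
    for path, text in store.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, line_no, rule_name in scan_store(SAMPLE_STORE):
        print(f"{path}:{line_no}: {rule_name}")
```

The report lists location and rule only, never the matched value, so the scanner's own output does not become another copy of the secret in a ticket or chat channel. Against the constructed store it flags the runbook password, the access key in the deploy script and the private key pasted into chat, and correctly skips the `<redacted>` template value and the `changeme` placeholder in the ticket.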
Privilege Escalation