To me, one of the most appealing aspects of becoming a professional social engineer was red teaming on an onsite job. I pictured myself in tactical gear, breaking into a bank under the cover of night—stealthily bypassing every security measure and showcasing my skills. I finally got to go on an onsite social engineering adversarial simulation (often referred to as physical pen testing). Was it everything I thought it would be? And what lessons did I learn? Join me as I dive into my first experience with red teaming for beginners.
It Starts with OSINT
OSINT (Open Source Intelligence) is the starting point of any onsite job. During this process, we gather data from open sources and publicly available information to produce actionable intelligence. First, we find the physical location of the facility or building we’ll be attempting to access and look for things like gates, security cameras, back entryways, and any other information that could be helpful in achieving our goal. We document all of the pertinent findings, including pictures of the property with accurate descriptions. We also look at the surrounding areas for any clues for possible pretexts.
In this particular job we found a truck for an internet service provider (ISP) parked at the entrance of the target building, which gave us a clue as to who our client used for this service. We then verified this information by calling the ISP while impersonating our client. We now had a solid pretext: impersonating their ISP and checking connectivity issues.
Pretexting
For a pretext to be effective it must be as realistic as possible. Not only do you need accurate information to craft the pretext, but you also have to look the part. This includes props like uniforms, tools, badges, etc. Impersonation is a key part of the pretext. While the pretext should be kept simple, it’s important to have basic knowledge of the services offered by the person/business you’re impersonating.
Biases should also be kept in mind while crafting a pretext. For example, at one of the locations, the guard was not convinced that we were “service technicians,” because I, as a female, didn’t fit the criteria. Female technicians were not very common (at least in the town we were in), therefore it raised some flags. Definitely a lesson learned!
Be Adaptable
It was the last day of our engagement, and we were headed to our final location to break into. At that moment, we got a call from our contact saying that their IT department was called by an employee in the previous location and knew that we were not from the ISP company. We were just five minutes away from the location and had to come up with a different pretext on the fly!
Through a quick OSINT search we found another ISP we could impersonate, but how would we do so if our polo shirts and badges had the other company’s name on them? That’s when our team lead said, “Zip up your jackets and hide your badges!” We then walked into the building impersonating a completely different set of service technicians. Being adaptable allowed us to successfully complete our mission.
Reporting
Just when you think it’s over…think again! As a team, we got together at the end of each day to ensure all details were documented. Once we got back to our location, all the pictures and notes had to be compiled into a report. The report contains all the OSINT, pretexts, and attacks, along with a summary of the work and outcomes and our recommendations. Report writing is crucial for our clients, as it highlights their strengths as well as their vulnerabilities and, more importantly, what steps to take to strengthen their overall safety posture. A final debrief meeting is also held to walk through the findings, align on key takeaways, and address any outstanding questions.
Debriefs That Drive Change
The meeting started almost as soon as we sat down. Our point of contact had gathered all the team leads for a full debrief, and we were invited to walk them through everything. Passing back by the security guard who’d just waved us in, there was a flicker of nerves. But because our pretext never relied on fear or manipulation, just psychology and rapport, the vibe stayed light. People were curious, not defensive.
As we walked through each step—what worked, where we pivoted, and what we’d do differently—I was struck by how this team responded. No panic, no blame. Just thoughtful questions: “How do we prevent this?” “Where were the breakdowns?” “What should we strengthen next?” Not a single person shamed an employee or pointed fingers. That mindset is rare. And it’s exactly the kind of environment where real learning happens.
This client, in particular, takes a full-spectrum approach to security. We’ve worked with them on phishing, vishing, and physical assessments, and each has its own rhythm. Success rates vary across these modalities, and that’s part of the point. Real adversaries aren’t limited to one channel. So, if you’re only testing one, you’re already behind.
And that’s the beauty of this work. We’re not here just to “get in.” We’re here to leave something behind: awareness, resilience, and confidence. These red team engagements are powerful because they expose vulnerabilities in a safe, structured way. They give leadership the clarity and insight they need to act before the real attackers show up.
Because when you understand your weak points, you’re already one step ahead.
Written by
Rosa Rowles
Human Risk Analyst, Social-Engineer, LLC