
When Red Teams Uncover the Unimaginable


Many organizations believe they’re secure—until a red team proves otherwise.

In my 28 years of offensive security, I’ve seen firsthand how quickly confidence crumbles when real-world adversarial tactics are applied to corporate defenses. Red team operations don’t just test systems; they push the limits of access achievable from the perspective of a determined, sophisticated adversary. Often, the rules of engagement are wider, allowing for not only server-side attacks, but social engineering, wireless, and even physical techniques. What we often uncover in our operations is that catastrophic levels of access are possible.

My team and I have gained network footholds and escalated privileges to access and even control commercial blast furnaces, driver code-signing infrastructure, payroll systems, sensitive IP, banking host systems, CCTV systems, CFOs’ inboxes, MRI/X-ray machine results, file shares full of PHI, innumerable interesting files, second homes of CEOs that were VPN-linked to corporate networks, and full hash dumps of many, many Active Directory forests.

We’ve pivoted to on-prem networks after compromising cloud resources, and we’ve had operations pivot from on-prem to cloud-based footholds. Sometimes the larger the target, the easier it is, regardless of the scale of its infosec budget. This is due to the natural asymmetry between attackers and defenders: larger scale means more opportunities for unintentionally exposed weaknesses. These aren’t theoretical risks. They’re real, and more organizations are vulnerable to this level of compromise than realize it.

Footholds

External breaches begin with a foothold—an initial point of access that opens the door to deeper compromise. In our work, we categorize footholds into four primary types:

1. Social Engineering

While common, we view it as the least rewarding. Tricking users into clicking links or revealing credentials is effective, but it doesn’t reflect the skill of a sophisticated adversary. Still, we’ve seen attackers spoof CFO emails to initiate “emergency” wire transfers or use AI-generated voice clones to bypass help desk protocols.

2. Password Spraying

This low-and-slow technique remains one of the most effective. By guessing common passwords across large user lists, attackers avoid lockouts and often succeed. We’ve breached networks using nothing more than “Summer2025!” across thousands of usernames scraped from public sources. I’d guess more than 1 in 1000 corporate users would choose it unless banned-word enforcement is in place, blocking strings like “summer”, “2025”, and “25.” For a longer password policy, I’d guess “Summertime2025!” as an example.
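The two defensive controls this paragraph implies, a banned-word password filter and a detector for the low-and-slow spray pattern, as an added Python example that is not part of the original article. The banned-word list, the log line format (`<iso-timestamp> FAIL user=<name> src=<ip>`), the detection thresholds and the sample failed-logon events are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banned-word list. A real deployment would also include the
# company name, product names and the current and next year.
BANNED_WORDS = ("summer", "winter", "spring", "autumn", "fall",
                "password", "welcome", "2025", "25")


def password_is_allowed(password: str, min_length: int = 12) -> bool:
    """Reject passwords shorter than the policy minimum or containing any
    banned substring, case-insensitively. 'Summer2025!' and 'Summertime2025!'
    both fail on 'summer' alone, which is the point of substring matching."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    return not any(word in lowered for word in BANNED_WORDS)


# Constructed log format: "2025-06-01T09:00:00 FAIL user=jsmith src=203.0.113.7"
_LINE = re.compile(r"(\S+) FAIL user=(\S+) src=(\S+)")


def _parse(line: str):
    ts, user, src = _LINE.match(line).groups()
    return datetime.fromisoformat(ts), user, src


def detect_spray(log_lines, window=timedelta(hours=1),
                 min_users=10, max_per_user=2):
    """Return source IPs that, within any sliding window, failed against many
    distinct users with only a few attempts each. That is the spray signature:
    breadth across accounts, depth kept below the lockout threshold."""
    by_src = defaultdict(list)
    for line in log_lines:
        ts, user, src = _parse(line)
        by_src[src].append((ts, user))

    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            counts = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged.add(src)
                break
    return sorted(flagged)


def build_sample_log():
    """Constructed failed-logon events: one spray, one mistyping user and one
    single-account brute force, so the detector has something to discriminate."""
    base = datetime(2025, 6, 1, 9, 0, 0)
    lines = []
    # Spray: 12 distinct users, one attempt each, three minutes apart.
    for i in range(12):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} FAIL user=user{i:02d} src=203.0.113.7")
    # One user mistyping their own password three times (not a spray).
    for i in range(3):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts.isoformat()} FAIL user=jsmith src=198.51.100.5")
    # Noisy brute force against a single account: a different signature,
    # caught by lockout, not by this detector.
    for i in range(15):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} FAIL user=admin src=198.51.100.9")
    return lines


if __name__ == "__main__":
    for pw in ("Summer2025!", "Summertime2025!", "Tr0ub4dor&3Horse"):
        print(pw, "allowed" if password_is_allowed(pw) else "rejected")
    print("spray sources:", detect_spray(build_sample_log()))
```

The detector keys on breadth rather than volume: a source that touches ten accounts with one guess each is flagged even though no single account ever approaches a lockout threshold, which is exactly why per-account lockout alone does not stop spraying.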

3. MFA Weaknesses

Multi-factor authentication is essential—but not infallible. As in all security controls, a thorough, consistent deployment is key. We’ve bypassed MFA using push fatigue, conditional access loopholes, and stale enrollment links. In one case, we enrolled our own device using a six-month-old link found in a compromised inbox.
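Two of the weaknesses named above, stale enrollment links and push fatigue, come down to missing checks that are straightforward to implement. The following Python example is added here and is not the article's or any vendor's code: it issues HMAC-signed, short-lived, single-use enrollment tokens (so a six-month-old link is rejected), and flags users who receive a run of unapproved push prompts. The signing key, the 15-minute TTL, the push-event format and the sample events are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed demo key; a real service would load this from a secret store.
SECRET = b"constructed-demo-key-not-for-production"
ENROLL_TTL_SECONDS = 15 * 60  # enrollment links are valid for 15 minutes


def issue_enrollment_link(user: str, now: int, secret: bytes = SECRET) -> str:
    """Return a token binding the user to an absolute expiry time."""
    payload = json.dumps({"user": user, "exp": now + ENROLL_TTL_SECONDS},
                         sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_enrollment_link(token: str, now: int, used_tokens: set,
                           secret: bytes = SECRET):
    """Return the user the token enrolls, or None if the token is malformed,
    tampered with, expired, or has already been used."""
    try:
        payload_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None  # signature mismatch: forged or tampered
    data = json.loads(payload)
    if now >= data["exp"]:
        return None  # stale link, e.g. one found in an old inbox
    if token in used_tokens:
        return None  # single use: the legitimate enrollment already happened
    used_tokens.add(token)
    return data["user"]


def push_fatigue_users(events, window=timedelta(minutes=10), threshold=3):
    """events: (timestamp, user, result) with result in
    {'approved', 'denied', 'timeout'}. Return users who received at least
    `threshold` unapproved push prompts inside any sliding window."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        if result != "approved":
            by_user[user].append(ts)
    flagged = []
    for user, stamps in by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t - start <= window)
            if in_window >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def sample_push_events():
    """Constructed push log: alice is being hammered, bob approves one prompt."""
    base = datetime(2025, 6, 1, 14, 0, 0)
    events = [(base + timedelta(minutes=2 * i), "alice", "denied") for i in range(5)]
    events.append((base, "bob", "approved"))
    return events


if __name__ == "__main__":
    now = 1_700_000_000
    used = set()
    fresh = issue_enrollment_link("alice", now)
    print("fresh link:", verify_enrollment_link(fresh, now + 60, used))
    stale = issue_enrollment_link("alice", now - 180 * 86400)
    print("six-month-old link:", verify_enrollment_link(stale, now, used))
    print("push fatigue:", push_fatigue_users(sample_push_events()))
```

The expiry lives inside the signed payload, so it cannot be edited out of the link, and the `used_tokens` set makes the link worthless after the legitimate enrollment even if it is later recovered from a mailbox. Number matching on the push prompt is the usual complement to the fatigue detector, since it stops the user from approving a prompt they did not initiate.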

4. Exploitable Vulnerabilities

Custom web apps are especially vulnerable. We’ve exploited everything from SQL injection to path traversal to object deserialization bugs to logic flaws that let basic users set their own price on checkout or elevate to admin access. Outdated commercial software components can even lead to remote code execution if left unpatched.
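The two logic flaws named above, a user setting their own checkout price and a user elevating themselves to admin, usually come from the same root cause: the server trusts fields the client was never supposed to control. The following Python example is added here and is not the article's code; it shows a vulnerable checkout and profile-update handler beside hardened versions that look prices up server-side and apply an allow list of editable fields. The catalog, the request shapes and the field names are constructed for the example.

```python
# Constructed catalog: the server-side source of truth for prices, in cents.
CATALOG = {"sku-100": 4999, "sku-200": 19900}
MAX_QTY = 100


def checkout_vulnerable(cart_request: dict) -> int:
    """Trusts the 'price' field sent by the client. Anyone who can edit the
    request body pays whatever they choose."""
    return sum(item["price"] * item["qty"] for item in cart_request["items"])


def checkout_hardened(cart_request: dict) -> int:
    """Ignores any client-supplied price, validates SKU and quantity, and
    computes the total from the catalog only."""
    total = 0
    for item in cart_request["items"]:
        sku = item.get("sku")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        qty = item.get("qty")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError("invalid quantity")
        total += CATALOG[sku] * qty
    return total


# Fields an ordinary user may change about their own profile.
USER_EDITABLE_FIELDS = {"display_name", "email", "timezone"}


def update_profile_vulnerable(profile: dict, update: dict) -> dict:
    """Mass assignment: copies every submitted field onto the stored profile,
    so a request containing 'role': 'admin' grants admin."""
    new_profile = dict(profile)
    new_profile.update(update)
    return new_profile


def update_profile_hardened(profile: dict, update: dict) -> dict:
    """Applies only allow-listed fields; privileged attributes such as 'role'
    can only be changed through a separate, admin-only path."""
    new_profile = dict(profile)
    for field, value in update.items():
        if field in USER_EDITABLE_FIELDS:
            new_profile[field] = value
    return new_profile


if __name__ == "__main__":
    # Constructed tampered request: two $49.99 items with the price rewritten to 1 cent.
    tampered = {"items": [{"sku": "sku-100", "qty": 2, "price": 1}]}
    print("vulnerable total:", checkout_vulnerable(tampered))
    print("hardened total:", checkout_hardened(tampered))
    profile = {"display_name": "basic user", "role": "user"}
    escalation = {"display_name": "still basic", "role": "admin"}
    print("vulnerable role:", update_profile_vulnerable(profile, escalation)["role"])
    print("hardened role:", update_profile_hardened(profile, escalation)["role"])
```

The hardened checkout never reads `price` at all, which is simpler and safer than trying to validate a client-supplied value against the catalog; the same allow-list habit applied to profile updates removes the privilege-escalation path without any role check having to be remembered.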

Reality Check: Compliance vs. Exposure

Security audits often paint a rosy picture. But red teams operate outside the script. Rules of engagement on red team operations are often much wider than standard pen testing—we simulate adversaries with precise goals.

In many engagements, clients will have a trove of past penetration reports from several different firms, with little to no demonstration of “penetration.” It’s not uncommon for us to correct this perception by achieving significant levels of access from basic, unauthenticated, external pen testing. The gap between perceived and actual risk can be vast. Quality, coverage-oriented penetration testing is more valuable than goal-based red team operations for organizations with less mature security postures.

AI’s Role in Offensive Security

While AI hasn’t yet replaced human ingenuity in red teaming, it’s accelerating our workflows. We use generative AI to build proof-of-concept exploits faster, analyze attack surfaces, simulate voices during vishing operations, and even craft authentic-looking phishing campaigns. The rise of agentic offensive AI achieving top ranks on public bug bounty lists is a sign of what’s coming.

Empathy for Defenders

Despite our offensive role, we deeply respect defenders. The asymmetry is real: defenders must be perfect 24/7; attackers only need one mistake. That’s why our reports don’t just highlight vulnerabilities, kill chains, screenshots, and real-world impact; at the top of our executive summary are positive practices that we encountered during testing. We enjoy writing these more than the findings themselves. We’re on your team to educate and remediate, not expose.

Conclusion: The Unimaginable Is Often Right in Front of You

Red teams don’t just find flaws—they force organizations to confront uncomfortable truths. The façade of security often hides fragile systems, misconfigurations, and overlooked risk. And when we uncover the unimaginable, it’s not to criticize—it’s to strengthen.

Because in cybersecurity, reality checks aren’t optional. They’re the only thing standing between “secure on paper” and a front-page breach.

Jake Reynolds is Director of Offensive Security Services at All Covered. With over 28 years in penetration testing and cybersecurity strategy, Jake leads a team of elite red teamers who specialize in uncovering real-world vulnerabilities. He is a frequent speaker on adversarial tactics and has helped hundreds of organizations rethink their security posture.