
Red Team Planning & Intel Analysis.

Adversary-simulation planning tree (objective, profile, infrastructure, evasion, deconfliction) and the source-rating discipline that keeps a threat-intel report honest about confidence.

Planning tree — objective

  • Objective > activity. "Identify whether the SOC can detect domain enumeration from a foothold workstation within 4 hours" — concrete, measurable. Not "do red team things".
  • Defender behavior in scope. Detection, response, escalation, recovery. Pick which you're testing; trying to test all four at once produces no signal in any of them.
  • Success criteria written. "If alert fires within 4 hours: detection works. If alert fires but no host containment within 2 more hours: detection works, response doesn't." Each measurable.

Planning tree — actor profile

  • Pick a named actor. Simulating "APT29" gives the engagement a TTP set to follow. MITRE ATT&CK Navigator maps named actors to their techniques.
  • Fidelity level. High = exact tooling, exact infrastructure pattern, exact dwell-time profile. Low = TTP set only, modern tools to execute them.
  • Don't mix. Simulating APT29's initial access with FIN7's lateral movement = unrepresentative. Stay within actor.

Planning tree — infrastructure

  • Domains. Aged (registered 6–12 months in advance), free of low-reputation neighbors, TLS-terminated with a valid Let's Encrypt certificate. Categorization by domain-reputation services takes weeks; pre-register.
  • Redirectors. Domain-fronted or CDN-fronted to obscure the true backend. nginx with location-block rules forwarding only specific paths to the C2 backend.
  • Cloud staging. Disposable cloud VMs for each phase. Never reuse infrastructure across clients or across phases.
  • Mailbox infrastructure. If phishing: SPF/DKIM/DMARC-passing, warmed sender history before campaign, dedicated sending IP.

Planning tree — evasion budget

  • IOC budget. "5 EDR alerts maximum across engagement; 0 SOC escalations". Track in real time. Above budget = pause, reassess.
  • Tradecraft choice ties to budget. nanodump on LSASS (low IOC) vs Mimikatz (high IOC) is a budget decision, not a capability one.
  • Operator log of every action. Each command + timestamp + reasoning. Required for post-engagement attribution of which alert tied to which action.
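The IOC budget and the operator log only pay off if alerts can later be tied back to the action that caused them. The following is an added example (not tooling from the original page) of a minimal engagement log that records each action with timestamp and reasoning, tracks EDR alerts and SOC escalations against the agreed budget, and attributes each alert to the most recent operator action on the same host inside a time window. The budget figures, host names and log entries are constructed for illustration; an alert that attributes to no action is itself a finding, because it may be the real-incident case from the deconfliction protocol.

```python
"""Operator action log with IOC-budget tracking and post-engagement alert
attribution. Added example; all data below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Action:
    ts: datetime
    host: str
    command: str        # what was run (described, not reproduced, in this sample)
    reasoning: str      # why the operator ran it; required by the method
    expected_ioc: str   # the detection the operator expects it to trip


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    escalated: bool = False   # True if the SOC escalated beyond an EDR alert


@dataclass
class EngagementLog:
    max_edr_alerts: int
    max_escalations: int
    actions: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def record(self, action: Action) -> None:
        self.actions.append(action)

    def observe(self, alert: Alert) -> None:
        self.alerts.append(alert)

    def budget_status(self) -> dict:
        """Compare observed alerts/escalations with the agreed budget.
        over_budget=True is the 'pause, reassess' trigger."""
        edr = len(self.alerts)
        esc = sum(1 for a in self.alerts if a.escalated)
        return {
            "edr_alerts": edr,
            "escalations": esc,
            "over_budget": edr > self.max_edr_alerts or esc > self.max_escalations,
        }

    def attribute(self, alert: Alert,
                  window: timedelta = timedelta(minutes=30)) -> Optional[Action]:
        """Tie an alert to the latest operator action on the same host that
        precedes it within `window`. None means no red-team action explains
        the alert, which must be raised with the white cell immediately."""
        candidates = [a for a in self.actions
                      if a.host == alert.host and a.ts <= alert.ts <= a.ts + window]
        return max(candidates, key=lambda a: a.ts) if candidates else None


def build_sample_log() -> EngagementLog:
    """Constructed sample: two enumeration steps on WS-017, one alert that
    attributes to the second step, and one unexplained escalated alert."""
    log = EngagementLog(max_edr_alerts=5, max_escalations=0)
    t0 = datetime(2025, 1, 1, 9, 0)
    log.record(Action(t0, "WS-017", "domain enumeration, step 1",
                      "list privileged groups per the written objective",
                      "domain enumeration"))
    log.record(Action(t0 + timedelta(minutes=20), "WS-017", "domain enumeration, step 2",
                      "locate domain controllers for the next phase",
                      "domain enumeration"))
    log.observe(Alert(t0 + timedelta(minutes=25), "WS-017",
                      "EDR: suspicious AD enumeration"))
    log.observe(Alert(t0 + timedelta(hours=3), "SRV-02",
                      "EDR: credential access", escalated=True))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.budget_status())
    for alert in log.alerts:
        action = log.attribute(alert)
        print(alert.rule, "->", action.command if action else "UNEXPLAINED")
```

The unexplained escalated alert on SRV-02 pushes the sample over its zero-escalation budget and attributes to no action, so in a real engagement it would trigger both the pause and the real-incident protocol.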

Planning tree — deconfliction

  • White cell contact. Named individual + phone + Signal + email, available 24/7 for the engagement window.
  • Deconfliction call template. "This is <tester> calling about an action expected to generate <alert pattern> at <time window>. Please confirm." Decide upfront: who initiates (tester or defender?) when SOC suspects a real intrusion mid-engagement.
  • Real-incident protocol. What happens if a real attacker appears during the engagement? Default: pause engagement, stand down, hand to IR.
  • Eviction protocol. What happens if defender catches and contains a foothold? Pause and brief, don't sneak around the containment.

Intel analysis — source discipline

  • Source rating. Tag each claim with source quality. Primary (saw it firsthand), Reliable secondary (vendor research with reproducible IoCs), Aggregated (collected from other reports), Rumor (single mention, no corroboration).
  • Confidence language. "We assess with high confidence" / "moderate confidence" / "low confidence" — pick one per claim. Avoid "likely" or "probably" without scale.
  • Cross-corroboration. Two independent sources confirming the same fact = high confidence. Two reports both citing the same earlier report = single source, not two.
  • Beware analytic momentum. Once a hypothesis is named, every subsequent observation gets fitted to it. Set explicit disconfirming evidence threshold before starting analysis.
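The cross-corroboration rule is easy to state and easy to get wrong in practice, because a claim repeated in three reports can still rest on one original observation. The following is an added example (not from the original page) that tags each source with a rating, follows citation chains back to the root reporter so that reports citing the same earlier report collapse to a single source, and then assigns confidence language from the number and quality of truly independent roots. Source names, ratings and claims are constructed; the high/moderate/low thresholds are one reasonable encoding of the rules above, not the page's own scale.

```python
"""Source rating, root-source collapse and confidence assignment for
threat-intel claims. Added example; sources and claims are constructed."""
from dataclasses import dataclass
from typing import Optional

# Source-quality scale from the methodology: higher is better.
RATING = {"primary": 3, "reliable_secondary": 2, "aggregated": 1, "rumor": 0}


@dataclass(frozen=True)
class Source:
    name: str
    rating: str                         # a key of RATING
    derived_from: Optional[str] = None  # the report this one cites, if any


def root_source(name: str, sources: dict) -> str:
    """Follow derived_from links to the original reporter. Two reports that
    both cite the same earlier report collapse to that one root."""
    seen = set()
    while sources[name].derived_from is not None:
        if name in seen:        # citation cycle: stop at the current node
            break
        seen.add(name)
        name = sources[name].derived_from
    return name


def independent_sources(citing: list, sources: dict) -> set:
    return {root_source(n, sources) for n in citing}


def assess(claim: str, citing: list, sources: dict) -> dict:
    """Assign confidence language from independent roots, not raw citation count.
    Assumed thresholds: >=2 solid roots = high, 1 solid root = moderate,
    else low. 'Solid' means primary or reliable_secondary."""
    roots = independent_sources(citing, sources)
    solid = [r for r in roots if RATING[sources[r].rating] >= RATING["reliable_secondary"]]
    if len(solid) >= 2:
        confidence = "high"
    elif len(solid) == 1:
        confidence = "moderate"
    else:
        confidence = "low"
    return {
        "claim": claim,
        "cited": len(citing),
        "independent_sources": sorted(roots),
        "confidence": confidence,
    }


def build_sample_sources() -> dict:
    """Constructed citation graph: a vendor report re-reported twice, an
    in-house IR observation, and an uncorroborated forum post."""
    srcs = [
        Source("vendor_A", "reliable_secondary"),
        Source("blog_B", "aggregated", derived_from="vendor_A"),
        Source("news_C", "aggregated", derived_from="blog_B"),
        Source("ir_team", "primary"),
        Source("forum_D", "rumor"),
    ]
    return {s.name: s for s in srcs}


def sample_assessments() -> list:
    sources = build_sample_sources()
    return [
        # Looks like two sources, but both trace back to vendor_A.
        assess("actor uses technique X", ["blog_B", "news_C"], sources),
        # Vendor research plus firsthand IR observation: two independent roots.
        assess("actor uses technique Y", ["news_C", "ir_team"], sources),
        # Single uncorroborated mention.
        assess("actor targets sector Z", ["forum_D"], sources),
    ]


if __name__ == "__main__":
    for result in sample_assessments():
        print(result)
```

The first claim is cited twice but resolves to a single root and therefore only reaches moderate confidence; this is exactly the "two reports citing the same earlier report" case the rule warns about.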

Rule of thumb

The red-team engagement that's hardest to plan well is the one without a clear objective. "Just test our security" produces a report the client can't act on. Demand a written, measurable objective; if the client can't articulate it, run a planning workshop before scoping the engagement.
