red-team
by alirezarezvanired-team is an authorized adversary-simulation planning skill for red team engagements, attack path analysis, MITRE ATT&CK sequencing, choke point scoring, OPSEC risk notes, and crown jewel targeting. Includes a planner script and methodology reference for safer scoped exercises.
This skill scores 82/100, making it a solid listing candidate for directory users who need structured red team engagement planning rather than a generic offensive-security prompt. The repository evidence shows enough methodology, workflow guidance, and a usable planner script for an agent to trigger and execute the skill with reduced guesswork, though adoption is somewhat limited by missing install guidance and likely constrained technique coverage.
- Clear trigger scope: authorized red team engagements, attack path analysis, offensive simulations, and explicit separation from vulnerability scanning or incident response.
- Substantial operational content in SKILL.md, including kill-chain methodology, technique scoring, choke point analysis, OPSEC risk assessment, crown jewel targeting, workflows, anti-patterns, and cross-references.
- Includes executable support tooling, `scripts/engagement_planner.py`, with usage examples, authorization gating, JSON output, exit codes, and technique/access-level validation.
- No install command or README is present in the skill path, so users must infer installation from the broader repository structure.
- The planner appears to use a limited built-in technique catalog in the provided excerpt, so teams may need to extend it for broader MITRE ATT&CK coverage.
Overview of red-team skill
What the red-team skill is for
The red-team skill is an authorized adversary-simulation planning skill for building structured red team engagement plans, attack paths, MITRE ATT&CK technique sequences, choke point analysis, OPSEC risk notes, and crown jewel targeting. It is best for security teams, consultants, purple-team leads, and AI agents that need a repeatable planning framework instead of an ad hoc offensive-security prompt.
This is not a vulnerability scanner, exploit generator, or incident-response playbook. Its real job is helping you reason about how an authorized simulated adversary could move from a defined access level toward high-value assets, what techniques create the most operational risk, and where defenders can validate controls.
Best-fit users and engagement types
Use this red-team skill when you already have written authorization, a scoped environment, known or candidate MITRE ATT&CK techniques, and a need to produce planning artifacts. It fits:
- Internal red team exercises with signed Rules of Engagement
- Attack path analysis for crown jewels such as AD, databases, cloud storage, or payment systems
- Purple-team planning where defenders need expected telemetry and choke points
- Executive risk discussions where attack paths need effort and detection-risk scoring
It is less useful if you only need a basic checklist, unauthenticated vulnerability discovery, malware development, or emergency triage.
What makes this skill different
The useful differentiator is its planning structure. The repository includes SKILL.md, a supporting methodology document at references/attack-path-methodology.md, and a helper script at scripts/engagement_planner.py. Together, they focus on:
- Kill-chain phase assembly from selected techniques
- Effort scoring using detection risk and prerequisites
- Choke point identification across attack paths
- OPSEC risk assessment
- Crown jewel path planning
That gives the red-team skill more operational shape than a generic “make me a red team plan” prompt.
How to Use red-team skill
red-team install and repository reading path
Install the skill in a Claude skills environment with:
npx skills add alirezarezvani/claude-skills --skill red-team
After install, read the files in this order:
SKILL.md— main workflow, boundaries, anti-patterns, and engagement logicscripts/engagement_planner.py— shows the expected inputs and output modelreferences/attack-path-methodology.md— explains attack path graphs, effort scoring, and choke point analysis
The script is especially useful before prompting because it reveals the practical input schema: --techniques, --access-level, --crown-jewels, --authorized, and --json.
Inputs the red-team skill needs
For reliable red-team usage, provide more than a vague target. Strong inputs include:
- Authorization status and RoE summary
- Engagement objective, such as detection validation or crown jewel access simulation
- Starting access level:
external,internal, orcredentialed - In-scope systems, business units, cloud accounts, or network segments
- Out-of-scope systems and prohibited actions
- Candidate MITRE ATT&CK techniques, for example
T1078,T1059,T1003 - Crown jewels, such as “Domain Controller,” “S3 Data Lake,” or “PCI database”
- Detection, logging, and EDR assumptions
- Required output format: plan, attack path table, OPSEC risk register, or JSON
A weak prompt asks for “a red team plan.” A stronger prompt gives constraints the skill can score and sequence.
Prompt pattern for better red-team usage
Use the skill by asking the agent to apply the repository methodology, not just summarize it. Example:
Use the
red-teamskill to create an authorized engagement plan. We have signed RoE for a production-safe simulation against the corporate Windows domain. Starting access level iscredentialed. In scope: AD, endpoint fleet, internal file shares. Out of scope: destructive actions, persistence beyond test window, password spraying, and production data exfiltration. Candidate techniques:T1078,T1059.001,T1003.001,T1550.002. Crown jewels: Domain Controller and HR file share. Prioritize attack paths by effort score and detection risk, identify choke points, list OPSEC risks, and suggest defender validation points.
This prompt works because it supplies authorization, scope, access level, techniques, crown jewels, and output expectations.
Using the engagement planner script
The helper script can be run locally from the skill directory if you want structured output before writing a narrative plan:
python3 scripts/engagement_planner.py --techniques T1059,T1078,T1003 --access-level external --authorized --json
Use --list-techniques to inspect supported technique IDs. Treat the script as a planning aid, not a complete engagement authority. Its built-in technique list is limited, so map your real ATT&CK catalog and environment constraints back into the skill prompt when needed.
red-team skill FAQ
Is red-team for Penetration Testing?
red-team can support red-team for Penetration Testing work, but it is narrower and more strategic than a standard pentest checklist. Penetration testing often emphasizes finding and validating vulnerabilities. This skill emphasizes adversary simulation: sequencing techniques, modeling attack paths, identifying choke points, and testing detection and response controls.
Can beginners use this red-team skill?
Beginners can use it for learning structured engagement planning, but they should not treat it as authorization or operational permission. The skill assumes you understand RoE, scope boundaries, MITRE ATT&CK terminology, access levels, and why OPSEC matters in a legitimate security exercise. If those are unfamiliar, use it with a senior security reviewer.
What are the main adoption blockers?
The biggest blockers are missing authorization, vague scope, and incomplete environment context. The skill cannot responsibly plan around “a company network” without access level, allowed techniques, prohibited actions, crown jewels, and detection assumptions. Another blocker is expecting the included script to cover every ATT&CK technique; it is a practical planner, not a full ATT&CK database.
When should I not use it?
Do not use this skill for unauthorized targeting, exploit development, malware instructions, credential theft, persistence outside an approved test, or live-fire activity without signed RoE. Also avoid it when the task is incident response, compliance evidence collection, or simple vulnerability scanning; those need different workflows.
How to Improve red-team skill
Improve red-team outputs with stronger constraints
The fastest way to improve red-team results is to make constraints explicit. Include time window, business impact limits, allowed tooling, blocked techniques, logging coverage, and what “success” means. For example, “simulate access to the HR file share without data exfiltration” produces safer and more actionable planning than “get to HR data.”
Common failure modes to watch
Watch for plans that are too generic, skip RoE assumptions, over-prioritize flashy techniques, or ignore detection risk. Another common issue is a linear kill chain with no alternatives. Ask for multiple paths, effort scores, likely detection points, and choke points where defenders can measure control effectiveness.
Iterate after the first plan
After the first output, ask targeted follow-ups:
- “Re-rank paths assuming EDR detects PowerShell heavily.”
- “Remove techniques outside credentialed-access scope.”
- “Convert this into a purple-team exercise table.”
- “Add expected telemetry for each phase.”
- “Identify the minimum safe simulation steps for executives.”
These iterations turn the red-team guide into an environment-specific plan instead of a static template.
Extend the skill for your environment
For mature teams, customize the skill inputs with your own ATT&CK mappings, asset criticality model, EDR visibility assumptions, cloud identity paths, and approved technique library. You can also adapt engagement_planner.py to include internal technique constraints, detection scores, and crown jewel definitions. The more the skill reflects your actual controls and RoE, the more useful its attack path analysis becomes.
