Starting a Red Team — Part 1: From Dust

Steve Myrick
Nov 4 · 3 min read

“We need a Red Team.” These 5 simple words have sent me down a path that started with a mandate and some recruiting budget and will (hopefully) end with a world-class red team.


It’s the summer of 2019 and I had started a new role in security engineering, building out antivirus and DLP tools. I had gone looking for greener pastures after feeling stagnant in my first pentest (read: appsec) role. But that thing about the grass being greener occasionally turns out to be true. A colleague whom I’d worked with at that first pentest role (and subsequently the engineering role as well) had recently left for an opportunity to start a fledgling red team. And as I had done before, I followed.

The sunk cost fallacy applies to jobs too. If you’re not happy, don’t turn down a good opportunity just because you haven’t been at your current role that long.

I traded in my blue badge and this view:

However, my actual desk faced the parking deck.

For an orange badge, and this view:

I guess I’m a baseball fan now?

Day 1. Let’s take stock of what we’ve got.

Processes? No. Methodologies? No. Tooling? Partially. Executive buy-in? Definitely. People? Just 2. Mission statement? More like a dream, but sure.

One of these, however, is arguably the most important — executive buy-in. If your team doesn’t have the backing of upper management, you won’t get budget for new hires when someone leaves or that fancy new password cracking rig. More importantly — you won’t have anybody to bat for you when someone’s scan takes down the network for a few minutes.

When interviewing, ask what level of executive buy-in the team has. Ask what would happen if your team accidentally broke something in prod. The enthusiasm in their response will speak just as loud as their words.

How do you move a mountain? One rock at a time. We all know it’s impossible to build a team, let alone an entire program, overnight. Though, in this situation, we have to straddle the line between taking months to build a solid foundation for future success and immediately attempting to produce measurable output (read: completed engagements).

As we scrambled to piece together what tools we could quickly get licenses for, we luckily found a few eager teams ready to throw their apps to the fledgling security team. While we happily accepted their requests, in my head I was thinking how refreshing it was to actually have a dev team approach security instead of trying to herd cats.

Never underestimate the benefit of having dev teams interested in security and not afraid of security assessments. They’ll be your greatest allies.

As our director dredged through the mountains of resumes in an attempt to fill our next few reqs, it became clear that we needed to fill our roles — and fast.


Next up, Part 2: New Hires, Assemble.
