How mature is your red team?
How do you track your red team's maturity? The Red Team Capability Maturity Model may be the answer.
What is the first thing that comes to your mind when you read “red team”? Is it hack, hack and then hack some more? You are not alone.
What is the first thing that comes to your mind when you read “enterprise red team”? Is it a group of red team operators hacking away at their terminals? You are not alone in this either.
At a holistic level, a red team is an enterprise process and, like any other enterprise process, it needs to be tracked and matured. Without a proper method to gauge a red team’s effectiveness or maturity, an organisation will not know the value the red team is adding to the business.
A recommended method to track the maturity of processes over time (especially IT or software development related ones) is the Capability Maturity Model (CMM). Over the years, CMM has been adapted to and implemented for tracking the maturity of a variety of enterprise processes.
Recently, Brent Harrell and Garet Stroup adapted the CMM to measure the maturity and effectiveness of red teams and published the Red Team Maturity Model. The groundwork for this was laid by Jordan Potti, Noah Potti and Trevin Edgeworth, when they created their version of the Red Team Maturity Model.
Red Team Notes
- Harrell and Stroup’s adaptation is more closely aligned with the CMM, whereas Potti, Potti and Edgeworth’s adaptation is more simplified.
In my opinion, large enterprise red teams will benefit from Harrell and Stroup’s adaptation (though it will work for smaller organisations as well, albeit a bit complex), whereas small and medium-sized enterprise red teams can use Potti, Potti and Edgeworth’s adaptation as a starting point.
The authors of both adaptations have done an excellent job of describing them on their respective websites (Harrell and Stroup’s website; Potti, Potti and Edgeworth’s website).
Harrell and Stroup also presented their model at BSides Las Vegas, 2023. Below is the recording of their presentation.