Scoping a red team engagement
How to scope a red team engagement and considerations to keep in mind while creating the scope.
Scoping is perhaps one of the most important activities of a red team engagement. The quality of scope often decides the success or failure of an engagement. A well-defined scope helps identify the goals, rules of engagement, boundaries, and constraints of the assessment.
The scope of a red team engagement answers the following questions:
- What will and will not be assessed during the engagement? - This includes the hosts, applications, IP addresses etc. that the red team is allowed to breach. It also lists what the team must not breach or infiltrate during the engagement. The list of what not to touch depends on the type of red team assessment being conducted.
- Who will be involved in the engagement? - This includes the members of the red team conducting the engagement, senior leadership such as the CISO or CIO, the members of the white cell, the trusted agent, technical and operational personnel, and legal and compliance personnel. It is important that the right set of people take part in scoping discussions so that expectations for the outcome of the engagement are set correctly.
- When will the engagement be conducted? - This includes the important timelines of the engagement, such as the start and end dates and reporting deadlines.
- Where will the engagement be conducted? - This includes the physical locations that are in scope for the engagement. It also includes the location from which the engagement will be conducted, i.e. where the red team will be based. Certain organizations may not be comfortable with a red team operating from outside their premises because of the nature of the engagement, especially when the engagement is conducted by an external service provider.
- Why is the organization conducting the engagement? - This is not a direct part of the scope but is equally important. It explains the motivation behind the engagement, and from that the objective is derived. It also helps the red team understand the maturity of the security controls at the target organization. Understanding the 'why' is crucial for the success of the engagement.
- How will the engagement be conducted? - This is another important aspect of the scope. The 'how' answers questions such as the type of red team engagement, the model for the engagement, whether it will be announced or unannounced, and the methodology to be used during the execution phase. Most of these are decided based on the objective (answered in the 'why' part) of the engagement. It also records the types of attacks that are out of scope, for example physical break-ins, phishing the CEO, or running an exploit against a host or an application (even if they are in scope). It may also include information about the tools that will be used during the engagement.
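The what, when and how answers above translate directly into a machine-checkable scope: in-scope networks and domains, an explicit exclusion list that always takes precedence, the engagement window, and the attack types ruled out by the rules of engagement. The following is an added example, not code from the original post or the 100 Days of Red Team project, of a scope gate that an operator's tooling can consult before any action is taken; the `EngagementScope` structure, the `check_action` function and the sample values (RFC 5737 documentation addresses and example.com) are all assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class EngagementScope:
    """Machine-readable form of the scope document (hypothetical structure)."""
    in_scope_networks: tuple          # CIDR strings the team may assess
    in_scope_domains: tuple           # domain suffixes the team may assess
    excluded_hosts: frozenset         # IPs/hostnames that must never be touched
    forbidden_techniques: frozenset   # attack types ruled out in the 'how' section
    window_start: datetime            # engagement start (UTC)
    window_end: datetime              # engagement end (UTC)

    def host_in_scope(self, target: str) -> bool:
        # Exclusions win over inclusions: an excluded host that sits inside an
        # in-scope network or domain is still out of bounds.
        if target.lower() in self.excluded_hosts:
            return False
        try:
            addr = ip_address(target)
        except ValueError:
            # Not an IP literal: treat it as a hostname and match on domain suffix.
            host = target.lower().rstrip(".")
            return any(host == d or host.endswith("." + d) for d in self.in_scope_domains)
        return any(addr in ip_network(net) for net in self.in_scope_networks)

    def in_window(self, when: datetime) -> bool:
        return self.window_start <= when <= self.window_end

    def technique_allowed(self, technique: str) -> bool:
        return technique.lower() not in self.forbidden_techniques


def check_action(scope: EngagementScope, target: str, technique: str, when: datetime):
    """Return (allowed, reason). Every planned action passes through this gate
    before execution; a False result is logged and escalated, never overridden."""
    if not scope.in_window(when):
        return False, f"{when.isoformat()} is outside the engagement window"
    if not scope.host_in_scope(target):
        return False, f"{target} is not in scope or is explicitly excluded"
    if not scope.technique_allowed(technique):
        return False, f"technique '{technique}' is ruled out by the rules of engagement"
    return True, "action is within scope"


# Constructed sample scope: RFC 5737 documentation range, example.com, and a
# two-week window. Real values come from the signed scope document.
SAMPLE_SCOPE = EngagementScope(
    in_scope_networks=("192.0.2.0/24",),
    in_scope_domains=("example.com",),
    excluded_hosts=frozenset({"192.0.2.50", "payroll.example.com"}),
    forbidden_techniques=frozenset({"physical-break-in", "phishing-executives", "exploit-execution"}),
    window_start=datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 15, 18, 0, tzinfo=timezone.utc),
)

# Constructed timestamps: one inside the window, one after it closed.
T_IN = datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)
T_OUT = datetime(2024, 3, 20, 10, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    planned = [
        ("192.0.2.10", "web-app-testing", T_IN),        # allowed
        ("192.0.2.50", "web-app-testing", T_IN),        # excluded host inside in-scope range
        ("198.51.100.7", "web-app-testing", T_IN),      # network never in scope
        ("payroll.example.com", "web-app-testing", T_IN),  # excluded hostname
        ("192.0.2.10", "phishing-executives", T_IN),    # forbidden technique
        ("192.0.2.10", "web-app-testing", T_OUT),       # outside the window
    ]
    for target, technique, when in planned:
        allowed, reason = check_action(SAMPLE_SCOPE, target, technique, when)
        print(f"{'ALLOW' if allowed else 'DENY '} {target:22} {technique:22} {reason}")
```

The design choice worth noting is the order of checks and the precedence of exclusions: the gate refuses anything outside the time window first, then anything not positively listed, and it treats the exclusion list as authoritative even when the host falls inside an in-scope CIDR. That mirrors how a well-written scope reads, where the "do not touch" list overrides the broader "in scope" ranges.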
Red Team Notes
- The scope of a red team engagement answers the what, who, when, where, why and how of the engagement. The answer to each question makes the scope more meaningful and well-defined.
- The quality of the scope is often the deciding factor between success and failure of the engagement.
In addition to the above, the scope will also include information about the deliverables of the engagement, a communication plan for emergencies or findings during the engagement, the rules of engagement, legal authorization for conducting the engagement (i.e. the 'get out of jail' card), information about any potential impact on business operations or employees during the engagement window, and the assumptions being made about the target environment.