The Red Teamer's Guide to Responsibility and Accountability
Learn how responsible red team professionals build trust and ensure that the engagement is effective, and aligned with client goals.
In my earlier post, we discussed how to navigate ethics as a red team professional. Now, let's discuss another important aspect of being a good red team professional: responsibility.
One of the primary attractions of being a red team professional is being able to break into networks and systems where we don’t belong without being legally liable for it, i.e., experiencing the adrenaline rush of being an attacker without any jail time. This gives the illusion that red team professionals can get away with anything. Nothing could be further from the truth.
As red team professionals, we can also be held liable if we are irresponsible during a red team engagement. Examples of irresponsible conduct include, but are not limited to:
Getting carried away while acting as an attacker and causing more harm than good.
Being lax about the security of the client’s or the organization’s exfiltrated data.
Using insecure protocols for C2 communications and data transfer.
Not employing proper authentication mechanisms for verifying C2 server and agents.
Deploying the red team infrastructure without proper security measures in place.
Running a dangerous exploit against production applications without approvals.
Performing the engagement with the mindset that the blue team or defenders are “the enemy”, looking down on them or making them look bad on purpose.
Not maintaining proper operator logs or notes.
Not verifying whether operators are maintaining proper logs and whether those logs are sufficiently detailed.
While I have listed above things that a red team should avoid at all costs, this article by Tim Malcomvetter provides pointers on what a responsible red team should do instead.
Responsibility in red teaming is a critical factor beyond legality and ethics. Responsibility governs day-to-day technical decisions and ensures professionalism, care, and trustworthiness in engagements. It involves safeguarding client data, minimizing risk, and exploiting vulnerabilities without causing undue harm. Practical responsibility includes secure data extraction, mindful handling of sensitive information, and adherence to confidentiality and integrity. Even actions that are legal and ethical can be irresponsible in a red teaming context, which makes the lens of responsibility essential.
In his course, Responsible Red Teaming, Matt Kiely has described four core principles that red team professionals must follow for responsible conduct:
Never Inject Undue Risk: Prioritize client safety by choosing low-risk approaches, even if they are more challenging.
Client’s Interests First: Treat client data with utmost care, seek their guidance, and advise in good faith, always aligning with their best interests.
Maintain Integrity: Build trust through transparent, defensible actions that prioritize the client’s needs and reflect professionalism.
Adversary as a Role, Not Identity: Act as a sparring partner for the defense team, remembering the ultimate goal is to strengthen their security posture, not to emulate a malicious actor's intent.
I recommend that you go through the section Responsible Red Teaming Principles of Matt’s course (it’s free, although you can pay if you want to) and understand each of these principles in detail.
Red Team Notes
Being a responsible red team professional means prioritizing trust, care, and professionalism in every engagement. It's about strengthening blue teams by emulating relevant threats while ensuring client data is protected, secure, and handled responsibly. Success lies in building capability, maintaining accountability, and always acting with integrity to earn trust and improve defenses.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
Finally, here’s an abridged version of Matt Kiely’s The Responsible Red Teamer’s Manifesto. I recommend that you read the following or Matt’s original version before every engagement as a reminder to self for being a responsible red team professional:
I am a Responsible Red Teamer, the defender’s sparring partner. My role is not to defeat the blue team but to strengthen them. My success lies in making defenders more capable through our engagements. We share the same goal: mastering our craft and fortifying defenses.
I prioritize trust and care. Client data is sacred, and I will protect it rigorously, ensuring encryption, secure handling, and positive control at all times. I will never exceed the scope of an engagement, leaving no trace or risk behind.
My actions will be ethical, deliberate, and safe. I will emulate relevant threats aligned with my client’s needs, deploying advanced techniques only when appropriate. Whether relentless or restrained, I will always think creatively, acting with professionalism and purpose.
I am a resource for defenders. I will approach every engagement with clarity, compassion, and professionalism, ensuring my results are impactful and my intentions clear. Trust is earned through my actions and upheld in every interaction.
Until every blue team is prepared and capable, I will hold responsibility as my guiding principle. I am a Responsible Red Teamer, and this is my pledge.