
Before You Red Team: Fix These 5 Common Mistakes



Adversaries don’t rely on luck; they rely on patterns. After 20+ years in security and managing several hundred Red Team engagements, I’ve noticed that the same five mistakes keep surfacing:

  1. Improper Secrets Management
  2. Excessive User Privileges
  3. Lack of Proper Network Segmentation
  4. Overreliance on User Training to Stop Social Engineering
  5. Poor or Default Security Detections

These gaps aren’t just theoretical—they’re grounded in real-world findings. In fact, approximately 90% of all Red Team engagements still exhibit at least one of these vulnerabilities. They’re common, avoidable missteps that leave organizations exposed to compromise.

1. Improper Secrets Management

Attackers often don’t need zero-day exploits to win—sometimes they just need to look around. Plaintext credentials stored in SharePoint folders, internal wikis, or even spreadsheets are all too common. These are jackpot moments for attackers, enabling them to bypass authentication and quickly move laterally across systems, escalate privileges, or gain deeper access to sensitive resources with minimal effort.

A successful compromise can often be traced back to poorly stored passwords. People store credentials in places they should never be. Red Teams love to find these—sometimes it means the difference between failure and success on an engagement.

SOLUTION: Use secure secrets management tools to store user credentials. Lock down access to sensitive information and regularly audit your environment for exposed secrets.

2. Excessive User Privileges

Too many users are “running with scissors.” When someone with unnecessary admin privileges clicks the wrong link or runs the wrong script, the consequences can be catastrophic. Attackers can take advantage of these elevated privileges to gain full domain control or access sensitive data in just days—sometimes even hours—without triggering a single alert.

SOLUTION: Apply least privilege principles rigorously. Ensure users only have access they need—nothing more. Regularly review entitlements and remove unnecessary admin rights.

3. Lack of Proper Network Segmentation

Flat network architecture is one of the fastest ways to turn a minor compromise into a major incident. Time and again, we see internal networks designed for user convenience and accessibility, not security.

A lack of segmentation means that once attackers gain access to one part of your environment, they often have free rein across your network—including critical systems like servers, operational technology (OT), or cloud infrastructure.

SOLUTION: Segment your network. Restrict lateral movement between user, server, and OT environments. Enforce access control lists and monitor east-west traffic.

4. Overreliance on User Training to Stop Social Engineering

Security awareness is important, but it’s not a silver bullet. Attackers and Red Teams continue to succeed with social engineering—even against well-trained workforces. One Bishop Fox client had phishing-resistant MFA in place—FastPass and YubiKeys included—but an attacker still persuaded an employee to insert their YubiKey and approve the login. That one approval opened the door. Even phishing-resistant MFA isn’t bulletproof when human trust is involved.

Susceptibility to phishing or social engineering will never reach zero. There will always be some people who click malicious links or download attachments, so you need to provide a proper safety net for when, not if, that happens. Organizations must assume user error and plan accordingly.

SOLUTION: Assume user error. Deploy layered technical defenses like DNS sinkholing, sandboxing, and URL filtering. These controls help catch and contain threats even after a user clicks.

5. Poor or Default Security Detections

Many teams assume their security tools will catch everything, but adversaries test their malware against off-the-shelf EDR tools long before hitting your network. What they can’t predict are your custom detections, which are tuned to your business logic and to behavior that is unusual for your environment, such as logins from unexpected locations.

Attackers have access to popular tools like CrowdStrike. They can test in their labs what gets detected, so they know what not to do in a real target environment. What they don't have is visibility into any custom logic you've baked into your security detections.

SOLUTION: Build custom detection rules. Monitor for suspicious behavior specific to your environment—like privileged logins from unfamiliar geolocations or unauthorized access to sensitive systems.
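The following is an added example of the kind of environment-specific rule described above, written for this page rather than taken from Bishop Fox. It assumes a JSON-lines login log with `ts`, `user`, `country` and `success` fields, and treats the privileged-account list and each account's baseline countries as hypothetical inline data; a privileged account with no baseline yet is alerted on everywhere rather than silently allowed.

```python
import json

# Constructed sample login events (JSON lines), not from the original post.
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:02:11Z", "user": "jdoe", "country": "US", "success": true}
{"ts": "2024-05-01T08:15:42Z", "user": "svc_backup", "country": "US", "success": true}
{"ts": "2024-05-01T09:30:05Z", "user": "jdoe", "country": "FR", "success": true}
{"ts": "2024-05-01T23:47:19Z", "user": "svc_backup", "country": "RO", "success": true}
{"ts": "2024-05-02T02:10:00Z", "user": "da_admin", "country": "BR", "success": false}
{"ts": "2024-05-02T02:11:30Z", "user": "da_admin", "country": "BR", "success": true}
{"ts": "2024-05-02T07:00:00Z", "user": "new_admin", "country": "US", "success": true}
"""

# Hypothetical privileged accounts and the countries each one normally logs in from.
PRIVILEGED = {"svc_backup", "da_admin", "new_admin"}
BASELINE = {"svc_backup": {"US"}, "da_admin": {"US", "CA"}}  # new_admin: no baseline yet


def parse_events(text):
    """Parse JSON-lines login records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_unfamiliar_privileged_logins(events, privileged, baseline):
    """Alert on successful logins by privileged accounts from a country outside
    that account's baseline. An account with no baseline is unfamiliar everywhere,
    so a brand-new admin triggers review instead of being silently allowed."""
    alerts = []
    for e in events:
        if e["user"] not in privileged or not e["success"]:
            continue  # non-privileged users and failed attempts are out of scope here
        known = baseline.get(e["user"], set())
        if e["country"] not in known:
            alerts.append({"ts": e["ts"], "user": e["user"],
                           "country": e["country"], "baseline": sorted(known)})
    return alerts


def run_rule(log_text=SAMPLE_LOG):
    """Run the rule over a log text and return the list of alerts."""
    return detect_unfamiliar_privileged_logins(parse_events(log_text), PRIVILEGED, BASELINE)


if __name__ == "__main__":
    for a in run_rule():
        print(f"ALERT {a['ts']} privileged user {a['user']} logged in from "
              f"{a['country']} (baseline: {a['baseline'] or 'none'})")
```

On the sample data the rule fires three times (svc_backup from RO, da_admin from BR, and new_admin with no baseline) while ignoring the non-privileged jdoe from FR and the failed da_admin attempt.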

Shift the Advantage Back to the Defender

These mistakes may seem minor in significance, but they are very often the breadcrumbs that attackers follow. If these gaps exist in your environment, an attacker—or Red Team—won’t just find them, they’ll exploit them. Fixing these five areas won’t make you immune to an attack, but it will make life much harder for any would-be intruder.

And that’s the point: Raise the bar so attackers must work harder, take noisier steps, and increase their risk of detection.

If you want to maximize the value of a Red Team engagement—and stand a chance against advanced adversaries—start by fixing these five common mistakes first. Otherwise, you’re simply handing over the keys before the test even begins.

For a deeper dive into what it takes to prepare for Red Teaming, watch my virtual session: “Red Teaming: Is Your Security Program Ready for the Ultimate Test?”


    About the author, Trevin Edgeworth

    Red Team Practice Director

    Trevin Edgeworth is the Red Team Practice Director at Bishop Fox, where he focuses on building and leading best-in-class adversary emulation services to help customers of all sizes and industries strengthen their defenses against current and emerging threats.

    Trevin has over 20 years of security experience; he has built and overseen red team programs for several Fortune 500 companies, including American Express, Capital One Financial, and Symantec Corporation. Other accomplishments include leading a security organization as Chief Security Officer (CSO) for a major security company. Trevin has led a variety of security functions in his career, including cyber threat intelligence, hunt, deception, insider threat, and others.

    Trevin is an active member of the security community. He has presented at several industry conferences and been interviewed by leading publications on topics such as red teaming and threat intelligence.
