
Adversaries don’t rely on luck; they rely on patterns. After 20+ years in security and managing several hundred Red Team engagements, I’ve noticed that the same five mistakes keep surfacing:
- Improper Secrets Management
- Excessive User Privileges
- Lack of Proper Network Segmentation
- Overreliance on User Training to Stop Social Engineering
- Poor or Default Security Detections
These gaps aren’t just theoretical—they’re grounded in real-world findings. In fact, approximately 90% of all Red Team engagements still exhibit at least one of these vulnerabilities. They’re common, avoidable missteps that leave organizations exposed to compromise.
1. Improper Secrets Management
Attackers often don’t need zero-day exploits to win—sometimes they just need to look around. Plaintext credentials stored in SharePoint folders, internal wikis, or even spreadsheets are all too common. These are jackpot moments for attackers, enabling them to bypass authentication and quickly move laterally across systems, escalate privileges, or gain deeper access to sensitive resources with minimal effort.
A successful compromise can often be traced back to poorly stored passwords. People store credentials in places they should never be. Red Teams love to find these—sometimes it means the difference between failure and success on an engagement.
SOLUTION: Use secure secrets management tools to store user credentials. Lock down access to sensitive information and regularly audit your environment for exposed secrets.
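One way to start the audit the solution above calls for is a scan of exported wiki pages and file-share spreadsheets for credential-like fields. This is an added example, not Bishop Fox code; the documents and credential values are constructed, and the report masks each value so the audit output does not become one more place secrets live.

```python
import re

# Constructed sample documents standing in for a wiki export and a spreadsheet
# on a file share; none of these are real credentials.
SAMPLE_DOCS = {
    "wiki/onboarding.md": "Welcome!\nVPN account: svc_backup password=Summer2024!\nAsk IT for help.\n",
    "shares/IT/hosts.csv": "host,admin_user,admin_pwd\ndc01,administrator,P@ssw0rd123\nweb01,deploy,\n",
    "wiki/howto-api.md": "Set API_KEY=AKIAEXAMPLEKEY0000001 in your env.\nDo not share it.\n",
}

# key=value style assignments of credential-like fields inside free text
KV_PATTERN = re.compile(r"(?i)\b(password|passwd|pwd|api[_-]?key|secret|token)\s*[=:]\s*(\S+)")
# column headers in spreadsheet/CSV exports that usually hold credentials
CREDENTIAL_HEADER = re.compile(r"(?i)pass|pwd|secret|token|api[_-]?key")

def mask(value):
    """Keep only the last two characters so the report does not leak the secret itself."""
    return "*" * max(len(value) - 2, 0) + value[-2:]

def scan_text(path, text):
    """Findings are (path, line number, field name, masked value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KV_PATTERN.finditer(line):
            findings.append((path, lineno, m.group(1).lower(), mask(m.group(2))))
    return findings

def scan_csv(path, text):
    """Flag every non-empty cell in a column whose header looks like a credential field."""
    rows = [r.split(",") for r in text.splitlines() if r.strip()]
    if not rows:
        return []
    cred_cols = [i for i, h in enumerate(rows[0]) if CREDENTIAL_HEADER.search(h)]
    findings = []
    for lineno, row in enumerate(rows[1:], 2):
        for i in cred_cols:
            if i < len(row) and row[i].strip():  # empty cells are not findings
                findings.append((path, lineno, rows[0][i].lower(), mask(row[i].strip())))
    return findings

def audit(docs):
    """Pick the scanner by document type and return findings sorted by path."""
    findings = []
    for path, text in docs.items():
        findings += scan_csv(path, text) if path.endswith(".csv") else scan_text(path, text)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_DOCS):
        print(finding)
```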
2. Excessive User Privileges
Too many users are “running with scissors.” When someone with unnecessary admin privileges clicks the wrong link or runs the wrong script, the consequences can be catastrophic. Attackers can take advantage of these elevated privileges to gain full domain control or access sensitive data in just days—sometimes even hours—without triggering a single alert.
SOLUTION: Apply least privilege principles rigorously. Ensure users only have access they need—nothing more. Regularly review entitlements and remove unnecessary admin rights.
3. Lack of Proper Network Segmentation
Flat network architecture is one of the fastest ways to turn a minor compromise into a major incident. Time and again, we see internal networks designed for user convenience and accessibility, not security.
A lack of segmentation means that once attackers gain access to one part of your environment, they often have free rein across your network — including critical systems like servers, operational technology (OT), or cloud infrastructure.
SOLUTION: Segment your network. Restrict lateral movement between user, server, and OT environments. Enforce access control lists and monitor east-west traffic.
4. Overreliance on User Training to Stop Social Engineering
Security awareness is important, but it’s not a silver bullet. Attackers and Red Teams continue to succeed with social engineering—even against well-trained workforces. One Bishop Fox client had phishing-resistant MFA in place—FastPass and YubiKeys included—but an attacker still persuaded an employee to insert their YubiKey and approve the login. That one approval opened the door. Even phishing-resistant MFA isn’t bulletproof when human trust is involved.
Susceptibility to phishing or social engineering will never reach zero. There will always be some people who click malicious links or download attachments, so you need to provide a proper safety net for when, not if, that happens. Organizations must assume user error and plan accordingly.
SOLUTION: Assume user error. Deploy layered technical defenses like DNS sinkholing, sandboxing, and URL filtering. These controls help catch and contain threats even after a user clicks.
5. Poor or Default Security Detections
Many teams assume their security tools will catch everything, but adversaries test their malware against off-the-shelf EDR tools long before hitting your network. What they can’t predict are your custom detections, tuned to your business logic and to unusual behavior such as logins from unexpected locations.
Attackers have access to popular tools like CrowdStrike. They can test in their labs what gets detected, so they know what not to do in a real target environment. What they don't have is visibility into any custom logic you've baked into your security detections.
SOLUTION: Build custom detection rules. Monitor for suspicious behavior specific to your environment—like privileged logins from unfamiliar geolocations or unauthorized access to sensitive systems.
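The two detections named above, privileged logins from unfamiliar geolocations and access to sensitive systems by users not authorized for them, as an added example that is not Bishop Fox code. The authentication events, user names, hosts and the allow-list of who may touch each sensitive host are all constructed; the baseline of known countries per privileged user is learned from an earlier window of the same log.

```python
import json
from collections import defaultdict

# Constructed authentication events as JSON lines; not real data.
# Fields: ts, user, host, country of the source IP, admin (privileged session).
SAMPLE_LOG = """
{"ts": "2024-05-01T08:02:11Z", "user": "alice", "host": "dc01", "country": "US", "admin": true}
{"ts": "2024-05-01T08:15:40Z", "user": "bob", "host": "fileshare", "country": "US", "admin": false}
{"ts": "2024-05-02T09:01:03Z", "user": "alice", "host": "dc01", "country": "US", "admin": true}
{"ts": "2024-05-03T22:47:19Z", "user": "alice", "host": "dc01", "country": "RO", "admin": true}
{"ts": "2024-05-03T23:02:55Z", "user": "bob", "host": "payroll-db", "country": "US", "admin": false}
"""

# Business knowledge a vendor's default rules cannot have (hypothetical values):
# sensitive host -> set of accounts allowed to access it.
SENSITIVE_HOSTS = {"payroll-db": {"hr-svc", "alice"}}

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def baseline_countries(events):
    """Per privileged user, the set of countries seen during the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e["admin"]:
            seen[e["user"]].add(e["country"])
    return seen

def detect(events, baseline):
    """Apply both custom rules; returns (rule, user, detail) alerts in log order."""
    alerts = []
    for e in events:
        # Rule 1: privileged login from a country never seen for this user.
        if e["admin"] and e["country"] not in baseline.get(e["user"], set()):
            alerts.append(("privileged_login_unfamiliar_geo", e["user"], e["country"]))
        # Rule 2: access to a sensitive host by an account not on its allow-list.
        allowed = SENSITIVE_HOSTS.get(e["host"])
        if allowed is not None and e["user"] not in allowed:
            alerts.append(("unauthorized_sensitive_host_access", e["user"], e["host"]))
    return alerts

def run_sample():
    """Learn the baseline from the first two days, then detect over the rest."""
    events = parse_events(SAMPLE_LOG)
    train = [e for e in events if e["ts"] < "2024-05-03"]
    test = [e for e in events if e["ts"] >= "2024-05-03"]
    return detect(test, baseline_countries(train))

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In production the baseline would come from weeks of history and the allow-list from an identity or CMDB source, but the logic stays the same.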
Shift the Advantage Back to the Defender
These mistakes may seem minor in significance, but they are very often the breadcrumbs that attackers follow. If these gaps exist in your environment, an attacker—or Red Team—won’t just find them, they’ll exploit them. Fixing these five areas won’t make you immune to an attack, but it will make life much harder for any would-be intruder.
And that’s the point: Raise the bar so attackers must work harder, take noisier steps, and increase their risk of detection.
If you want to maximize the value of a Red Team engagement—and stand a chance against advanced adversaries—start by fixing these five common mistakes first. Otherwise, you’re simply handing over the keys before the test even begins.
For a deeper dive into what it takes to prepare for Red Teaming, watch my virtual session: “Red Teaming: Is Your Security Program Ready for the Ultimate Test?”