Press TechRound interviews Secure.com CEO on the future of AI security
Read

How AI Red Team Workflows Actually Work, From Scope to Fix

See how an AI red team finds attack paths, tests crown jewels, and turns findings into fixes, mapped to MITRE ATT&CK from day one.

Key Takeaways

  • A governed AI red team runs on rules of engagement first. Scope, boundaries, and human sign-off get set before a single test fires.
  • The real value isn’t finding more bugs. It’s mapping which attack paths actually reach a crown jewel, so teams fix what matters first.
  • Continuous asset discovery closes the gap that a once-a-year pentest leaves wide open.
  • MITRE ATT&CK gives red team findings a shared language that blue teams, auditors, and executives can all read the same way.
  • A finding without a fix is just a to-do list. Remediation guidance and retesting are what close the loop.

A mid-market SaaS company (we’ll keep them anonymous) found 127 attack paths into its production environment in a single week, once it moved from an annual pentest to ongoing testing. None of those paths showed up in last year’s report. That’s not a knock on the old test—it’s just proof that a snapshot from twelve months ago tells you almost nothing about today.

That’s the problem Secure.com’s Infrastructure Security Teammate was built to solve. Not to replace human testers, but to augment security teams by running the repeatable, high-volume parts of adversary emulation every day instead of once a year, so the humans can spend their time on the tricky stuff automation still can’t touch.

How an AI Red Team Actually Runs Day to Day

A Digital Security Teammate running red team operations without rules of engagement is just an attack. The difference between the two is scope, boundaries, and a clear owner for every decision the system makes.

Before any test runs, a governed AI red team platform locks in:

Governed by design

Rules of engagement, locked in before a single test fires

A Digital Security Teammate without scope and sign-off isn’t a red team — it’s just an attack. Three checkpoints keep every action accountable.

01 — SCOPE

What’s in scope

Assets, subnets and identities that are fair game — and what’s explicitly off limits.

02 — SIGN-OFF

What needs human approval

Low-risk probing runs on its own. Anything touching production data waits for a person.

03 — ESCALATION

How findings get escalated

A critical path to a crown jewel doesn’t sit in a queue until Friday’s report.

  • What’s in scope. Which assets, subnets, and identities are fair game, and which are explicitly off limits.
  • What actions require human sign-off. Low-risk probing might run automatically. Anything that could touch production data usually needs a person to approve it first.
  • How findings get escalated. A critical path to a crown jewel doesn’t sit in a queue until Friday’s report.

This is where “governed AI” matters more than raw automation. A system that tests aggressively but can’t explain why it took an action, or who approved it, isn’t something a security leader can defend to an auditor. Governance means the AI acts transparently, logs every step, and keeps a human in the loop on anything consequential.

Building a Program Without Starting From Zero

Teams building an AI red team program from scratch usually start small on purpose:

  • Pick one business-critical system to test continuously first.
  • Anchor every test to a real framework instead of a custom checklist.
  • Add scope gradually as trust in the automation grows.
  • Keep a quarterly human-led exercise running alongside it, to catch what automation misses.

Testing in regulated environments follows the same logic, just with tighter guardrails. Financial services and healthcare teams often restrict automated testing windows, require extra approval steps for anything touching regulated data, and keep a detailed audit trail of every action the AI takes, since regulators will ask for it eventually.

Finding the Paths That Actually Matter

Here’s the part that separates a useful red team exercise from a pile of low-priority findings: not every vulnerability matters equally. A red team that just lists bugs is doing half the job.

Why prioritization matters

One weakness rarely matters. The chain does.

A leaked credential alone is low severity. Chained with the right access, it’s a direct route to a crown jewel — and that combination is what gets flagged urgent.

Crown jewel reached
Customer database

Crown jewels are scored by business impact before testing even starts — so attack paths get prioritized by what they reach, not just what’s technically exploitable.

An AI red team builds attack paths, meaning it chains individual weaknesses together the way a real attacker would. A leaked credential alone might be a low-severity finding. That same credential, combined with an over-permissioned service account and a misconfigured trust relationship, might be a direct route to your customer database. That combination is what actually gets flagged as urgent.

This is where crown jewel identification comes in. Before testing even starts, assets get scored by business impact, not just technical exposure. A test server nobody uses matters less than the system holding customer records or financial data. Attack paths get prioritized based on whether they reach one of those crown jewels, not just whether they’re technically exploitable.

A few specific attack simulations show up constantly in this stage:

  • Privilege escalation chains, where a low-privilege account is tested for paths to admin-level access.
  • Lateral movement simulation, tracing how an attacker who lands on one machine could move to others.
  • Cloud identity and entitlement attacks, since over-permissioned IAM roles are one of the most common ways attackers expand access in cloud environments.
  • Insider threat access abuse, testing what damage a legitimate but misused account could do.
  • Ransomware and supply chain attack paths, which increasingly start with a third-party vendor rather than a direct hit on your own systems.
  • Phishing-to-breach chains, tracing what happens after one person clicks the wrong link, not just whether the email gets flagged.
  • Cloud misconfiguration exploitation, testing whether an open storage bucket or loose security group actually leads anywhere an attacker would want to go.
  • Data exfiltration paths, checking whether sensitive data could actually leave the environment undetected.

None of this replaces a human’s judgment. It just means the humans spend their time on the paths worth their attention, instead of manually tracing every possible chain by hand.

Where an AI Red Team Actually Tests

A red team is only as good as what it can see. That’s why continuous asset discovery sits underneath everything else. New cloud instances, forgotten subdomains, and shadow SaaS accounts show up between scheduled tests all the time. If testing only covers what existed at scope-definition time, everything spun up after that point stays untested until next year.

Modern environments stretch across more surfaces than a single test window can reasonably cover:

Attack surface coverage

If it’s reachable, it should be in scope — the moment it appears

Modern environments spread across more surfaces than any single test window can cover. New assets get folded into scope automatically, instead of waiting for next year’s review.

Multi-cloud & hybrid

AWS, Azure, GCP and on-prem side by side.

Containers & Kubernetes

Misconfigured roles, exposed dashboards.

Serverless functions

Often skip network-level scrutiny entirely.

Web apps & APIs

Still the most common attacker entry point.

Network & DNS exposure

Perimeter and subdomains — the classic recon targets.

Third-party vendors

A partner’s weak security can become your breach.

New assets get folded into the testing scope automatically as they appear, instead of waiting for the next quarterly review. That’s also when incident response readiness gets checked, by seeing whether the security team notices and reacts to a simulated attack in real time, not just whether the exploit technically worked.

From Finding to Fixed: Remediation, Reporting, and ATT&CK

A finding that never gets fixed isn’t worth much. This is the stage most red team programs get wrong, and it’s where the operational workflow matters as much as the testing itself.

Every finding gets:

  • Prioritized by business impact, not just a generic severity score
  • Deduplicated across testing cycles, so the same root cause doesn’t generate ten separate tickets
  • Paired with remediation guidance, meaning specific steps to close the gap, not just a description of the problem
  • Tracked through to retest, confirming the fix actually holds once it’s deployed
  • Logged over time, so a security lead can see whether the same class of issue keeps resurfacing across cycles, not just whether last week’s list got shorter

None of that matters if findings die in a spreadsheet. A finding needs to land where the team already works: opened as a ticket automatically, checked against what a vulnerability management tool already knows about that asset, and cross-referenced with SIEM and detection data to see if the attack would have even been noticed. That connective tissue is what turns a red team report into an actual workflow instead of a document someone reads once.

Where findings actually go

A finding without a fix is just a to-do list

Remediation is where most red team programs quietly stall. Here’s the workflow that keeps a finding moving until it’s actually closed.

1
Prioritized

By business impact, not a generic score.

2
Deduplicated

One root cause, one ticket — not ten.

3
Guided

Paired with the exact steps to close it.

4
Retested

Confirms the fix actually holds.

5
Logged

Tracked over time, cycle to cycle.

SHAPES THE NEXT CYCLE
Patterns from this cycle shape what gets tested first next time
Opens as a ticket Checked vs. vuln data Cross-referenced with SIEM Mapped to MITRE ATT&CK

Findings also need to speak more than one language. A technical team wants a step-by-step reproduction path. A board wants a short, plain-English answer to “are we exposed, and what are we doing about it.” A MITRE ATT&CK mapping bridges both, showing exactly which adversary tactics and techniques were tested, caught, or missed, and giving a simple coverage number leadership can track quarter over quarter. That framework is what lets a red team result connect cleanly to a risk register without losing meaning in translation.

The loop closes with the blue team. Findings should feed straight into detection engineering, not sit in a PDF. Purple team exercises, where red and blue teams work from the same findings in real time, are one of the fastest ways to confirm that a fix actually improved detection coverage, not just patched one hole. Over enough cycles, the system also gets sharper on its own, since patterns from past engagements shape which paths get tested first the next time around.

CONTINUOUS MONITORING: ACTIVE AWS · Azure · GCP · SaaS · On-Prem
Secure.com — Infrastructure Security Teammate

Finding the hole is the easy part. Closing it — and keeping it closed — is the job.

Our Infrastructure Security Teammate runs the workflow above continuously, then pairs it with drift detection and remediation so findings don’t just get documented. They get tracked, fixed, and proven.

Continuous, agentless discovery

New assets across cloud and on-prem are folded into scope the moment they appear.

Automatic crown jewel scoring

CIA scoring — Confidentiality, Integrity, Availability — flags what matters most.

CIS & DISA STIG benchmarking

Configurations are checked against the standards auditors already trust.

Blast radius mapping

Attack paths show where a misconfiguration actually leads, not just where it sits.

Auto-remediated drift

Low-risk configuration drift is fixed automatically the moment it’s detected.

Routed human approval

Higher-impact fixes go to the right owner with SLAs and a full audit trail.

Paired with the Compliance Teammate for audit evidence, findings don’t stop at a report — they’re tracked, assigned, and closed with proof to show for it.
Explore the Infrastructure Security Teammate See it map your own attack paths, live.

FAQs

Can an AI red team support SOC 2 or PCI DSS penetration test requirements?
Yes, though it usually works alongside a human-led engagement rather than replacing it entirely. Most frameworks accept continuous, automated testing as evidence of ongoing security validation, as long as findings, retest results, and audit trails are documented clearly.
Does an AI red team cost less than a traditional one?
Often, yes, mainly because continuous automated testing handles the repeatable, high-volume work that would otherwise need a large team running manual tests around the clock. Human red teamers still handle the creative, judgment-heavy work, so most programs end up as a mix of both rather than a full replacement.
How does an AI red team handle testing without breaking production?
Through rules of engagement set before testing starts. Low-risk checks might run automatically, while anything that could touch live data or disrupt uptime typically needs human approval first. Scope boundaries are enforced the same way every time, not left to judgment calls mid-test.
Should testing run monthly or continuously?
It depends on how fast your environment changes. Teams shipping code weekly or managing complex cloud environments generally need continuous testing to keep pace. Slower-moving, more static environments might get by with monthly checks, though continuous discovery still helps catch new assets in between.

Conclusion

An AI red team isn’t really about running more tests. It’s about running the right ones, on the paths that actually lead somewhere, and making sure a finding turns into a fix instead of a forgotten line in a report. Rules of engagement keep it accountable. Attack path mapping keeps it focused. And a system built to catch drift after the test ends is what keeps that work from unraveling a month later.