Press TechRound interviews Secure.com CEO on the future of AI security
Read

How Does a Red Team Build an Attack Chain?

Learn how red teams link small weaknesses into a full attack chain, step by step, using MITRE ATT&CK and real adversary behavior.

Key Takeaways

  • An attack chain is a linked sequence of small weaknesses that add up to a full compromise, not one dramatic hack.
  • Red teams plan attack chains using frameworks like the Cyber Kill Chain and MITRE ATT&CK to keep the work structured and repeatable.
  • The chain typically moves through recon, initial access, execution, privilege escalation, lateral movement, and finally the objective itself.
  • A chain is only as strong as its weakest, quietest link. Attackers look for the boring stuff: a stale password, an open port, a forgotten service account.
  • Annual red team tests only catch the chain that existed on test day. Your environment changes every week, so the chain does too.

In July 2025, attackers didn’t need a zero-day to walk out with data on 1.4 million people. They talked their way into a third-party CRM platform through a simple social engineering trick. A few weeks later, a nearly identical story played out at another company, this time hitting 4.4 million records. Neither business got hit by one massive exploit. They got hit because a handful of small, unremarkable weaknesses lined up just right.

That lineup is called an attack chain. And building one on purpose, safely and with permission, is exactly what a red team does for a living.

What Is an Attack Chain, Exactly?

An attack chain is the full path an attacker takes from their first foothold to their final goal. It’s rarely one clever trick. It’s a series of smaller steps, each one opening the door to the next.

Picture it like a set of dominoes. A weak password by itself might not matter much. But that password gets an attacker into an email account. That email account has access to a shared drive. That drive has a spreadsheet with admin credentials someone forgot to delete. Now the attacker owns the domain. No single step looks scary on its own. Together, they’re a breach.

Red teams build this same kind of chain, minus the actual damage, to answer one question for a company: if a real attacker started here, how far could they actually get?

Attack Chain vs. Kill Chain: Are They the Same Thing?

Mostly, yes. “Kill chain” comes from military language and was adapted for cybersecurity as the Cyber Kill Chain, a seven-stage model: recon, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. “Attack chain” is the more general term for the same idea, the connected sequence of steps an attacker follows. Some teams also use the Unified Kill Chain, an 18-stage model that folds in more of what happens after the initial break-in. Whichever label you use, the point stays the same: attacks are chains, not single events.

How Red Teams Actually Build an Attack Chain, Step by Step

Here’s what the process looks like in practice, based on how most professional red team engagements are actually run.

The Attack Chain

Five steps. One full compromise.

No single link looks dangerous on its own — that’s the point. Here’s the path a red team (and a real attacker) follows from first contact to final objective.

STEP 01

Reconnaissance

LinkedIn profiles, exposed subdomains, forgotten test servers, and vendor integrations — 20–30% of the whole engagement.

STEP 02

Initial Access

Phishing, an exposed app, an abused VPN, or a soft entry through a third-party connection. Just one working foothold.

STEP 03

Execution & Persistence

A scheduled task or small backdoor, so the foothold survives a reboot or password change.

STEP 04

Privilege Escalation & Lateral Movement

Misconfigured permissions, cached credentials, and weak segmentation turn one small win into a real chain.

STEP 05

Actions on Objectives

Domain admin, customer records, or financial systems — the scoped goal, documented step by step.

Step 1: Reconnaissance

Before anyone touches a keyboard against the live target, the team gathers intelligence. This is often the most time-consuming phase, sometimes 20 to 30 percent of the whole engagement. They’re looking for:

  • Public employee information (LinkedIn, company bios, conference talks)
  • Exposed subdomains, cloud storage buckets, and forgotten test servers
  • Technology stack clues from job postings and DNS records
  • Third party vendors and integrations that might offer a softer way in

Good recon isn’t glamorous. It’s mostly reading. But it decides everything that comes next. Teams that skip it end up guessing.

Step 2: Initial Access

This is the first real foothold. Common entry points include:

  • Phishing or spear phishing emails
  • Exploiting an internet-facing application
  • Abusing exposed remote access tools like VPNs or RDP
  • Compromising a third party or supply chain connection

The goal at this stage is small. Get one working credential, one running shell, one foot in the door. Nothing more.

Step 3: Execution and Persistence

Once inside, the red team needs to make sure that foothold survives a reboot or a password change. This might mean creating a scheduled task, planting a small backdoor, or setting up a way to reconnect later. Real attackers do the same thing because losing access after all that recon work is a waste of their time too.

Step 4: Privilege Escalation and Lateral Movement

A single low-level account rarely gets an attacker to the goal. So the chain grows. Teams look for:

  • Misconfigured permissions that let a regular user act like an admin
  • Cached credentials sitting in memory
  • Trust relationships between systems that let one compromised machine reach another
  • Weak segmentation between departments, cloud accounts, or environments

This is where a single weakness turns into a real attack chain. One small win opens access to the next system, and the next.

Step 5: Actions on Objectives

Every engagement is scoped around a specific goal set with the client ahead of time. That might mean reaching a database with customer records, gaining domain admin, or proving access to financial systems. The red team documents exactly how they got there, what worked, what got flagged, and what didn’t.

Why MITRE ATT&CK Matters for Building an Attack Chain

A red team engagement that isn’t mapped to a real framework produces a story. One that is mapped produces something you can actually reuse: a checklist your SOC can retest, prioritize, and automate against.

That’s where MITRE ATT&CK comes in. It’s a public knowledge base of real adversary tactics and techniques, built from actual observed attacks rather than theory. Instead of vague terms like “hacked in,” ATT&CK gives every action a specific label. Credential dumping from a system’s memory is T1003.001. Spearphishing with a malicious attachment is T1566.001. That specificity means a finding from one engagement can be compared directly to another, six months later, run by a completely different tester.

Here’s roughly how a red team uses it to plan a chain:

MITRE ATT&CK

From vague story to reusable checklist

ATT&CK gives every action a specific, comparable label instead of a vague “hacked in.” Here’s how a red team uses it to plan a chain.

1

Pick a realistic adversary

Anchor the scenario to a documented threat group with known, mapped behavior.

APT3 FIN7
2

Extract known techniques

Pull the specific, labeled techniques that group uses from initial access to objective.

T1566.001 T1003.001
3

Build the emulation plan

String those techniques into a believable order — this is the part automation still can’t do alone.

CALDERA Atomic Red Team
4

Run, log, report

Execute the emulation and hand the defensive team a report mapped directly to ATT&CK.

Retestable Comparable

Why it matters: a finding logged this way can be compared directly to another engagement, six months later, run by a completely different tester.

Open-source tools like MITRE CALDERA and Atomic Red Team help automate parts of this, running individual ATT&CK techniques as repeatable tests. However, these tools require significant expertise to configure, interpret results, and avoid disrupting production environments. But stringing those individual tests into a full, believable chain still takes a skilled operator who understands how one technique sets up the next.

Why a One-Time Attack Chain Test Isn’t Enough Anymore

Here’s the part most companies get wrong: they run a red team engagement, get a clean report, and file it away for the year. But a typical four-week penetration test only reaches approximately 15 to 30 percent of an organization’s real attack surface. The other 70 to 85 percent sits untested until the next scheduled engagement, whenever that is.

And your environment doesn’t sit still while you wait. Say your team passes a red team test in March. By June, you’ve shipped forty new releases, spun up a few new cloud services, and onboarded three new SaaS tools. Every one of those changes could open a new link in a new attack chain, and nobody has tested it yet.

Secure.com · Infrastructure Security (Cloud) Teammate

Your environment changes weekly. Your testing shouldn’t wait a year.

Secure.com’s Infrastructure Security (Cloud) Teammate keeps testing running between engagements, not just once a year.

  • Continuously monitors your environment for new deployments, segmentation changes, and new cloud accounts.
  • Tests every change automatically to see whether it opens a new attack path — no waiting for the next scheduled pentest.
  • Maps every finding to MITRE ATT&CK, so your SOC gets business-impact context, not just a failed scan.
  • Frees your red team for the harder work — the creative, business-context chaining automation still can’t replicate.
70–85% of your attack surface sits untested between annual pentests.
Explore the Infrastructure Security Teammate

This is exactly the gap that continuous, automated red teaming with human oversight closes. Instead of waiting on a fixed yearly calendar, Secure.com’s Infrastructure Security (Cloud) Teammate monitors your environment for changes (new deployments, segmentation modifications, new cloud accounts) and tests whether those changes introduce new attack paths. Findings map to MITRE ATT&CK techniques, providing your SOC with context on which attack techniques are viable and their business impact, not just that “something failed a scan.” Continuous, ATT&CK-aligned testing augments human red teamers. It handles the repeatable, technique-based layer so your offensive security team can spend their time on the creative, business-context work that automation still can’t fully replicate.

FAQs

Is a red team the same as a penetration test?
Not quite. A penetration test usually looks for as many vulnerabilities as possible within a set scope and timeframe. A red team engagement is narrower and more goal driven. It’s less about finding every flaw and more about proving whether a realistic attacker could chain a few of them together to reach a specific objective, like admin access or sensitive data.
Can building an attack chain be automated?
Parts of it, yes. Tools built for continuous automated red teaming (sometimes called CART) can run known ATT&CK techniques on a repeatable schedule and flag when a new one becomes viable. But creative chaining, the kind that links an odd misconfiguration to a business-critical system in a way nobody predicted, still benefits heavily from a skilled human operator. Most mature programs run both together.
How long does it take a red team to build a full attack chain?
It depends on scope, but recon alone often eats up 20 to 30 percent of the engagement timeline. A full engagement, from planning to final report, commonly runs several weeks. Autonomous, change-triggered testing can answer a narrower question (can an attacker reach this one asset from this one entry point) in hours instead of weeks.
What’s the difference between an attack chain and a kill chain?
They describe the same basic idea: an attacker’s path from first contact to final goal. "Kill chain" usually refers to a specific named model, like the Cyber Kill Chain’s seven stages or the newer 18-stage Unified Kill Chain. "Attack chain" is the more general, model-agnostic term for that connected sequence of steps.

The Bottom Line

Attackers rarely need a brilliant exploit. They need a handful of small, unremarkable gaps that happen to line up. Building an attack chain, whether you’re the one testing it or the one trying to stop it, comes down to the same discipline: understand the individual techniques, map them to something structured like MITRE ATT&CK, and test the full path regularly enough that you’re not finding out about a broken link the same week an actual attacker does.