Disclaimer #2: On RRT's Design
This course was a labor of love. From the very start, I committed to releasing it free of charge to the public. The material in this course was put together to add something to the conversation in our field regarding responsibility and what it means to be a red teamer with honor.
With that having been said, please consider the following:
This course is different from most other courses in this field. It is almost experimental in its design. It requires you to do a lot more than run commands and examine the results. It requires you to think deeply about the subject matter.
Also please keep in mind that I am only one person with one set of experiences. I am locked into my own perspective.
Teaching this kind of material is far outside the realm of what a student will normally expect when they sign up for a red team course. The material may feel strange or uncomfortable at first.
“I thought this was a red team course, why are we talking about ethics?”
I promise, there is a method to it.
When you teach someone how to Kerberoast a service account or how to set up Evilginx or how to perform a CreateThread shellcode injection proof of concept, there are usually clear outcomes indicating that it was a success. An account is Kerberoasted, a transparent proxy is now set up, and a binary can execute shellcode. The results are clear.
But when you try to teach someone the ethical, moral, and responsible considerations around red teaming, there is really no objective measure of success. The material in this course is my best-faith effort to codify things that I think make a responsible red teamer and things I’d like to see more people do to improve safety in our field. But there is no objectivity in this course. You will not leave with a concrete example of what is right and what is not that can be applied to every scenario. That would be impossible for me to capture in writing.
The successful outcome of this course does not look like a bunch of note pages, some new tradecraft tricks, and concrete technical skills. The successful outcome of this course is something much more nuanced. It looks more like a deep contemplation of what responsibility, legality, and ethics mean to you in the context of red teaming.
My best hope for this course is that it will cause you to think deeply about your own experiences, your own situations, and your own responsibilities in your pocket of our field. And I hope that, when faced with the next decision, big or small, you will consider the questions: “Is this legal? Is this ethical? Is this responsible?” If that happens, I’ve done my job.
If at any point during this course, you think the material is not how you would do something, or represents poor tradecraft, or you flat out think I’m wrong, that’s ok. I invite you to think critically about each example in this course and what you would do if you were facing the example in real life. I always welcome feedback. My contact information is in the whoami section at the beginning of the course. Please don't hesitate to reach out!
With that out of the way, let’s begin!