Red Team Report Checklist
The Ultimate Guide for Professional Reporting
A Red Team operation goes beyond vulnerability scanning: it tests how well an organization detects and responds to a realistic adversary pursuing concrete objectives. The report must therefore prioritize business risk and a coherent attack story over a bare list of technical findings, while still giving the Blue Team a precise, timestamped record against which to measure its detections. Use this checklist to ensure your report delivers maximum value to both audiences.
1. Document Control
  • Version History: Track changes, including Draft, Review, and Final versions with dates, so it is always clear which edition a stakeholder is acting on.
  • Confidentiality Marking: Clear labels such as "Strictly Confidential" or "Internal Use Only". The report contains working attack paths against the organization, so handle it at least as carefully as the data it describes.
  • Distribution List: Define who is authorized to read the report (e.g., CEO, CISO, SOC Lead).
2. Executive Summary
  • BLUF (Bottom Line Up Front): A concise conclusion (e.g., "We successfully exfiltrated critical data within 4 days").
  • Key Statistics: Metrics like "Time to Initial Compromise", "Time to Domain Admin", "Time to Objective", and "Time to First Detection", all measured from the agreed engagement start.
  • High-Level Attack Graph: A visual representation of the attack path for non-technical stakeholders, marking where the Blue Team did and did not see the attacker.
  • Business Risk Impact: Translation of technical flaws into financial, legal, or reputational risks, tied to the objectives that were actually reached.
3. Scope & Rules of Engagement
  • In-Scope Assets: Clearly defined IP ranges, domains, and physical locations, plus the time window in which testing was permitted.
  • Exclusions: Assets that were off-limits and actions that were prohibited (e.g., no DoS attacks, no modification of production databases).
  • Objectives / Flags: The specific goals of the operation (e.g., accessing the CEO's email), together with the evidence agreed in advance to count as proof of capture.
4. The Attack Narrative
  • Chronological Timeline: A step-by-step account of what happened, when (UTC timestamps), from which source host or account, and how, so every action can be correlated with the defenders' logs.
  • MITRE ATT&CK Mapping: Tag every action with its technique ID (e.g., T1078 Valid Accounts, T1003 OS Credential Dumping) and group the IDs by tactic, so detection coverage can be compared across engagements.
  • Visual Diagrams: Supporting screenshots, network maps, and attack flowcharts.
5. Blue Team Analysis
  • Detection Gap Matrix: Classify each action as Blocked (a preventive control stopped it), Detected (an alert fired and was triaged), Logged only (telemetry existed but no alert fired), or Not logged (no evidence at all). The last two call for different fixes: a detection rule versus log coverage.
  • Timestamp Comparison: Compare Red Team execution times with Blue Team alert and response times to derive time-to-detect per action and the overall dwell time, and note which alerts were actually investigated.
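The following script is an added example, not a tool from the original checklist. It ties together the Key Statistics of section 2, the ATT&CK-tagged timeline of section 4, and the Detection Gap Matrix and timestamp comparison of section 5: given the Red Team's own activity log and the SOC records correlated to it during the debrief, it classifies every action into one of the four outcome cells and computes time to initial compromise, time to Domain Admin, time to objective, and mean time to detect. Every timestamp, technique ID, log reference and alert in it is constructed, and the field names (action_id, milestone, kind) are assumptions about how a team might record this data.

```python
"""Detection-gap matrix and engagement metrics for a Red Team report.

Added example for this checklist, not a tool from the original page. Every
timestamp, technique ID, log reference and alert below is constructed; the
field names (action_id, milestone, kind) and the four outcome categories are
assumptions about how a team records its activity log and the SOC's records.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RedAction:
    """One entry in the Red Team's activity log (all times UTC)."""
    action_id: str
    timestamp: datetime              # when the operator executed the action
    technique: str                   # MITRE ATT&CK technique ID
    description: str
    blocked: bool = False            # a preventive control stopped the action
    milestone: Optional[str] = None  # "initial_access", "domain_admin" or "objective"


@dataclass
class BlueEvent:
    """A SOC record correlated to one red action during the joint debrief."""
    action_id: str
    timestamp: datetime  # when the log was written or the alert fired
    kind: str            # "alert" (analyst notified) or "log" (telemetry only)


OUTCOMES = ("Blocked", "Detected", "Logged only", "Not logged")


def classify(action: RedAction, events: list) -> str:
    """Map one action to a detection-gap cell. Blocked takes precedence (the
    control worked whether or not it also alerted); an alert means Detected;
    telemetry without an alert is "Logged only" (evidence existed, nobody was
    told); no record at all is "Not logged", a logging gap rather than a rule gap."""
    if action.blocked:
        return "Blocked"
    kinds = {e.kind for e in events}
    if "alert" in kinds:
        return "Detected"
    if "log" in kinds:
        return "Logged only"
    return "Not logged"


def build_matrix(actions, blue_events) -> dict:
    """Return {action_id: outcome} for every red action."""
    by_action = defaultdict(list)
    for ev in blue_events:
        by_action[ev.action_id].append(ev)
    return {a.action_id: classify(a, by_action[a.action_id]) for a in actions}


def time_to_detect(action, blue_events) -> Optional[timedelta]:
    """Earliest alert minus execution time, or None if the action never alerted."""
    alerts = [e.timestamp for e in blue_events
              if e.action_id == action.action_id and e.kind == "alert"]
    return min(alerts) - action.timestamp if alerts else None


def engagement_metrics(actions, blue_events, start: datetime) -> dict:
    """Headline numbers for the Executive Summary. start is the agreed beginning
    of offensive activity, so the milestone timers cover the whole engagement."""
    matrix = build_matrix(actions, blue_events)
    milestones = {a.milestone: a.timestamp for a in actions if a.milestone}
    ttds = [time_to_detect(a, blue_events) for a in actions if matrix[a.action_id] == "Detected"]

    def since_start(name):
        return milestones[name] - start if name in milestones else None

    return {
        "time_to_initial_compromise": since_start("initial_access"),
        "time_to_domain_admin": since_start("domain_admin"),
        "time_to_objective": since_start("objective"),
        "mean_time_to_detect": sum(ttds, timedelta()) / len(ttds) if ttds else None,
        "outcome_counts": {o: sum(1 for v in matrix.values() if v == o) for o in OUTCOMES},
    }


# Constructed engagement data (not a real operation).
START = datetime(2024, 3, 4, 9, 0)
ACTIONS = [
    RedAction("RT-01", datetime(2024, 3, 4, 11, 2), "T1204.002",
              "User opened phishing attachment; implant called back", milestone="initial_access"),
    RedAction("RT-02", datetime(2024, 3, 4, 11, 30), "T1059.001", "PowerShell host and domain recon"),
    RedAction("RT-03", datetime(2024, 3, 5, 14, 20), "T1003.001", "LSASS memory dump attempt", blocked=True),
    RedAction("RT-04", datetime(2024, 3, 5, 16, 5), "T1558.003", "Kerberoasting of service accounts"),
    RedAction("RT-05", datetime(2024, 3, 7, 10, 50), "T1078.002",
              "Logon with cracked service account in Domain Admins", milestone="domain_admin"),
    RedAction("RT-06", datetime(2024, 3, 8, 15, 30), "T1048", "Exfiltration of agreed data set", milestone="objective"),
]
BLUE_EVENTS = [
    BlueEvent("RT-01", datetime(2024, 3, 4, 11, 2), "log"),     # EDR process telemetry, no rule matched
    BlueEvent("RT-03", datetime(2024, 3, 5, 14, 20), "alert"),  # EDR blocked the dump and alerted
    BlueEvent("RT-04", datetime(2024, 3, 5, 16, 6), "log"),     # Kerberos 4769 ticket requests recorded
    BlueEvent("RT-04", datetime(2024, 3, 6, 9, 35), "alert"),   # analyst alert the next morning
    BlueEvent("RT-05", datetime(2024, 3, 7, 10, 50), "log"),    # 4624 logon recorded, no alert
    BlueEvent("RT-06", datetime(2024, 3, 8, 15, 50), "alert"),  # DLP alert on outbound transfer
]

if __name__ == "__main__":
    for action_id, outcome in build_matrix(ACTIONS, BLUE_EVENTS).items():
        print(f"{action_id}: {outcome}")
    for name, value in engagement_metrics(ACTIONS, BLUE_EVENTS, START).items():
        print(f"{name}: {value}")
```

On the constructed data the matrix reads RT-01 Logged only, RT-02 Not logged, RT-03 Blocked, RT-04 Detected, RT-05 Logged only, RT-06 Detected, and the metrics give 2h02m to initial compromise, 3d 1h50m to Domain Admin, and a mean time to detect of 8h55m across the two detected actions. The Domain Admin logon being "Logged only" is exactly the finding the Blue Team section should surface: the 4624 event existed, so the fix is a detection rule, whereas the unlogged PowerShell reconnaissance needs script block logging enabled before any rule can help.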
6. Technical Findings
  • Vulnerability Details: Vulnerability name, severity level, and CVSS score together with its vector string, so the rating can be reproduced and adjusted for the environment.
  • Proof of Concept (PoC): Exact commands or code required to reproduce the exploit, with captured credentials, hashes, and exfiltrated data redacted or replaced with placeholders.
  • Specific Remediation: Detailed guidance on patching or configuration changes (not just generic advice), including how the Blue Team can verify that the fix is in place.
7. Post-Engagement Cleanup
  • Artifacts Removed: Confirmation that malware files, shells, tools, and persistence mechanisms (scheduled tasks, services, registry keys) have been deleted from every host in the timeline, and that the command-and-control infrastructure has been decommissioned.
  • Accounts Deleted: Confirmation that any temporary user accounts created for testing are removed, and that any passwords or group memberships changed during the operation have been restored.
  • Data Handling: Confirmation that captured credentials and exfiltrated data have been securely destroyed or returned, as agreed in the Rules of Engagement.
