Red Team and Threat-Led Penetration Testing Frameworks

Leveraging frameworks and methodologies for offensive security assessments is a best practice to show your customers and clients you have a repeatable, professional offering. No one wants to hire or agree to an ethical hacking engagement without a plan in place that will bring value to the business. Sure there are many organizations that just want that compliance box checked off but that does not mean you need to cut corners. This post covers a list of all the known red team and threat-led penetration testing frameworks available in the industry and by various regulators. 

There are many Red Team, Threat-Led Penetration Testing, and Adversary Emulation frameworks available for public use as you can see below. Unfortunately, the terms Penetration Testing, Red Teaming, Adversary Emulation, and Adversary Simulation are all used in various ways by regulators. As information security practitioners, we know we need to understand the scope of work and use the correct name for the assessment (don’t perform Vulnerability Assessment and call it a Red Team engagement).

The general guide is to not reinvent the wheel but to leverage one or a few industry frameworks to create your own internal framework or methodology for performing Red Team Exercises and Adversary Emulations. It is key to ensure you use and document a framework or methodology to ensure your assessments are professional and repeatable. This is a main differentiator in a professional assessment and in offering business value.

Industry Frameworks and Methodologies

Industry frameworks are created by those in the industry to be leveraged by other organizations without forcing any sort of regulatory compliance mandates.

Regulatory Frameworks and Methodologies

For those working in highly regulated industries, such as financial institutions, and/or in various jurisdictions, the below regulatory frameworks may be required or suggested to be followed:

Figure 1 from

As one can see, there are many frameworks and methodologies for performing Red Team and Threat-Led Penetration Testing in the industry and in various regulatory jurisdictions. These should serve as a good starting point to building out a Red Team or Purple Team program.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email