Quick take
Red teaming trains you to think like an attacker — powerful, employable skills. But offensive practice outside authorised environments is illegal. Practise only in permitted labs, follow simple Rules of Engagement (RoE), log everything, and always combine offence with detection practice. Below you’ll find a safe, practical plan you can run this week and reusable templates you can copy into every lab session.
Why the legal bit matters
Before anything else: permission is mandatory. Real-world penetration testing happens under contract and written RoE that define scope, allowed techniques, hours, and rollback procedures. Without that, even curiosity can become criminal activity. National cyber agencies, industry standards, and buyers all expect sign-off before active testing — so learn red team skills where permission already exists: in labs and sanctioned programs.
Quick authoritative refs: NCSC (UK), CISA (US), NIST — use these for formal RoE and commissioning guidance.
- NCSC: https://www.ncsc.gov.uk
- CISA: https://www.cisa.gov
- NIST: https://www.nist.gov
The safe-practice philosophy (one sentence)
Practice realistic offensive craft only where you have explicit permission, simulate destructive impacts rather than causing them, and always document and sanitise outputs before sharing.
A 7-day micro-plan (practise safely, level-up fast)
This is a week-long, focused plan you can run inside TryHackMe. Each day fits into an hour-to-two-hour slot.
Day 1 — Recon basics (guided)
- Objective: run lawful reconnaissance in a controlled room.
- Do: DNS/subdomain enumeration, basic port scanning (nmap), gather service banners.
- Where: start in a guided recon room on TryHackMe.
Day 2 — Service enumeration & fingerprinting
- Objective: identify running services and their versions.
- Do: banner grabs, version checks, basic vuln mapping.
Day 3 — Web app hunting (safe)
- Objective: practise harmless web discovery: parameter discovery, directory bruteforce (non-destructive).
- Do: use Burp in passive mode; avoid payloads that alter state.
Day 4 — Exploitation basics (simulated)
- Objective: trigger a low-impact exploit in a lab environment (read-only or snapshot-enabled).
- Do: follow lab instructions; never run destructive payloads.
Day 5 — Post-exploit & lateral movement (chains, simulated)
- Objective: practise chaining techniques inside multi-host lab boxes.
- Do: privilege escalation, pivoting — keep backups and revert snapshots after.
Day 6 — Detection hour
- Objective: switch to defender mode and examine logs/alerts from the week’s activity.
- Do: review SIEM/EDR outputs (in-lab sims), note detection fingerprints.
Day 7 — Report & sanitize
- Objective: write a short, professional report and a sanitized portfolio entry.
- Do: produce one-page summary + sanitized evidence (no flags, no secrets).
Mini case study (how one lab session looks in practice)
Scenario: You’re in a TryHackMe multi-host box. Your objective: achieve local privilege escalation on a Linux VM, document it, then revert the environment to its clean snapshot.
- Draft a 1-page RoE for the session (scope: one lab; tools: nmap, wget, gcc; stop condition: VM crash).
- Run reconnaissance and record commands + outputs.
- Exploit a known vuln in the lab to escalate privileges — take screenshots, note commands.
- Reboot the VM (or revert snapshot) and confirm services restored.
- Produce a one-page report: summary, steps, impact, remediation.
- Publish a sanitized portfolio entry (e.g., “Completed lab: Local Linux privilege escalation — methodology summary”).
That simple loop (plan → act → revert → document) is the backbone of safe, professional practice.
Short report template
Keep this as your reporting boilerplate — employers and clients love brevity.
Title: Lab / Engagement name
Summary: One sentence — what you achieved.
Scope: Labs and limitations.
Steps to reproduce: numbered shell commands or steps (sanitised).
Impact: what could an attacker do? (low/medium/high)
Evidence: sanitized screenshots or logs (no secret tokens).
Remediation: 2–3 practical fixes.
Notes: snapshot IDs, rollback confirmation.
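Day 7 and the report template both ask for sanitised evidence. The following is an added example, not code from the original post or from TryHackMe: a small Python redactor for lab notes that strips flags, credential assignments and password hashes, counts what it removed, and re-checks the result so the "sanitised" box on the checklist is backed by a test rather than a skim. The THM{...} flag shape, the secret keywords and the sample notes are assumptions and constructed data.

```python
"""Redact flags, credentials and hashes from lab notes before publishing."""
import re
from typing import Dict, List, Tuple

# Redaction rules, applied in order. The THM{...} shape is an assumption about
# the TryHackMe flag format; the other patterns are generic secret shapes.
RULES: List[Tuple[str, re.Pattern, str]] = [
    ("flag", re.compile(r"THM\{[^}\n]*\}"), "[FLAG REDACTED]"),
    # key: value / key=value assignments; (?!\[) keeps a second pass from
    # re-matching an already inserted [REDACTED] marker.
    ("credential",
     re.compile(r"(?i)\b(password|passwd|pwd|token|api[_-]?key|secret)(\s*[:=]\s*)(?!\[)\S+"),
     r"\1\2[REDACTED]"),
    # crypt(3)-style hashes as found in /etc/shadow ($1$, $2b$, $5$, $6$, $y$)
    ("crypt_hash", re.compile(r"\$(?:1|2[aby]?|5|6|y)\$[^\s:]+"), "[HASH REDACTED]"),
    # bare hex digests and session ids (MD5 up to SHA-512 length)
    ("hex_hash", re.compile(r"\b[0-9a-fA-F]{32,128}\b"), "[HASH REDACTED]"),
]

def sanitize(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the redacted text and how many hits each rule produced."""
    counts: Dict[str, int] = {}
    for name, pattern, repl in RULES:
        text, counts[name] = pattern.subn(repl, text)
    return text, counts

def is_publishable(text: str) -> bool:
    """True when a fresh pass over the text finds nothing left to redact."""
    _, counts = sanitize(text)
    return sum(counts.values()) == 0

# Constructed sample notes, not real lab output.
NOTES = """\
# Day 5 notes
$ cat /home/user/user.txt
THM{constructed_flag_value_1234}
$ sudo grep root /etc/shadow
root:$6$saltsalt$abc123hash.value/here:19000:0:99999:7:::
$ ssh user@10.10.10.5   # password: Winter2024!
$ export API_KEY=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
$ md5sum loot.zip
d41d8cd98f00b204e9800998ecf8427e  loot.zip
"""

if __name__ == "__main__":
    clean, hits = sanitize(NOTES)
    print(clean)
    print("redactions:", hits, "| publishable:", is_publishable(clean))
```

Paste the redaction counts into the Notes field of the report alongside the snapshot ID, so the reviewer can see that sanitisation actually ran.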
What to practise on TryHackMe
- Start with the Jr Penetration Tester path to cover fundamentals: https://tryhackme.com/path/outline/jrpenetrationtester
- Progress into the Red Team path for tradecraft and chaining: https://tryhackme.com/path/outline/redteam
- Always run labs inside the platform’s AttackBox or provided browser environment.
A few professional habits that matter more than trick syntax
- Journal everything. Good notes = repeatable learning + portfolio material.
- Revert, always. Snapshots before tests are non-negotiable.
- Sanitise outputs. Never publish secrets or flags.
- Defender empathy. Spend at least one session per lab in defender mode (read logs).
- RoE discipline. If you can’t make a short RoE for the session, don’t start.
Legal & ethical guardrails
- Don’t scan or probe IPs outside the lab.
- Don’t attempt to access systems you don’t own or haven’t been explicitly authorised to test.
- Follow platform ToS and national laws — arbitrary testing can be a criminal offence.
- Use bug-bounty programs only within their stated scope and disclosure windows.
Authoritative resources you or your legal team can refer to: NCSC, CISA, NIST (links above).
Quick checklist (copy into the top of your lab doc)
- Snapshot taken / rollback confirmed
- One-page RoE drafted and saved
- Only allowed tools in use
- Non-destructive approach chosen unless explicitly permitted
- Defender-hour scheduled after lab
- One-page report drafted and sanitized
Final note — how this prepares you for real work
Practising red team skills safely builds tradecraft and trust. Employers and clients hire people who can demonstrate: technical skill, structured discipline (RoEs & reports), and evidence of responsible practice. By training inside permitted labs, reverting to clean states, and producing concise reports, you graduate from “enthusiast” to “professional.”
Nick O'Grady