Red teaming is one of the most technically demanding and most rewarding career paths in cyber security. You simulate real-world attacks against organisations to test whether their people, processes, and technology can detect and respond to a determined adversary. Salaries range from $85,000 at entry level to $250,000 or more for senior operators, and demand is projected to grow 32% by 2028.
Getting there takes time and a clear sequence. Most people who want a red team career either aim for it too early, before the foundational skills are in place, or follow the wrong sequence and stall out. This guide gives you the honest roadmap.
What Does a Red Teamer Actually Do?
Let's start with the real version, not the Hollywood one.
A red teamer simulates adversary behaviour against a target organisation to test whether defences hold. Unlike a penetration test, which finds vulnerabilities in scope, a red team engagement tests detection and response capability across people, processes, and technology simultaneously. Engagements are longer, less constrained, and structured around realistic attack objectives: achieving lateral movement to a domain controller, exfiltrating a simulated sensitive dataset, or maintaining persistent access for thirty days without being detected.
According to Red Team Guide, the offensive security job market in 2026 is clearly stratified: entry level is competitive and certifications matter most at this stage; mid-level has good demand with OSCP plus three years of experience as a strong position; senior and lead roles are scarce with excellent compensation; and the ability to translate technical findings into business language increasingly differentiates candidates at every level.
The implication is simple: prepare for entry level with the right credentials and demonstrable practical skill. Everything after that flows from experience.
What Skills Do You Need Before You Can Call Yourself Red Team Ready?
Red teaming is not a starting point. It is a destination that requires a specific sequence of foundational skills to be in place first.
Networking fundamentals. You cannot conduct realistic adversary simulation without understanding how networks route traffic, how protocols behave, and what anomalous traffic looks like from a defender's perspective. TCP/IP, DNS, Active Directory authentication, and common enterprise network architectures are all prerequisites. Not optional context: actual prerequisites.
Linux and Windows proficiency. Red team operators work in both environments. Linux is your attack platform. Windows is where most enterprise targets live. Deep OS knowledge including file system internals, persistence mechanisms, registry structure, and privilege escalation paths on both platforms is foundational.
Scripting and automation. Python, Bash, and PowerShell are essential to red team work for automation, custom tooling, and exploit development. The ability to read, modify, and write scripts is not an advanced red team skill. It is table stakes.
Penetration testing fundamentals. Red teamers need solid foundations in web application testing, network penetration, and Active Directory attacks before they develop the operational tradecraft that distinguishes red teaming from pentesting. Kerberoasting, Pass-the-Hash, BloodHound enumeration, Mimikatz, and lateral movement techniques through Windows environments are all expected knowledge.
Evasion and operational security. This is where red teaming diverges from penetration testing. Living off the land with built-in system tools, evading EDR detection, operating C2 infrastructure stealthily, and maintaining operational security throughout an engagement are skills that develop on top of pentesting fundamentals, not in parallel with them.
TryHackMe's Jr Penetration Tester path builds the foundational offensive layer, and it was completely rebuilt for 2026. The revamped path now spans 89 rooms across 17 modules, with a fully rewritten Web Security section aligned to the 2025 OWASP Top 10, a brand-new 9-room Active Directory module replacing the single legacy AD room, three new capstone challenges that test the full attack kill chain, and a complete pentest methodology module covering scoping, threat modelling, report writing, and re-testing. It is the most comprehensive entry-level offensive path on the market and is designed in lockstep with the PT1 certification, making it the canonical study route before you sit the exam. The Red Teaming path then extends into tradecraft: C2 frameworks, MITRE ATT&CK, host and network evasion, and Active Directory persistence. Work through both in sequence.
Which Certifications Actually Open Doors?
The certification path for red teaming is longer than most specialisations and the sequence matters.
TryHackMe PT1 is the right first practical credential. It validates the foundational offensive skill set through a 48-hour engagement exam across web, network, and Active Directory targets with a graded professional report. The revamped Jr Penetration Tester path is built in lockstep with PT1, so working through the path is the canonical preparation route before sitting the exam. It is what demonstrates you are ready to move beyond guided learning into independent offensive security work. Premium subscribers receive a 15% discount.
OSCP (Offensive Security Certified Professional) is the most widely recognised offensive security certification in the industry and consistently the most requested in penetration testing and red team job postings. A 24-hour practical exam, a professional report requirement, and a reputation that technical hiring managers understand. This is the certification that moves you from entry-level consideration to genuine mid-level competitiveness. Prepare for it after PT1, with at least six months of consistent lab work on unguided machines.
CRTO (Certified Red Team Operator) from Zero-Point Security is the credential most specifically aligned to red team operator work. It covers Cobalt Strike operation, C2 infrastructure, Active Directory attacks, OPSEC, and the full internal red team engagement lifecycle. The CRTO proves you can operate in a Windows enterprise like a real operator, not just memorise facts. It is the natural follow-on after OSCP for those specifically targeting red team roles rather than general penetration testing.
CRTP (Certified Red Team Professional) from Altered Security covers Active Directory attack paths in depth and is a strong mid-level credential for those targeting AD-heavy environments, which describes the majority of enterprise red team engagements.
What Does the Career Progression Actually Look Like?
Red team careers follow a consistent progression, and understanding it prevents the most common mistake: targeting senior roles before the foundational stages are complete.
Stage 1: Junior Penetration Tester (0 to 2 years)
This is where everyone starts. You run vulnerability assessments under supervision, follow established methodologies, write sections of penetration test reports, and learn to use tools correctly. The market at this stage is competitive, certifications matter most, and candidates frequently outnumber openings. PT1 plus a strong portfolio is the combination that gets you through.
Stage 2: Penetration Tester / Junior Red Team Operator (2 to 4 years)
Independent assessment capability, cross-domain skill across web, network, and Active Directory, and OSCP completed. You are contributing to red team engagements under senior operator guidance and developing the tradecraft that distinguishes red teaming from point-in-time pentesting.
Stage 3: Red Team Operator (4 to 7 years)
Leading engagements independently, operating C2 infrastructure, conducting adversary emulation mapped to MITRE ATT&CK, writing executive-level reports that translate technical findings into business risk. Senior and lead red team talent is scarce in 2026 and compensation is strong.
Stage 4: Red Team Lead / Principal (7+ years)
Programme leadership, client relationship management, mentoring junior operators, and increasingly the ability to translate red team findings into strategic security recommendations at the CISO level. Compensation at this stage is excellent and the network matters as much as credentials.
How Do You Build a Portfolio Without a Red Team Job?
This is the question most beginners ask and most guides answer badly. You do not need a red team job to build red team evidence. You need documented, structured offensive security work that demonstrates the skills employers test for.
Every TryHackMe room you complete is a potential writeup. Every unguided machine you root is an opportunity to document the full attack chain from enumeration to privilege escalation in professional report format. CTF competitions produce competition-appropriate writeups (published after the competition closes) that demonstrate methodology and tool proficiency. A GitHub repository of documented attack writeups, structured like professional penetration test findings, is the portfolio that gives hiring managers something concrete to evaluate.
The public TryHackMe profile is the foundation. Consistent activity across the Red Teaming path and Jr Penetration Tester path, visible over several months, communicates sustained effort and genuine commitment. Pair that with PT1 and a folder of professional writeups and you have a portfolio that speaks for itself at entry level.
What Is the Most Common Mistake People Make Preparing for a Red Team Career?
Trying to start at Stage 3.
The most common pattern is spending months studying advanced red team tradecraft, C2 frameworks, and OPSEC techniques before the underlying penetration testing fundamentals are solid. C2 operation makes no sense without understanding what post-exploitation capability you are trying to maintain. EDR evasion makes no sense without understanding what detection logic you are trying to avoid.
The sequence matters: foundations first, offensive fundamentals second, red team tradecraft third. SOC experience is also genuinely useful because it teaches how events are monitored, prioritised, escalated, and investigated. Red teamers who understand how defenders think write better attack chains and produce more actionable reports. Spending time on the blue side before or during red team development is not a detour. It is preparation.
Where Do You Start?
Start on TryHackMe. The Jr Penetration Tester path has been completely rebuilt for 2026: 89 rooms across 17 modules, a fully rewritten web security curriculum aligned to the 2025 OWASP Top 10, a dedicated 9-room Active Directory module, and three capstone challenges that test the full kill chain before you sit PT1. Work through it and document every room as a writeup. Sit PT1 when you complete it. Then move to the Red Teaming path and build the tradecraft layer on top of solid offensive fundamentals.
The path is long. The rewards, in skill, in impact, and in compensation, are worth it.
Crack your first shell. Root your first machine. Level up.
Nick O'Grady