
Red Team Training: How To Build Practical Skills From Scratch

Red teaming is one of the most sought-after skill sets in offensive security, and one of the most poorly understood in terms of how to actually develop it. Most people searching for red team training find either enterprise courses priced for corporate budgets, vague advice to "learn hacking," or content that conflates red teaming with general penetration testing.

This guide is for people who want to build practical red team skills from scratch and need a clear picture of what that actually requires, in what order, and how to know when they are ready.


Red Teaming vs Penetration Testing: The Distinction That Matters

Before covering how to build red team skills, it is worth being precise about what red teaming actually is, because a lot of training content gets this wrong.

Penetration testing is a structured, scoped technical assessment. A penetration tester is engaged to find vulnerabilities in defined systems within a defined timeframe, and to report what they found. The engagement has clear rules and documented methodology.

Red teaming is an adversary simulation. A red team is engaged to test whether an organisation's people, processes, and technology can detect and respond to a realistic attack. The engagement is typically longer, less constrained, and structured around achieving specific objectives (gaining access to sensitive data, reaching a target system) rather than comprehensively enumerating vulnerabilities. Red teamers operate with stealth, use real-world attack chains, and often test physical security, social engineering, and detection capability alongside technical exploitation.

In practice, the skills overlap significantly. Most red teamers have a penetration testing background. The difference is operational maturity: a penetration tester finds vulnerabilities, a red teamer emulates adversaries. Building toward red teaming means starting with penetration testing fundamentals and developing the operational thinking layer on top.


The Skill Progression

Red team skill development follows a consistent sequence. Skipping layers is the most common reason people plateau.

Layer 1: Technical foundations

Everything builds on networking, operating systems, and scripting. TCP/IP, DNS, how Windows Active Directory authenticates users, how Linux processes work, and basic Python and Bash scripting are not optional prerequisites that you can learn alongside offensive techniques. They are the vocabulary that makes offensive techniques comprehensible. An attacker who does not understand what a Kerberoasting attack is exploiting cannot adapt when the standard approach fails or triggers a detection.

Time investment at this layer is typically four to eight weeks of structured study and hands-on practice before moving to Layer 2.

Layer 2: Penetration testing fundamentals

The core offensive disciplines that every red teamer needs: network scanning and enumeration (Nmap, service fingerprinting), web application testing (Burp Suite, OWASP Top 10), exploitation methodology (Metasploit, manual exploitation), privilege escalation on Linux and Windows, and Active Directory attacks (Kerberoasting, AS-REP Roasting, Pass-the-Hash, BloodHound enumeration).

This layer is where most structured training content lives, and where TryHackMe's Jr Penetration Tester path provides structured, role-aligned coverage. The path works through each of these domains with guided hands-on labs and culminates in the PT1 certification, a 48-hour practical exam covering web, network, and Active Directory targets with a graded professional report.

Layer 3: Red team tradecraft

This is where penetration testing knowledge becomes red team capability. Tradecraft covers: operating with stealth and avoiding detection, understanding and evading endpoint detection and response (EDR) tools, building and operating command and control (C2) infrastructure, living off the land using built-in system tools rather than dropping known malicious binaries, and chaining techniques into coherent attack narratives that mirror real threat actors.

This layer requires practical experience that goes beyond guided exercises. Unguided machines, CTF challenges, and building a home lab environment where you can test techniques against real defensive tooling are how tradecraft develops.

Layer 4: Adversary emulation and operational planning

Senior red teamers plan and execute engagements that mirror specific threat actors, using the MITRE ATT&CK framework to structure attack chains around documented adversary tactics, techniques, and procedures. This includes scoping and rules of engagement, operational security during engagements, and producing executive-level reports that translate technical findings into business risk.

This layer is developed through professional experience, mentorship, and advanced certifications like CRTO (Certified Red Team Operator) and OSCP at mid-level, and CRTE or formal red team operator courses at advanced level.


The Tools Red Teamers Actually Use

Understanding which tools matter and why helps prioritise what to learn. The table below maps the core toolset to the skill layer it belongs to and what it is used for.


The Mindset Gap Most Beginners Have

Technical skills are necessary but not the primary differentiator between a penetration tester and a red teamer. The mindset gap is.

Penetration testers think about finding vulnerabilities. Red teamers think about achieving objectives while avoiding detection. Those are different cognitive frames, and they produce different behaviour during an engagement.

A penetration tester who discovers a vulnerability documents it and moves on. A red teamer who discovers a vulnerability asks: does exploiting this advance the objective? Will it trigger a detection? Is there a quieter path? What does this access enable? The goal is not to find everything; it is to demonstrate what a real attacker could achieve.

Developing this mindset happens through practice in environments where detection matters. Testing techniques against real defensive tooling, understanding what logs your actions generate, and deliberately practising stealth rather than just exploitation are how operational thinking develops. This is why unguided challenges and home lab environments become important at Layer 3, alongside structured guided content.


The Reporting Requirement

Red team engagements produce two outputs: the compromise, and the report. Employers and clients care about both.

A red team report needs to serve multiple audiences simultaneously. The executive summary explains what was achieved and what the business risk is, in language that a non-technical reader can act on. The technical narrative describes the attack chain step by step, with enough detail for a defender to understand exactly what happened and where detection failed. Specific findings document individual vulnerabilities with reproduction steps and remediation guidance.

Most training content gives this almost no attention. Candidates who arrive at a red team interview with sample reports, even writeups of CTF challenges formatted as professional findings, stand out immediately. The PT1 certification on TryHackMe includes a graded report component precisely because report quality is a core professional competency, not an afterthought.


The Common Mistakes

Jumping to advanced techniques without foundations. C2 infrastructure and EDR evasion are Layer 3 and 4 skills. Attempting them without solid networking, OS, and Layer 2 offensive knowledge produces someone who can follow tutorials but cannot adapt when things do not go as expected.

Treating tools as the skill. Knowing how to run Metasploit is not the same as understanding exploitation. Knowing how to run BloodHound is not the same as understanding Active Directory attack paths. Tools operationalise knowledge; they do not substitute for it.

Practising only in guided environments. Guided labs develop technique familiarity. Unguided machines and CTF challenges develop problem-solving ability. Both are necessary, and most people spend too long in the guided stage before moving on.

Skipping the blue team perspective. The most effective red teamers understand how defenders think and what their tooling detects. Spending time on the defensive side, understanding SIEM alert logic, EDR behavioural detection, and log analysis, makes offensive work significantly more effective and is a genuine differentiator in interviews.
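What "SIEM alert logic" looks like in practice, as an added example that is not from the original post: a simplified rule over Windows Security event 4769 (Kerberos service ticket requests) of the kind defenders use to flag Kerberoasting-style activity. The sample events, field names, threshold, and time window are constructed assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records, reduced to the fields the rule
# needs. Field names are hypothetical; this is not real log data.
SAMPLE_EVENTS = [
    {"time": "2026-04-10T09:00:01", "account": "alice@LAB.LOCAL", "service": "FILESRV01$", "etype": "0x12"},
    {"time": "2026-04-10T09:14:02", "account": "bob@LAB.LOCAL", "service": "svc_sql", "etype": "0x17"},
    {"time": "2026-04-10T09:14:03", "account": "bob@LAB.LOCAL", "service": "svc_backup", "etype": "0x17"},
    {"time": "2026-04-10T09:14:05", "account": "bob@LAB.LOCAL", "service": "svc_web", "etype": "0x17"},
    {"time": "2026-04-10T09:14:06", "account": "bob@LAB.LOCAL", "service": "krbtgt", "etype": "0x12"},
    {"time": "2026-04-10T11:30:00", "account": "carol@LAB.LOCAL", "service": "svc_sql", "etype": "0x17"},
]

RC4_HMAC = "0x17"  # ticket encryption type value for RC4-HMAC in event 4769


def is_candidate(event):
    """RC4 ticket for a user-backed service (not a machine account or krbtgt)."""
    svc = event["service"].lower()
    return (event["etype"].lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc != "krbtgt")


def kerberoast_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when one account requests RC4 tickets for at least `threshold`
    distinct services inside a sliding time window (assumed starting values)."""
    by_account = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"]))

    alerts = []
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            services = {s for t, s in hits[i:] if t - start <= window}
            if len(services) >= threshold:
                alerts.append({"account": account, "first_seen": start.isoformat(),
                               "services": sorted(services)})
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in kerberoast_alerts(SAMPLE_EVENTS):
        print(alert)
```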


Building Your Foundation on TryHackMe

TryHackMe's Jr Penetration Tester path covers Layers 1 and 2 of the progression outlined above in a structured sequence: networking and OS fundamentals, web application testing, network penetration, Active Directory attacks, and professional reporting. It is the most direct route from beginner to the practical foundation that red team skill development builds from.

The Red Teaming path then extends into Layer 3, covering C2 frameworks, MITRE ATT&CK, host evasion, network evasion, and Active Directory persistence. It is one of the few structured learning resources that covers red team tradecraft rather than just penetration testing technique.

The PT1 certification validates Layer 2 readiness through a practical engagement. It is the credential that demonstrates you can conduct a structured offensive security assessment, produce a professional report, and operate across web, network, and Active Directory targets independently.

Author: Nick O'Grady
Apr 10, 2026
