Continuous Automated Red Teaming (CART) : A Complete Guide

For high-risk organizations like financial institutions, healthcare providers, and sensitive government agencies that need to determine their web security posture and measure the effectiveness of their web security investments, occasional red teaming operations are not enough—red teaming must be continuous and automated.

In this article, we’ll take a deep dive into continuous automated red teaming (CART), learn how it works, and examine its benefits.

What is continuous automated red teaming (CART)?

Continuous automated red teaming is a cybersecurity approach that proactively tests organizations’ software, network, and employee defenses via authorized ethical hacking that is automated and continuous. It involves regular simulation of real-world attacks by imitating the attackers’ tactics, techniques, and procedures (TTPs).

CART covers a wide range of attack types and tactics, using methods such as penetration testing, phishing campaigns, and simulated software breaches. It aims to continuously assess security measures to provide recommendations for improvement and prevent real attacks. Ideally, a CART attack should test one or a combination of the following, depending on a risk analysis and assessment:

  • Network vulnerabilities: Including insecure user accounts, open ports, and misconfigured firewalls that hackers can leverage to access your software, elevate privileges, and carry out malicious actions
  • Software vulnerabilities: Including code glitches and missing authentications that can facilitate OS command injection, cross-site scripting, and man-in-the-middle attacks
  • Employee security awareness: Including social engineering, malware injection, and phishing scams that hackers leverage to gain privileged employee access

How does CART work?

CART tests the limits of an organization’s infrastructure and employees' security awareness by covering the attack path of real hackers—from reconnaissance to attack execution. It involves six key stages, as explained below.

1. Goal setting

The general goal of implementing CART is to measure the strength of your organization’s cybersecurity defenses, test your security team's threat detection, evaluate your staff’s incident response abilities, and identify and remedy exploitable vulnerabilities.

However, many service providers offer CART customization to enable organizations to achieve specific, time-bound CART goals, such as testing a newly implemented security product, third-party software/update, or newly built app/app update.

2. Rules setting

At this stage, organizations establish rules of engagement that state how far the attack should go. For example, after exploitation, should the system be hijacked; should data be encrypted/decrypted or held for ransom; should a bug be infected by the hacker; or should the attack simulation stop just short of the actual attack stage?

You should also state whether any data is out of bounds. In essence, this stage seeks to manage risk via established parameters.

Black box reconnaissance

This stage involves gathering generally available information (e.g., employee or business email addresses) that hackers can leverage to conduct attacks.

Black box reconnaissance uncovers employee and customer negligence (e.g., weak or exposed passwords) and tests security awareness via phishing links and spamming. It also involves safely applying up-to-date vulnerability and threat data to continuously and stealthily identify security vulnerabilities in the target system from the perspective of an unprivileged attacker.

CART tools automatically detect security misconfigurations (e.g., exposed databases, codebases, firewalls, and cloud buckets), vulnerable cloud assets, and poor authentication and authorization mechanisms.

4. Attack simulation

This is where the actual attack begins. All or some of the activities in this stage can be implemented depending on the CART goal and the organization’s preferences.

Penetrating the system

Identified vulnerabilities are exploited to achieve “unauthorized” system access. This stage validates attack path information gleaned from the reconnaissance stage and tests existing infrastructure and employee defenses. It also provides clear insights into the different types of vulnerabilities being dealt with and which ones are exploitable.​

Escalating privileges

Once securely embedded in the system, the CART tool exploits software misconfiguration or weak access controls to move laterally within the system and gain access to higher privileges, such as permission to access or modify sensitive data or code.

Attack delivery

Finally, the CART tool launches an actual attack based on prespecified goals and boundaries (e.g., exfiltrating data or decrypting/encrypting data for ransom). Organizations must ensure that the attack delivery will not result in regulatory breaches and that the CART service provider is trustworthy to avoid data breaches.

Comprehensive report

An ideal CART tool should provide a list of exploitable vulnerabilities in order of priority to allow organizations to prioritize security investments. It should also detail the attack path and provide actionable recommendations for proactive vulnerability remediation.

6. Incidence response

Organizations must respond to CART activities as they would actual attacks. This includes implementing security measures and infrastructure, as well as the remediation steps offered by the CART tool to prevent actual attacks. Once implemented, CART can be repeated to validate investments, software updates, or configuration changes made.

CART vs. traditional red teaming

Automation and continuous monitoring scales red teaming beyond the offerings of traditional approaches. Here are four key differences:

Traditional red teaming


Time and effort intensity Spans longer durations and requires manual intervention Takes little time and effort to complete, as the process is automated
Frequency Typically done once or twice a year; new vulnerabilities may be discovered and exploited by real attackers any time in between Continuous; vulnerabilities and ongoing attacks can be discovered and remediated/prevented proactively
Cost/scalability Depends largely on hardware and peopleware; usually costly to carry out Offered by SaaS providers; usually more cost-effective
Accuracy Offers point-in-time results, which can be error-prone (due to human intervention) and out-of-date (due to duration and infrequency) Provides real-time vulnerability detection via the ongoing use of intelligent software

Why implement continuous automated red teaming?

Below are some of the key reasons automation and continuous monitoring are important in red teaming.

Proactive and continuous vulnerability identification

Automation makes red teaming fast, regular, and efficient, allowing for proactive attack surface mapping and management. In addition, CART offers generalized testing of the entire stack—software, network, and employee—which strengthens your organization’s defenses across the board and enables swift detection of unauthorized activities.

Automation ensures red teaming is always available. This is critical since hackers that infiltrate a system can remain undetected indefinitely. When done regularly, CART ensures organizations are always aware of vulnerabilities or intruders in their systems and what can be done to remove them.

Risk prioritization and security investment validation

CART tools provide risk-level classification for assets and vulnerabilities based on contemporary advanced threat data and techniques being deployed by hackers. This improves the prioritization and efficiency of resource allocation and management. Besides attacking the system to discover vulnerabilities, CART analyzes the effectiveness of remediation steps and security investments, thereby helping you maximize ROI.

Improved incident response

When a red team operation is ongoing, cybersecurity staff should ideally be left in the dark. This way, if the attack is discovered, they can respond as if it were an actual attack. This will test their (and the security infrastructure’s) readiness and ability to detect and respond, providing a clear roadmap for curtailing future attacks.

Enhanced employee security consciousness

When social engineering or employee negligence facilitates an attack, seeing the results of a red team attack and its legal/financial consequences will trigger increased security awareness. This may be more effective than simply providing theoretical training on security awareness.

Regulatory non-compliance detection

CART identifies regulatory non-compliance issues such as poor access control implementation, ineffective data encryption, and cloud buckets and PII exposure. This allows organizations to remediate these issues swiftly and prevent non-compliance fines and lawsuits.

CART: Real-life examples

Let’s look at two real-life examples where CART could have been instrumental.

In July 2022, the Chinese government fined Didi Global, a Chinese online ride-hailing service provider, 8.026 billion yuan ($1.19 billion at the time) for violating Chinese network, data, and PII security laws. Beyond the fine itself, there were further non-compliance costs: Customer trust had been breached; the organization had to undergo a yearlong investigation during which it could not take on new customers; and two of its senior executives were personally fined 1 million yuan each.

With a CART tool conducting regular simulated attacks and providing recommendations for vulnerability and non-compliance remediation, Didi could have detected and rectified the non-compliance issue and avoided an investigation and subsequent penalties.

In another incident, Suncor Energy, Canada’s largest energy firm, was targeted in an attack that was only discovered days after it had begun. The hackers left over 1,500 of Suncor’s gas stations across the entire country unable to function; exposed customer PII; and disrupted the functioning of web accounts, mobile apps, and internal systems for over 10 days. While the attack was later stopped, it could have entirely been prevented with CART.

Best practices to improve security posture with CART

Below, we present seven key best practices for effectively enhancing your security with CART.

1. Choose a reputable service provider

CART operations can be invasive, requiring CART tools to penetrate sensitive parts of the system, escalate privileges, and attempt to cause damage the way an attacker would; therefore, it’s important to choose a trusted service provider to prevent what should be a test from becoming an actual attack. Also, make sure to choose a CART tool that provides detailed, actionable reports.

2. Properly discuss terms

Outline no-go areas in the system, especially sensitive data, to prevent any potential compliance violation. Carefully detail what to do with access and data for when an attack hits and is successful.

In addition, after each red team operation, rescind access gained and privileges escalated. This has two benefits: The software can start a new red team operation on a fresh slate the next time, and it will prevent the personnel with access to the CART tool from unnecessarily accessing or modifying sensitive data.

3. Test the CART tool’s effectiveness

Assess threat simulations and TTPs to be used. Be sure they are current and relevant. Follow the attack process and examine its similarity to actual attacks; this is crucial for valid results. Also, verify that reports and recommendations provided are accurate and effective.

4. Inform staff about CART activity on a need-to-know basis

For accurate results, treat red teaming like actual attacks. Employees should discover the ongoing “attack” on their own without being prompted. This will serve as a training ground, preparing them for future malicious activity. It will also prevent employee complacency during an actual attack, ensuring they do not assume it is just another red team operation.

5. Implement forensics and incident response (IR)

Provide your security team with precise, documented plans for detecting, responding to, and minimizing the consequences of cyberattacks (red team or not). Set clear expectations and attack thresholds. Outline what should be done at each IR phase from preparation and detection to analysis, containment, and post-incident recovery.

Use red team “attacks” as opportunities to practice these phases while measuring the breakout or dwell time the “intruder” achieves within the system before discovery or ejection. In addition, implement feedback provided by the CART tool as appropriate.

6. Assess implementation of CART recommendations

To maximize CART efficacy, assign the task of implementing recommendations to specific members of the cybersecurity/blue team. Then, confirm that these parties correctly applied the recommendations. Finally, rerun red teaming procedures to test new additions or modifications for efficacy.

7. Continuously red team

Attack paths, techniques, and vulnerabilities evolve with time. Regular red team activities will ensure your defenses are appropriately strengthened. If red teaming is irregular, misconfigurations and unauthorized persons may have longer dwell times in your system, increasing exposure to full-scale attacks.


Automation and continuous monitoring make red teaming quicker, cost-effective, and more efficient. As a comprehensive full-stack observability platform for modern IT, ManageEngine Site24x7 provides you with reliable, efficient, and advanced capabilities to proactively detect behavioral anomalies in systems, expose attack surfaces/paths, and provide actionable solutions.

Was this article helpful?

Related Articles

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 "Learn" portal. Get paid for your writing.

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 “Learn” portal. Get paid for your writing.

Apply Now
Write For Us