{"kind":"Skill","metadata":{"namespace":"community","name":"thinking-red-team","version":"0.1.0"},"spec":{"description":"Deliberately attack your own plans, systems, and assumptions to find weaknesses before adversaries or reality does. Use for security review, architecture validation, plan stress-testing, and pre-launch preparation.","files":{"SKILL.md":"---\nname: thinking-red-team\ndescription: Deliberately attack your own plans, systems, and assumptions to find weaknesses before adversaries or reality does. Use for security review, architecture validation, plan stress-testing, and pre-launch preparation.\n---\n\n# Red Team Thinking\n\n## Overview\n\nRed teaming, borrowed from military and security practice, involves deliberately attacking your own plans, systems, or ideas to find weaknesses. A dedicated \"red team\" assumes an adversarial role, trying to defeat the \"blue team's\" defenses. This reveals vulnerabilities that defenders' blind spots hide.\n\n**Core Principle:** Attack yourself before others do. The best defense is knowing your weaknesses.\n\n## When to Use\n\n- Security architecture review\n- Pre-launch preparation\n- Validating critical decisions\n- Stress-testing plans and assumptions\n- Disaster preparedness\n- Competitive strategy\n- Code and system review\n\nDecision flow:\n\n```\nBuilding or planning something important?\n  → Have you tried to break it? → no → RED TEAM IT\n  → Are you confident in your defenses? → yes → RED TEAM YOUR CONFIDENCE\n  → Has an adversary tested you? → no → BE YOUR OWN ADVERSARY\n```\n\n## The Red Team Process\n\n### Step 1: Define the Target\n\nWhat are you attacking?\n\n```markdown\n## Red Team Target\n\nSystem: User authentication system\nScope:\n- Login flow\n- Password reset\n- Session management\n- API authentication\n\nOut of scope:\n- Physical security\n- Social engineering of employees\n- Third-party services\n\nGoal: Find vulnerabilities that could lead to:\n- Unauthorized account access\n- Session hijacking\n- Privilege escalation\n```\n\n### Step 2: Adopt Adversary Mindset\n\nThink like an attacker:\n\n```markdown\n## Adversary Profile\n\nWho would attack this?\n- Script kiddies: Automated scanning, known exploits\n- Sophisticated attackers: Custom exploits, patience\n- Insiders: Already have some access\n- Competitors: Want data or disruption\n\nAttacker motivations:\n- Financial gain (steal data, ransom)\n- Disruption (take down service)\n- Credential harvesting (sell on dark web)\n- Competitive advantage (steal IP)\n\nWhat would I do if I were them?\n```\n\n### Step 3: Enumerate Attack Surfaces\n\nWhere can attacks happen?\n\n```markdown\n## Attack Surface Enumeration\n\nEntry points:\n| Surface | Exposure | Attacker Access |\n|---------|----------|-----------------|\n| Login form | Public | Anyone |\n| API endpoints | Public | Anyone with API key |\n| Password reset | Public | Anyone with email |\n| Admin panel | Internal network | Employees |\n| Database | No direct access | Only if compromised |\n\nTrust boundaries:\n- Public internet → Web server\n- Web server → Application\n- Application → Database\n- User → Authenticated user\n- User → Admin\n```\n\n### Step 4: Execute Attack Scenarios\n\nSystematically try to break things:\n\n```markdown\n## Attack Scenario 1: Credential Stuffing\n\nAttack: Try known breached credentials against login\nGoal: Compromise accounts with reused passwords\n\nExecution:\n1. Obtain breach database (simulated)\n2. Run credentials against login endpoint\n3. Document rate limiting behavior\n4. Test account lockout triggers\n5. Attempt bypass techniques\n\nFindings:\n- Rate limiting triggers at 10 attempts/minute\n- No account lockout\n- No breach credential detection\n- Login response time reveals valid usernames\n```\n\n```markdown\n## Attack Scenario 2: Session Hijacking\n\nAttack: Steal or forge session tokens\nGoal: Access accounts without credentials\n\nExecution:\n1. Analyze session token structure\n2. Test token entropy\n3. Attempt token prediction\n4. Test XSS vectors for token theft\n5. Check secure cookie flags\n\nFindings:\n- Session tokens use secure random\n- Cookies missing HttpOnly flag ←VULNERABILITY\n- No session binding to IP\n- Tokens don't expire on password change\n```\n\n### Step 5: Attempt Bypass\n\nFor each defense, try to bypass it:\n\n```markdown\n## Defense Bypass Attempts\n\nDefense: Rate limiting on login\nBypass attempts:\n| Attempt | Result |\n|---------|--------|\n| Distribute across IPs | BYPASSED - no IP correlation |\n| Vary username slowly | Works - only per-IP limit |\n| Use different user agents | No effect |\n| Target password reset instead | BYPASSED - no rate limit |\n\nConclusion: Rate limiting is per-IP only, easily distributed\n            Password reset has no rate limiting\n```\n\n### Step 6: Document Findings\n\nCreate an actionable report:\n\n```markdown\n## Red Team Findings Report\n\n### Critical Vulnerabilities\n\n#### CRIT-1: Password Reset No Rate Limit\nSeverity: Critical\nAttack: Brute force password reset tokens\nImpact: Mass account compromise\nRemediation: Add rate limiting to password reset\nTimeline: Immediate\n\n#### CRIT-2: Session Tokens Vulnerable to XSS\nSeverity: Critical\nAttack: Inject XSS, steal session cookies\nImpact: Account takeover\nRemediation: Add HttpOnly flag to session cookies\nTimeline: Immediate\n\n### High Vulnerabilities\n\n#### HIGH-1: Rate Limiting Easily Bypassed\nSeverity: High\nAttack: Distributed credential stuffing\nImpact: Account compromise at scale\nRemediation: Add account-level rate limiting\nTimeline: 1 week\n\n### Medium Vulnerabilities\n\n#### MED-1: Username Enumeration via Timing\nSeverity: Medium\nAttack: Determine valid usernames\nImpact: Enables targeted attacks\nRemediation: Constant-time response for login\nTimeline: 2 weeks\n```\n\n## Red Team Patterns\n\n### Security Red Team\n\n```markdown\n## Security Red Team Checklist\n\nAuthentication:\n- [ ] Credential stuffing\n- [ ] Brute force attacks\n- [ ] Session hijacking\n- [ ] Token prediction\n- [ ] Password reset flaws\n\nAuthorization:\n- [ ] Privilege escalation\n- [ ] IDOR (insecure direct object reference)\n- [ ] Missing function-level access control\n- [ ] JWT manipulation\n\nInput validation:\n- [ ] SQL injection\n- [ ] XSS (stored, reflected, DOM)\n- [ ] Command injection\n- [ ] Path traversal\n\nBusiness logic:\n- [ ] Race conditions\n- [ ] State manipulation\n- [ ] Price manipulation\n- [ ] Workflow bypass\n```\n\n### Plan Red Team\n\n```markdown\n## Plan Red Team: Product Launch\n\nRed team the launch plan:\n\nWhat could go wrong?\n| Failure Mode | Attack Vector | Mitigation |\n|--------------|---------------|------------|\n| Traffic spike | Product goes viral | Auto-scaling, load test |\n| PR disaster | Journalist finds bug | Bug bash before launch |\n| Payment failure | Provider outage | Backup payment provider |\n| Support overwhelmed | Many questions | FAQ, chatbot, staff up |\n\nAssumptions to challenge:\n| Assumption | What if wrong? | How to verify? |\n|------------|----------------|----------------|\n| Users will understand new UI | Confusion, support tickets | User testing |\n| Infrastructure handles 10x | Crashes | Load testing |\n| Marketing will drive traffic | No signups | Organic channel backup |\n```\n\n### Architecture Red Team\n\n```markdown\n## Architecture Red Team: Microservices Migration\n\nAttack the architecture:\n\nSingle points of failure:\n- API Gateway - if down, everything down\n- Auth service - if down, no logins\n- Message queue - if down, async breaks\n\nCascade failures:\n- Service A times out → retries → overwhelms B → cascade\n- Database connection exhaustion → app servers stuck → timeout cascade\n\nData consistency attacks:\n- Eventual consistency window exploits\n- Distributed transaction rollback states\n- Cache invalidation race conditions\n\nFindings:\n1. No circuit breakers between services\n2. Shared database = coupled failure domains\n3. No chaos engineering to verify resilience\n```\n\n### Decision Red Team\n\n```markdown\n## Decision Red Team: Technology Choice\n\nDecision: Adopt Kubernetes for container orchestration\n\nRed team the decision:\n\nArguments AGAINST:\n- Operational complexity high for small team\n- Learning curve delays delivery 3-6 months\n- Could use simpler solutions (ECS, docker-compose)\n- Over-engineering for current scale\n\nCounter-arguments:\n- Scale projections justify complexity\n- Team wants to learn K8s anyway\n- Platform engineering investment pays off\n\nRed team verdict:\nThe learning curve argument is strongest.\nConsider: Managed K8s (EKS/GKE) to reduce ops burden\n         Start with single namespace, expand gradually\n```\n\n## Red Team Template\n\n```markdown\n# Red Team Report: [Target]\n\n## Scope\nTarget: [What's being red teamed]\nIn scope: [What to attack]\nOut of scope: [What to skip]\nGoal: [What constitutes a successful attack]\n\n## Adversary Model\nWho: [Who would attack this]\nCapabilities: [What they can do]\nMotivation: [Why they'd attack]\n\n## Attack Surface\n| Surface | Exposure | Notes |\n|---------|----------|-------|\n| | | |\n\n## Attack Scenarios Executed\n| Scenario | Result | Severity |\n|----------|--------|----------|\n| | | |\n\n## Findings\n\n### Critical\n[Findings requiring immediate action]\n\n### High\n[Findings requiring near-term action]\n\n### Medium\n[Findings for backlog]\n\n### Low\n[Informational findings]\n\n## Recommendations\n| Finding | Remediation | Priority | Effort |\n|---------|-------------|----------|--------|\n| | | | |\n\n## Lessons Learned\n[What did the red team reveal about blind spots?]\n```\n\n## Verification Checklist\n\n- [ ] Defined clear scope and adversary model\n- [ ] Adopted genuine adversary mindset\n- [ ] Enumerated attack surfaces\n- [ ] Executed multiple attack scenarios\n- [ ] Attempted to bypass defenses\n- [ ] Documented findings with severity\n- [ ] Provided actionable remediation\n- [ ] Updated defenses based on findings\n\n## Key Questions\n\n- \"How would an attacker approach this?\"\n- \"What assumptions am I making that an attacker wouldn't?\"\n- \"What's the weakest point in this system?\"\n- \"If I wanted to cause maximum damage, how would I?\"\n- \"What am I confident about that I haven't actually tested?\"\n- \"What would I find embarrassing if an attacker found it first?\"\n\n## Sun Tzu's Wisdom (Applied)\n\n\"If you know the enemy and know yourself, you need not fear the result of a hundred battles.\"\n\nRed teaming is knowing yourself as the enemy would. You find your weaknesses before they do. You attack your confidence before it betrays you. The purpose isn't pessimism—it's preparation.\n"},"import":{"commit_sha":"a31e22d4445ad8fef7cd771d32af537aebb68c49","imported_at":"2026-05-22T21:14:39Z","license_text":"MIT License\n\nCopyright (c) 2025 TJ Boudreaux\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n","owner":"tjboudreaux","repo":"tjboudreaux/cc-thinking-skills","source_url":"https://github.com/tjboudreaux/cc-thinking-skills/tree/a31e22d4445ad8fef7cd771d32af537aebb68c49/skills/thinking-red-team"}},"content_hash":[128,24,43,190,239,29,216,113,184,162,21,34,23,169,152,225,89,45,151,80,92,19,131,37,134,108,242,13,59,46,6,102],"trust_level":"unsigned","yanked":false}