All skills
Skillintermediate

Red Team Adversarial

Adversarial thinking and red teaming for finding weaknesses before adversaries do.

Claude Code Knowledge Pack7/10/2026

Overview

Red Team Adversarial

Adversarial thinking and red teaming for finding weaknesses before adversaries do.

Core Principle

Red teaming asks: "If someone wanted to break, exploit, or game this, how would they do it?" The Fool adopts the mindset of an adversary — not to cause harm, but to find vulnerabilities before real adversaries do. This applies beyond security: competitors, disgruntled users, perverse incentives, and regulatory challenges are all adversarial forces.

Process

  1. Identify the asset — What are you protecting? (system, decision, strategy, product)
  2. Construct adversary personas — Who would attack this and why?
  3. Map attack vectors — How would each persona exploit weaknesses?
  4. Assess impact — Rank by likelihood x impact
  5. Design defenses — Specific countermeasures for the highest-ranked vectors

Adversary Persona Construction

Generic "attackers" produce generic findings. Specific personas produce actionable insights.

Persona Template

FieldDescription
RoleWho is this adversary?
MotivationWhy would they attack?
CapabilityWhat resources and skills do they have?
AccessWhat do they already have access to?
ConstraintsWhat limits them?

Common Adversary Personas

PersonaMotivationTypical Vectors
External AttackerFinancial gain, data theftAPI exploitation, credential stuffing, injection attacks
CompetitorMarket advantageFeature copying, talent poaching, FUD campaigns
Disgruntled InsiderRevenge, financial gainPrivilege escalation, data exfiltration, sabotage
Careless UserNone (accidental)Misconfiguration, weak passwords, sharing credentials
RegulatorCompliance enforcementAudit findings, data handling violations, accessibility gaps
Opportunistic GamerPersonal benefitExploiting loopholes in business logic, referral fraud
ActivistIdeological goalsPublic embarrassment, data leaks, service disruption

Domain-Specific Personas

DomainKey AdversaryFocus
E-commerceFraudsterPayment bypass, coupon abuse, fake returns
SaaSFree-tier abuserRate limit evasion, multi-accounting, resource hoarding
MarketplaceBad-faith sellerFake listings, review manipulation, escrow games
API PlatformScraperRate limit bypass, data harvesting, reverse engineering
Social PlatformTroll/bot farmSpam, manipulation, fake engagement

Attack Vector Identification

By Category

CategoryVectorsExample
TechnicalInjection, auth bypass, race conditions, SSRFSQL injection in search parameter
Business LogicWorkflow bypass, state manipulation, price tamperingApplying expired coupon via API replay
SocialPhishing, pretexting, authority exploitation"I'm the CEO, I need access now"
OperationalSupply chain, dependency poisoning, insider threatCompromised npm package in build pipeline
InformationData leakage, metadata exposure, timing attacksUser enumeration via login error messages
EconomicResource exhaustion, denial of wallet, asymmetric costLambda invocation flood causing $50K bill

Attack Tree Construction

For complex systems, build attack trees to map paths to a goal.

Goal: Steal user payment data
├── Path 1: Compromise the database
│   ├── SQL injection in search endpoint
│   ├── Credential theft from env variables in logs
│   └── Exploit unpatched database CVE
├── Path 2: Intercept in transit
│   ├── Downgrade TLS via misconfigured CDN
│   └── Man-in-the-middle on internal service mesh
└── Path 3: Abuse application logic
    ├── Export feature with insufficient access control
    └── Admin panel with default credentials

Perverse Incentive Detection

Systems create incentives. Sometimes those incentives reward the wrong behavior.

Questions to Surface Perverse Incentives

QuestionWhat It Reveals
"How will people game this?"Loopholes in business logic
"What behavior does this reward that we don't want?"Misaligned incentives
"What's the cheapest way to get the reward without the effort?"Shortcut exploitation
"If we measure X, what Y gets sacrificed?"Goodhart's Law in action
"Who benefits from this failing?"Adversaries with motive

Common Perverse Incentive Patterns

PatternExampleConsequence
Metric gaming"Lines of code" as productivity metricVerbose, unmaintainable code
Reward hackingReferral bonus with no verificationFake accounts for self-referral
Race to the bottom"Fastest response time" as SLATeams avoid taking complex tickets
Cobra effectBounty for reporting bugsTeam introduces bugs to claim bounties
Information asymmetryUsers know more than the systemAdverse selection in marketplace pricing

Competitive Response Analysis

When the "adversary" is a competitor.

ScenarioAnalysis Framework
Feature parityWhat can they copy? How fast? What's our defensible moat?
Price warCan they sustain lower prices? What's their cost structure?
Talent poachingWhich roles are critical? How replaceable? What's our retention advantage?
Platform riskAre we dependent on their platform? What's the switch cost?
FUD campaignWhat claims could they make? Which are hardest to refute?

Output Template

## Red Team Analysis: [Target]

### Asset Under Assessment

[What we're protecting and why it matters]

### Adversary Profiles

#### Adversary 1: [Name/Role]
- **Motivation:** [Why they attack]
- **Capability:** [What they can do]
- **Access:** [What they start with]

#### Adversary 2: [Name/Role]
- **Motivation:** [Why they attack]
- **Capability:** [What they can do]
- **Access:** [What they start with]

### Attack Vectors (Ranked)

| # | Vector | Adversary | Likelihood | Impact | Risk Score |
|---|--------|-----------|-----------|--------|------------|
| 1 | [Specific attack] | [Who] | High/Med/Low | High/Med/Low | [L x I] |
| 2 | [Specific attack] | [Who] | High/Med/Low | High/Med/Low | [L x I] |
| 3 | [Specific attack] | [Who] | High/Med/Low | High/Med/Low | [L x I] |

### Perverse Incentives

| Incentive Created | Unintended Behavior | Severity |
|-------------------|-------------------|----------|
| [What the system rewards] | [How it gets gamed] | High/Med/Low |

### Recommended Defenses

| Attack Vector | Defense | Effort | Priority |
|--------------|---------|--------|----------|
| #1 | [Specific countermeasure] | Low/Med/High | Immediate/Next sprint/Backlog |
| #2 | [Specific countermeasure] | Low/Med/High | Immediate/Next sprint/Backlog |
| #3 | [Specific countermeasure] | Low/Med/High | Immediate/Next sprint/Backlog |