What does your work look like as a Red Team Consultant?

Why Write This Article?

The target audience of this blog is people on LinkedIn interested in pursuing a red teaming career at Mandiant.

Preface: I am always happy to connect with folks and talk about the state of the Cybersecurity industry, my work, and how Mandiant / Google Cloud works with our customers. At the same time, I love learning something new about other companies and roles—there seem to be an infinite number of interesting people working on engaging projects, which I want to hear about!

Additional preface: The opinions in this article are my own and not those of my employer.

While I accept the majority of LinkedIn invites I receive, I am perplexed by how few people reach out after connecting. I usually send a message back asking if we have met before, to spark a conversation and hopefully learn something new!

In the last few months, I have been getting, on average, more than one LinkedIn message per week asking an AI-generated variant of the following question:

“What does your work look like as a Red Team Consultant at [Mandiant / Google]?”

This is a question I am happy to answer, but I find it very time-consuming to reply to all of these messages over LinkedIn—especially when someone’s message has been “personalized” into a three-paragraph, AI-generated, formal request by copy-pasting my LinkedIn header into a generative AI tool.

While the answer to this question may be useful to someone wanting more information on a career in red teaming, I usually find it is sent as an icebreaker instead—no shame in that. When I was a student actively searching for full-time roles, I was in a similar position, and can empathize with the effort it takes to cold-message people online.

As a result, I decided to write this short blog to explain what I do, and give some advice on how to reach out. If you are reading this as a college student to be proactive about applying to a role, props to you—the research efforts mean a lot.

Answering the Question

Our projects are generally measured in weeks. Some projects last a week; others go on for months. In a mid-level individual contributor role, there are few meetings (1-4 hours/week) you are required to attend.

We are expected to have a base-level understanding of all offensive security services offered, and work towards expertise in certain areas. Every consultant is expected to author and deliver a high-quality report following the completion of an engagement. Bonus points if you have the time to update our internal methodologies or processes along the way.

Given the variety of work we perform, it is rare for engagements to feel repetitive until you reach a year of experience. Along those lines, there is rarely a typical day as a consultant—which is why I enjoy the job so much.

The following is a (mostly accurate) breakdown of a week I recently experienced. I had a few days to assist with the social engineering portion of a red team, and spent the remaining time improving our internal methodologies and preparing for upcoming engagements. This may not be as interesting as you, the reader, hope.

Monday:

  • Prepare C2 infrastructure for an upcoming engagement.
  • Review reports submitted by more junior consultants.
  • Make internal updates to our methodologies and coordinate ideas with our sales team.

Tuesday:

  • Sync with a colleague on updates for a course I will be teaching in a few weeks.
  • Conduct in-depth research on targets for social engineering.
  • Research SCCM-related attacks.

Wednesday:

  • Continue researching targets for social engineering.
  • Successfully voice phish (“vish”) a target and obtain access to a client’s Entra ID employee database.
  • Begin working on status update documents.

Thursday:

  • Host a kickoff call for an engagement beginning next week.
  • Continue research for additional social engineering attacks.
  • Assist with payload development preparations.
  • Perform administrative tasks related to laptop migrations.
  • Confirm travel plans for an upcoming engagement; make contingency plans around weather and other unpredictable issues.

Friday:

  • Conduct additional vishing calls, which take more time than the average person expects.
  • Gain persistent access to a client’s environment through vishing.
  • Mentor a new employee on vishing methodology while performing reconnaissance.
  • Attend our team’s weekly meeting to discuss interesting testing results and tools.

Advice on Reaching Out

If you found this blog on your own, I would love to hear about how and why. Regardless, here is some advice on reaching out on LinkedIn to (sometimes) busy red teamers:

  • Personalize your message beyond a title and role
  • Remove as much AI fluff as possible
  • Make it as easy as possible to coordinate a call or video chat

Personally, I prefer a 15-minute phone call when it is for networking or general interest purposes, but I understand messaging may be preferable in certain situations. Reach out, as I would be happy to learn more about your background—like I mentioned earlier, there are so many interesting people doing incredible things, I would enjoy hearing about them as well!