What to do if caught in a Red Team engagement?


I’ve seen a lot of people talk about how to pentest and how NOT to get caught during engagements but have a hard time finding “How to behave when caught during a Red Team engagement”.

Red Teams are to simulate adversaries attacking systems. Many actions can’t be done (or at least very hard to) with just some computers and Red Teams often have to go on site and break in (legally). What I’ve seen so far is people succeeding in not getting caught. However, I haven’t seen anyone talk about what to do when caught. It may just be some suspicion or even being chased by security (possibly armed).

In cases wear a Red Teamer is caught during an engagement, what should he/she do?

  • Say “I’m a security tester. You’ve caught me so I’ll just leave.”
  • Run away like a criminal with their stolen data (which sounds fun but dangerous) to be more like an actual criminal attacker
  • Contact the employer to report it and get a “just continue” pass
  • Quietly come along for some possible interrogation (I think this would be the safest)