For in-house red teams
who run offensive operations against their own org
Run continuous adversary simulation, assumed-breach exercises, and full-scope red team operations from one workspace. Track engagements, log technique findings against MITRE ATT&CK, retest closed paths, and produce reports leadership and risk committees can actually read.
No credit card required. Free plan available forever.
A platform built around the in-house red team programme
In-house red teams run offensive operations against their own organisation as a continuous programme rather than as a series of disconnected projects. The work spans assumed-breach exercises, scenario-based engagements, full-scope engagements, purple-team collaboration with the SOC, and the leadership reporting that ties offensive results back to risk decisions. Most teams end up running this programme across a notes app, a screenshot folder, a spreadsheet of techniques, a separate document for the rules of engagement, and a series of Slack threads with the blue team that age out before the next operation kicks off.
SecPortal gives in-house red teams one workspace for engagements, technique findings, evidence, retests, and leadership reporting. Findings carry CVSS scores from the moment they are opened, ATT&CK mapping is part of the workflow, the SOC and detection engineering see the same shared record on purple-team operations, and AI assists the reporting work that sits on top. Whether the team is two operators inside a Series B product company or a dedicated red team supporting a global enterprise, the platform scales without adding administrative overhead.
Capabilities the in-house red team actually uses
Engagement records that persist
Each operation lives as an engagement record with scope, rules of engagement, operators, dates, and findings attached. The record persists after the engagement closes, so the next operation builds on documented exposure history rather than starting from a blank page.
Technique findings with ATT&CK context
Log findings with CVSS 3.1 vectors, severity, evidence, and the technique used to reach them. Map results against the MITRE ATT&CK framework so leadership and detection engineering see what was exercised, what worked, and what got caught.
Evidence on the same record
Screenshots, request and response captures, payloads, and beacon artefacts attach to the finding they prove. The post-operation evidence pack is the engagement record itself, not a folder of disconnected files the next reviewer has to rebuild context against.
Retests paired to the original finding
When the blue team or platform engineering closes an attack path, the retest pairs to the same finding rather than opening a new record. The aging clock keeps running on the original capture date, and the verification evidence sits with the original report.
AI-assisted leadership reporting
Generate executive summaries, narrative engagement writeups, and remediation roadmaps from the live engagement record. Operators stop spending the post-operation week in a document editor producing the same five views by hand.
Role-based access for purple-team partners
Scope SOC analysts, detection engineers, and platform owners to the engagements they belong on. Team leads keep cross-programme visibility, individual operators get their assigned operations, and partners outside the red team see only the records they need.
How the programme runs inside SecPortal
An in-house red team is most effective when one operating picture covers offensive results, detection coverage, and remediation closure. SecPortal supports the full programme rather than a single phase of it.
- Tag findings by tactic and technique using the same MITRE ATT&CK reference the SOC uses, so coverage drift across operations is visible rather than implicit.
- Bring assumed-breach, full-scope, and scenario-based engagements into one workspace, with a per-engagement scope record that the rules of engagement template fills out at kickoff.
- Coordinate with the SOC and detection engineering inside the same shared finding record, so the gap from technique fired to detection written is documented rather than reconstructed in a debrief.
- Track every attack path through open, in-progress, fix-pending, retest-pending, verified-closed states with a date and actor on each transition for the audit trail.
- Roll engagement records forward year over year against the same internal target, so prior findings, prior detections, and prior closure status carry as planning context for the next operation.
- Run scheduled external scans and authenticated scans alongside manual operations, so the picture between point-in-time engagements stays current rather than ageing out.
From operation kickoff to verified close, in one record
The leverage in red team operations is the durability of the record after the engagement closes. SecPortal runs a single operation flow that the next engagement can build against.
1. Open the engagement with scope, rules of engagement, operators, communication channels, and abort criteria stamped against the record. The rules-of-engagement template populates the standard sections; the engagement record holds the bespoke ones.
2. Log findings with technique, CVSS vector, severity, evidence, and remediation guidance as the operation runs. Each finding lands on the same record the engagement lives on, not in a parallel notes file.
3. Coordinate with the SOC and detection engineering through shared finding records when the operation is purple-team rather than red-team. Detections written, alerts fired, and gaps captured all sit on the same finding the technique was logged against.
4. Run a retest after remediation, attach the verification evidence to the same finding, and either close it, with the actor of the status change recorded automatically, or revert it to open with regression notes captured in place.
Where in-house red teams typically start
Most teams adopt the platform in three phases: bring the active engagement record under one workspace, layer in technique findings against ATT&CK with evidence attached, then consolidate purple-team coordination, retests, and leadership reporting onto the same record. The relevant capability and workflow pages explain each phase in detail.
- The core offensive workflow lives in the red teaming use case, the assumed-adversary simulation pattern is covered in the threat-led penetration testing use case, and the SOC-collaboration model is on the purple teaming use case.
- Technique mapping and ATT&CK coverage tracking are covered on the MITRE ATT&CK framework page, with regulator-led adversary simulation context on the TIBER-EU framework page and the CBEST framework page.
- Engagement records, scope, rules of engagement, and operator assignment live in the engagement management feature, while the underlying findings model with CVSS scoring and evidence sits in the findings management feature.
- The retest workflow that pairs verification to the original finding is covered in the retesting use case, with the underlying economics and audit expectations laid out in the pentest retest economics research.
- Continuous operations between point-in-time engagements are covered in the continuous penetration testing use case, and the rules of engagement template that populates the standard scope sections is the rules of engagement template tool.
SecPortal is built for in-house red teams that want one platform for the whole programme: live engagements, technique findings, evidence, retests, purple-team coordination, and the reporting on top. The SOC gets a clearer signal, leadership gets faster reports, and the red team gets back the hours that used to disappear into post-operation document production.
If your function is closer to defensive operations than offensive operations, the sister page SecPortal for internal security teams covers the same workspace from the defensive angle. If you run an external red team consultancy that delivers operations to client organisations, the SecPortal for cybersecurity firms page covers the multi-client delivery model.
For broader context on how red team programmes connect to remediation tracking, the remediation tracking use case and the aging pentest findings research cover what happens after the offensive operation hands its findings to the engineering owners.
The problems you face
And how SecPortal solves each one.
Red team findings live in Markdown notes, screenshots, and the lead operator's drive
One findings database with CVSS 3.1 vectors, severity, evidence, technique mapping, and remediation guidance. Every operation contributes to a durable record rather than a one-off PDF.
Each engagement starts from scratch instead of building on prior exposure history
Engagement records roll forward year over year against the same internal target. Prior findings, prior detections, and prior closure status carry as historical context the next operation can plan against.
Reporting to leadership and risk committees takes weeks per engagement
AI generates executive summaries, technique writeups, and remediation roadmaps from the live engagement record. Operators stop spending the post-engagement week in a document editor.
Coordination with the SOC and detection engineering happens in Slack threads that age out
Shared engagement records mean the offensive operator and the SOC analyst see the same finding, the same technique, and the same evidence at the same time. Purple-team workflows are part of the same workspace, not a separate tool.
Retests of closed attack paths get skipped because the bookkeeping is hard
Retests pair to the original finding rather than opening new records. Verification evidence attaches to the same audit trail, so closure is durable and reproducible months later when the question gets revisited.
Operators outside the red team need scoped access to specific engagements without seeing everything
Role-based access control scopes operators, tooling owners, and SOC partners to the engagements they belong on. Team leads keep visibility across the full programme without exposing every active operation.
Key features for you
Run the red team programme as records, not as binders
Engagements, technique findings, evidence, retests, and leadership reporting on one workspace. Free plan available.