Organizational post-engagement actions

Common Red Team Performance Metrics

a. Detection Metrics

Mean Time to Detect (MTTD): Time elapsed between adversary action and first detection.
Detection Coverage: Percentage of attack techniques that triggered alerts or logs.
Visibility Gap Analysis: Techniques used but not logged or alerted (mapped to MITRE ATT&CK).

b. Response Metrics

Mean Time to Respond (MTTR): Time between detection and defensive response (containment or remediation).
Escalation Accuracy: Whether SOC/IR teams correctly classified the event as malicious.
Playbook Activation Time: Time required to trigger and execute response procedures.

c. Adversary Simulation Metrics

Initial Access Time: Time required to compromise the first host.
Privilege Escalation Time: Time from initial access to obtaining elevated privileges (e.g., domain admin).
Lateral Movement Depth: Number of systems compromised, domains traversed, or VLANs accessed.
Dwell Time (Simulated): How long the Red Team remained undetected inside the network.

3. Mapping Metrics to Frameworks

Use standardized taxonomies to contextualize metrics:

Framework	Use
MITRE ATT&CK	Track and categorize techniques used/detected
D3FEND	Map detection and mitigation controls to attack stages
TIBER-EU Purple Teaming	Apply metrics to cooperative testing phases and risk validation
DORA Compliance	Provide evidence of capability improvement and incident detection timelines

Map red team findings to widely adopted security frameworks for structured remediation:

Framework	Operational Mapping
NIST 800-53 / CSF	Align findings with control families: AC (Access Control), AU (Audit & Accountability), IR (Incident Response), etc.
ISO 27001	Feed into continuous improvement and risk treatment plans.
CIS Controls v8	Identify missed safeguards (e.g., Control 8 – Audit Log Management, Control 13 – Network Monitoring).
MITRE D3FEND	Suggest technical detection and prevention mechanisms for specific attack techniques.