Red Team Operator


EmployVision
Job Details
Skills
- Red team
- C2 frameworks
Summary
Title: XFR Red Team Operator
The Adversary Simulation Operator is a senior technical role on the IBM X-Force Red Adversary Simulation team. You will lead long-term, threat-led operations against high-end clients, emulating sophisticated adversaries across enterprise, cloud, and AI-enabled environments. Engagement types include full adversary simulation, purple team, managed red team, and regulated threat-led testing (TIBER-EU, DORA TLPT, CBEST).
This is a senior contributor role. You will lead operations, develop tradecraft, mentor junior operators, and produce research that informs both our service offerings and the broader community.
The role can be performed from anywhere in the US.
Core Responsibilities
• Lead full adversary simulation engagements from threat modeling and scoping through execution, reporting, and client debrief
• Plan and execute multi-phase operations emulating real-world adversary TTPs across initial access, post-exploitation, lateral movement, persistence, and objective completion
• Develop and refine offensive tradecraft, including custom payloads, tooling, C2 profiles, and evasion techniques against modern EDR and XDR stacks
• Engineer and operate resilient attack infrastructure with strong OPSEC discipline
• Coordinate with fellow operators on complex multi-stage operations and act as engagement lead when required
• Deliver high-quality reporting and technical debriefs that materially improve client detection and response capability
• Mentor junior operators on tradecraft, OPSEC, and engagement craft
• Produce original offensive security research (blogs, talks, tools, CVEs) that strengthens the practice and contributes back to the community
• Engage with clients as a senior technical authority through scoping, execution, and remediation phases
Required Professional and Technical Expertise
• 5+ years in a dedicated adversary simulation/red team
• 8+ years total experience across security, systems, networking, or software development
• Demonstrated ability to develop and modify offensive tooling, payloads, and exploits to evade modern defensive controls
• Deep working knowledge of real-world adversary TTPs and the ability to translate threat intelligence into emulation plans (MITRE ATT&CK, threat actor profiles, intelligence reporting)
• Strong command of Active Directory, Entra ID, and enterprise identity attack paths
• Experience operating modern C2 frameworks at a senior level (Cobalt Strike, Mythic, Sliver, Brute Ratel, or comparable), including infrastructure design and malleable profile development
• Demonstrated history of published offensive security research (blogs, talks, tools, or CVEs)
• Strong technical writing skills with the ability to produce reporting suitable for both executive and engineering audiences
• Experience leading or coordinating engagements with multiple operators
• Strong communication skills and the ability to operate as a senior technical voice with client stakeholders
• Windows internals depth, including Win32 APIs, kernel concepts, and AV/EDR evasion mechanics
Preferred Professional and Technical Expertise
• Relevant certifications such as OSCP, OSEP, OSED, SANS GXPN or GREM, CRTO, CRTL, CREST CCSAS or CCSAM, or clearly demonstrable equivalent capability
• Experience delivering regulated threat-led engagements (TIBER-EU, DORA TLPT, CBEST, iCAST, or similar)
• Demonstrated ability to write OPSEC-focused tooling and capabilities in published code repositories
• Track record of presenting at recognized security conferences (DEF CON, Black Hat, Troopers, OffensiveCon, x33fcon, RingZer0, or comparable)
• Deep cloud red team experience across AWS, Azure, or Google Cloud Platform, including identity attack paths and cloud-native control evasion
• Experience targeting AI and ML systems, including prompt injection chaining, agent abuse, MCP exploitation, RAG poisoning, and AI infrastructure compromise
• Experience building or extending C2 frameworks, attack platforms, or red team automation tooling
• Detection engineering perspective with the ability to translate offensive findings into actionable detection logic
• Prior senior consulting experience at a recognized offensive security practice
- Dice Id: 10236683
- Position Id: 8985807
- Posted 4 hours ago
Company Info
About EmployVision
EmployVision meets the needs of its clients, including small and medium size enterprises in all major industry sectors, as well as the world's largest multinational corporations. Our broad-based experience in recruiting and an in-depth understanding of the workforce trends helps drive performance.
We combine our unique expertise and knowledge with a commitment to service excellence to deliver optimal workforce solutions that exceed expectations and integrate seamlessly within any organization.