Continuous Automated Red Teaming in CTEM

CART
CART stands for Continuous Automated Red Teaming.
It’s a key component in CTEM (Continuous Threat Exposure Management), which is a proactive cybersecurity strategy focused on continuously identifying and reducing exposure to threats.
CART (Continuous Automated Red Teaming) emulates real-world attacker behavior by using known TTPs (Tactics, Techniques, and Procedures from frameworks like MITRE ATT&CK) to:
- Map Attack Paths – Identify how an adversary could move from initial access to critical assets.
- Identify Choke Points – Detect critical security junctions where multiple attack paths converge.
- Test Control Bypasses – Attempt to evade existing defenses like EDRs, firewalls, or MFA through real attacker techniques.
- Simulate Lateral Movement – Recreate how attackers propagate within the network after gaining initial access.
All of this is done using TTPs aligned with threat frameworks (e.g., MITRE ATT&CK) to ensure simulations are realistic and relevant.
TTPs in CART
CART uses attacker TTPs to simulate realistic attack scenarios that map paths, identify choke points, test control bypasses, and simulate lateral movement — all to reduce real-world exposure.
TTPs are the foundation for how CART performs the four core activities.
Here’s how TTPs fit into each:
| CART Activity | How TTPs Apply |
|---|---|
| Map Attack Paths | Use known techniques (like spearphishing, credential dumping) to simulate initial access and path discovery. |
| Identify Choke Points | See which TTPs succeed or fail at specific junctures, showing where security controls should stop the attacker. |
| Test Control Bypasses | Emulate evasion techniques (e.g., process injection, DLL sideloading, MFA fatigue) to test real-world bypasses. |
| Simulate Lateral Movement | Use lateral techniques (like Pass-the-Hash, WMI, RDP hopping) to check how easily attackers can escalate or pivot. |
CART in CTEM
CART is a key component of CTEM and maps to the CTEM objectives as follows:
- Continuous Threat Simulation – CART constantly simulates real-world attacker behavior. This helps identify vulnerabilities before real attackers do.
- Validation of Security Controls – It tests whether existing security controls (like firewalls, EDRs, SIEM rules) are actually detecting and blocking malicious behavior.
- Exposure Visibility – CART shows you which paths an attacker could realistically use in your environment, helping prioritize remediation based on real risk.
- Automation & Scale – It automates what human red teams do manually, allowing organizations to test security at scale and with high frequency.
- Feedback into CTEM Lifecycle – CART findings directly inform other CTEM components like vulnerability management, attack path analysis, and remediation planning.
Examples of CART Findings
A. Attack Paths
An attack path is a sequence of steps an attacker can take to move through your environment and reach a valuable target (like domain admin credentials, sensitive data, etc.).
Examples
- A low-privileged user has read access to a shared folder.
- That folder contains a script with hardcoded credentials.
- Those credentials allow RDP access to a server.
- That server has a misconfigured service running as SYSTEM.
- The attacker exploits that service to escalate privileges and dump credentials.
- Now the attacker can pivot across the network.
🧨 Why it matters in CART: CART simulates these kinds of paths automatically to show realistic attack chains that an adversary could take. It highlights which path is most dangerous and where to cut it off.
B. Choke Points
A choke point is a critical junction in an attack path where:
- Multiple paths converge, or
- You can detect/block many attacks by securing that single point.
Examples
- All internal admin traffic flows through a central Jump Server.
- This Jump Server logs activity and has strict controls.
- If it’s compromised, an attacker gets broad access.
- If it’s well-secured, many attack paths are automatically broken.
🧨 Why it matters in CART: CART can help identify these high-value points and test their effectiveness — “If I compromise this host, how far can I go?”
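The attack-path and choke-point ideas above can be made concrete with a small graph model: assets are nodes, and each edge is labelled with the TTP that takes an attacker from one asset to the next. The script below is an added illustration written for this article, not code from any CART product; the hostnames, edges and TTP labels are constructed to mirror the examples in sections A and B and do not describe a real network. It enumerates every path from the internet to the domain controller, reports the intermediate assets common to all of them (the choke points), and runs a what-if that removes one asset's edges to show how many paths hardening that asset would cut.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One hop of an attack path: (source asset, destination asset, TTP that gets the
# attacker from source to destination). All values below are constructed for
# illustration only and do not describe any real environment.
Edge = Tuple[str, str, str]
Hop = Tuple[str, str]  # (asset reached, TTP used to reach it)

SAMPLE_EDGES: List[Edge] = [
    ("internet", "laptop", "phishing"),
    ("internet", "legacy-app", "SSO with cached credentials, no MFA"),
    ("laptop", "share", "read access to shared folder"),
    ("share", "app-server", "hardcoded credentials in script -> RDP"),
    ("app-server", "jump-server", "misconfigured SYSTEM service -> credential dump"),
    ("legacy-app", "jump-server", "reused service account"),
    ("jump-server", "file-server", "pass-the-hash"),
    ("jump-server", "domain-controller", "admin credentials"),
    ("file-server", "domain-controller", "admin credentials cached on server"),
]


def build_graph(edges: List[Edge]) -> Dict[str, List[Hop]]:
    """Adjacency list: asset -> [(next asset, TTP)]."""
    graph: Dict[str, List[Hop]] = defaultdict(list)
    for src, dst, ttp in edges:
        graph[src].append((dst, ttp))
    return graph


def find_attack_paths(graph: Dict[str, List[Hop]], start: str, target: str) -> List[List[Hop]]:
    """Enumerate every simple path from start to target with a depth-first search.
    Each path is the list of hops taken after the start asset."""
    paths: List[List[Hop]] = []

    def walk(node: str, visited: Set[str], path: List[Hop]) -> None:
        if node == target:
            paths.append(list(path))
            return
        for nxt, ttp in graph.get(node, []):
            if nxt in visited:          # an asset is used at most once per path
                continue
            visited.add(nxt)
            path.append((nxt, ttp))
            walk(nxt, visited, path)
            path.pop()
            visited.discard(nxt)

    walk(start, {start}, [])
    return paths


def choke_points(paths: List[List[Hop]], start: str, target: str) -> Set[str]:
    """Intermediate assets that appear on every enumerated path: hardening
    one of them breaks all known routes to the target."""
    if not paths:
        return set()
    per_path = [{asset for asset, _ in p} for p in paths]
    return set.intersection(*per_path) - {start, target}


def paths_after_hardening(edges: List[Edge], asset: str, start: str, target: str) -> int:
    """What-if: treat `asset` as unusable by the attacker (all of its edges
    removed) and count the attack paths that survive."""
    remaining = [e for e in edges if asset not in (e[0], e[1])]
    return len(find_attack_paths(build_graph(remaining), start, target))


def shortest_path(paths: List[List[Hop]]) -> List[Hop]:
    """The path with the fewest hops is usually the one to cut first."""
    return min(paths, key=len) if paths else []


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EDGES)
    found = find_attack_paths(graph, "internet", "domain-controller")
    print(f"{len(found)} attack paths from internet to domain-controller")
    for p in found:
        print("  internet -> " + " -> ".join(f"{a} [{t}]" for a, t in p))
    print("choke points:", sorted(choke_points(found, "internet", "domain-controller")))
    for asset in ("jump-server", "file-server", "laptop"):
        n = paths_after_hardening(SAMPLE_EDGES, asset, "internet", "domain-controller")
        print(f"harden {asset}: {n} path(s) remain")
```

On the constructed data the jump server is the only asset every path crosses, so removing its edges leaves no route to the domain controller, while hardening the laptop or the file server each still leaves two paths. A real CART tool populates the edges from observed TTP outcomes rather than a hand-written list, but the prioritisation question it answers is the same one this script answers: which single point, if secured, breaks the most paths.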
C. Control Bypass
A control bypass happens when an attacker finds a way to get around a security control (like MFA, EDR, or firewall rules).
Examples
- MFA is enabled for VPN access.
- But there’s a legacy internal app that doesn’t enforce MFA and allows SSO with cached credentials.
- CART simulates logging into this app and exfiltrating data — bypassing your MFA policy.
🧨 Why it matters in CART: CART tests the effectiveness of your security controls — not just their existence. It simulates how attackers can sneak around them, just like in real attacks.
D. Lateral Movement
Lateral movement is when an attacker moves sideways through a network — from one compromised system to another — in search of higher privileges or valuable assets.
Examples
- Attacker gets access to an employee laptop via phishing.
- They find saved RDP credentials in memory.
- They use those to log into a file server.
- From the file server, they find admin credentials and reach the domain controller.
🧨 Why it matters in CART: Lateral movement is how attackers go from a small initial access to a complete breach. CART simulates this to test your internal segmentation, privilege boundaries, and detection mechanisms.