Documentation requirements

Good documentation enables learning and provides evidence of testing.

Pre-engagement

Engagement plan: Objectives, scope, rules of engagement (ROE), timeline, participants, success criteria

Authorisation: Signed permission documents covering every system in scope

Risk assessment: Potential impacts and mitigation plans

Communication plan: Who knows what, and when

During engagement

Red team documentation:

  • Every command executed (timestamped)

  • Tools used and configurations

  • Systems accessed

  • Data accessed or modified

  • Obstacles encountered (what worked, what didn’t)

Blue team documentation:

  • Alerts triggered (or not triggered)

  • Investigation steps taken

  • Response actions executed

  • Communication records

  • Decisions made and reasoning

Purple team documentation:

  • Timeline of events

  • What was supposed to be detected vs. what actually was

  • Gaps identified in real time

  • Questions to explore in debrief

Post-engagement

Technical report: Detailed findings, TTPs used, detection gaps, evidence collected

Executive summary: High-level results, business risk implications, improvement priorities

Lessons learned: What worked, what didn’t, what to change for next time

Action items: Specific improvements with owners and deadlines

Metrics: Detection rates, response times, coverage statistics
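The purple team timeline ("what was supposed to be detected vs. what actually was") and the post-engagement metrics (detection rate, response times) both come out of the same join: the red team's timestamped command log against the blue team's alert log. The following is an added example, not code from the original page; the field names, the ATT&CK-style technique labels, and the sample logs are constructed for illustration.

```python
"""Purple-team timeline and detection metrics (added example, not from the page).

Joins the red team's timestamped action log with the blue team's alert log to
produce the "expected vs. actual" timeline rows and derive the post-engagement
metrics. Field names and technique IDs are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class RedAction:
    ts: datetime              # when the command was executed (red team log)
    host: str                 # system accessed
    technique: str            # technique label (assumed ATT&CK-style convention)
    command: str              # command as run
    expected_detection: bool  # from the engagement plan: should a rule fire?


@dataclass
class BlueAlert:
    ts: datetime              # when the alert fired
    host: str
    technique: str            # technique the detection rule is mapped to
    rule: str
    responded_at: Optional[datetime] = None  # when an analyst acted, if at all


def build_timeline(actions, alerts, window=timedelta(minutes=30)):
    """One row per red action: which alert (if any) covered it and how long it took.

    An alert matches an action when it fired on the same host, is mapped to the
    same technique, and fired within `window` after the action. Each alert is
    consumed at most once so a single noisy rule cannot "cover" several actions.
    """
    unused = sorted(alerts, key=lambda a: a.ts)
    rows = []
    for act in sorted(actions, key=lambda a: a.ts):
        hit = next((al for al in unused
                    if al.host == act.host and al.technique == act.technique
                    and act.ts <= al.ts <= act.ts + window), None)
        if hit is not None:
            unused.remove(hit)
        rows.append({
            "ts": act.ts,
            "host": act.host,
            "technique": act.technique,
            "command": act.command,
            "expected": act.expected_detection,
            "detected": hit is not None,
            "rule": hit.rule if hit else None,
            # time to detect: action -> alert; time to respond: alert -> analyst action
            "ttd_s": (hit.ts - act.ts).total_seconds() if hit else None,
            "ttr_s": ((hit.responded_at - hit.ts).total_seconds()
                      if hit and hit.responded_at else None),
        })
    return rows


def metrics(rows):
    """Detection rate over planned detections, the gap list, and timing stats."""
    expected = [r for r in rows if r["expected"]]
    detected_expected = [r for r in expected if r["detected"]]
    ttds = [r["ttd_s"] for r in rows if r["ttd_s"] is not None]
    ttrs = [r["ttr_s"] for r in rows if r["ttr_s"] is not None]
    return {
        "detection_rate": len(detected_expected) / len(expected) if expected else None,
        "gaps": [r["technique"] for r in expected if not r["detected"]],
        "unplanned_detections": [r["technique"] for r in rows
                                 if r["detected"] and not r["expected"]],
        "unresponded": [r["rule"] for r in rows if r["detected"] and r["ttr_s"] is None],
        "mean_ttd_s": mean(ttds) if ttds else None,
        "mean_ttr_s": mean(ttrs) if ttrs else None,
    }


def _t(hhmmss):
    """Helper for the constructed sample below (single engagement day)."""
    return datetime.fromisoformat("2024-03-12T" + hhmmss)


# Constructed sample logs for a short engagement (not real data).
SAMPLE_ACTIONS = [
    RedAction(_t("09:00:00"), "WS01", "T1059.001", "powershell -enc ...", True),
    RedAction(_t("09:05:00"), "WS01", "T1003.001", "procdump -ma lsass.exe", True),
    RedAction(_t("09:20:00"), "SRV01", "T1021.002", "net use \\\\SRV01\\C$", True),
    RedAction(_t("09:30:00"), "SRV01", "T1082", "systeminfo", False),
]
SAMPLE_ALERTS = [
    BlueAlert(_t("09:02:30"), "WS01", "T1059.001", "PS-Encoded-Cmd", _t("09:12:00")),
    BlueAlert(_t("09:21:10"), "SRV01", "T1021.002", "Lateral-SMB"),
    BlueAlert(_t("09:31:00"), "SRV01", "T1082", "Recon-Systeminfo", _t("09:40:00")),
]


def run_sample():
    rows = build_timeline(SAMPLE_ACTIONS, SAMPLE_ALERTS)
    return rows, metrics(rows)


if __name__ == "__main__":
    rows, m = run_sample()
    for r in rows:
        status = "DETECTED" if r["detected"] else ("MISSED" if r["expected"] else "not planned")
        print(f'{r["ts"]:%H:%M:%S} {r["host"]:5} {r["technique"]:9} {status:11} {r["rule"] or "-"}')
    print(m)
```

Run as written, the timeline shows the credential-dump action as the one planned detection that was missed (the debrief question), the lateral-movement alert that fired but was never actioned (a response gap rather than a detection gap), and the recon alert that fired without being planned for. The detection rate is computed only over actions the plan expected to be caught, so unplanned detections do not inflate it; they are reported separately.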