Red teaming is meant to be realistic. But when does realism become too much?

The objective of a Red Team Assessment is to simulate a realistic cyber attack under real-world conditions - just as a motivated external attacker (threat actor) would. The primary goal is to evaluate an organization’s detection capabilities, response processes, and overall cyber resilience. How effectively is an attack detected? Which vulnerabilities can be exploited? How does the organization respond? Which technical and organizational security controls work as intended - and which ones fail?

But what happens if the simulation goes too far? What if the Red Team deliberately decides to take systems offline by launching a Distributed Denial-of-Service (DDoS) attack?

This article explores a theoretical question: Does it make sense - or is it even justifiable - to include DDoS attacks as part of a Red Team Assessment? And if so, under which conditions?

1. What Is a DDoS Attack?

A Distributed Denial-of-Service (DDoS) attack aims to deliberately disrupt the availability of systems, services, or infrastructure - typically by generating massive volumes of automated requests against web servers, applications, or APIs. These attacks are usually launched from botnets or rented cloud infrastructure, creating sufficient traffic to overwhelm network capacity or exhaust system resources such as CPU or connection tables.

CERTAINITY performs DDoS simulations as part of controlled stress tests. Together with our technology partners, we simulate realistic botnet activity and conduct tests at both the network layer (Layer 3 and Layer 4) and the application layer (Layer 7). Every engagement is carefully planned and executed with a clearly defined objective. In most cases, the goal is to validate or optimize existing DDoS protection mechanisms. This includes evaluating the behavior of individual system components as well as upstream protection services provided by internet service providers or specialized mitigation vendors under realistic attack conditions. In addition to validating technical controls, these stress tests can also serve as evidence of compliance with regulatory requirements such as NIS2, DORA, or similar frameworks.

Within Red Team Assessments, however, DDoS attacks are typically excluded or subject to strict limitations. Their disruptive nature makes the potential impact difficult to predict, and their objectives rarely align with the primary goals of a Red Team engagement.

2. Red Team Assessments

A Red Team Assessment is far more than a traditional penetration test. Its objective is to attack an organization as realistically as possible from the perspective of a motivated external threat actor. Rather than focusing on individual vulnerabilities, the assessment evaluates the complete attack chain - from the initial compromise, through lateral movement within the environment, to achieving the attack objective, such as privileged access to critical systems or sensitive information.

Red Team Assessments are designed to evaluate an organization’s ability to detect, respond to, and contain targeted cyber attacks - both from a technical and an organizational perspective.

The assessment is governed by clearly defined Rules of Engagement, which typically include:

  1. No physical damage and no risk to human safety.
  2. No disruption of business operations.
  3. No intentional impact on service availability - particularly through DoS or DDoS attacks.

These rules ensure that Red Team Assessments generate valuable insights without putting day-to-day business operations at risk. The objective is to challenge the organization and uncover weaknesses - not to cause disruption.

A typical Red Team Assessment involves three distinct roles:

  1. The Red Team acts as the attacker and conducts the simulated attack.
  2. The Blue Team is the customer’s defensive security team - ideally without prior knowledge of the assessment.
  3. The White Team oversees the engagement, ensuring coordination, safety, and compliance with the agreed Rules of Engagement, while intervening if necessary.

3. DDoS in Red Teaming - A Theoretical Thought Experiment

Targeted DDoS attacks are by no means uncommon in the real world. The following examples illustrate the potential impact such attacks can have:

  1. Cloudflare (May 2025):
    Cloudflare successfully mitigated the largest publicly known DDoS attack to date. During just 45 seconds, attackers directed 37.4 terabytes of traffic at a single IP address. The attack peaked at 7.3 terabits per second (Tbps) and combined multiple techniques, including UDP floods as well as reflection and amplification attacks.
    → Source: Golem.de - Cloudflare blocks record-breaking DDoS attack

  2. Truth Social (June 2025):
    Following Donald Trump’s announcement of a U.S. military operation targeting Iranian nuclear facilities, his social media platform Truth Social became the target of a politically motivated DDoS attack. The pro-Iranian hacker group Team 313 claimed responsibility. The attack temporarily rendered the platform unavailable.
    → Source: IT-Daily - Iranian hackers take down Truth Social

These examples illustrate that DDoS attacks are an effective weapon used by real-world threat actors - whether to create a diversion, destabilize operations, extort victims, or deliberately disrupt critical services.

Beyond their use for extortion, DDoS attacks can also serve strategic purposes. They can distract security teams, overwhelm monitoring systems, or deliberately trigger incident response procedures. Such distractions may provide attackers with an opportunity to carry out the actual intrusion unnoticed or exfiltrate large amounts of data while defenders are focused elsewhere. In some cases, the pressure of an ongoing DDoS attack may even lead organizations to temporarily disable or weaken security controls such as XDR platforms as part of emergency response measures - creating an opportunity that sophisticated attackers could deliberately exploit.

Within the context of a Red Team Assessment, deliberately launching a DDoS attack would certainly push the traditional boundaries of the engagement - but it should not automatically be considered off-limits. Instead, the decision depends on the specific objectives and how the scenario is integrated into the assessment. One conceivable approach would be to conduct a controlled DDoS stress test as part of the Red Team Assessment, planned in close coordination with a designated representative of the target organization (the White Team) and executed outside normal business hours - for example during the night or over a low-traffic weekend.

Such a simulation could be strictly time-limited - for example, to 30 minutes - providing a realistic but controlled service disruption. While the operational impact would remain limited, the insights gained could be highly valuable. This approach would allow the customer organization’s Blue Team to be evaluated under realistic conditions:

How quickly is the incident detected when it occurs without prior announcement? Is there a structured incident response process? Are mitigation measures such as Cloudflare rules, traffic scrubbing services, or ISP-provided DDoS filtering activated in time? Do internal decision-making processes continue to function effectively outside regular business hours?

Such simulations can be particularly valuable where critical applications or infrastructure are operated by external service providers. With a clearly defined testing window, agreed escalation procedures, and well-established technical boundaries, a controlled DDoS exercise could be conducted responsibly and integrated into a broader Red Team Assessment.

Scenarios like these are still uncommon today - but they are certainly conceivable.

4. Arguments For and Against

The integration of DDoS scenarios into a Red Team Assessment remains a controversial topic. There are valid arguments both in favour of and against such an approach.

Arguments in favour of incorporating DDoS attacks into Red Team Assessments:

  1. Realism: A comprehensive attack simulation that excludes availability attacks does not fully reflect the spectrum of real-world threats.
  2. Testing Response Capabilities: It allows organizations to evaluate how quickly and effectively they respond to an unexpected incident.
  3. Validating Operational Processes: Incident response procedures, crisis communication, and coordination with external service providers can all be assessed under realistic pressure.
  4. Demonstrating Readiness: Organizations that have successfully completed such scenarios are better prepared for real incidents and can demonstrate proven response capabilities to auditors, regulators, and other stakeholders.

Arguments against incorporating DDoS attacks into Red Team Assessments:

  1. Limited Applicability: In many situations, a DDoS attack would not be a realistic choice for a genuine threat actor. The scenario must fit the organization’s threat profile - which is not always the case.
  2. Business Risk: Even carefully planned simulations carry the risk of service disruption, potentially leading to financial losses, reputational damage, or other unintended consequences.
  3. Legal Considerations: Such exercises can raise legal and contractual issues - particularly if internet service providers, cloud providers, or other responsible third parties have not explicitly approved the activity.
  4. Technical Collateral Damage: Shared services, external APIs, or multi-tenant environments could unintentionally affect or disrupt other organizations.
  5. Ethics and Trust: Red Team Assessments rely on trust between all involved parties. An inadequately coordinated availability attack can undermine that trust. Clearly defined Rules of Engagement and close coordination with the White Team are therefore essential.

Ultimately, the decision to include a DDoS scenario in a Red Team Assessment should never be made by default. It should always be based on a thorough risk assessment, carefully coordinated with all relevant stakeholders, and formally documented before the engagement begins.

5. Conclusion

The idea of incorporating DDoS attacks into a Red Team Assessment is compelling - and from the perspective of realistic threat scenarios, entirely justifiable. In practice, however, it is complex, carries inherent risks, and is not suitable for every organization.

With careful planning, close coordination with the White Team, an appropriate testing window, and clearly defined objectives, such a scenario can provide valuable insights. At the same time, the pursuit of realism must never come at the expense of business continuity. Organizations considering the integration of DDoS attacks into a Red Team Assessment should fully understand the associated technical, legal, and organizational risks.

In short: if the context, timing, risk assessment, and objectives are all aligned, incorporating DDoS into a Red Team Assessment may not only be acceptable - it can be a valuable addition.


If you’ve made it this far, you might be wondering whether this approach could also benefit your organization.

If so, we’d be happy to talk. Get in touch with us today, and together we’ll determine which testing scenario best fits your objectives. And if a DDoS stress test isn’t the right choice for your environment, we’ll tell you that as well.

Even if our team would probably enjoy running one. 😉