Phase 2
Planning
Planning turns reconnaissance into a working operation. The output should be a plan for gaining access, expanding access, and establishing persistence across phases 3 to 5. It should also define the first approach, the first fallback, the operating boundaries, and the decisions that will have to be made in real time once the operation starts.
Planning Considerations
- Primary access plan: What the team will try first and what evidence will prove success.
- Expansion plan: How the first foothold could be turned into broader access, higher privilege, or access to more valuable areas.
- Persistence plan: Whether durable or repeatable access is needed later in the engagement and what forms it could take.
- Roles and communications: Operator responsibilities, check-ins, safety, escalation, and stop conditions.
- Scope boundaries: What is allowed physically, socially, and technically, including whether approved cyber validation is in scope.
Phase Output
It is important not to assume the team has a complete plan. In most cases a complete plan is impossible: most black team operations involve a high degree of improvisation.
- Operational plan: A realistic first path for phases 3 to 5, including access, expansion, and persistence options.
- Fallbacks and decision points: What to try next and what must be improvised on-site.
- Rules of engagement: Scope, contacts, stop conditions, and safety boundaries.
Transition
Planning ends when the team can explain what it will try first, what it will not do, and where improvisation begins. The next phase is Initial Access.