Red team findings

Identifies red team findings patterns in security and access control contexts. Detects potential exposure of sensitive security information in Australian systems.

Type

regex

Engine

boost_regex

Confidence

medium

Confidence justification

category-aware structural regex with anchor and context constraints replaces phrase-only detection.

Detection quality

Mixed

Jurisdictions

au

Regulations

Criminal Code Act 1995 (Cth), SOCI Act 2018 (Cth)

Frameworks

CIS Controls, ISO 27001

Data categories

credentials, security

Scope

wide

Platform compatibility

Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported

Pattern

(?is)\b(?:red\s+team|red\s+team\s+findings|adversary\s+simulation|attack\s+simulation|penetration\s+test|offensive\s+security|exploitation\s+report|security\s+assessment|red\s+team\s+engagement|attack\s+scenario)\b

Corroborative evidence keywords

red team findings, red, team, findings, software, engineering, architecture, field, column, row, entry, record, value, form, register, database, extract, export, spreadsheet, table (+4 more)

Proximity: 300 characters

Should match

• red team — Primary topic phrase match
• red team findings — Case-insensitive topic phrase match
• adversary simulation — Alternative topic phrase match
• attack simulation — Additional topic phrase match

Should not match

• unrelated generic text without domain phrases — No relevant topic phrases present
• placeholder value 12345 — Random text should not match topic-specific regex
• source code config — Generic word pair from old broad template should not match

Known false positives

• Authentication-related terminology in software documentation, security training materials, or system architecture descriptions without actual credentials. Mitigation: Require proximity to credential-specific patterns (API keys, connection strings, tokens) rather than general security terminology.
• Code snippets and configuration examples containing credential-related keywords or placeholder values in developer documentation. Mitigation: Check for common placeholder patterns (example.com, localhost, 0000) and documentation file types to reduce false positives from technical writing.

References

• https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism
• https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
• https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information