Effective Hot Wash Presentations
A Hot Wash presentation is a critical component of a red team assessment: it provides immediate feedback and insights while the details remain fresh in everyone's minds. This guide covers the essential elements of creating and delivering an effective Hot Wash presentation.
2/24/2025, 2 min read


What is a Hot Wash?
A Hot Wash is an immediate post-operation debrief session that brings together red team operators and defenders to discuss observations, findings, and lessons learned. It serves as a bridge between the technical execution and formal reporting phases. You can find a more detailed analysis in the Cyber Red Teaming book and a template to use in the Resources section or here.
Key Components
1. Purpose and Scope
Outline of assessment goals, including primary and secondary objectives that guided the engagement scope and success criteria.
Breakdown of systems, networks, and assets that were targeted during the assessment, along with specific operational time-frames for each phase of testing.
In-depth discussion of engagement parameters, including authorized activities, restricted areas, and any special considerations or limitations that shaped the assessment approach.
2. Operational Timeline
Detailed chronological timeline showing the sequence and timing of major assessment activities, including initial access attempts, lateral movement phases, and critical discoveries that shaped the engagement path.
Decision points and pivotal moments during the assessment, including successful tactics, alternative approaches considered, and adaptations made in response to defensive measures or environmental conditions.
Visual mapping of the attack progression showing the relationships between different stages, techniques employed, and the evolution of access levels throughout the engagement timeline.
3. Action Map
Visualization of the attack paths taken during the assessment and the activities along them, including initial entry points, lateral movement techniques, and privilege escalation methods used to achieve objectives.
Analysis of technical methods and tools deployed at each stage of the operation, including both custom and industry-standard approaches that were leveraged to test security controls.
Both successful and unsuccessful attempts, providing valuable insights into effective defensive measures and potential areas for security enhancement.
4. Assessment Objectives Analysis
Break down objectives into two categories:
Achieved objectives with supporting evidence and documentation of successful techniques, including detailed technical specifications, timestamps of key events, and impact analysis.
Unachieved objectives with explanations, including encountered obstacles, defensive measures that prevented success, environmental factors, and valuable lessons learned from attempted approaches.
5. Sustain Observations
Document what worked well:
Effective security controls that successfully prevented or detected unauthorized access attempts, including properly configured firewalls, intrusion detection systems, and access control mechanisms.
Robust system hardening, regular security updates, comprehensive logging, and well-implemented security policies across the infrastructure.
Successful detection and response actions, including timely alert generation, appropriate escalation procedures, and effective incident response coordination between security teams.
6. Improvement Observations
Identify areas needing enhancement:
Security gaps and vulnerabilities, including misconfigurations, outdated systems, weak access controls, and potential attack vectors that could be exploited by malicious actors.
Missed detection opportunities, including network monitoring blind spots, inadequate logging configurations, and gaps in security tool coverage that could allow threats to go unnoticed.
Response timing, such as delayed alert handling, inconsistent incident response procedures, communication breakdowns between teams, and areas where automated response capabilities could be enhanced.
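As an added illustration that is not part of the original post, the following script builds the operational timeline (section 2) from a red team operator log and a defender alert log, computes time-to-detect for each action, and sorts the results into the Sustain (section 5) and Improvement (section 6) buckets. All log entries, host names, the four-hour correlation window and the 60-minute "prompt detection" threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original post): what operators and
# the SOC might each hand over when the Hot Wash timeline is assembled.
RED_TEAM_LOG = [
    {"time": "2025-02-10T09:05:00", "host": "WS-017", "action": "Phishing payload executed"},
    {"time": "2025-02-10T10:40:00", "host": "WS-017", "action": "Credential dump"},
    {"time": "2025-02-10T13:15:00", "host": "FS-02", "action": "Lateral movement via SMB"},
    {"time": "2025-02-11T08:30:00", "host": "DC-01", "action": "Domain admin access"},
]
BLUE_TEAM_ALERTS = [
    {"time": "2025-02-10T09:07:00", "host": "WS-017", "alert": "EDR: suspicious macro child process"},
    {"time": "2025-02-10T16:50:00", "host": "FS-02", "alert": "SIEM: anomalous SMB session"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(red, blue, window=timedelta(hours=4)):
    """Match each red team action to the first unused defender alert on the
    same host within `window` after the action. Returns timeline rows in
    chronological order with the matched alert and time-to-detect in minutes
    (None when nothing fired)."""
    used = set()
    rows = []
    for act in sorted(red, key=lambda a: a["time"]):
        t0 = parse(act["time"])
        match = None
        for idx, b in sorted(enumerate(blue), key=lambda ib: ib[1]["time"]):
            if idx in used or b["host"] != act["host"]:
                continue
            if t0 <= parse(b["time"]) <= t0 + window:
                match, used = b, used | {idx}
                break
        ttd = (parse(match["time"]) - t0).total_seconds() / 60 if match else None
        rows.append({**act, "alert": match["alert"] if match else None, "ttd_minutes": ttd})
    return rows


def classify(rows, prompt_minutes=60):
    """Split timeline rows into the Hot Wash buckets: Sustain = detected within
    `prompt_minutes`; Improvement = detected slowly or not at all."""
    sustain = [r for r in rows if r["ttd_minutes"] is not None and r["ttd_minutes"] <= prompt_minutes]
    improvement = [r for r in rows if r not in sustain]
    return sustain, improvement


if __name__ == "__main__":
    for r in correlate(RED_TEAM_LOG, BLUE_TEAM_ALERTS):
        print(r["time"], r["host"], r["action"], "->", r["alert"], r["ttd_minutes"])
```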
Presentation Best Practices
Structure and Flow
Begin with a clear agenda.
Use consistent formatting throughout.
Include visual aids where appropriate.
Maintain a logical progression of information.
Delivery Tips
Keep technical jargon appropriate to the audience.
Encourage interactive discussion.
Be prepared with supporting evidence.
Allow adequate time for questions.
Documentation
Record key discussion points - take notes!
Document action items and owners.
Capture feedback for inclusion in final report.
Post-Presentation Follow-up
After the Hot Wash presentation:
Distribute presentation materials to stakeholders.
Schedule follow-up meetings for critical items if needed.
Begin incorporating findings into formal report.
Review
A well-executed Hot Wash presentation bridges the gap between operational execution and formal reporting. It delivers immediate value to stakeholders by capturing critical observations and lessons learned while details remain fresh. These guidelines help presenters deliver the clear, actionable insights that drive the prompt security improvements clients expect from their investment.