Require the plan to change, not just the risk register

A red team exercise that doesn’t change the plan has accomplished nothing.

Why it works

Red team findings are often captured in a risk register and then set aside, leaving the original plan unchanged. This happens because the findings are framed as a list of concerns rather than as inputs that require a response. The value of red teaming comes from plan adaptation: the plan improves because it is exposed to adversarial pressure, not because adversarial concerns are documented and filed.

How to do it

  1. After the red team session, list the top three findings alongside a required response for each.
  2. Responses must be one of: change the plan to address it, accept the risk with explicit reasoning, or note a test that will resolve it.
  3. Review the plan against the findings before finalizing it — any finding without a logged response is a gap.
  4. Schedule a follow-up check six weeks later to confirm that each logged response actually held: the plan change was made, the accepted risk did not materialize, or the noted test was run and resolved the finding.

Evidence

The value of adversarial review is a function of whether findings are acted on. Research on organizational learning shows that feedback loops that produce responses outperform those that produce documentation without adaptation. (mechanistic)

Principled reasoning from organizational learning theory; not a studied red-team-specific finding. The specific requirement to change the plan or explicitly accept the risk is a practitioner protocol.

Common mistake

Treating the red team exercise as complete when the report is written. The report is not the output — the revised plan is. If the plan didn’t change, the red team was theater.

Practice this with IX Coach

IX Coach tracks red team findings against plan changes, flagging any finding that has no logged response and checking at follow-up whether the identified risks materialized as predicted.

Start with IX Coach

7 days free, then $40/month (~$1.30/day).