
Red Team engagements extend beyond identifying traditional exploitation paths such as authentication bypasses, injection flaws, exposed assets, or privilege escalation. Organizations increasingly depend on application resilience, API stability, and infrastructure availability as critical security pillars. While offensive security teams traditionally focus on confidentiality and integrity impacts, availability testing, when performed safely and with authorization, can reveal equally important weaknesses.
Controlled load generation and resilience validation using tools like K6 and Locust provide Red Teams with the capability to identify bottlenecks, weak rate-limiting controls, infrastructure scaling gaps, and application behaviors under stress without crossing into destructive activity.
This article explores how controlled load assessments fit into Red Team operations, where tools like K6 and Locust excel, and how organizations can safely evaluate availability-related security posture. Load testing or controlled DoS assessments can be performed at various layers of the OSI model.
From an OSI model perspective, K6 and Locust primarily operate at the Application Layer (Layer 7) by generating legitimate HTTP/HTTPS-based traffic that closely resembles real user behavior. Unlike network-focused stress testing tools that target lower layers through mechanisms such as ICMP, UDP, or TCP packet floods, K6 and Locust focus on simulating application interactions including web page requests, API calls, authentication workflows, search operations, file uploads, report generation, and other business-critical functions. This makes them particularly valuable during Red Team and resilience validation exercises where the objective is to understand how applications, APIs, load balancers, web servers, and backend services respond under increased traffic conditions while maintaining realistic user behavior patterns.

Why Availability Testing Matters in Red Teaming
Assessments such as VAPT and Red Teaming frequently answer questions like:
- Can authentication be bypassed?
- Is sensitive data exposed?
- Can privilege escalation occur?
- Are APIs vulnerable to abuse?
Availability-focused assessments answer different but equally important questions like:
- Can APIs withstand sudden traffic spikes?
- Do rate limits function correctly?
- Can application resources be exhausted easily?
- Are cloud auto-scaling mechanisms configured properly?
- Can attackers abuse legitimate functionality to degrade services?
- Does infrastructure fail gracefully under pressure?
Attackers often exploit operational weaknesses rather than software vulnerabilities. Examples include:
- Login endpoint flooding
- Resource-intensive API abuse
- Expensive database query amplification
- Search endpoint exhaustion
- File upload resource consumption
- WebSocket connection exhaustion
- Cache bypass abuse
- Cloud cost amplification attacks
Red Teams can simulate these scenarios in a controlled manner to improve resilience without causing operational disruption.
Controlled DoS/DDoS Assessment vs Malicious DDoS

Red Teams should never attempt uncontrolled denial-of-service activity. Controlled resilience validation focuses on:
- Rate-limit verification
- Capacity threshold identification
- Auto-scaling validation
- API abuse resistance
- Infrastructure observability testing
- Graceful degradation analysis
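As an added example (my own, not code from the post or from either tool): a Python post-processor that applies the first and last of these checks, rate-limit verification and graceful degradation analysis, to per-request results. It assumes the load tool exported one record per request as timestamp, HTTP status and latency; the traffic scenario below is constructed inline, with an agreed limit of 10 requests per second, and is not real measurement data.

```python
"""Rate-limit verification and graceful-degradation check over per-request
results. Added example, not from the original post: it assumes the load tool
exported one record per request as (timestamp_s, http_status, latency_ms)."""
from collections import defaultdict

# Constructed scenario, one tuple per second of a ramp: requests offered, how
# many the service accepted (2xx) and how many failed server-side (5xx). The
# rest were rejected by the limiter with 429. Agreed limit: 10 requests/second.
SCENARIO = [
    # second, offered, accepted, server_errors
    (0, 5, 5, 0),
    (1, 10, 10, 0),
    (2, 20, 10, 0),    # limiter engages exactly at the limit
    (3, 30, 12, 0),    # two requests over the limit slipped through
    (4, 30, 10, 5),    # backend started returning 503 under the burst
]


def build_sample_results(scenario=SCENARIO):
    """Expand the per-second scenario into per-request records."""
    results = []
    for second, offered, accepted, errors in scenario:
        for i in range(offered):
            ts = second + i / offered
            if i < accepted:
                results.append((ts, 200, 80 + i * 3))      # served normally
            elif i < accepted + errors:
                results.append((ts, 503, 2500))            # slow failure
            else:
                results.append((ts, 429, 5))               # cheap rejection
    return results


def per_second_buckets(results):
    """Group (status, latency) pairs into one-second windows."""
    buckets = defaultdict(list)
    for ts, status, latency in results:
        buckets[int(ts)].append((status, latency))
    return dict(sorted(buckets.items()))


def rate_limit_report(results, limit_rps, p95_budget_ms=1000):
    """Answer three questions from the post: did the limit engage, was it
    tight (no more than limit_rps accepted in any second), and did the
    service degrade gracefully (no 5xx, rejections stayed fast)?"""
    report = {"peak_offered_rps": 0, "first_429_second": None,
              "max_accepted_over_limit": 0, "server_errors": 0,
              "slow_seconds": []}
    for second, items in per_second_buckets(results).items():
        accepted = sum(1 for s, _ in items if 200 <= s < 300)
        rejected = sum(1 for s, _ in items if s == 429)
        errors = sum(1 for s, _ in items if s >= 500)
        report["peak_offered_rps"] = max(report["peak_offered_rps"], len(items))
        if rejected and report["first_429_second"] is None:
            report["first_429_second"] = second
        report["max_accepted_over_limit"] = max(
            report["max_accepted_over_limit"], accepted - limit_rps)
        report["server_errors"] += errors
        latencies = sorted(l for _, l in items)
        p95 = latencies[min(len(latencies) - 1, int(0.95 * len(latencies)))]
        if p95 > p95_budget_ms:
            report["slow_seconds"].append(second)
    report["limit_engaged"] = report["first_429_second"] is not None
    report["limit_tight"] = report["max_accepted_over_limit"] == 0
    report["graceful"] = report["server_errors"] == 0 and not report["slow_seconds"]
    return report


def findings(report, limit_rps):
    """Turn the report into the sentences that would go into the assessment."""
    out = []
    if not report["limit_engaged"]:
        out.append(f"No 429 responses observed up to {report['peak_offered_rps']} rps: "
                   f"rate limiting is absent or set above the agreed {limit_rps} rps.")
    elif not report["limit_tight"]:
        out.append(f"Limiter engaged at second {report['first_429_second']} but accepted "
                   f"{report['max_accepted_over_limit']} request(s)/s above the {limit_rps} rps limit.")
    if report["server_errors"]:
        out.append(f"{report['server_errors']} server-side (5xx) failures: the backend, not "
                   f"the limiter, absorbed part of the burst.")
    if report["slow_seconds"]:
        out.append(f"p95 latency exceeded budget during seconds {report['slow_seconds']}.")
    return out or ["Rate limit engaged at the agreed threshold and the service degraded gracefully."]


if __name__ == "__main__":
    rep = rate_limit_report(build_sample_results(), limit_rps=10)
    for line in findings(rep, limit_rps=10):
        print("-", line)
```

The per-second view is what distinguishes a healthy limiter (cheap 429s appearing exactly at the agreed threshold) from the two failure modes the list above targets: a leaky limit that lets extra requests through, and a backend that answers the overflow itself with slow 5xx responses instead of failing gracefully.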
Proper stakeholder approvals are mandatory before any availability-focused testing.
Commonly Used Tools for Simulation (Layer 7)
As mentioned at the start of the blog, tools I would commonly consider for these scenarios include K6 and Locust, both widely adopted for performance and load testing workflows.
K6 provides a lightweight scripting model and strong API-focused testing capabilities, making it useful for validating application resilience and traffic handling behavior.
Locust enables realistic user workflow simulation and concurrent session modeling, helping teams assess how applications respond to sustained or burst traffic conditions.
These tools should be used strictly within approved scope, authorized environments, and defined traffic ceilings. Their value in Red Team exercises lies in resilience validation and identifying operational weaknesses before adversaries can exploit them. Availability remains an important component of security maturity, and controlled load testing can provide additional visibility into system robustness during modern offensive security assessments.
Setting Up K6 and Locust for a Load Testing Assessment
Before performing any load testing activity, ensure the target environment is explicitly authorized, preferably a staging or controlled production window with monitoring enabled. The objective is not to disrupt services, but to validate how the application behaves under expected or slightly elevated traffic conditions.
1. K6 Setup –
K6 is useful when you want lightweight API-focused load testing using JavaScript. It supports local, distributed, and cloud execution modes, and can stream metrics to dashboards such as Grafana.
On Ubuntu/Debian:
sudo gpg -k
sudo apt update
sudo apt install -y gnupg2 ca-certificates
curl -fsSL https://dl.k6.io/key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/k6-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/k6-archive-keyring.gpg] https://dl.k6.io/deb stable main" | sudo tee /etc/apt/sources.list.d/k6.list
sudo apt update
sudo apt install k6
On Windows:
winget install k6
K6 also supports Docker installation using the official grafana/k6 image. For a K6 setup, installation and demonstration walkthrough, please refer to our YouTube video.
K6 can be integrated with observability platforms such as Grafana and Prometheus for advanced monitoring and long-term metric storage; however, for many controlled load testing and resilience assessment scenarios, these additional components are not strictly required. K6 includes a built-in web dashboard that provides real-time visibility into key performance metrics such as virtual users (VUs), request rate, response time, failure percentage, data transfer rates, and latency distributions. This lightweight approach allows testers to quickly execute assessments, monitor results, and generate HTML reports without the overhead of deploying and maintaining a separate monitoring stack.
For smaller engagements, proof-of-concept assessments, and Red Team resilience validation exercises, the built-in dashboard is often sufficient to visualize application behavior under load and identify potential bottlenecks. The sample assessment results, dashboard views, and performance metrics collected during testing can be seen in the screenshots provided below for reference.



2. Locust Setup –
Locust is useful when you want to simulate realistic user behavior using Python. It includes a built-in web UI and supports distributed load generation.
On Ubuntu/Debian:
Create a Python virtual environment:
python3 -m venv locust-env
source locust-env/bin/activate
pip install locust
On Windows:
python -m venv locust-env
locust-env\Scripts\activate
pip install locust
Locust also provides a built-in web interface by default, eliminating the need for additional monitoring platforms for most load testing and resilience assessment scenarios. Once a test is launched, testers can access a real-time dashboard through a web browser to monitor key performance metrics such as active users, requests per second (RPS), average response time, latency percentiles, failure rates, and request statistics. The dashboard also includes dedicated views for charts, failures, exceptions, and request-level statistics, making it easy to visualize application behavior under load and identify potential bottlenecks. In addition to real-time monitoring, Locust supports exporting HTML and CSV reports for documentation and reporting purposes.
For smaller engagements, proof-of-concept assessments, and Red Team resilience validation exercises, the built-in dashboard is often sufficient to conduct, monitor, and analyze load testing activities without requiring a separate observability stack. The sample assessment results, dashboard views, and performance metrics collected during testing can be seen in the screenshots provided below for reference.


Modern Red Teaming increasingly requires evaluating not only whether systems can be compromised, but also whether systems remain resilient under pressure. Controlled availability validation bridges security engineering and operational resilience. K6 and Locust provide security teams with safe, measurable, and repeatable approaches to identify resilience gaps before adversaries exploit them. When executed responsibly with stakeholder approval, monitoring, and defined safeguards, controlled load assessments become another valuable capability in mature offensive security programs. Availability is a security property. Testing it responsibly strengthens security posture before attackers attempt to break it.
Note: For offensive security teams building VAPT and Red Team methodologies, combining traditional security validation with resilience assessment provides broader visibility into organizational security maturity.