While I don't work on a red team, it does seem to me that an organization should vet software used by their red teams via the same processes that they use to make risk determinations regarding any other software run on organization systems.
Is it a trend to just "let red teams go to town" without their strict compliance to existing security processes? Are software titles to be used usually included in a statement of work or when negotiating the scope of an engagement?
