One thing i see a lot when reading red teaming/pentesting content is a focus on quick, short life time hacks. this makes sense in the context of a pentest or engagement, but its non-ideal in the aspect of teaching good tradecraft. I think tradecraft is important for everyone involved, defense and offense, since it makes you think about things in a different way. if me and my team treat every engagement like i am emulating a CNO shop, we might start thinking about things very different.
That all said, one example of this that i have seen people discuss in passing but havent been able to find any solid content on is the whole concept of an attacker prioritizing access to a enterprises infrastructure as code repo early on. i have seen posts about "omg compromised dev machines = supply chain attack", which is true if your primary concern is someone like Group PCP, though if you are concerned about a serious adversary, maybe a products repo isnt the primary objective.
Alright, lets assume i compromised one of your devs.