Mounting "simulated" attacks on a networked systems in order to find their weaknesses - often known as "pentesting" or "red teaming" - is an important tool in cyber security evaluation and defense. The goal of this project is to automate some aspects of the red-teaming process, using AI planning techniques. Challenges in making this work are many: How to derive planning models from the information about security vulnerabilities that is available, and how to obtain realistic estimates of the information that is not? How to exploit the structure of the problem to achieve both scalable planning (making plans for networks with hundreds or thousands of hosts) while making realistic assumptions. Finally, many types of cyber attacks are not only technical but target people's and organisation's vulnerabilities. How to incorporate those in a planning model is one more open research question.