What Is Red Teaming and How Is It Different From a Pen Test?

December 7, 2023

The terms "red team" and "pen test" appear in the same paragraph in most vendor brochures, often as if they describe the same service at different price points. They do not. They have different objectives, different structures, different success conditions, and they answer different questions for the organisations that commission them. Using one when you need the other produces an expensive result that does not answer the question you actually needed answered.

Part of the confusion is that red teaming borrows techniques from penetration testing. Both involve skilled practitioners attempting to gain unauthorised access to systems and data. The difference is in the objective, the scope, and the constraint structure. A penetration test is a comprehensive technical assessment. A red team engagement is a simulation of a specific adversary achieving a specific objective, run against real detection and response capabilities, with as much realism as the target organisation can tolerate.

What a Penetration Test Does

A penetration test is designed to find vulnerabilities. The tester's job is to be thorough, to enumerate the attack surface, to attempt exploitation, and to document everything they find. Speed is not a primary concern. Avoiding detection is not a concern at all. The goal is a comprehensive picture of the technical vulnerabilities that exist in the defined scope. Success is measured by the completeness of the finding list and the quality of the remediation guidance.

Penetration tests are appropriate for organisations that want to understand the state of their attack surface. They are the right tool when you are asking "what vulnerabilities exist and how bad are they?" They are not the right tool when you are asking "could an attacker achieve a specific outcome in our environment, and would we know about it?" That is a red team question, and the answer requires a fundamentally different engagement structure.

What a Red Team Engagement Does

A red team engagement simulates a targeted attacker attempting to achieve a specific objective, called the target flag, within the client's real environment. The flag might be access to a specific database, the ability to initiate a financial transaction, or the exfiltration of a particular category of data. The red team uses whatever techniques are available to reach that flag. The blue team, which is the client's security operations and incident response capability, is tested simultaneously. They do not know the engagement is happening unless they detect it.

A red team engagement measures detection and response, not just technical vulnerabilities. The most important findings often relate to what the red team was able to do without being detected, for how long, and at what stage the blue team became aware. An organisation with excellent vulnerability management may still have a six-week dwell time because their detection rules do not fire on the techniques the red team used. That finding is more valuable to a mature organisation than another list of unpatched systems.

When Each Is Appropriate

Penetration testing is appropriate at most maturity levels. If you do not yet know the state of your attack surface, a pen test produces immediately actionable findings. Most organisations should be running pen tests regularly, both as a compliance activity and as a genuine technical check. Red teaming requires a more mature baseline. If your organisation cannot patch critical vulnerabilities within a reasonable timeframe, if you do not have a security operations function monitoring your environment, or if you have not run pen tests against your key systems, a red team engagement will find that your defences are inadequate without telling you much about why.

Red teaming delivers most value when the technical hygiene is reasonably sound and the question has shifted from "what vulnerabilities do we have?" to "can an attacker achieve business impact and would we detect them?" Financial institutions, critical infrastructure operators, and organisations subject to sophisticated targeted threats are the natural market for red team engagements. The exercise tests the whole defensive programme, not just the technical controls, and it requires that programme to exist in some functional form before the test is meaningful.

What to Expect From a Properly Scoped Engagement

A properly scoped red team engagement starts with a clear objective definition. The target flag must be specific, realistic, and meaningful to the business. "Access to the corporate network" is not a flag; "access to the finance team's payment processing system and the ability to initiate an outbound transfer" is a flag. The engagement also defines the threat profile being simulated, which shapes the techniques, initial access methods, and operational tempo the red team will use.

The engagement runs over weeks rather than days. The red team operates with operational security, avoiding detection where possible and measuring dwell time as part of the output. A debrief with both the red team and the blue team together, called a purple team session, is where the most value is extracted. Comparing what the red team did against what the blue team observed identifies specific detection gaps and produces targeted improvements to monitoring and response.

  • Use pen tests to assess attack surface and remediate vulnerabilities.
  • Use red teams to test detection and response capability against realistic adversary behaviour.
  • Do not commission a red team engagement if fundamental technical hygiene is not in place.
  • Require a specific, business-relevant target flag before the engagement begins.
  • Plan for a purple team debrief as part of the engagement, not as an optional extra.

To discuss red teaming and how it applies to your organisation, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
Offensive Security
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?