We recently launched Red Team as a Service (RTaaS), the first-ever offering that uses the scale and agility of crowdsourcing to help organizations build red teams and beef up their security postures. While red teaming has been around for a long time, we recently noticed several misconceptions about what makes an effective red team engagement.
Why does this matter? Red teaming can be incredibly powerful, but not all engagements are created equal. Some sound impressive on paper but don’t drive outcomes, whereas others can reduce security incidents by up to 25%. The difference often comes down to spotting the right signals.
So, we’re here to set the record straight using everyone’s favorite educational tool: a pop quiz!
Below is a series of common red teaming scenarios, broken down across three levels. Your challenge: decide whether each scenario is a red or green flag. After each scenario, we’ll provide you with our expert analysis. As a bonus, we brought on Alistair G, Director of Red Team Operations at Bugcrowd, to break down a few of these scenarios a bit more. Best of all, if you get every scenario correct, congratulations—you can officially call yourself a flamin’ hot red teamer!
We’ll start nice and easy with some questions about crafting your red team engagement. After each scenario, decide whether it’s a red or green flag.
Answer: Red flag
Why? Red teaming isn’t cheap. It’s the complete covert compromise of an organization’s technology, people, and processes. Like real-world attackers, red teams take their time to methodically refine and iterate their tactics to maximize potential damage and avoid detection. Doing this effectively requires hiring the right group of hackers and red teamers over a long period (from weeks to months), which necessitates a big financial investment.
If you’re receiving a low quote from a consultancy, this might be because it’s actually performing a different service (like pen testing) or skipping key phases of the process. In either case, read through the proposal carefully to make sure you understand what the consultancy is providing and whether it helps your goals.
Why? Traditional red team consultancies often rely on a handful of highly skilled operators who juggle intense, back-to-back projects. Firms should account for this by hiring enough new operators, but hiring can be a slow and complex process. If a consultancy takes a long time to schedule your engagement, chances are it isn’t adequately staffed. If so, you should cut your losses and find a new partner.
P.S.—This is where RTaaS can be helpful. By tapping into our global operator community, Bugcrowd can help you quickly spin up and scale your red team engagement in days—no more waiting around for next steps.
Answer: Green flag
Why? The post-engagement report is one of the most critical aspects of a red team exercise. It includes all the issues the red team discovered, all the attacks it tried, which of the attacks worked (and which didn’t), and suggested remediations. Without this data, the paying organization might miss critical information from the exercise.
Providing this report signals that the red team cares about helping you drive security outcomes—not just checking boxes.
Why? Frameworks and best practices can be helpful starting points for scoping an engagement, but they aren’t everything. Red teams that adhere too closely to existing frameworks and best practices might miss out on spotting novel attack vectors, creating opportunities for real-world attackers to strike.
Remember: Real-world attackers constantly adapt their tactics to break in and avoid getting caught; they’re not constrained by frameworks or playbooks. Your red team should behave accordingly. When in doubt, remember that red teaming is simulation, not emulation.
Why? Short answer: Stunt hacking is great for getting PR attention… and that’s it.
Long answer: Security consultancies can provide tangible value by sharing information, such as new threat intelligence, that helps the broader ecosystem identify and neutralize emerging attack vectors. Doing this adequately requires actual technical expertise. Conversely, stunt hacking requires understanding the broad pop culture narrative and how to break through the noise.
Organizations should work with security consultancies that deliver results and expertise, not just headlines. Hot take? Maybe.
Thought that was a piece of cake? Let’s kick things up a notch.
Why? Real-world adversaries relentlessly pursue their goals, effortlessly navigating setbacks and waiting for the right moment to strike. Red teamers must bring a hustle mentality to an assessment to adequately mirror this mindset and uncover valuable security insights.
A hustle mentality demonstrates that hackers are willing to go above and beyond by doing things outside the scope of their job, like researching new technologies or exploring new attack vectors. While this knowledge helps them craft more effective attacks, it also demonstrates something more powerful: It provides confidence that the red teamer won’t give up when faced with roadblocks. Instead, they’ll likely power through, increasing the exercise’s value for your organization.
Answer: Yellow flag
Why? Trick question! Told you we’re gonna kick it up a notch 🙂
Whether a red teamer uses other people’s tools depends on where they are on their journey. Early in their careers, red teamers will likely spend more time using preexisting tools to understand the space and develop their expertise (a good thing, by the way!).
However, if someone has been red teaming for a while, they should have enough programming experience to build their own tools (or configure existing ones). This ensures that they aren’t held back by the limitations of preexisting tools, giving you the most effective results.
For example, many red teamers use Cobalt Strike, a powerful tool for simulating real-world attacks. However, if they run it off the shelf using the default configurations (like the beacon and Malleable C2 profile), security tools like Endpoint Detection and Response (EDR) will catch them. To successfully avoid detection, the red teamer must customize the profile (which requires programming knowledge) or build their own tooling.
Why? Red teamers with OPSEC awareness can use this knowledge to avoid getting caught by the blue team while still achieving their objectives. This helps organizations evaluate their defenses—an essential outcome of a red team exercise.
For example, suppose a red team is trying to compromise an account. An OPSEC-aware red teamer might try a few common passwords across many accounts (rather than many passwords against a single account) to avoid tripping account lockout policies, which lock an account after too many failed password attempts. A non-OPSEC-aware red teamer, however, might keep trying passwords against the same account—locking it and potentially getting caught.
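The flip side of the lockout example above is what the blue team should be watching for: a per-account lockout only catches the noisy operator, so the defender counts failures per source instead. The script below is an added illustration (not from the post and not Bugcrowd tooling) that runs over a constructed sample of failed-login lines and separates the "few passwords, many accounts" spray pattern from the "many attempts, one account" pattern the lockout policy already handles; the log format and thresholds are assumptions.

```python
from collections import defaultdict
import re

# Constructed failed-login events (not real data): one source tries six accounts
# once each; another hammers a single account five times.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth failed user=alice src=203.0.113.7
2024-05-01T09:00:02 auth failed user=bob src=203.0.113.7
2024-05-01T09:00:03 auth failed user=carol src=203.0.113.7
2024-05-01T09:00:04 auth failed user=dave src=203.0.113.7
2024-05-01T09:00:05 auth failed user=erin src=203.0.113.7
2024-05-01T09:00:06 auth failed user=frank src=203.0.113.7
2024-05-01T09:01:00 auth failed user=alice src=198.51.100.4
2024-05-01T09:01:01 auth failed user=alice src=198.51.100.4
2024-05-01T09:01:02 auth failed user=alice src=198.51.100.4
2024-05-01T09:01:03 auth failed user=alice src=198.51.100.4
2024-05-01T09:01:04 auth failed user=alice src=198.51.100.4
"""

LINE_RE = re.compile(r"auth failed user=(?P<user>\S+) src=(?P<src>\S+)")


def analyze(log, lockout_threshold=5, spray_min_accounts=5):
    """Return (sprayers, brute_forcers).

    sprayers: sources failing against >= spray_min_accounts distinct accounts
        while staying under lockout_threshold on every one (lockout never fires).
    brute_forcers: (src, user) pairs that reached lockout_threshold, i.e. the
        pattern the per-account lockout policy already catches.
    """
    attempts = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m["src"]][m["user"]] += 1
    sprayers, brute_forcers = [], []
    for src, users in attempts.items():
        locked = [u for u, n in users.items() if n >= lockout_threshold]
        brute_forcers.extend((src, u) for u in locked)
        if len(users) >= spray_min_accounts and not locked:
            sprayers.append(src)
    return sprayers, brute_forcers


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In a real deployment the same grouping would be keyed on whatever identifies the client (source IP, ASN, or session) and evaluated over a sliding time window rather than a whole file.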
We’re at our last level. Can you handle the heat?
Why? Ultimately, red team exercises can only improve security posture if you use the findings to take action.
This means that all teams (including security, engineering, product, leadership, and potentially board members) must engage with the exercise’s output. Together, they must make critical roadmap decisions considering all potential constraints (operational, financial, etc.). Organizations that do this successfully fully leverage the exercise’s outcomes to drive security results (a green flag if we ever saw one!).
Why? Many organizations that turn to red teaming have already done the basics (like pen testing or bug bounty programs) and want to elevate their security maturity further. To make this leap, a different playbook is required—one that prioritizes offensive security and staying ahead of attackers, not just catching up to their latest tactics.
Running one red team exercise is a step in the right direction, but to truly stay ahead of the game, organizations must build a comprehensive program that continuously tests and evaluates defenses through red teaming and other advanced techniques. Attackers continually evolve their tactics, so organizations must evolve their security programs simultaneously.
Why? CISOs are critical in the red teaming process, connecting the dots between the board and individual teams and driving organizational actions that lead to an enhanced security posture. Without their involvement, organizations are less likely to effectively leverage findings from a red team assessment and drive security outcomes.
If you’re serious about getting the most out of your red team exercises, CISOs must be involved from the get-go.
You know what’s the greenest flag of them all? Kicking off an RTaaS engagement with Bugcrowd.
In all seriousness, RTaaS makes it dead simple for organizations to add red teaming to their security roadmap. By blending the power of our global operator community with a range of fully managed engagement models, we simplify the implementation and scaling of red team exercises. Best of all, it meets every level of an effective RTaaS engagement: a simple, straightforward process to set up red team engagements; vetted operators with hustle and OPSEC awareness; and in-depth, actionable reports that even your CISO wants to read.
If you’re ready to get started, request a quote. To learn more about the offering, check out our Ultimate Guide to Red Teaming.