Security leaders remain concerned about data breaches, and rightfully so. Cybersecurity Ventures projects that the global cost of cybercrime will increase to $10.5 trillion annually in 2025—a 15% increase from the prior year.  

Given this escalating threat landscape, software security teams rely on various proactive security approaches, such as penetration testing or red teaming, to understand real-world vulnerabilities and their exploitability. Many of the most risk-sensitive organizations utilize both to continually understand vulnerabilities and test their defenses. In this blog post, we will walk through both approaches to help you better leverage them to improve your security posture.


An overview of penetration testing

Penetration testing (or pen testing) is a security assessment method in which an organization hires or engages human testers to examine its systems for vulnerabilities against a predetermined methodology, usually for complying with an internal or external control (e.g., PCI-DSS). These tests are scoped to target specific assets, such as APIs, network infrastructure, web applications, LLM applications, or hardware.


The pen testing engagement process

The pen testing team engagement is broken down into the following stages: 

  • Scope alignment—The pen testing team aligns with the hiring organization on the objectives and scope of the test, including the assets to be tested and the testing methodologies to be used.
  • Vulnerability identification—The testing team analyzes the scope targets using the agreed-upon methodology to identify vulnerabilities, their potential impact, and their likelihood of exploitation. 
  • Reporting—The testing results are detailed in a final report that lists all the uncovered vulnerabilities and remediation advice to fix the vulnerability.


Benefits and use cases

Pen testing has become a standard security practice across industries, with surveys showing that 74% of organizations use it as part of their security strategy. Here’s why organizations invest in pen testing: 

  • Coverage—Pen tests deliver confidence that an asset has been tested for specific vulnerabilities at a point in time, a common internal and, in some cases, regulatory requirement.
  • Cost-effective—For organizations with lower-risk assets but some compliance overhead, pen testing is often a cost-effective way to meet these requirements without stretching their budget.

These advantages make pen testing valuable for several use cases:

  • Meeting compliance requirements—Organizations use pen testing to meet internal or regulatory standards. For instance, the Payment Card Industry Data Security Standard (PCI-DSS 11.3) requires that human-powered pen testing be done at least annually to complement automated vulnerability assessments.
  • Providing stakeholder reassurance—Before partnering with an organization, stakeholders, such as customers, suppliers, investors, and regulators, want reassurance about its security best practices. Through penetration testing, organizations can prove their commitment to meeting a baseline security threshold.
  • Filling testing coverage gaps—Organizations can use pen testing to complement automated scanning and other routine security measures.


An overview of red team engagements

In a red team engagement, an organization tasks a group of security professionals (i.e., the “Red Team”) to carry out a simulated attack against the company’s technology, people, and processes. Think of it as an advanced exercise that simulates, but doesn’t replicate, what threat actors can do to your system. These engagements usually span anywhere from 2-4 weeks (for targeted red-team assessments) to 1.5-6 months (for full-scale assessments), ultimately decided by the client and Red Team.

The work of the Red Team is often countered by a “Blue Team,” which defends and protects the organization, including from attacks by the Red Team. The Blue Team could consist of a single analyst who examines logs, a full-fledged security operations center, or a combination of human analysts and security tools like Endpoint Detection and Response (EDR). Note that in traditional red team operations, the Red and Blue Teams don’t communicate. Instead, the Red Team communicates with a control group, typically consisting of security leaders and/or regulators. 

Organizations that want to foster more collaboration between Red and Blue Teams and minimize friction often adopt a Purple Teaming model, a variation of the Red Team exercise emphasizing transparency and shared learning. In this approach, a Purple Team bridges the gap between the teams by facilitating knowledge sharing and collaboration with the teams to improve offensive and defensive capabilities. 


The red team assessment process

When an organization hires a Red Team, the process is usually broken into the following phases:

  • Planning: Before launching any attacks, the Red Team works with the control group to establish clear objectives, boundaries, and success criteria. This ensures the engagement provides maximum value while maintaining operational safety.
  • Threat modeling: The control group shares relevant information with the Red Team or Threat Intelligence Provider (another entity that delivers personalized and sector-specific threat intelligence), such as concerns about specific assets or particular attacker profiles. This can then be used to model what kinds of attacks would be performed against the organization.
  • Threat intelligence (or reconnaissance): The Red Team or Threat Intelligence Provider gathers information on the company’s people and technologies by leveraging tools like LinkedIn, the dark web, public search engines, GitHub repositories, and Shodan. 
  • Strategy development: Using the above data, the Red Team or Threat Intelligence Provider identifies potential scenarios or tactics, techniques, and procedures (TTPs) relevant to an organization. For example, to gain remote access to an endpoint, they might write custom malicious tooling, develop social engineering pretexts, and build email lists for password spraying.
  • Execution and reporting: The Red Team carries out its planned operations and documents its activities, successes, and failures for the control group. Progress is reviewed at intervals throughout the engagement, but the Red Team holds a final debrief with key stakeholders at the end of the project.


Benefits and use cases

Red team engagements (including variations like Purple Teams) offer several advantages in driving security outcomes: 

  • Detect novel attack paths—Red Teams go beyond traditional security testing by simulating real-world attacks that chain together many smaller vulnerabilities, misconfigurations, and pre-authorized business tools (e.g., remote access software, internal scripts, etc.). By using the same applications employees legitimately use, Red Teams can avoid detection while achieving their objectives. This comprehensive testing technique ensures organizations understand their security profile from the perspective of actual attackers, which is a critical step in reducing risk. 
  • Focus security investment—Red teaming can help organizations better estimate the impact of potential breaches, enabling them to make data-driven decisions about their security strategies and maximize the ROI of their security investments. 

These advantages make red teaming a clear choice for many use cases: 

  • Benchmark your organization’s security profile—Red teaming helps security leaders understand the weaknesses of their current security controls and how potential attackers might exploit them. These exercises also reveal what’s working well in your security setup, building confidence in existing measures. 
  • Satisfy due diligence requirements—If you’re going through M&A, a VC firm or the potential acquirer might want to conduct an in-depth exercise (beyond traditional pen testing) in cooperation with you to understand your organization’s security risk. Similarly, customers and other vendors might ask for similar tests.
  • Meet specialized compliance requirements—Regulatory frameworks like CBEST or Threat Intelligence-based Ethical Red Teaming (TIBER) require organizations to test their security through real-world simulations of attacks. Red team exercises allow organizations to meet these requirements.


A comparison between traditional pen tests and red team engagements:

Goal
  • Traditional pen tests: Test specific assets for common vulnerabilities
  • Red team engagements: Simulate a real-world attack against an organization’s technologies, people, and processes

Scope
  • Traditional pen tests: Defined systems (e.g., LLMs, IoT, cloud setup, and APIs)
  • Red team engagements: Focused on technology, people, and processes, but can expand beyond (e.g., data, third parties, physical security, etc.)

Length
  • Traditional pen tests: 3–14 days
  • Red team engagements: 2–4 weeks (for targeted assessments) and 1.5–6 months (for full assessments)

Testing technique
  • Traditional pen tests: Human-driven assessment against a checklist of known vulnerabilities
  • Red team engagements: TTPs of potential threat actors (includes hacking techniques like social engineering, technical exploits, exfiltration methods, procedural pathways, etc.)

Benefits
  • Traditional pen tests: Industry standard (especially for meeting compliance requirements); cost-effective; clear scope; fill testing coverage gaps
  • Red team engagements: Reduce security risk; identify novel attack paths; benchmark an organization’s security profile; meet specialized compliance and/or due diligence requirements


Maturing your security program: Integrating Red Teams and pen testing

Companies can elevate their security maturity by combining penetration testing with red team engagements, taking advantage of what each approach does best. Pen testing meets key compliance requirements while ensuring the systematic examination of critical systems for potential vulnerabilities before attackers exploit them. Red teaming complements this by stress testing the effectiveness of existing security controls through simulated adversarial attacks on an organization’s people, technology, and processes. As real-world case studies in our Ultimate Guide to Offensive Security demonstrate, organizations utilize these approaches to accurately calculate the cost of security gaps, resulting in more informed security roadmaps. 

An analogy might be helpful here—think of securing your organization like protecting a bank vault. A basic security audit checks for obvious flaws in critical parts of the overall building (like an unlocked window). This is similar to pen testing, where testers check key assets against a list of common exploits. However, sophisticated thieves might use other methods, like tricking an employee into giving up crucial information or exploiting a vulnerability in the building’s HVAC system. This mirrors how threat actors work, which is why organizations use red teaming to test their defenses. Combining these approaches enables organizations (including banks) to protect themselves against common and deep-rooted vulnerabilities. 

As organizations mature, they must go beyond the basics to actually safeguard their systems. Combining pen testing and red teaming addresses both common vulnerabilities and sophisticated attack scenarios, resulting in a more comprehensive security approach. Organizations that embrace this holistic testing approach go beyond just checking boxes—they turn security into a competitive advantage.