What is red teaming?
Red teaming is an intelligence-led security engagement that assesses an organisation’s overall cyber resilience and tests its threat detection and incident response capabilities. Ethical hackers carry out the exercise, emulating the conditions of a real-life cyber-attack by using the same tactics, techniques and procedures (TTPs) as genuine threat actors.
Red teaming engagements usually take longer to complete than other types of assessments, lasting weeks or even months. They usually leverage an intelligence-driven, black-box methodology. This is likely to include:
- Reconnaissance – The use of OSINT tools and resources to gather information that could be used to successfully compromise the target.
- Staging & weaponisation – Setting up and concealing the infrastructure and resources required to launch attacks.
- Attack delivery – Compromising and obtaining a foothold on the target network.
- Internal compromise – Activities at this stage may include lateral movement across the network, privilege escalation and data exfiltration.
- Reporting & analysis – The red teaming methodology should include a final report that includes an overview of the vulnerabilities that have been discovered and the attack vectors that were used, as well as recommendations on how to remediate and mitigate risks.
The specific goals of each red teaming exercise are defined by the particular requirements of the organisation. Examples of red teaming objectives include gaining access to a segmented environment that holds sensitive data, taking control of an IoT device or a specialised piece of equipment, or bypassing specific security controls, such as endpoint detection and response (EDR), email security controls or anti-bot controls.
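As an added worked example (not Kroll’s code or reporting format), the script below shows how the reporting and analysis step can quantify the detection side of an engagement: a constructed red team operator log is joined against constructed SOC alerts on host and technique within a time window, giving per-phase detection rates, mean time to detect and the list of actions nobody noticed. Phase names follow the list above; the technique IDs, hostnames, timestamps and alert names are assumed sample data.

```python
"""Detection scoring for a red team engagement.

Added example, not Kroll's code or report format. The log shapes, phase names,
ATT&CK-style technique IDs, hostnames and timestamps below are assumptions
used to build constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# How long after an action an alert may fire and still count as detecting it (assumed).
DEFAULT_WINDOW = timedelta(hours=4)


@dataclass(frozen=True)
class RedAction:
    """One entry from the red team operator log."""
    ts: datetime
    phase: str        # phase from the methodology above
    technique: str    # ATT&CK technique ID (assumed values)
    host: str
    description: str


@dataclass(frozen=True)
class BlueAlert:
    """One alert raised by the defenders' tooling (EDR, SIEM, email gateway, ...)."""
    ts: datetime
    technique: str
    host: str
    name: str


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample operator log (not from a real engagement).
RED_LOG = [
    RedAction(_t("2024-03-04T09:00:00"), "Reconnaissance", "T1589", "external",
              "OSINT: staff names and email address format gathered from public sources"),
    RedAction(_t("2024-03-04T10:15:00"), "Attack delivery", "T1566.001", "ws-finance-07",
              "Spear-phishing attachment opened; command-and-control beacon established"),
    RedAction(_t("2024-03-04T12:00:00"), "Internal compromise", "T1003.001", "ws-finance-07",
              "Credentials dumped from LSASS memory"),
    RedAction(_t("2024-03-04T14:30:00"), "Internal compromise", "T1021.002", "fs-01",
              "Lateral movement to file server via SMB admin share"),
    RedAction(_t("2024-03-04T16:45:00"), "Internal compromise", "T1048", "fs-01",
              "Staged data exfiltrated over an alternative protocol"),
]

# Constructed sample SOC alerts. Two deliberately do not match an action: one is
# on a different host, one fires long after the action (outside the window).
BLUE_ALERTS = [
    BlueAlert(_t("2024-03-04T10:20:00"), "T1566.001", "ws-finance-07",
              "Email gateway: macro-enabled attachment detonated in sandbox"),
    BlueAlert(_t("2024-03-04T12:10:00"), "T1003.001", "ws-hr-02",
              "EDR: suspicious LSASS access"),
    BlueAlert(_t("2024-03-04T15:00:00"), "T1021.002", "fs-01",
              "SIEM: admin share logon from workstation subnet"),
    BlueAlert(_t("2024-03-05T09:00:00"), "T1048", "fs-01",
              "DLP: large outbound transfer (retrospective review)"),
]


def match_alert(action: RedAction, alerts: list, window: timedelta = DEFAULT_WINDOW) -> Optional[BlueAlert]:
    """Earliest alert on the same host and technique raised within `window` after the action."""
    candidates = [
        a for a in alerts
        if a.host == action.host and a.technique == action.technique
        and action.ts <= a.ts <= action.ts + window
    ]
    return min(candidates, key=lambda a: a.ts) if candidates else None


def score_engagement(red_log, alerts, window=DEFAULT_WINDOW) -> dict:
    """Per-phase action count, detected count and mean time-to-detect in minutes."""
    per_phase: dict = {}
    for action in red_log:
        entry = per_phase.setdefault(action.phase, {"actions": 0, "detected": 0, "ttd": []})
        entry["actions"] += 1
        alert = match_alert(action, alerts, window)
        if alert is not None:
            entry["detected"] += 1
            entry["ttd"].append((alert.ts - action.ts).total_seconds() / 60)
    return {
        phase: {
            "actions": e["actions"],
            "detected": e["detected"],
            "mean_ttd_minutes": round(sum(e["ttd"]) / len(e["ttd"]), 1) if e["ttd"] else None,
        }
        for phase, e in per_phase.items()
    }


def undetected_actions(red_log, alerts, window=DEFAULT_WINDOW) -> list:
    """Actions with no matching alert: the detection gaps a report should call out."""
    return [a for a in red_log if match_alert(a, alerts, window) is None]


if __name__ == "__main__":
    for phase, s in score_engagement(RED_LOG, BLUE_ALERTS).items():
        print(f"{phase}: {s['detected']}/{s['actions']} detected, mean TTD {s['mean_ttd_minutes']} min")
    for a in undetected_actions(RED_LOG, BLUE_ALERTS):
        print(f"GAP  {a.ts:%H:%M} {a.technique} on {a.host}: {a.description}")
```

The join is deliberately strict (same host, same technique, alert after the action and inside the window) so that an unrelated alert on another host, or one raised a day later during a retrospective review, is not credited as a detection; with the sample data, only the phishing delivery and the SMB lateral movement count as detected, and the credential dump and exfiltration show up as gaps.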
The importance of red teaming
The value of red teaming lies in its authenticity, as it uses real-world offensive tactics. With security threats constantly emerging and diversifying, a proactive and in-depth approach is key to maintaining an effective level of cyber resilience. Red teaming enables organisations to identify vulnerabilities and strengthen their defences to reduce the chances of a real-life attack succeeding. By simulating the behaviours and techniques of real-life attackers, red team engagements allow companies to better understand their hidden vulnerabilities and address them before a threat actor finds them. A simulated cyber-attack of this kind is as close as an organisation can get to understanding how prepared it is to deal with a cyber incident.
Red team assessments provide a more comprehensive picture of an organisation’s security status. This is because they not only help companies to identify which critical assets might be at risk and how easily they could be targeted by cybercriminals but they also help them to understand how prepared they are to respond to a targeted attack and fully test the effectiveness of people, processes and technology.
Red team exercises are also important in helping organisations to gauge the effectiveness of their incident response programs. Once red teaming engagements are completed, practical support is provided to address identified vulnerabilities, improve response plans and mitigate the risk of a real-life attack. Insight of this type helps companies to better understand their security weaknesses and ensure that future security investments deliver the best possible return.
Benefits of red teaming
Red teaming provides a wide range of benefits for organisations seeking to enhance their cyber resilience, including:
Enhanced preparedness: Red team engagements provide organisations with an accurate and up-to-date perspective on their ability to defend against a range of types of cyber-attacks.
Test the effectiveness of security technology, people and processes: With the attack surface broadening for many companies at an unprecedented pace, red teaming helps organisations to fully understand how prepared they are to defend against cyber incidents.
Identify and classify a wide range of security risks: Because threat types are continuing to diversify in form and function, maintaining familiar methods of addressing security weaknesses could lead to some being overlooked. Red teaming delivered by highly experienced and certified ethical hackers gives a clearer view of the potential risks that could affect an organisation.
Improve detection and response procedures: With detection and response critical to a strong security posture, red teaming is valuable in helping to uncover weaknesses or gaps in coverage.
Uncover weaknesses missed by other forms of testing: Because red teaming takes a holistic approach, it helps to identify vulnerabilities that could be missed by other types of assessments. This makes it hugely valuable in helping companies to avoid the risks of becoming complacent about potential weaknesses.
Address risks and mitigate vulnerabilities: Through red teaming engagements, organisations can better understand their level of current and potential cyber risk. They can then take informed and targeted action to resolve any issues that are uncovered.
Obtain guidance on future security investments: By gaining a truer picture of their security status, organisations can better understand where best to invest in their security defences.
Understand the effectiveness of incident response plans: Through the insights gained from red teaming exercises, companies can more effectively gauge how well their incident response plans would perform, ensuring that they are set up to achieve the best possible outcome in the event of a security incident.
Penetration testing vs red teaming
While red teaming and penetration testing both play a key role in helping to identify and address security issues, they differ significantly from each other. Red teaming is more complex and in-depth, harnessing an adversarial approach, while pen testing is more targeted and focused. Red teaming aims to holistically explore all aspects of a company’s security approach to uncover and address hidden weaknesses. This is in contrast with penetration testing which seeks to look at a company’s established security systems in order to identify as many security vulnerabilities as possible.
A key similarity between red teaming and pen testing is that they both usually conclude with a report providing key insights into the issues identified, with recommendations for steps required to remediate them. Ultimately, the decision to commission a red teaming or a pen testing assessment isn’t an either/or choice as both offer benefits to organisations. Your choice will be defined by your organisation’s specific security requirements and its level of security maturity. An effective security program is likely to include both, alongside other types of security assessments.
| Red teaming | Penetration testing |
|---|---|
| Aims to achieve a specific objective and assess how a company’s security teams respond to threats | Aims to find as many exploitable and unpatched vulnerabilities as possible |
| Tests detection, response and security awareness and culture | Identifies security risks to be remediated |
| Takes a holistic approach to assessing all aspects of a company’s security | Focuses on assessing an organisation’s systems and technology |
| Longer duration in order to undertake in-depth reconnaissance, taking several weeks or months | More focused and limited in scope and duration, usually taking from a number of days to a few weeks |
| Adopts a stealthy approach; typically only a small control group knows it is taking place | Communicated to IT and/or security teams in advance |
| Emulates a specific adversary, using the offensive methods of real threat actors | Concentrates on vulnerability discovery and verification rather than emulating a particular adversary |
| Leverages attacker tactics, techniques and tools to access systems or data | Leverages a mix of tools and manual techniques |
| Generally used by organisations with a more mature security posture | Used by a range of organisations |
The difference between red teams, blue teams and purple teams
Red, blue and purple teams differ in a number of ways:
Red teams simulate cyber-attacks over a number of weeks in order to test an organisation’s security posture. Their goal is to enhance cybersecurity by achieving a set objective, while also testing an organisation’s detection and response capabilities.
Blue teams analyse an organisation’s information systems in order to gain a clear picture of their security, identify any security flaws and also verify the effectiveness of their security measures. Blue teams advise IT security teams on the steps they need to take to prevent cyberattacks and threats, as well as ensuring that these security measures are sustainable in the long-term.
Rather than a dedicated team in its own right, purple teaming is an approach that involves the close collaboration between red and blue teams to identify security vulnerabilities and recommend remediation strategies.
The key difference between red teams and blue teams is that red teaming takes an offensive approach while blue teams are defensive. Purple teaming goes a step further, combining the expertise of both red and blue teams to create a culture of continuous improvement. The strategic use of red teaming, blue teaming and purple teaming provides a more holistic approach to security, ensuring that key security threats aren’t overlooked. It also helps companies to respond to security incidents more quickly and strategically, which is critical in minimising the potential damage of an attack.
Selecting a red teaming solution
Considering commissioning a red team assessment? Choosing the right vendor to meet your organisation’s security requirements is an important decision. Look for guidance from an experienced provider with a proven track record for delivering security engagements that provide measurable outcomes and clear recommendations. Because the exercise may uncover a range of security issues it is also important to ensure that you have security expertise on hand to help you fully understand and act on the insights gained.
How Kroll can help
Looking for advice on red teaming? Kroll’s team of highly certified, CREST-accredited ethical hackers possess the skills and experience to identify and mitigate the latest threats, as proven by our track record of completing more than 100,000 assessments every year. Kroll is the world’s number one incident response provider, handling over 3,000 incidents globally every year. Our unrivalled expertise enables us to collect actionable frontline threat intelligence and adapt the latest tactics, techniques and procedures to incorporate in our red team operations. To help our clients stay ahead of today’s complex demands, our red team fully assesses your organisation’s threat detection and response capabilities with a simulated cyber-attack.