Red Teaming Overview

Red Teaming is the practice of testing the security of your systems by trying to break into them the way a real attacker would.

A Red Team can be an externally contracted group of pen testers or a team within your own organization, but in all cases, their role is the same: to emulate a genuinely malicious actor and try to break into your systems.

The value of Red Teams can be understood most easily by imagining a scenario. An organization might have an extremely well-developed pentesting process and therefore be confident that its systems can't be breached by external actors. A Red Team exercise tests whether that confidence holds against an adversary who is not limited to the scope of a pentest and can chain together, say, a phishing email, a tailgated door and an unpatched internal service to reach a goal.

Who Red Teaming Is For

Almost every company can benefit from some type of Red Teaming. If your company doesn’t work in tech, it might seem that Red Teaming would be of limited utility to you. But that’s not the case. Cybersecurity is not just about protecting sensitive information.

A worryingly high number of organizations do not have the control they think they do over their data. Industry surveys of file-share permissions illustrate this: on average, 22% of a company's folders are accessible to every employee, and 87% of companies have over 1,000 sensitive, stale files in their systems.


Once you’ve completed several business cycles of vulnerability and pen testing, you can start Red Teaming. At this point, the real value of Red Teaming can be realized. However, attempting to bring in red teaming before getting a good handle on the basics will produce very little value.

Penetration Testing

Red Teaming is often confused with penetration testing, but the two differ in scope. More precisely, pen testing is just one of the techniques a Red Team may use.


The role of the pen tester is quite tightly delineated. The work of pen testers is organized into four broad phases: planning, information discovery, attack, and reporting. Even so, pen testers do more than look for software vulnerabilities. They think like attackers: once they get into your system, their real work begins.

They continue to do discovery and base new attacks on what they learn as they move through the environment. That is what separates a pen tester from someone hired just to find vulnerabilities with, say, a port scanner or an automated vulnerability scanner. An experienced penetration tester can identify:

  • Where a hacker might target you

  • How they would attack

  • How your defenses would fare

  • The possible magnitude of the breach


Red Teaming vs. Penetration Testing

Penetration testing is a small part of Red Teaming. A typical penetration test concentrates on the early stages of the cyber kill chain (reconnaissance through initial exploitation) against a defined scope. A red team exercise runs through the entire chain: initial access, evasion and persistence, privilege escalation, lateral movement, command and control, and exfiltration.

Common Red Team Tactics

Red teaming uncovers risks to your organization that traditional penetration tests miss, because a pen test focuses on one aspect of security or an otherwise narrow scope. Here are some of the most common ways red team assessors go beyond a standard penetration test.

Email and phone-based social engineering.
With a little research on individuals or organizations, phishing emails become a lot more convincing. This low-hanging fruit is frequently the first link in a chain of attacks that leads to the goal.

Network service exploitation.
Exploiting unpatched or misconfigured network services can give an attacker access to previously unreachable networks or to sensitive information. Often, an attacker will leave a persistent backdoor so they can regain access later.

Physical facility exploitation.
People have a natural inclination to avoid confrontation. Thus, gaining access to a secure facility is often as easy as following someone through a door. When is the last time you held the door open for someone who didn’t scan their badge?

Application layer exploitation.
Web applications are often the first thing an attacker sees when looking at an organization's network perimeter. Exploiting web application vulnerabilities (e.g., cross-site scripting, SQL injection, cross-site request forgery) can give an attacker a foothold from which to execute further attacks.
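To make the SQL injection case concrete, the following added example (not code from the original page) builds an in-memory SQLite database with a constructed `users` table and runs the same login check two ways: a deliberately vulnerable version that concatenates user input into the query, and a hardened version that binds the input as parameters. The table contents, the `login_*` function names and the attacker payload are all assumptions made for this illustration; real systems should store password hashes, not plaintext passwords, which the example keeps simple on purpose.

```python
import sqlite3

# Constructed sample data for this example only (not from the original page).
# Plaintext passwords are a simplification; production code stores salted hashes.
SAMPLE_USERS = [
    (1, "alice", "s3cret-alice", "admin"),
    (2, "bob", "s3cret-bob", "user"),
    (3, "carol", "s3cret-carol", "user"),
]


def make_db():
    """Build an in-memory SQLite database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable login check: user input is concatenated into the
    SQL text, so the attacker controls the structure of the query."""
    query = (
        "SELECT id, username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Same check with a parameterised query: the driver binds the values as
    data, so quotes and comment markers in the input are never parsed as SQL."""
    query = "SELECT id, username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the attacker payload against both implementations and summarise."""
    conn = make_db()
    # Classic tautology payload (assumed attacker input): closes the string
    # literal, ORs in an always-true condition, and comments out the password
    # clause with SQLite's "--" line comment.
    payload_user = "admin' OR '1'='1' --"
    bogus_password = "wrong"

    vuln_rows = login_vulnerable(conn, payload_user, bogus_password)
    hard_rows = login_hardened(conn, payload_user, bogus_password)
    legit_rows = login_hardened(conn, "alice", "s3cret-alice")

    return {
        # The injected query degenerates to WHERE username='admin' OR '1'='1',
        # which matches every row: the attacker "logs in" and enumerates users.
        "vulnerable_returns_all_users": len(vuln_rows) == len(SAMPLE_USERS),
        # With binding, the payload is just an unknown username: no rows.
        "hardened_returns_nothing": hard_rows == [],
        # Sanity check that the hardened version still works for a real user.
        "legit_login_works": legit_rows == [(1, "alice", "admin")],
    }


if __name__ == "__main__":
    print(demo())
```

The foothold here is the authentication bypass plus the user listing the vulnerable query hands back; from that point a red team would move on to the later stages (privilege escalation, persistence, exfiltration) that the rest of this page describes.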