The Difference Between Red Teaming and Penetration Testing

Automated application security testing has come a long way from its humble beginnings, but to really understand an organization’s security posture, you still need human expertise. Apart from penetration testing, which is a vital part of any cybersecurity program, you’ve probably also heard a lot about red and blue teams, especially in recent years. So what’s this all about? Is red teaming just a fancy name for penetration testing? Let’s take a look…

The Difference Between Red Teaming and Penetration Testing

The Goals of Security Testing

Depending on its information security program, an organization may need to use different types of security testing to satisfy different objectives. The job of a penetration tester is to use all available tools to find as many vulnerabilities as possible in a specified time and subset of assets (usually a set of IPs). For maximum coverage, most pentesters will start by running an automated vulnerability scan of the target and then use manual penetration testing tools to probe promising weaknesses. 

If the test stops at finding vulnerabilities, it is a vulnerability assessment. If the pentester then attempts to exploit and combine any discovered vulnerabilities to breach systems and extract sample data, this is a proper penetration test. In both cases, the aim is to identify and report security weaknesses to prevent future cyber attacks.

The problem with real-world attacks is that they don’t have to obey the rules and limitations of security testing programs. Attackers will use any means they can to gain access – and they only need one point of entry for a successful breach. Pentesting focuses on technical vulnerabilities, so it does not directly indicate whether the organization is actually vulnerable to attack. This is where red teaming comes in.

How Red Team Assessments Are Done

Red teaming is a much broader approach to penetration testing that uses the methods of real-life attackers to test if an attack is possible. Such tests are often combined with an evaluation of the organization’s security controls, threat intelligence, and incident response procedures. Using terminology adopted from wargaming, this is then called a red team vs blue team exercise, where the red team are the attackers and the blue team members defend the organization.

Red teamers can be designated staff from the internal security team or (preferably) external offensive security experts who have no prior knowledge of the organization. Their job is to breach defenses, avoid detection, perform an attack, and provide sensitive data as proof.

Depending on the maturity and testing requirements of the organization, red team operations can be limited to the digital domain only or include physical security as well. In a full-scale, no-holds-barred red team exercise, the attackers might resort to social engineering techniques such as phishing and impersonation, as well as using specialist electronic equipment to breach physical and network security.

Expect the Unexpected

Red teamers are given an attack objective, for example, to extract intellectual property or financial information from company systems. Unlike penetration testing, red team operations are conducted in secret so that the organization’s staff and security systems react as if it were a real attack. This requires careful planning and executive sponsorship to balance realism and safety – the attack should not cause business disruption and the testing team should be protected from prosecution if caught. Because the red team might technically be breaking the law on multiple counts, detailed written agreements and disclaimers are a must.

That said, there is always a risk of unexpected incidents because staff can’t be notified of the attack and people’s reactions can be unpredictable. What if physical security is handled by an external agency that calls the police or even resorts to violence before the alarm can be called off? After all, red team exercises can run over several weeks, so the executive sponsor of the exercise might be unreachable at that precise moment. And what if the attack temporarily brings down the company network or intrusion detection system, leaving the organization wide open to real attacks? Simulated or not, this is war – and things can go wrong.

Should You Use Red Teaming?

If all this sounds a little scary, that’s because it is. Unlike penetration testing, red teaming is definitely not for everyone. To safely conduct a red team assessment and get the maximum benefit out of it, an organization needs to have solid security measures already in place and be well prepared to confront a variety of threat actors. 

In other words, if you think your organization is impregnable, you can order a red team operation to see if you’re right. If you know your security isn’t perfect and want to improve it, you’re better off with less invasive testing methods. And before you call in the pentesters, bounty hunters, and red teamers, be sure to check your web application security with a high-quality and easy-to-use DAST tool like Invicti to find and eliminate many critical issues on your own.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.