Red team
What is a red team in cybersecurity?
A red team is a group of authorized security professionals who emulate real-world adversaries to find ways to compromise systems, people, and processes. Unlike a checklist-based security assessment, a red team focuses on realistic attacker behavior—often blending technical exploitation with social engineering and stealth.
The purpose of a red team is not just to “get in,” but to validate whether monitoring, incident response, and security controls actually work under pressure.
How does a red team differ from penetration testing?
A penetration test (pen test) typically has a defined set of targets and aims to identify and prove vulnerabilities within scope. A red team engagement is usually broader and more scenario-driven, emphasizing stealth, persistence, and business impact.
Common differences include:
- Pen test: vulnerability depth, coverage of the defined scope, and remediation guidance
- Red team: adversary realism, detection evasion, and validation of the response process
- Red team: measurement of security posture across people, process, and technology, not just individual systems
Both can be forms of ethical hacking, but the intent and success criteria differ.
What goals does a red team engagement achieve?
A red team engagement tests whether your organization can prevent, detect, and respond to a motivated attacker. It validates security outcomes, not just individual controls.
Typical goals include:
- Identify paths to critical assets (e.g., customer data, production systems)
- Evaluate alerting and triage effectiveness in the SOC
- Measure incident response speed and decision-making
- Expose gaps in identity, segmentation, and logging
- Provide evidence for security investment priorities
Many teams treat this as adversary simulation aimed at measurable improvements.
What tactics and techniques do red teams use?
A red team uses attacker-style tactics across the kill chain, often aligned to frameworks like MITRE ATT&CK.
Examples include:
- Reconnaissance and initial access (phishing, exposed services)
- Credential access (password spraying, token theft)
- Lateral movement and privilege escalation
- Persistence and command-and-control
- Data access and exfiltration simulations
Some engagements incorporate threat emulation or attack simulation of a specific actor profile to mirror likely risks.
What is included in a red team engagement scope?
A red team scope defines what’s allowed, what’s off-limits, and how safety is maintained. Clear guardrails prevent business disruption while preserving realism.
Scope usually specifies:
- In-scope assets (apps, endpoints, cloud tenants, facilities)
- Allowed techniques (e.g., social engineering permitted or not)
- Timing, escalation paths, and “stop” procedures
- Data handling rules and evidence requirements
- Success criteria (flags, objectives, or assumed breach goals)
Many organizations choose assumed breach testing to start from a realistic foothold.
How do red team and blue team work together?
A red team challenges defenses, while the blue team (defenders) focuses on detection, containment, and remediation. In mature programs, the red team and blue team align on learning outcomes and measurement.
Effective collaboration often includes:
- Pre-briefs on rules of engagement
- Real-time deconfliction to avoid outages
- Post-exercise workshops to tune detections and playbooks
This feedback loop turns the red team exercise into sustained security improvement.
What is purple teaming and when is it used?
Purple teaming blends red team realism with blue team visibility. Instead of keeping the defenders fully blind, a purple team approach encourages shared iteration: run an attack path, observe telemetry, tune detections, then rerun.
It’s useful when you want to:
- Rapidly improve detection engineering and response playbooks
- Validate specific controls (EDR, SIEM, email security)
- Train analysts using realistic attacker behavior
Purple teaming can complement a full red team engagement by accelerating learning.
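As an added illustration of the purple-team loop above applied to one of the credential-access techniques listed earlier (password spraying), the following detection logic is example code written for this page, not code from any vendor or project. It assumes a simplified auth log format and constructed sample lines; the signal it keys on is many distinct accounts failing from one source in a short window, which is what separates a spray from ordinary brute force or a forgotten password.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (not from any real system); assumed line format:
# "<ISO-8601 UTC timestamp> <LOGIN_FAILED|LOGIN_OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAILED user=bob src=203.0.113.5
2024-05-01T10:00:05Z LOGIN_FAILED user=carol src=203.0.113.5
2024-05-01T10:00:07Z LOGIN_FAILED user=dave src=203.0.113.5
2024-05-01T10:00:09Z LOGIN_OK user=dave src=203.0.113.5
2024-05-01T10:01:00Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:01:02Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:01:04Z LOGIN_FAILED user=frank src=198.51.100.7
2024-05-01T10:09:00Z LOGIN_FAILED user=grace src=203.0.113.5
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Return sorted (timestamp, event, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts.replace(tzinfo=timezone.utc),) + m.groups()[1:])
    return sorted(events)

def detect_password_spray(events, window_seconds=300, min_accounts=5):
    """Alert on a source whose failed logins hit >= min_accounts distinct users inside
    a sliding window. The signal is distinct accounts, not attempt count: one user
    failing repeatedly (brute force, forgotten password) is deliberately ignored."""
    failures = defaultdict(list)                       # src -> [(ts, user)] in time order
    for ts, event, user, src in events:
        if event == "LOGIN_FAILED":
            failures[src].append((ts, user))
    alerts = []
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1                             # slide window start forward
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts.append({"src": src, "accounts": len(users),
                               "first": fails[start][0], "last": fails[end][0]})
                break                                  # one alert per source is enough
    return alerts
```

Run with the default threshold the sample spray of four accounts is missed; rerunning with `min_accounts=4` after the exercise surfaces it, which is exactly the observe, tune, rerun cycle described above.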
What deliverables should you expect from a red team?
A red team should provide outputs that are actionable for both executives and technical teams.
Common deliverables include:
- Executive summary of business impact and key risks
- Attack narrative (timeline of actions and decisions)
- Evidence (screenshots, logs, command history)
- Detection gaps and recommended telemetry improvements
- Remediation guidance prioritized by risk
- Replayable test cases, which can also feed breach and attack simulation (BAS) tools
The best reports clearly connect findings to security outcomes.
How often should organizations run red team exercises?
Frequency depends on risk, change rate, and maturity. Many organizations run a red team annually, while high-change environments may do smaller adversary exercises quarterly.
Consider running a red team when you:
- Launch major systems or migrate to cloud
- Change identity platforms or network architecture
- Experience incidents or near-misses
- Need to validate controls after major remediation
Combining periodic red team engagements with targeted pen tests and continuous BAS can provide balanced coverage.
