
An attacker’s perspective on choosing a red-team or pen-test engagement

By David Wolpoff
June 25, 2020

As a red-teamer on the front lines, I’m regularly asked, “Should I do a pentest or hire a red team?” But that’s not the question people should be asking.

Security leaders should be asking, “What can I do to make it more expensive for an attacker to 'pwn' me?” 

Expense for an attacker is defined by many factors: time to break in, cost for an exploit, complexity, time spent sitting in a network waiting, etc. Expense is increased by forcing an attacker to go through many “hoops” to get to the crown jewels and meet their objective. 

Pentesting and red teaming can both identify ways to make your program more expensive to hack, but doing both is not realistic for everyone, nor is every security program ready for both. Mature security programs that have tested their controls and have visibility are typically ready for a red team. Younger security programs need to test their controls, and will make an attack more cost-prohibitive by starting with a pentest.

A pentest will tell you if a security system and/or control is working as it was designed to work. Red-teaming tells you if you’ve adequately secured the most important things to protect. (Note the word “adequately”: nothing is completely secure.)

Questions a pentest will answer:

  • Does my program function as it was designed to function? 
  • Is my security program doing the things I expect it to do? 
  • Does this security control I put in place work as expected?

Questions a red team engagement answers:

  • Is my program doing the things that need to be done to protect my environment? 
  • What happens if my controls fail?
  • Are my team and program prepared to respond under realistic pressure?

An example

Let’s say Moose Inc. put a new EDR solution in place, and the CISO wants to confirm it was set up correctly. Basic alerting was set up to trigger when new admin credentials were created, or on anything related to the domain controller. If pentesters tried to crack this EDR, they’d try to create new admins or perhaps mess with the domain controller, but fortunately, in this case, the security organization put the right alerting in place. After this pentest engagement, Moose Inc.’s CISO would feel confident the EDR control is in a good spot. And, yes, the EDR was set up well. But what about the controls and configurations adjacent to the EDR?

If Moose Inc. hired a red-teamer, they would go beyond testing the EDR controls, and perhaps pull from an Active Directory tree and identify logins that already had admin privileges. From that point forward, the red-teamers have inherited permissions to mess with the EDR without generating alerts.

The red-teamer finds the gaps between security controls and visibility, whereas the pentest typically surfaces problems within specific controls.

When to pentest 

Just because the red-teamer finds gaps between systems doesn’t mean a pentest isn’t important. It’s great at answering the question: “Does this work as I asked it to work?” And that’s just as important for making things more expensive for the hacker.

Pen-testing aims to find flaws across a broad range of things; it has the breadth, but not the depth. It does a good job proving a protection is working, but not whether the program behind it is working. Or, as in our example, if a CISO puts in a new security control, they should have the pentester confirm the control was put in place according to plan.

But a pentest has its shortcomings. Once you’ve disclosed how you designed something, you’ve tainted it. Pen-testers go broad; they use a comprehensive public corpus of techniques, but they won’t stress a program. And typically, a pentester doesn’t go super deep because of time, budget and scope.

When to hire a red team

When a CISO wants to answer the questions “Does this work?”, “What happens if this fails?” or “Is my team ready?”, it’s time to bring on a red team. Red teaming helps you understand if the entirety of your security program is working. It’s typically goal-oriented, not time-bound. Typically a red teamer won’t go through your main defenses, but will still find a way in. They may not go wide, but they go deep. They find systemic problems, from failures in training to technical execution, and can even change the way business is done.

Don’t jump to bringing on a high-end red team unless you’re ready for high-end learnings. If you’re still focused on blocking and tackling, maybe you’re not ready to get a high-end red team to beat you up.

For practitioners who have to choose between a pen test and a red team engagement, it comes down to the maturity of your security program and the questions you want to answer. And ultimately, it’s all about making it harder and more expensive for an attacker to get in and achieve their objective.

 

KEYWORDS: cyber security hacker IT security penetration testing


David Wolpoff (Moose) is co-founder and CTO of Randori. Moose's background is in red-teaming, digital forensics, vulnerability research, reverse engineering and embedded electronic design. Before Randori, Moose ran "Hacker on Retainer," where he ran red teams, conducting determined adversary attacks for clients, including many of the Fortune 500. Prior to that, he held executive positions at Kyrus Tech, a government defense contractor; and ManTech, where he oversaw teams conducting vulnerability research, forensics and offensive security efforts on behalf of government and commercial clients.
