One of the most frustrating things to me as a security person is having sales and marketing types confuse the different types of security assessment.
And among those types of assessment, the pentest and red team are two of the most commonly mangled. First, let’s start with similarities.
- They’re both types of security assessment, meaning their goal is to improve the security of an organization.
- They’re also both based on behaving—to some degree—like an attacker.
- They’re both focused on results rather than coverage—so they aren’t designed to tell you everything wrong with a company, but rather to show you the specific issue(s) they uncovered.
- They both should be used by higher maturity customers, i.e., customers that have already gone through multiple rounds of vulnerability assessment and patching.
Sales and marketing types love to mix these two together based on whichever one gets more reaction from the customer.
As you can see, Red Team engagements and Penetration Tests have a lot in common, but they are also quite distinct from each other as well.
- Penetration Test: A time-boxed technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.
- Red Team Engagement: A long-term or continuous campaign-based assessment that emulates the target’s real-world adversaries to improve the quality of the corporate information security defenses, which—if one exists—would be the company’s blue team.
The origin comes from the military, where an independent group that challenges an organization to improve its effectiveness.
Penetration Tests are short-term challenges to one’s security posture, and ideally should be done when you think you have your stuff together and you want someone to validate that assumption. They can be network-based, use physical attacks, social engineering, phishing, be application-focused—or all of the above.
Today the term is quite diluted, with Penetration Testing meaning something different to almost everyone. And there are thousands of companies that will sell you one. The problem is you have no way of knowing if you’ll get a Nessus scan or a custom, high-quality manual assessment.
Somewhere around 2017 the Red Team became the assessment de jour for much of the industry. The problem is that only a tiny percentage of security services companies can actually execute them.
The main distinctions between Penetration Test and Red Team are:
- Duration: Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.
- Multi-domain: While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.—a good Red Team almost always does.
- Adversary Emulation: The item that separates a random Penetration Test from a Real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.
In general, Penetration Tests and Red Team engagements are more likely than Vulnerability Assessments to use exploitation, or proofs of concept, to show that vulnerabilities actually exist. But it’s important to understand that exploitation is not necessary if the evidence is obvious enough to the receiver of the report.
You can ask for a Pentest or Red Team as a low-maturity customer, but you’ll just be wasting money.
- Both Pentests and Red Team engagements are based on acting like an attacker, they’re focused on results rather than coverage, and should only be requested by high-maturity customers.
- Penetration Tests are usually very short engagements of one to two weeks, whereas Red Team engagements should be campaign-based, long-term, and/or effectively continuous.
- Red Team engagements are usually cross-domain, where only some Penetration Tests have that quality.
- Red Team engagements should constantly create new tools and techniques to emulate their adversaries, while Pentest groups usually use off-the-shelf frameworks and standard pentester tactics.
This should help you tell these two assessments apart, and if you want to know when to use which kind of assessment, you can read my guide:
When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties
- The only real reason to do a Penetration Test in a low-maturity company is to bring skeptical decision-makers to religion by showing them that yes—they really should be listening to their security person.