If you’re looking to assess your organisation’s security posture, you’ll likely encounter the terms ‘penetration testing’ and ‘red teaming’, but you may not fully understand the difference between the two practices. To those unfamiliar with their nuances, they are, in all fairness, often presented as quite similar undertakings. We have outlined each assessment type below, which will hopefully give you guidance on selecting the service that suits you.
Penetration Testing or Red Teaming? Let’s first consider your objectives
While at a glance, penetration testing and red teaming may seem very similar in nature, they each have strengths that are suited to particular circumstances and bring about different results. In order to find out which one will provide you with the most value, you need to determine what your goals are. From there, you can better decide which of these processes will meet these goals.
To quickly address your objectives:
- If you are a small to medium-sized business looking to discover vulnerabilities or configuration issues, then penetration testing is fundamental for you.
- If you are a larger enterprise with more advanced security controls and a good security posture, red teaming is the way to go.
However, justifying the need for these services cannot be boiled down to single-sentence explanations. Read on to learn exactly what each test covers and why it might be the one for you.
Penetration testing (also known as pentesting) seeks to find as many vulnerabilities or flaws in a given environment within an allotted timeframe. At Content Security, we mainly focus on internal and external infrastructure, wireless networks, as well as web and mobile applications.
After identifying vulnerabilities in the target organisation, the pentester exploits them to determine the level of access an actual attacker could gain, thereby verifying each weakness’s risk level. Pentesters are not stealthily traversing your network or system, looking to bypass security controls and carry out real attacks. Rather, this can be considered a general assessment of known and unpatched vulnerabilities.
Note: traditional penetration testing is done manually by ethical hacking experts and is often limited by time and scoping constraints. For that reason, automated testing is gaining traction as a proactive and more accessible means of staying on top of threats.
Who needs a penetration test?
Almost every business should undertake penetration testing – it is crucial to staying ahead of attackers. It allows organisations to strategise where to invest their security budget, and what controls they need to protect their data.
Nowadays, it is also a large part of meeting and maintaining compliance and regulatory standards. For example, meeting PCI requirement 11 entails running regular internal and external vulnerability scans.
It is generally recommended that you conduct a penetration test every time your environment changes to identify how and where a cybercriminal might target you.
Red teaming is a step above penetration testing. It is a more focused, scenario-based adversary simulation driven by narrowed objectives. By emulating actual, stealthy attackers, red teamers are able to provide organisations with a more realistic picture of risks posed to their assets.
This goes beyond unearthing network, application or system vulnerabilities; it also looks at data, human and other physical assets. For example, red teaming could involve testing incident response (IR) capabilities, security awareness and physical security controls.
Unlike penetration testers, red teamers want to avoid detection at all costs. They truly mimic what real, malicious attackers do, and in doing so have few restrictions on their exploits. Furthermore, red teaming focuses heavily on business outcomes.
So how is red teaming really different from penetration testing?
To look at this through an industry-specific lens, healthcare organisations may fear losing their clients’ personally identifiable information (PII), while financial institutions may be more concerned about an attacker gaining access to their ledger. A red team engagement has a specific goal and goes about achieving it without being restrained by traditional penetration testing boundaries.
In taking on the role of a threat-actor or group, the red team will perform reconnaissance to garner information about the organisation prior to the campaign. Once a weakness is found, it is exploited so that the team can gain a foothold within the corporate network. After this has been achieved, they are better positioned to execute the attack objective – this may be exfiltration of intellectual property, breaching onsite security or gaining access to server rooms.
Who needs a red team?
Red team testing is in the top 5 mitigating cost factors, saving businesses over $300k in the event of a breach.
In conclusion, which test is better?
Neither is necessarily better than the other; they are useful in different ways, under different circumstances. Each is foundational to proactively closing gaps before attackers get the chance to exploit them.
Red teaming is a comprehensive, in-depth stress test; if you want to test your detection and response capabilities while simultaneously unearthing unknown weaknesses, red teaming is for you.
But remember, you wouldn’t engage a red team as a baseline improvement initiative. This shouldn’t be your first choice if you want to uncover and remediate system vulnerabilities, or if you are simply looking to assess changes in your environment.