Red teaming has become a well-known term in cyber security, but it is not the right exercise for every organisation at every stage. Commissioning a red team engagement before the conditions are right produces expensive findings you cannot meaningfully act on. Understanding what red teaming actually tests — and what it requires — will help you decide whether it belongs in your security programme now.
What a red team exercise is
A red team engagement is a covert, scenario-driven simulation of a real threat actor. A small team of specialist operators is given an objective — gain access to a specific system, exfiltrate a defined data set, reach a target environment — and attempts to achieve it using the same techniques, tools, and tradecraft a genuine attacker would use. Crucially, the defenders are not told the exercise is happening. The simulation tests whether your people, processes, and technology can detect, investigate, and respond to an attack in progress — not just whether vulnerabilities exist.
How it differs from a penetration test
Penetration testing and red teaming are both offensive security disciplines, but they answer different questions and should not be treated as interchangeable.
| Penetration Test | Red Team Exercise | |
|---|---|---|
| Primary question | What vulnerabilities exist? | Would we detect and respond to an attack? |
| Scope | Defined and agreed in advance | Broad; operators choose their path |
| Defender awareness | Usually known to technical staff | Kept secret from the defending team |
| Duration | Days to two weeks | Weeks to months |
| Primary output | Vulnerability findings and remediation | Detection gaps, response weaknesses, attack narrative |
A penetration test produces a prioritised list of technical weaknesses for your engineering teams to fix. A red team exercise tells your security operations function whether it can identify and contain a threat actor operating inside your environment.
The SOC requirement
Red teaming only has value if your organisation has active detection capability. If nobody is monitoring alerts, reviewing logs, or triaging suspicious behaviour, a red team engagement will complete its objective undetected — which does not demonstrate resilience, it simply confirms there is nothing in place to provide it.
Before commissioning a red team exercise, your organisation should have at minimum:
- A Security Operations Centre (SOC), managed detection and response (MDR) provider, or in-house security monitoring function
- A monitored SIEM with coverage across endpoints, identity, and network traffic
- Defined incident response procedures and an on-call escalation path
- Regular alert triage, not just passive log collection
Without these, the red team's findings will show that an attacker can move freely through your environment — but that is already the expected outcome when there is no one watching. The value of a red team engagement is stress-testing a detection capability that exists, not revealing the absence of one.
Start with a penetration test
If your organisation has never had a penetration test, that is where to begin. Known exploitable vulnerabilities — unpatched systems, weak credentials, misconfigured services — are almost certainly present, and a red team will exploit them immediately. The engagement will end quickly and tell you only that your patching and hardening posture needs work, which a penetration test would have identified at a fraction of the cost.
A penetration test establishes a security baseline. Once critical findings are remediated and basic hygiene is in place, you have a foundation worth pressure-testing with a red team. Running them in the right order means each engagement builds on the last rather than repeating the same findings.
Not sure where to start? A penetration test gives you the security baseline that red teaming builds on — identifying the vulnerabilities that need to be resolved before adversary simulation is worthwhile.
Penetration Testing