How to Choose: Penetration Tester vs. Red Team

Don’t be misled into thinking that because you have a Penetration Tester that you have a Red Team – or that because you have a Red Team you have a Penetration Tester. While some functions may overlap, you are getting two different things when enlisting the help of each. Both provide something beneficial to your organization and the security measures in place – so let’s further investigate what you can really expect from each.

Who are Penetration Testers?

A penetration test is a must-have for any organization – and most entities are required to complete one in order to meet various compliance protocols each year. No matter if you hire in-house or as an outside consultant, Pen-Testers are the designated person who will ethically hack and evaluate your environment. With someone in place as the point of contact, and as the brains behind the security scope necessary, you will find yourself more equipped and with fewer items slipping between the cracks. The risk here is that your single pen-tester could become too close to the work and not see the potential threats as clearly – or depending on your security posture, the workload could be too much for one person to bear and remediate in a timely fashion.

While it’s good to have someone in place to handle this, in many companies it’s growing to be too much for one person to handle due to how quickly the number of attacks are increasing on top of how much research is required to get in front of these attacks. That’s where red teaming comes in.

What are Red Teams?

This is another way to go about testing and monitoring to have full visibility into your security posture. This is a group (team) with a minimum of two people up to over twenty whose sole purpose is to test your organization’s security – both often and without the knowledge of the rest of the staff. This allows for a true test of the organization’s security posture without everyone on their best behavior for the sake of a test. Instead, this will show a true reflection of how your organization really fairs against adversaries.

Within your Red Team you will often have members with different experience or expertise and potentially be hired for ad-hoc tasks depending on the scope. This allows you to have a well-rounded team to actually be able to fully test different environments. One of the keys to building a qualified Red Team is to hire experienced, critical thinkers to form the core of your team and continue adding to the team with a diverse mix of skills.

Don’t count anyone out of being a part of your Red Team. Some of the best Red Team members have come from IT administration ranks, experience in network engineering or have been a part of Windows and Unix administrations. Maybe you’re looking to build a Red Team for a specific case such as testing web applications. If that’s the case we’ve seen some of the best come from development. At large, this is the group who will test your organization’s security often and well without the knowledge of the rest of the staff – and with more tools and methods than pen-testing.

What’s right for you?

There are a lot of factors that go into this decision. Budget probably being the first to come to mind. Depending on your organization this might make the decision for you. Small businesses typically hire someone internally to manage the day-to-day influx of security questions and lead the charge of the overall security awareness within an organization. Then they may consider outsourcing other aspects to do more of the heavy lifting for remediation projects that are too much for one person to handle.

No matter what, cyber threats aren’t going away so there is always going to be a need to have someone, or a group of someone(s), in place. The need for an internal security management team and program is only growing. So, now that you know the difference between the two, are you ready to test the security posture of your infrastructure?