What Is a Red Team Exercise? How It Differs From Pentesting
The terms "red team" and "pentest" get used interchangeably in casual conversation, and they shouldn't. They're related activities that often use similar tools, but they have fundamentally different purposes, scopes, and outputs. Choosing the wrong one for your security program's needs means getting an answer to a question you didn't ask.
Penetration Testing: What It Is
A penetration test is a scoped technical audit. The organization defines which systems are in scope. The tester attempts to compromise those systems using attacker techniques. The output is a ranked list of vulnerabilities with remediation guidance.
The key characteristics: defined scope, known to IT/security staff (usually), time-bounded (typically 1-3 weeks), technical focus, output is a vulnerability report.
A pentest answers: "What specific vulnerabilities exist in these systems right now, and how bad is each one?"
Red Team Exercise: What It Is
A red team exercise is adversary simulation. A team of skilled attackers (the red team) attempts to achieve specific objectives against an organization using any methods they choose. The defensive team (blue team) usually doesn't know the exercise is happening.
The key characteristics: objective-based (not scope-based), unknown to most defensive staff, extended duration (often 4-12 weeks), full attack chain including social engineering and physical access, output is an assessment of the full security posture.
A red team exercise answers: "If a sophisticated attacker targeted us today, how far would they get and would we know?"
graph TD
subgraph "Red Team Exercise Lifecycle"
RECON["1. Reconnaissance
(OSINT, social media,
public records)"]
WEAP["2. Weaponization
(custom payloads,
phishing kits)"]
DEL["3. Delivery
(phishing, USB drops,
physical access)"]
EXPL["4. Exploitation
(credential theft,
vuln exploitation)"]
INST["5. Installation
(persistence,
C2 implants)"]
C2["6. Command & Control
(encrypted tunnels,
DNS covert channels)"]
OBJ["7. Objective Achieved
(data exfil, domain admin,
physical access)"]
end
RECON --> WEAP --> DEL --> EXPL --> INST --> C2 --> OBJ
OBJ -.->|"Pivot to
new target"| RECON
subgraph "Blue Team (Unaware)"
SIEM["SIEM Monitoring"]
SOC["SOC Analysts"]
IR["Incident Response"]
end
EXPL -.->|"Trigger
alert?"| SIEM
SIEM -.->|"Escalate?"| SOC
SOC -.->|"Respond?"| IR
Red team kill chain - the blue team typically does not know the exercise is underway, testing real detection and response capability
The Scope Difference Is Everything
In a pentest, the tester follows a list. Systems not on the list are untouchable. In a red team exercise, the attackers pick their own path to the objective. If the easiest way to reach the customer database is through an executive's laptop via a phishing email, the red team does it anyway. Real attackers don't respect scope documents.
graph TD
START["Security Assessment
Needed"] --> Q1{"Compliance
requirement?"}
Q1 -->|"Yes"| PENTEST["Penetration Test"]
Q1 -->|"No"| Q2{"Mature security
program?"}
Q2 -->|"No"| PENTEST
Q2 -->|"Yes"| Q3{"Want to test
detection &
response?"}
Q3 -->|"Yes"| REDTEAM["Red Team Exercise"]
Q3 -->|"No"| Q4{"Need collaboration
between offense
and defense?"}
Q4 -->|"Yes"| PURPLE["Purple Team Exercise"]
Q4 -->|"No"| PENTEST
subgraph "Pentest Output"
PENTEST --> VULNS["Ranked Vulnerability
Report"]
VULNS --> REMED["Remediation
Guidance"]
end
subgraph "Red Team Output"
REDTEAM --> NARR["Attack Narrative
+ Detection Gaps"]
NARR --> IMPROVE["Defense
Improvements"]
end
subgraph "Purple Team Output"
PURPLE --> COLLAB["Collaborative
Detection Tuning"]
COLLAB --> RULES["Updated Detection
Rules"]
end
Decision tree for choosing the right security assessment type based on organizational maturity and objectives
Blue Team and Purple Team
The blue team is the defensive counterpart - the organization's internal security operations team. In a red team exercise, the blue team is the adversary's real target: can they detect what's happening and stop it?
Purple team exercises emerged as a middle ground. Red and blue teams collaborate rather than operate in opposition. The red team attempts a specific technique, tells the blue team what they did, and the blue team checks whether they detected it. If not, they tune detection rules together.
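To make that purple-team loop concrete, here is an added example (not code from the original article): a small Python scoreboard that records each technique the red team ran and whether, and how quickly, the blue team's first alert fired, then reports coverage, time-to-detect and regressions between two rounds of tuning. Technique names, timestamps and the 15-minute detection SLA are constructed sample values.

```python
# Added example, not code from the original article: a purple-team
# scoreboard. Each test case records when the red team ran a technique
# and when the blue team's first alert fired (None = never), so both
# teams can see gaps, time-to-detect and regressions between rounds.
# All technique names and timestamps are constructed sample data.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TestCase:
    technique: str                  # short label for the technique exercised
    executed_at: datetime           # when the red team ran it
    alerted_at: Optional[datetime]  # first matching alert, or None if never

def scoreboard(cases, sla=timedelta(minutes=15)) -> dict:
    """Classify each technique as detected, late (past SLA) or missed."""
    detected, late, missed, delays = set(), set(), set(), []
    for tc in cases:
        if tc.alerted_at is None or tc.alerted_at < tc.executed_at:
            missed.add(tc.technique)  # no alert, or an alert predating the test
            continue
        delay = tc.alerted_at - tc.executed_at
        delays.append(delay)
        detected.add(tc.technique)
        if delay > sla:
            late.add(tc.technique)
    mttd = sum(delays, timedelta()) / len(delays) if delays else None
    return {"detected": detected, "late": late, "missed": missed,
            "coverage": len(detected) / len(cases) if cases else 0.0,
            "mttd": mttd}

def regressions(previous: dict, current: dict) -> set:
    """Techniques the blue team caught last round but missed this round."""
    return previous["detected"] & current["missed"]

T0 = datetime(2024, 1, 8, 9, 0)  # constructed exercise start time
ROUND1 = [
    TestCase("phishing-email", T0, T0 + timedelta(minutes=4)),
    TestCase("credential-dump", T0 + timedelta(hours=1), None),
    TestCase("remote-service-login", T0 + timedelta(hours=2), T0 + timedelta(hours=2, minutes=40)),
]
ROUND2 = [  # after tuning: credential dumping now caught, lateral login regressed
    TestCase("phishing-email", T0 + timedelta(days=7), T0 + timedelta(days=7, minutes=3)),
    TestCase("credential-dump", T0 + timedelta(days=7, hours=1), T0 + timedelta(days=7, hours=1, minutes=6)),
    TestCase("remote-service-login", T0 + timedelta(days=7, hours=2), None),
]
```

Running `scoreboard` on each round and `regressions` across them gives the blue team a list of rules to tune and a check that last round's fixes did not silently break.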
sequenceDiagram
participant ORG as Organization
participant PT as Pentest Team
participant RT as Red Team
participant BT as Blue Team
rect rgb(30, 30, 30)
Note over ORG,PT: Penetration Test Flow
ORG->>PT: Define scope document
ORG->>PT: Notify IT/security staff
PT->>PT: Test in-scope systems only
PT->>ORG: Vulnerability report
end
rect rgb(40, 20, 20)
Note over ORG,BT: Red Team Exercise Flow
ORG->>RT: Define objectives (not scope)
Note over BT: Blue team NOT notified
RT->>RT: Reconnaissance (weeks)
RT->>RT: Choose own attack path
RT->>BT: Attack (phishing, physical, wireless)
BT-->>BT: Detect? Respond?
RT->>ORG: Full attack narrative + gaps
ORG->>BT: Debrief and improve
end
Pentest follows a defined scope with IT staff aware; red team exercises simulate real adversaries against an unaware blue team
When a Pentest Is the Right Choice
Use a penetration test when: you have a compliance requirement, you're launching a new application, you want a technical inventory of specific issues, or you have limited budget.
When a Red Team Exercise Is the Right Choice
Use a red team exercise when: you want to test detection and response capability, your security program is mature and regular pentests find diminishing returns, you need to justify security investment to leadership, or you're concerned about sophisticated targeted threats.
Wireless Security in Red Team vs Pentest Context
In a wireless penetration test: enumerate APs, test for weak passwords, verify PMF is enabled, check for WPS vulnerabilities, test guest network isolation.
In a red team exercise: wireless might be the initial access vector. The red team parks outside the target's building, deploys a rogue AP with an evil portal, waits for employees to connect, captures credentials, uses those credentials to reach internal systems.
The BLEShark Nano is used in both contexts. For wireless pentests: scanning, deauth testing, handshake capture, portal testing. For red team physical operations: battery-powered rogue AP deployment, evil portal, BLE scanning. Deauth is disabled on EU-region BLEShark Nano devices to comply with the EU Radio Equipment Directive (RED).
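As an added example for the "verify PMF is enabled" item in the wireless pentest checklist above (not code from the article or from the BLEShark Nano), the following Python parses the RSN information element an access point advertises in its beacons and reports whether Protected Management Frames are disabled, optional or required. The three sample IEs are hand-constructed; the suite-type tables and capability bits follow IEEE 802.11.

```python
# Added example, not code from the original article: parse an 802.11 RSN
# information element (element ID 48) and report whether Protected
# Management Frames (PMF, 802.11w) are disabled, optional or required.
# The sample IEs at the bottom are constructed by hand, not captured.
import struct
CIPHERS = {2: "TKIP", 4: "CCMP-128", 8: "GCMP-256"}  # 00-0F-AC cipher suite types
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}             # 00-0F-AC AKM suite types
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bits 6/7: PMF required / capable

def _suite(b: bytes, names: dict) -> str:
    """Decode one 4-byte suite selector (3-byte OUI + 1-byte suite type)."""
    if len(b) < 4:
        raise ValueError("truncated suite selector")
    if b[:3] != b"\x00\x0f\xac":
        return f"vendor:{b[:3].hex()}:{b[3]}"
    return names.get(b[3], f"00-0F-AC:{b[3]}")

def _suite_list(body: bytes, off: int, names: dict):
    count, = struct.unpack_from("<H", body, off)
    off += 2
    suites = [_suite(body[off + 4 * i:off + 4 * i + 4], names) for i in range(count)]
    return suites, off + 4 * count

def parse_rsn_ie(ie: bytes) -> dict:
    """Return group/pairwise ciphers, AKMs and PMF state for one RSN IE."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN information element")
    body = ie[2:]
    if struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version")
    group = _suite(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akm, off = _suite_list(body, off, AKMS)
    # RSN Capabilities is an optional trailing field; absent means no PMF.
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    pmf = "required" if caps & MFPR else "optional" if caps & MFPC else "disabled"
    return {"group": group, "pairwise": pairwise, "akm": akm, "pmf": pmf}

def pmf_finding(ie: bytes) -> str:
    """Audit verdict for the 'verify PMF is enabled' checklist item."""
    r = parse_rsn_ie(ie)
    if r["pmf"] == "required":
        return f"PASS: PMF required ({'/'.join(r['akm'])}, {'/'.join(r['pairwise'])})"
    return f"FAIL: PMF {r['pmf']}, unprotected management frames still accepted"

# Constructed samples: WPA2-PSK/CCMP (caps 0x000c, 0x008c) and WPA3-SAE (0x00cc).
RSN_NO_PMF = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0c00")
RSN_PMF_OPTIONAL = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 8c00")
RSN_PMF_REQUIRED = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac08 cc00")
```

Feed it the RSN IE bytes from any beacon capture and "optional" should be treated as a finding too, since an AP that only advertises MFPC still accepts clients without PMF.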
The Organizational Maturity Question
Think of security as a maturity progression. Early-stage organizations don't know where their vulnerabilities are - a pentest answers that. Mid-stage organizations have patched most known vulnerabilities. Advanced-stage organizations have mature technical controls and want to test their defenses under realistic attack conditions - that's where red team exercises provide the most value.
Running a red team exercise before your organization has addressed basic vulnerabilities identified in pentests is usually a waste of money. Fix the basics first. Then test whether the overall defense holds.