We’re often asked, “what’s the difference between a pentest and a red team?” In one sentence: a pentest is about finding as many vulnerabilities as possible; a red team is about achieving a defined objective. So a red team evaluates not a single system but the whole organization — people, process, and detection/response.
First, the difference in feel
Aspect | Pentest | Red team |
|---|---|---|
Goal | Max findings in scope | Achieve a specific objective |
Style | Usually announced/cooperative | Stealthy, evading detection |
Evaluates | System vulnerabilities | People, process, detection/response |
Neither is “better” — they’re different stages. Red teaming shines when an organization with baseline controls wants to know “so how do we hold up against a real attack?”
The core: attack and detection side by side
The real value of a red team isn’t “we got in” but “where detection failed.” So we lay the attack timeline next to what the blue team saw at the same moments. Like this.
time what the attack team did what the detection team saw
──── ───────────────────────────── ──────────────────────
09:12 first host via phishing (not detected)
10:40 C2 beacon + persistence firewall logged it, no alert
13:05 local → domain escalation (not detected)
15:30 credential harvest + lateral move 1 EDR alert → triaged as FP ←★
17:50 reached the target data (not detected)
──── ───────────────────────────── ──────────────────────
Lesson: the 15:30 alert was real. Saving that one would have
changed the story — that's the starting point for improvement.This single table is the heart of a red team report. “Why was the 15:30 alert missed?” is far more valuable than “we got in.”
How the attack chains (ATT&CK view)
Like a real actor: initial access (phishing, exposed flaws, leaked credentials) → persistence/C2 → escalation → internal recon (mapping credentials and trust) → lateral movement → objective. Each maps to a MITRE ATT&CK tactic, and that mapping becomes the checklist of “which tactics we detect and which we miss.”
Going deeper — like a real APT
Real targeted attacks rarely punch through good defenses head-on; they aim at trusted “parts.” So our red team includes 1-days in externally exposed components/libraries — and 0-days when needed — confirming, within a controlled scope, whether a known flaw identified during recon is a real entry. The discovery view connects to How 0-days Are Found.
Field note: after a red team we sit with the blue team and walk the timeline together (purple teaming). “If we’d read this log this way here, we’d have caught it” — that conversation is, honestly, the most valuable moment of the project.
FAQ
Who is red teaming for?
Most effective for organizations that already have baseline testing and controls and want to check real-attack response. For a first time, we often suggest a pentest first.
Is the blue team told in advance?
Often only a few are aware, to preserve stealth — but scope and escalation contacts are agreed clearly beforehand.
Closing
A red team is more a mirror of response capability than of vulnerabilities. To see together how fast your organization reacts to a real attack, reach out at red teaming.