Are You Getting the Right Red Team?
Published: Feb 25, 2025
You may feel confident that your organization has a mature cybersecurity program if you’re able to thwart the vast majority of threats through established practices and procedures. However, despite those efforts, even amongst the most secure of organizations there is still the ever-looming threat of the legendary Advanced Persistent Threat (APT). Furthermore and unfortunately, it’s difficult to ascertain if you’ve been compromised by one. Thankfully though, it is possible to simulate an external APT attempting to breach your organization’s perimeter through a red team exercise.
Red Team Exercises Explained
Red team exercises are designed to test your organization’s overall security processes, and not specific networks or applications. As such, it’s common to confuse red teaming with penetration testing, but there are several notable differences:
| Red Teaming | Penetration Testing |
|---|---|
| Unannounced – low organization knowledge | Announced – high organization knowledge |
| Widest possible scope | Narrow scope |
| Stealthy | Loud |
| Heavy post-exploitation activities | Minimal post-exploitation activities |
| Low knowledge, yet realistic threat | Usually high knowledge, semi-realistic threat |
It's important to understand that red team assessments are unannounced – that is, very few individuals should know of the assessment. If individuals are aware of the assessment, this will change how they react to events, resulting in an unrealistic assessment. Red team assessments should treat the entirety of the organization as in-scope; remember, attackers are not limited by highly specific rules of engagement. Red team assessments are meant to be stealthy – the stealthier the compromise, the larger the impact. Red teams should perform lateral movement and not limit themselves to the initial compromise – much like a real-world attacker. Lastly, red team assessments start off with minimal knowledge – knowledge should be gained through reconnaissance procedures.
Now that we've outlined what exactly a red team assessment is, the first step in the process is to define your red team's goal.
Defining Your Red Team's Goal
To define your red team's goal, you should consider: Are you performing this for compliance reasons? If not, what exactly is your organization trying to assess? Are you looking to assess specific security controls or procedures? Or are you looking to test specific individuals or assets? In any case, before beginning discussions with providers about red teams, it’s important to discuss internally where the red team’s focus best lies.
Once you’ve defined your goals, you can engage in discussions with potential providers about their methodology.
Questions to Ask Potential Red Team Providers
Asking providers the right questions helps ensure that you're on the same page. It also allows you to better determine the value of the provider's offering compared to others. We've compiled a list of questions you should consider asking to determine if a provider is an appropriate fit for you:
What framework does your team use?
As of this writing, there’s one widely recognized red team framework, and that’s MITRE ATT&CK. This framework details the TTPs (tactics, techniques and procedures) used by real-world attackers, and encompasses the entirety of the attack lifecycle. As such, this framework can be leveraged during discussions with your provider to determine if they are living up to the claim of resembling a real-world attacker.
How long will the red team exercise take?
This is particularly tricky to answer, and depends more on you than on your provider. Real-world attackers are not bound by budgets or scopes, so they can easily spend years on a single target. However, you are bound by budget and scope. We would argue a proper red team exercise takes a minimum of one month (4 weeks). We’d exercise caution when dealing with providers who recommend extraordinarily short engagements of a week or two.
In general, the longer the engagement, the more realistic the engagement becomes. Here's why:
- Thorough Reconnaissance
  Reconnaissance and OSINT are time consuming, and an extended engagement window allows the red team to dig deeper, research further, and ultimately identify less exposed entry points or areas for abuse.
- Planning and Opportunity Identification
  Much like real-world attackers, red teaming requires waiting for ideal moments of opportunity to attack. This could be anything from attacking external infrastructure over a holiday, to targeting a marketing department with social engineering during a big conference that might be keeping them preoccupied and unalert. An extended engagement window allows the red team to observe the target over time, and choose attack vectors and timing that more closely mimic threat actor strategies.
- Exploration of Complex Attack Chains
  Certain attack paths, especially lateral movement, can take time to identify, develop, and execute. A longer engagement allows the red team to explore these vectors without rushing, giving your organization a fuller picture of potential threats.
- Avoiding Detection & Testing Incident Response
  A core goal of the red team is to stay under the radar. Shorter engagements may force the red team to be more aggressive, increasing the chances of detection and reducing the scenario's realism. Additionally, with longer engagements, the red team can gauge how well the incident response team detects and reacts to more subtle or extended attacks, rather than more aggressive and immediate breaches.
What is explicitly out of scope?
To a real-world attacker, nothing is out of scope. However, red teams are bound by certain moral, ethical and legal obligations. Ideally, the red team will state that almost nothing is out of scope, while clearly emphasizing that no moral, ethical or legal lines will be crossed.
Will your team perform OSINT (Open Source Intelligence)?
By virtue of being a low-knowledge assessment, performing OSINT is an absolute must. By performing OSINT, the red team expands the known attack surface. Additionally, by identifying employees, departments, technologies and priorities, the red team can begin devising tailored attack scenarios.
During OSINT gathering, if the red team is particularly thorough or lucky, they may even identify low-hanging fruit (often undiscovered during penetration tests due to smaller scopes).
What attacks will be performed during the assessment?
Attacks can generally include anything, but they need to be in service of achieving the goal or objective of the assessment. We’d also be cautious of any attack vectors that seem closely aligned to a typical pen test scenario. Remember, since the scope is effectively the entire organization, this opens up new exciting attack vectors – not just your typical external network pen test and a blanket phishing exercise. For example, credential stuffing, spear phishing, vishing, and even physical location testing should all be considered as attack options.
What social engineering may be performed?
Admittedly, this is closely related to the prior question. However, we fundamentally believe that all red team exercises should have at least one social engineering component. And, social engineering doesn't need to be – and shouldn’t be – limited to only phishing exercises. While they are no doubt a critical component of any red team assessment, it’s important to note that there are other social engineering exercises, such as vishing, smishing and tailgating.
That being said, phishing should almost certainly still be performed. However, each phishing attempt should be targeted in nature and not a blanket approach to the entire organization. Doing this will increase the chances of compromise, while reducing the chance of the campaign being caught. For example, when attacking a specific department, the attacker should create an enticing email based off of OSINT reconnaissance of online services used by that department.
If you're running out of time on the engagement and you still haven't gotten in, what's next?
Often, there’s a delicate balance between stealth and aggressiveness. However, at this point, the gloves should come off: the red team should ramp up the aggressiveness to get into the organization by any means necessary. For example, targeted phishing campaigns should start to include more individuals. More brazen, “front-door” approaches, such as outright calling departments while impersonating other departments, may proceed. External attacks against the organization, such as credential stuffing or scanning, should be increased in size and scope.
Once you've gotten in, what's next?
Simply put, the attacker needs to work further to achieve their originally defined goal or objective. It’s possible the goal may have already been met. However, if it’s not, the attacker will need to perform an assessment of where they are within your environment, and how to achieve their larger goal. For example, if the goal is to obtain access to a segmented network, and the attacker currently has access to a wider network, then the attacker should proceed with reconnaissance. Next, the attacker would identify vulnerabilities or poor practices, and attempt to stealthily exploit these issues to eventually reach the target environment to accomplish the final goal.
Strengthen Your Security with the Right Red Team Provider
Engaging a red team provider is a significant step in maturing your organization's security posture. By asking these critical questions during the provider selection process, you can ensure that the assessment will effectively simulate real-world threats while remaining within acceptable boundaries.
Ready to take the next step? Fill out our short scoping questionnaire, which will begin the process of engaging with us as your provider. Once completed, our team will review your requirements and schedule a consultation to discuss how our red team can help strengthen your security posture through realistic adversary simulation.
About Austin Bentley
Austin Bentley is a Manager at Schellman, headquartered in Kansas City, Missouri. With a robust background in penetration testing, Austin has developed a distinctive procedural methodology that sets his assessments apart. His expertise spans various forms of penetration testing, ensuring comprehensive security evaluations. Before stepping into his managerial role, Austin honed his skills in Application Security at a major financial institution, where he was instrumental in safeguarding critical systems.