FedRAMP | Penetration Testing | Red Team Assessments
By:
Clint Mueller
December 16th, 2024
Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including its response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.
Penetration Testing | Red Team Assessments
By:
Jonathan Garella
October 18th, 2024
Thinking Inside the Box
Traditional red teaming approaches often focus on external threats—simulating how an outside attacker might breach a company’s defenses. This method is undeniably valuable, offering insights into how well an organization can withstand external cyberattacks. However, this "outside-in" perspective can sometimes overlook another aspect of security: the risks that arise from within the organization itself. While traditional red teaming is crucial for understanding external threats, thinking inside the box—examining internal processes, workflows, and implicit trusts—can reveal vulnerabilities that are just as dangerous, if not more so, to an organization.
Penetration Testing | Red Team Assessments
By:
Josh Tomkiel
November 28th, 2023
If you’ve decided to undergo a red team assessment and engaged Schellman to perform it, you may be wondering what the next steps entail—as in, how will the next stages of the process work and what should you expect?
Penetration Testing | Red Team Assessments
By:
Josh Tomkiel
September 28th, 2023
Penetration testing and red team assessments are often conflated or confused—though they’re both advantageous cybersecurity solutions, there are distinct differences between them that any organization considering either should know. Just to be clear, a penetration test is not a red team assessment.
Cybersecurity Assessments | Penetration Testing | Red Team Assessments
By:
Josh Tomkiel
August 8th, 2023
Red teaming is a proactive approach to cybersecurity, where a group of ethical hackers simulates real-world attacks on an organization's systems to identify vulnerabilities and test its defenses. This process helps organizations improve their security posture by revealing weaknesses before malicious actors can exploit them.