What is a Red Team?
A red team is a goal-driven adversary simulation that uses any combination of technical attacks, social engineering, and physical access to achieve a defined objective — usually while the defending blue team is not warned — to test how the entire organization detects and responds to a sophisticated attacker.
Origins
The term comes from military planning, where a "red team" represented the enemy during war games and tried to defeat the defending "blue team." US Department of Defense organizations were doing this in the 1960s; the cybersecurity industry borrowed it in the 1990s when information warfare became a recognized discipline. By the 2010s, commercial red teaming had become a standard practice at large organizations — banks, defense contractors, big tech.
Pentest vs red team — the real distinction
A penetration test has a defined scope, finds as many vulnerabilities as possible within that scope, and documents them. Loud and exhaustive is fine. A red team has a defined objective — exfiltrate a specific database, get domain admin, reach a specific executive's inbox — and uses whatever it takes to get there, often with stealth as a primary constraint. The deliverable is not a list of bugs; it is an attack narrative plus an assessment of how the defenders did.
What a red team engagement actually looks like
A typical commercial red team runs across four phases:
Reconnaissance: open-source intelligence on the target, infrastructure mapping, employee enumeration from LinkedIn and public sources.
Initial access: phishing, vendor compromise, exposed services, sometimes physical entry.
Internal operations: privilege escalation, lateral movement, credential theft, persistence, mapped to ATT&CK techniques.
Objective and report-out: reach the goal, document the attack chain, debrief with leadership and the blue team.
The whole engagement runs weeks, not days, and the report is a narrative, not a checklist.
When you need one
Red teams are most useful when you already have a security program worth testing. If you have a SOC, EDR coverage, detection rules, and an incident response process, a red team measures whether they actually work against real adversary techniques. If you have none of those, start with a pentest — red-teaming a defenseless environment is overkill and produces a report nobody knows what to do with.
Many organizations split the difference with a purple team engagement, where red and blue collaborate openly: red executes techniques mapped to MITRE ATT&CK and blue verifies whether their detection rules fired. Lower drama, faster learning.
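The purple-team check described above, as an added example (not QUANT LAB's tooling): it reconciles a red team execution log against blue team alerts per ATT&CK technique and host. The log layout, host names, timestamps, and the 15-minute window are constructed assumptions; the technique IDs are real ATT&CK identifiers.

```python
from datetime import datetime, timedelta

# Constructed sample data: red team execution log (technique ID, host, time).
RED_LOG = [
    ("T1566.001", "ws-014", "2026-03-02T09:12:00"),
    ("T1059.001", "ws-014", "2026-03-02T09:20:00"),
    ("T1003.001", "ws-014", "2026-03-02T10:05:00"),
    ("T1021.002", "fs-02",  "2026-03-02T10:40:00"),
    ("T1053.005", "fs-02",  "2026-03-02T11:15:00"),
]

# Constructed sample data: blue team alerts tagged with technique IDs.
BLUE_ALERTS = [
    ("T1059.001", "ws-014", "2026-03-02T09:21:30"),
    ("T1003.001", "ws-014", "2026-03-02T13:30:00"),  # fired, but hours late
    ("T1021.002", "dc-01",  "2026-03-02T10:41:00"),  # right technique, wrong host
    ("T1053.005", "fs-02",  "2026-03-02T11:16:10"),
]

def reconcile(red_log, alerts, window=timedelta(minutes=15)):
    """Classify each executed technique as detected, late, or missed.
    An alert matches on technique ID and host, fired at or after execution;
    within `window` it is detected, later than that it is late."""
    results = []
    for tech, host, ts in red_log:
        start = datetime.fromisoformat(ts)
        delays = [
            datetime.fromisoformat(a_ts) - start
            for a_tech, a_host, a_ts in alerts
            if a_tech == tech and a_host == host
            and datetime.fromisoformat(a_ts) >= start
        ]
        if not delays:
            results.append((tech, host, "missed", None))
        else:
            delay = min(delays)
            status = "detected" if delay <= window else "late"
            results.append((tech, host, status, delay))
    return results

def coverage(results):
    """Fraction of executed techniques detected inside the window."""
    return sum(1 for r in results if r[2] == "detected") / len(results)

if __name__ == "__main__":
    for tech, host, status, delay in reconcile(RED_LOG, BLUE_ALERTS):
        print(f"{tech:<10} {host:<7} {status:<9} {delay or '-'}")
    print(f"coverage: {coverage(reconcile(RED_LOG, BLUE_ALERTS)):.0%}")
```

The "late" and "missed" rows are the output that matters: they tell the blue team which rules to tune or write before the next exercise.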
At QUANT LAB
Our penetration testing practice covers the spectrum from focused web app and network engagements through Active Directory deep-dives. For mature organizations we coordinate goal-driven red and purple team operations mapped to MITRE ATT&CK. For earlier-stage clients, we usually recommend a scoped pentest first — red teaming an environment without a SOC is rarely the right starting point.
Rules of engagement
Every legitimate red team engagement runs against a written Rules of Engagement document that names the target, the objective, in-scope and out-of-scope assets, allowed techniques, and how the team handles emergencies — if the operators find evidence of a real intrusion in progress, or if a defensive action threatens production stability, the engagement pauses. Get-out-of-jail letters signed by the right executive prevent operators from being arrested if a physical pretexting attempt goes wrong. Without this paperwork no professional red team will run the engagement.