Red teamers apply their understanding of information security and computer science in creative ways to break into client networks (with prior agreement to do so from the client!). Working in a red team requires you to understand cyber adversaries to help customers understand their cybersecurity gaps and weaknesses.
Red teamers work as a team (a red team), with jobs also described as red team consultant or red team operator roles. Some employers will also hire red team engineers or tool developers who are more focused on developing tooling for their more operationally focused colleagues.
What is a red team?
Red teaming has a long history and has been used by governments, particularly the military, and businesses to reduce risks and identify gaps. The concept typically focuses on 'thinking like the enemy' to evaluate your organisation's potential weaknesses from an adversary's perspective. The UK government's 'Red Teaming Guide' uses the following definition.
Red teaming is the independent application of a range of structured, creative and critical thinking techniques to assist the end-user in making a better-informed decision or producing a more robust product.
Regardless of the paradigm (military, business or information security), red teams should drive improvement by challenging systems, plans and assumptions. The result should be the identification of potential vulnerabilities (which could be exploited by an adversary) and recommendations for how to address them.
In cybersecurity, organisations seeking to improve their security posture may engage a red team to perform an assessment of that organisation, the customer, from an adversary's perspective. The red team will research likely attackers based on the threat model of the customer. The red team will then develop and carry out a realistic attack plan based on the tactics, techniques and procedures (TTPs) that the attacker would use in real life. Red teams will typically be external to the organisation being assessed. However, some large organisations may have an in-house service.
This approach is particularly relevant to organisations with a well-understood threat model, which already have a good level of cyber defence maturity. For example, in the UK, certain financial institutions must go through regular red team engagements (referred to as 'intelligence-led penetration testing') as part of the CBEST programme.
Red team vs blue team vs purple team
Whilst the red team acts as the attackers, the blue team refers to the defenders. The blue team is responsible for defending an organisation against cyber attacks and may include Security Operations Centre (SOC) analysts, cyber threat intelligence analysts, incident responders and more. The blue team will typically be an internal team (although sometimes this function may be outsourced) that works year-round on protecting the business from cyber attack. In contrast, a red team will usually have a time-limited engagement.
Purple teaming refers to activities designed to use red team approaches and knowledge to improve and develop blue team understanding and defences.
Penetration testing compared to red team assessments
There is an ongoing debate within infosec circles about precisely what the difference is between penetration testing and red teaming. Here, we will consider that penetration testing has a more limited scope and timeframe, focusing on specific software or systems. Within this scope, penetration testing aims to uncover any vulnerabilities, regardless of who may or may not exploit them. By comparison, red teaming will look at an organisation as a whole and attempt to exploit any software or systems necessary to achieve the end goal, based on an understanding of the adversaries expected to attack the customer.
Penetration tests may be conducted as part of commissioning a new web application before it is deployed into production or to demonstrate regulatory compliance. For example, penetration tests may be required for the Payment Card Industry Data Security Standard (PCI-DSS), which must be met by organisations that handle payment card data.
What does a red teamer do?
Upon starting a new engagement, the red team will agree the scope and objectives with the customer. This upfront activity is critical to avoid any issues later, and it is vital that all team members fully understand what is in scope and what is out of scope. With an agreement in place, red teamers will need to learn about the client to understand their business, sector and threat model. With this information, they will build up a picture of which adversaries are likely to have the means and motivation to launch a cyber attack against the organisation. Now the red team can build an adversary emulation plan based on the scope and aims of the engagement and their understanding of credible threat actors.
With the plan agreed, it is time to put it into action. Depending on the agreed scope, the engagement may start with a reconnaissance phase. This phase may cover both technical reconnaissance (understanding the customer's technology assets) and social/organisational reconnaissance (understanding the company hierarchy and employees' presence on social media). From here, the red team will seek to gain an initial foothold, potentially by exploiting a vulnerability in some outdated software or possibly by using spear phishing against an employee. Throughout the engagement, the red team will try to remain undetected and will be careful to keep their actions within scope.
Once access has been achieved, a red teamer will seek to obtain further credentials and begin lateral movement throughout the network to achieve their objective. Depending on the threat actor being emulated, the end goal could be to gain access to proprietary data or demonstrate that an attacker could deploy harmful malware such as 'ransomware'.
Finally, a red teamer will be involved in writing up a report outlining exactly what happened during the engagement and how the customer can improve their defences going forwards. The report is critical as this will be one of the key outputs received by the client.
Different members of the team will specialise in different areas. The list below outlines the range of skills that an employer may require, but you won't be expected to be an expert in all of them!
- Network penetration testing and experience working with network infrastructure
- An understanding of network protocols and their use for command and control channels
- Experience carrying out social-engineering assessments
- Proficiency with at least one scripting language (Python, Perl, Ruby)
- Development/modification of exploits, shellcode and associated tooling
- Experience with security assessment tools, such as Nessus, Metasploit, Burp Suite Pro, Cobalt Strike, or Empire
- Development of applications in C#, .NET, Go, Java, or similar
- Understanding of common cryptography techniques
- Experience reviewing source code for security flaws
- Experience conducting wireless security assessments
- Experience conducting web application security assessments
- Experience working with a range of operating systems, including the use of Bash and PowerShell
Certifications and Training
There is no single certification or training course which is required when applying for red team roles. However, the following may be relevant.
- GIAC Penetration Tester (GPEN)
- GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
- Offensive Security Certified Professional (OSCP)
- CREST Penetration Testing / CBEST Qualifications
Who employs red teamers?
Most red teamers are employed by companies specialising in cybersecurity services. They will then carry out assessments or engagements for external customers. Some organisations specialise in offensive security testing (such as red teaming and penetration testing), but many provide defensive consulting services too.
Some larger organisations may have their own dedicated red team staff to conduct assessments across different departments. When considering such a role, it is essential to consider whether you would prefer the opportunity to build a greater understanding of a single organisation (and the many systems and sections that make it up) or if the potentially more varied work of a consultancy is more appealing.
How to become a red teamer
People come to red teaming from a range of different backgrounds, and having members with a diverse range of experience makes the team stronger. Due to the breadth and depth of knowledge required, employers often expect some level of industry experience. Some red teamers will have a background in blue team roles, others may have started in penetration testing and vulnerability assessment, but there is no one prescribed route.
The following list provides some of the core competencies that you will need on your journey to joining a red team.
- Computer operating system foundations - for Windows and ideally at least one of Mac and Linux.
- Computer networking foundations - understanding of TCP/IP and experience using tools such as Wireshark to analyse network traffic.
- Learn how to automate basic tasks with Python or another scripting language.
- Get experience working with a lower-level language such as C, Go or C#.
- Learn about different types of vulnerability, how they can be exploited and what mitigations are in place to try to prevent this.
- Develop an understanding of the cyber threat landscape, cyber threat intelligence and the MITRE ATT&CK Framework.
- Develop experience working with security assessment tools such as Burp Suite and Metasploit.
- Further specialise in subjects you find particularly interesting such as web application security, network infrastructure or wireless security.