Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Join AT&T Cybersecurity in Chicago to learn top 2024 resilience tactics on May 21st!

Penetration Testing vs. Red Teaming

Home
Industry Insights
Penetration Testing vs. Red Teaming

Blog Article Published: 10/25/2023

Originally published by Schellman.

Penetration testing and red team assessments are often conflated or confused—though they’re both advantageous cybersecurity solutions, there are distinct differences between them that any organization considering either should know. Just to be clear, a penetration test is not a red team assessment.

In this article, we’re going to briefly overview each kind of assessment, the differences between them, and how to determine which solution is the best move for you.

Once we clarify the particulars of each and where these two options diverge, you can better decide which of them is best for your organization.


What is Penetration Testing? (Pen Testing)

To start, penetration testing involves simulating an attack from a malicious actor—with your organization's full knowledge and cooperation—to evaluate the security of a specific system, application, or network. When you engage a pen test team, their goal will be to identify and exploit as many vulnerabilities as possible within the timeframe of the engagement so that you can fix them before they’re exploited by real attackers.

To understand where these weaknesses are, your technical controls will be lowered for these tests—things like allowing the tester’s traffic through a web application firewall (WAF) just so the test can be completed within the short window of time permitted.

For more details on several different penetration tests, check our articles:

All of these—as well as the other types of pen tests—focus on those technical controls of the particular system or area you decide to have tested. However, they do not assess how your defensive security operations deal with a threat—still, there are plenty of additional benefits to penetration testing.


What is Red Teaming?

On the other hand, red teaming does assess your defensive security operations, as a red team assessment takes a more comprehensive approach to evaluating an organization's overall security posture. Unlike penetration testing, you choose specific goals for a red team engagement to test any aspect of your security—including your physical security and your employees’ resistance to social engineering campaigns—and the red team will do whatever it takes to achieve them.

Example Red Team Assessment

Theoretical Goal

Techniques That Would Be Used

Outcome

To penetrate your network and obtain access to sensitive data or system databases without detection.

Your red team would need to circumvent various security controls, including firewalls and access controls, by utilizing a combination of tactics and techniques such as open source intelligence (OSINT), gathering, social engineering, going low and slow, attempting to be unnoticed, and evading detections while exploiting vulnerabilities.

Having gained access, the red team would look to accomplish the agreed-upon goal(s) of the assessment, which could include attempting to exfiltrate data or exploiting critical systems without being detected.


With this kind of assessment, success isn’t measured in the number of vulnerabilities identified or systems compromised—rather, success is using the red team's practical suggestions to enhance your organization's general security posture.

By incorporating these various techniques into its holistic approach that will challenge your defensive strategies and assumptions before identifying the gaps or flaws in them, a red team assessment will provide you with a thorough understanding of how well your security operations deal with a threat. This then provides an opportunity to improve your organizational security through training.


What’s the Difference between a Penetration Test and Red Team Engagement?

When you boil all that down to differences between these two engagements, there are three key areas where they diverge:

  • What They Evaluate:
    • Penetration Tests: The security of a computer system, network, or application by simulating real-world cyberattacks limited to the hosts in scope.
    • Red Teaming: Your organization's overall security posture, which includes technical controls AND human factors—such as user awareness—AND non-technical aspects of security, such as incident response procedures.
  • Assessment Goals:
    • Penetration Tests: These aim to identify and exploit vulnerabilities within the in-scope hosts, categorize findings by likelihood and impact, and remediation recommendations are provided—this is typically done within a specified, time-limited window with some disabled technical controls.
    • Red Teaming: Rather than a specific system or network, you’ll give your red team a specific objective (or goal) and they’ll directly challenge your defensive strategies to measure their effectiveness in a more holistic—and realistic—cybersecurity assessment.
  • Amount of Collaboration and Awareness Within Your Organization:
    • During a penetration test, you will work closely with your contracted penetration testers, including providing them with the information they’ll need as they try to discover and exploit specific vulnerabilities within your defined scope.
    • During a red team assessment, the red team will instead act as a real attacker would (and malicious actors would certainly not collaborate with you) to accomplish agreed-upon goals—therefore, your security team would have no prior knowledge, and a very limited number of contacts within your organization would be aware this activity was even happening.


Do You Need Penetration Testing or Red Teaming?

Ultimately, your decision to move forward with a penetration test or a red team assessment will depend on your specific objectives and the level of assurance you want regarding your cybersecurity, but here are some criteria to help you along:

Choose Penetration Testing If:

Choose Red Teaming If:

You’ve Never Evaluated Your Cybersecurity Before.

Penetration tests and their focus on vulnerability identification and management make sense if you’re just standing up your defenses, and the collaborative effort involved will help get your feet wet as you look to solidify your security program.

You Have a Robust Cybersecurity Program.

If you’ve already created a sturdy foundation around your organization’s cybersecurity—or you believe you have a wide attack surface that could be exploited by a capable bad actor—red teaming and its holistic evaluation makes sense.

You Have a Specific Compliance Need.

For those organizations who are seeking to comply with PCI DSS and FedRAMP, there are different pen testing requirements for each standard.

Many other frameworks also have technical controls that could be fulfilled by having a pen test performed, although it’s not specifically mandated (SOC, ISO, HIPAA, HITRUST, etc.).

You Want to Test Your Security Team.

When engaged, red teamers will be working directly against what is called the blue team—or your security team. Since they’ll have no prior knowledge of the red team’s attack, you’ll be able to measure how ready your personnel are in the event of a non-simulated breach.

You Need a Short Turnaround and/or Budget Constraints.

Penetration tests typically are performed within a time-limited window, while the overall duration of a red team assessment will be longer—in the same vein, pen tests are generally cheaper engagements than red teaming.

You’re Attempting to Achieve FedRAMP ATO.

According to CA-8(2) within the latest Revision 5 of FedRAMP’s security baselines, cloud service providers (CSPs) are now required to perform a red team assessment. Without a red team report and test plan submitted, you will not be able to achieve ATO.


Next Steps

Though very different in a few key ways, penetration testing and red team assessments can each help boost your organization’s overall security—each path will help you build a solid knowledge base and thorough preparation, and gain confidence in the proactive measures you’ve taken to protect your business against cyber threats.

Choosing which of these engagements is right for your organization depends on what you need to be evaluated and what you want out of said evaluation, as well as what resources you have available to dedicate to the endeavor.

FedRAMPPenetration Testing

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Virtual Cloud Trust Summit 2024
AT&T Cybersecurity in Seattle
This Year’s Zero Trust Opportunity for Security Professionals
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Considerations When Including AI Implementations in Penetration Testing

Published: 04/30/2024

Remote Code Execution (RCE) Lateral Movement Tactics in Cloud Exploitation

Published: 04/12/2024

Why Cyber Defenders Should Embrace a Hacker Mindset

Published: 04/10/2024

The Elephant in the Cloud

Published: 03/29/2024