Red teaming
How red teaming works
A red team engagement typically follows four phases:
- Reconnaissance – the team gathers intelligence on the target organisation using open-source intelligence (OSINT), social media analysis, and technical scanning to identify potential attack paths
- Initial access – using phishing, social engineering, physical access, or technical exploitation to gain a foothold in the target environment
- Lateral movement and escalation – once inside, the team moves through the network, escalates privileges, and attempts to reach pre-agreed objectives (e.g. accessing a critical database, reaching a board member’s email)
- Reporting and debrief – detailed findings covering what was achieved, what was detected (and what was not), and specific recommendations for improving detection and response
Throughout the engagement, the organisation’s security team (the ‘blue team’) is typically unaware the exercise is taking place. This tests real-world detection and response capability, not rehearsed procedures.
Red teaming vs penetration testing
| | Red teaming | Penetration testing |
|---|---|---|
| Objective | Test detection and response | Find technical vulnerabilities |
| Scope | Broad – people, process, technology | Defined – specific systems or applications |
| Blue team awareness | Typically unaware | Usually informed |
| Duration | Weeks to months | Days to weeks |
| Attack methods | Social engineering, physical, technical | Primarily technical |
| Output | Narrative of attack path + detection gaps | Vulnerability list with severity ratings |
| Best for | Mature organisations testing their SOC | Organisations needing to find and fix vulnerabilities |
Cyberfort Group and red teaming
Our CREST-certified testers deliver red team engagements aligned to a range of industry frameworks across Financial Services, Manufacturing, Transport, Public Sector, IT & Technology and Retail. As one of 24 NCSC Assured Cyber Security Consultancies, we combine adversarial simulation with threat intelligence to test detection and response capabilities across your organisation.
Related glossary terms
- CREST certification – the accreditation standard for penetration testing and red team providers
- Purple teaming – a collaborative approach where red and blue teams work together to improve defences
- MITRE ATT&CK – the knowledge base of adversary tactics and techniques used to plan red team engagements
- Threat modelling – the structured process for identifying threats that informs red team scenario design
Frequently asked questions
What is the difference between red teaming and penetration testing?
Penetration testing identifies technical vulnerabilities within a defined scope, typically with the security team’s knowledge. Red teaming simulates a realistic attack across the full organisation – people, process, and technology – usually without the blue team’s awareness, to test detection and response capabilities.
How long does a red team engagement take?
Red team engagements typically run from two to eight weeks, depending on scope and objectives. More complex scenarios involving physical access, social engineering, and multi-stage attacks require longer timelines to execute realistically.
Do you need penetration testing before red teaming?
Generally, yes. Red teaming is most valuable for organisations with mature security controls and an established SOC. If basic vulnerabilities remain unpatched, a penetration test will deliver more actionable findings. Red teaming tests whether your defences work in practice – it assumes you already have defences in place.