Covert red teams are overrated. There is much more to gain through collaboration of attack and defense.
Around eight out of 10 requests for red-team exercises that we get are eventually diverted into other types of engagements. There are a few occasions where a red team is indeed the best fit or is mandated by regulators. However, in most cases, we quickly find that the client is either not ready, can’t really afford it, or simply doesn’t understand it. What if I told you there’s a better way to improve your security posture: one that costs less, covers more ground, and educates your people in the process?
One collaborative methodology for threat-driven, offensive security exercises could resemble what we call “attack path mapping.” First, a set of starting points and business-critical objectives are decided. Then, the operators identify and technically validate as many paths as possible that an attacker would likely take to achieve them. But crucially, they do so in full view of the blue team and by formally consulting the organization’s subject matter experts (SMEs). Here’s why this is (usually) a better solution.
The constraints: time, breadth, and stealth
Myth: Unlike a pen test, a red team will stress-test the security of your entire organization.
Reality: A red team will document only the path of least resistance to every objective set.
Imagine a large enterprise with a diverse attack surface including multiple clouds, continuous integration/continuous deployment (CI/CD) pipelines, overlapping identity planes, and multiplatform endpoints. A report with no findings — neither weaknesses nor strengths — about some of these areas doesn’t necessarily mean they were robust. It most likely means they were not traversed, as more reliable avenues were found to achieve the objectives. Whatever the case, as a stakeholder reading it, your questions about their resilience remain unanswered… Achieving broad coverage in a single assessment would take time, and time costs, so working within these boundaries requires relaxing another constraint: stealth.
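The coverage gap described above, and the path-enumeration idea behind attack path mapping, can be made concrete on a toy graph. This is an added example, not the author's or Reversec's code: the node names, edges, starting points and objectives are constructed placeholders, and a "red team" is modelled as the single shortest path per objective while "attack path mapping" enumerates every loop-free path.

```python
"""Compare shortest-path (covert red team) and all-path (attack path mapping) coverage."""
from collections import deque

# Constructed toy attack graph: an edge A -> B means "control of A gives a way onto B".
# Node names are illustrative placeholders, not real systems.
EDGES = {
    "workstation": ["file-share", "ci-runner"],
    "contractor-vpn": ["ci-runner", "ot-jump-host"],
    "file-share": ["domain-admin"],
    "ci-runner": ["domain-admin", "cloud-role"],
    "cloud-role": ["legacy-backup"],
    "legacy-backup": ["payments-db"],
    "domain-admin": ["payments-db", "ot-jump-host"],
    "ot-jump-host": ["plc-network"],
}
STARTS = ["workstation", "contractor-vpn"]      # assumed starting points (constructed)
OBJECTIVES = ["payments-db", "plc-network"]    # business-critical objectives (constructed)

def all_nodes(graph):
    return set(graph) | {n for targets in graph.values() for n in targets}

def shortest_path(graph, start, goal):
    """BFS: the one path of least resistance a covert red team tends to document."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return [path]
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []  # objective unreachable from this start

def all_simple_paths(graph, start, goal, path=None):
    """DFS: every loop-free path, i.e. what attack path mapping sets out to validate."""
    path = (path or []) + [start]
    if start == goal:
        return [path]
    paths = []
    for nxt in graph.get(start, []):
        if nxt not in path:
            paths.extend(all_simple_paths(graph, nxt, goal, path))
    return paths

def coverage(graph, starts, objectives, strategy):
    """Return (paths validated, nodes the strategy never traversed)."""
    paths = [p for s in starts for o in objectives for p in strategy(graph, s, o)]
    traversed = {n for p in paths for n in p}
    return paths, sorted(all_nodes(graph) - traversed)

if __name__ == "__main__":
    for name, strategy in (("red team", shortest_path), ("attack path mapping", all_simple_paths)):
        paths, missed = coverage(EDGES, STARTS, OBJECTIVES, strategy)
        print(f"{name}: {len(paths)} paths validated; never traversed: {missed or 'none'}")
```

On this graph the shortest-path strategy validates four paths and never touches the cloud role or the legacy backup, so a report saying nothing about them tells the reader nothing about their resilience; enumerating all paths validates nine and leaves no node unvisited.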
Your experts on center stage
Let’s consider this real-world case: Network and security architects of a critical infrastructure provider designed the operational technology (OT) environment and segregated it from the IT environment. They also documented the connection points between the two and the key risks posed to those critical assets. Come assessment time, wouldn’t it be better if testers could tap into this expertise, instead of attempting to reinvent the wheel? We have found that scheduling a series of rapid, threat-modeling-style sessions with these experts and keeping them looped in throughout the engagement speeds up internal reconnaissance, allowing operators to understand the landscape (and the attack paths present) faster. Of course, hands-on enumeration follows as usual, but the communications channel remains open and active.
Challenges in the clouds
Red teaming cloud-native estates presents more complications. Cloud identity and access control technologies such as Entra ID and AWS IAM were built aware of their predecessors’ inherent weaknesses. Gone are the days when any user could retrieve password hashes of service accounts “as a feature.” Nowadays, finding impactful paths requires some collaboration. This could take the form of granting testers “see everything” permissions to enable analysis with tools like RoadRecon or IAMGraph. And traversing these paths also requires some prior coordination: In case of a de-chain, the “standard” user provided for initial access will likely have no exploitable cloud permissions whatsoever. How about we define more interesting starting points, such as a compromised DevOps engineer or a malicious network engineer from a third-party contractor? Your SMEs will know exactly what their overprivileged contractor account looks like — trust me, it keeps them up at night.
Isn’t that a purple team?
I know what you’re thinking: “We’ve already invented this, it’s called a purple team.” I say, call it what you want, as long as you separate it from the granular, test-case-driven kind that’s fully automated with tools such as Atomic Red Team. And that’s because that form compromises realism heavily by focusing on the endpoints and barely touching the crown jewels deep within the network. Don’t get me wrong, I’ve conducted dozens of such exercises, and I can testify that it’s the best method available to assess an organization’s detection capability — it solves a different problem. Sure, executing isolated test cases for hundreds of Tactics, Techniques, and Procedures (TTPs) will make for punchy stats and fancy performance graphs. But they aren’t really addressing your worst security nightmares.
Still want that red team?
It’s 2025, and enough water has flowed under the bridge for the security community to acknowledge that provisions are not “cheating”. Taking this one step further, my thesis was that an alternative framework altogether is needed for large-scale adversarial simulation engagements. I hope that, having read this, you will also agree that the collaborative methodology I’ve outlined offers a better value proposition overall. So, the next time you’re out in the market seeking an offensive security challenge, I invite you to ask yourself: Will a red team really solve your problem?
By Leo Tsaousis, Senior Security Consultant and Attack Path Mapping lead, Reversec