Red Team Engagement vs Pentest — When to Use Each
Published April 26, 2026 · 12 min read
A pentest answers "is this app vulnerable?". A red team engagement answers "can a determined adversary achieve their objective inside our environment, and would we even notice?". The two engagements use overlapping tools but solve different organisational problems. This post tells you which one your security programme actually needs based on maturity, regulator, and budget.
Definition the way operators use it
Penetration test — a time-boxed assessment where the tester has explicit scope (this URL, that IP range, this app), ample testing windows, and the goal is to enumerate & exploit vulnerabilities. SOC awareness is usually low or zero; this is intentional, because the test shouldn't be hindered by alerting noise.
Red team — an objective-based, intelligence-led adversary emulation. The team picks crown jewels (e.g. "exfiltrate the customer DB", "sign a fraudulent SWIFT transaction") and simulates a specific TTP profile of a real actor (e.g. APT29, FIN7, Lazarus). The blue team is not told. Detection and response capability is what gets evaluated.
Side-by-side comparison
| Dimension | Pentest | Red team |
|---|---|---|
| Goal | Find & exploit bugs | Achieve adversary objective |
| Scope | Defined assets | Open scope, defined targets |
| Blue team awareness | Often informed | Black box |
| OPSEC | Low (noisy OK) | Stealthy (avoid detection) |
| Duration | 1-3 weeks | 4-12 weeks |
| TTP profile | Generic OWASP / CVE | Specific APT (ATT&CK) |
| Deliverable | Findings list + CVSS | Narrative kill-chain + detection gaps |
| Cost (US) | USD 8-40k | USD 50-300k |
| Frequency | Quarterly / yearly | 1-2x per year |
| Best use | Patch management, audit | Detection & response maturity |
Anatomy of a red team kill chain
- Intel collection — OSINT, employee LinkedIn, leaked creds (T1589/T1591).
- Initial access — spear-phish (T1566), exposed VPN (T1133), SSRF (T1190).
- Execution — payload delivery, in-memory loaders (T1059, T1620).
- Persistence + privilege escalation — T1547, T1068, AD abuse (T1558).
- Defense evasion — process injection, EDR bypass (T1027, T1562).
- Credential access + lateral movement — Kerberoasting (T1558.003), pass-the-hash (T1550.002).
- Action on objective — exfil crown jewels, sign fraudulent transaction, deploy ransomware-style canary.
```
# Sample Cobalt-Strike-style C2 profile snippet (red team training only)
# Mimics APT29 jitter pattern
set sleeptime "45000";
set jitter "37";
set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
http-get {
    set uri "/owa/auth/15.1.2106/themes/resources/logo.png";
    client { header "Accept" "image/webp,*/*"; }
    server { header "Content-Type" "image/png"; }
}
```
Rules of engagement (RoE) — the contract
- Allowed initial-access techniques (phishing? physical? supply chain?).
- Out-of-scope assets & production-only restrictions.
- Trusted agents (white cell) inside the org who can vouch for the team.
- Stop conditions (data destruction, real customer impact).
- Evidence-handling: chain of custody for any data accessed.
- Disclosure window for findings, including critical bugs found en route.
Frameworks
- TIBER-EU — ECB-mandated for critical financial infrastructure in EU.
- CBEST — Bank of England equivalent for UK financial services.
- iCAST — Hong Kong Monetary Authority red team scheme.
- AASE — RBI's Advanced Adversary Simulation Exercise (recommended for Tier-1 Indian banks).
- FFIEC ACET / CAT — US bank examiner red-team expectations.
- MITRE ATT&CK Adversary Emulation Plans — open library, includes APT29, FIN6, OilRig.
When to choose pentest
- You ship new code weekly and need fresh OWASP coverage.
- SOC 2, ISO 27001, PCI DSS audits — they want a pentest report.
- You're early in your security journey — find the easy bugs first.
- You acquired a company and need to baseline the new attack surface.
When to choose red team
- You have an EDR, SIEM, and 24x7 SOC — and you've never tested whether they catch anything.
- You're a regulated bank in EU/UK/HK/SG and red team is mandated.
- The board asked "could a real APT compromise us?".
- A recent industry breach (e.g. Lazarus on banks) is making leadership nervous.
Purple team — the middle ground
Purple team exercises put offensive (red) and defensive (blue) operators in the same room, walking through ATT&CK techniques one at a time. Run a TTP, check whether the SOC alerts. If not, fix detection logic, replay. Atomic Red Team and MITRE Caldera are the standard open frameworks. Atomic Red Team is a library of ~1,500 atomic tests indexed by ATT&CK technique; Caldera is an autonomous emulation engine that chains atomics into adversary profiles. Used together they let a security team measure detection coverage in a metric instead of a screenshot.
A typical purple team cadence is monthly: pick a single ATT&CK tactic, run every relevant atomic, log SIEM hits, identify gaps, write or tune Sigma rules to close them, replay, ratchet up. Inside twelve months a small SOC can move from 30% ATT&CK coverage to north of 70% on the techniques their threat profile actually requires.
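The coverage metric described above, as an added example that is not code from this post, from Atomic Red Team or from Caldera: it takes a constructed set of per-technique results from one monthly cycle (hypothetical technique and tactic rows), builds the four-column logged/alerted/triaged/escalated table that the deliverables section below calls the detection-gap matrix, and computes ATT&CK coverage overall and per tactic.

```python
"""Detection-gap matrix and ATT&CK coverage metric for one purple-team cycle.
Added example, not code from the post, Atomic Red Team or Caldera; the RESULTS
rows are constructed, hypothetical outcomes recorded after each atomic test."""
from collections import defaultdict

# SOC pipeline stages in order: a technique reaches a stage only if every
# earlier stage also happened (an alert with no log entry is a data error).
STAGES = ("logged", "alerted", "triaged", "escalated")

# Constructed results: technique, tactic, and what the SOC pipeline did.
RESULTS = [
    {"technique": "T1566.001", "tactic": "initial-access",    "logged": True,  "alerted": True,  "triaged": True,  "escalated": True},
    {"technique": "T1059.001", "tactic": "execution",         "logged": True,  "alerted": True,  "triaged": False, "escalated": False},
    {"technique": "T1547.001", "tactic": "persistence",       "logged": True,  "alerted": False, "triaged": False, "escalated": False},
    {"technique": "T1558.003", "tactic": "credential-access", "logged": False, "alerted": False, "triaged": False, "escalated": False},
    {"technique": "T1550.002", "tactic": "lateral-movement",  "logged": True,  "alerted": True,  "triaged": True,  "escalated": False},
    {"technique": "T1562.001", "tactic": "defense-evasion",   "logged": True,  "alerted": False, "triaged": False, "escalated": False},
]

def reached(row, stage):
    """True if `row` got through every pipeline stage up to and including `stage`."""
    return all(row[s] for s in STAGES[: STAGES.index(stage) + 1])

def furthest_stage(row):
    """Last stage the technique reached, or None if the SOC never saw it."""
    last = None
    for stage in STAGES:
        if not reached(row, stage):
            break
        last = stage
    return last

def gap_matrix(rows):
    """One row per technique: id, tactic, then the four stage flags in order."""
    return [(r["technique"], r["tactic"]) + tuple(reached(r, s) for s in STAGES) for r in rows]

def coverage(rows, stage="alerted"):
    """Percent of techniques that reached `stage`, overall and per tactic."""
    per_tactic = defaultdict(lambda: [0, 0])      # tactic -> [hits, total]
    for r in rows:
        per_tactic[r["tactic"]][0] += reached(r, stage)
        per_tactic[r["tactic"]][1] += 1
    overall = round(100 * sum(reached(r, stage) for r in rows) / len(rows), 1)
    return overall, {t: round(100 * h / n, 1) for t, (h, n) in per_tactic.items()}

def detection_backlog(rows):
    """Techniques that never alerted: the cycle's Sigma-rule work list."""
    return [r["technique"] for r in rows if not reached(r, "alerted")]
```

Re-running `coverage(RESULTS)` after each replay gives the month-over-month number the cadence above is built around; `detection_backlog` is the list of rules to write before the next cycle.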
What good red team deliverables look like
A pentest report lists vulnerabilities. A red team report tells a story. The reader should be able to follow the kill chain end-to-end: how the operator established initial access, how they pivoted, what they exfiltrated, and at every step what the SOC saw (or did not see). The deliverable usually contains:
- An executive narrative — 2-3 pages, no jargon, written for the board.
- Detailed kill-chain timeline — every action, ATT&CK technique ID, MITRE sub-technique, mapped to existing detection rules.
- Detection-gap matrix — for each technique, was it logged, was it alerted, was it triaged, was it escalated. Four columns, one row per technique.
- Recommended detection content — Sigma, KQL, or SPL queries the customer can drop into their SIEM the same week.
- Replay artefacts — IOCs, payload hashes, C2 beacons — so the SOC can prove a detection works.
A red team that hands you a PDF without the gap matrix and the detection content has done half the job. Write the requirement into the SoW from day one: deliverables include reusable detection logic, not just findings.
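One piece of reusable detection content of the kind the deliverables list calls for, as an added example that is not the post's own code: it scores web-proxy traffic for the fixed-sleep-plus-jitter cadence the sample C2 profile earlier on this page would produce (45 s sleep, 37% jitter, a constant-size image response). The log format, IP addresses and request sizes are constructed, and the code assumes jitter only shortens the sleep, so the longest observed interval estimates the sleep value.

```python
"""Beacon-interval detector over web-proxy logs (added example, not from the post).
Assumes a constructed log format "epoch src dst uri bytes" and that a malleable
profile sleeps `sleeptime` ms minus up to `jitter` % of it (the post's sample uses
45000 ms and 37), so intervals sit in [sleep*(1-jitter), sleep] and never exceed sleep."""
from collections import defaultdict
from statistics import median

MIN_HITS = 8        # fewer requests than this is not yet a cadence
MAX_SPREAD = 0.5    # (max-min)/max of intervals; about 0.37 for the sample profile

def parse(lines):
    """Group (timestamp, size) pairs by (src, dst, uri)."""
    series = defaultdict(list)
    for line in lines:
        ts, src, dst, uri, size = line.split()
        series[(src, dst, uri)].append((int(ts), int(size)))
    return series

def analyse(series):
    """Return suspected beacons with the sleep and jitter their timing implies."""
    findings = []
    for key, hits in series.items():
        if len(hits) < MIN_HITS:
            continue
        hits.sort()
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        hi, lo = max(gaps), min(gaps)
        spread = (hi - lo) / hi if hi else 1.0
        # A hard ceiling on the interval, bounded downward jitter and an identical
        # response size every time is what a fixed sleep+jitter beacon produces.
        if spread <= MAX_SPREAD and len({s for _, s in hits}) == 1:
            findings.append({"key": key, "sleep_s": hi, "jitter_pct": round(100 * spread), "median_s": median(gaps)})
    return findings

# Constructed traffic: one host polling the sample profile's OWA-lookalike URI with
# intervals from the 28-45 s band, plus a second destination browsed irregularly.
BEACON_GAPS = [44, 31, 39, 29, 45, 36, 42, 33, 40, 30]
BROWSE_GAPS = [3, 120, 7, 900, 2, 15, 60, 5, 400]

def build_log():
    lines, t = [], 1_700_000_000
    for g in BEACON_GAPS:
        t += g
        lines.append(f"{t} 10.1.2.3 203.0.113.7 /owa/auth/15.1.2106/themes/resources/logo.png 812")
    t = 1_700_000_000
    for i, g in enumerate(BROWSE_GAPS):
        t += g
        lines.append(f"{t} 10.1.2.3 198.51.100.9 /news/feed {1200 + 37 * i}")
    return lines
```

`analyse(parse(build_log()))` flags only the 203.0.113.7 series and reports a 45 s sleep with roughly 36% jitter, which is the replay artefact a SOC can use to prove the rule fires; the irregular browsing series is left alone.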
Selecting a red team provider
Provider quality varies more than it does in the pentest market. Look for evidence that the team has been accredited under a regulator-aligned scheme (TIBER-EU, CBEST, iCAST) or is staffed by operators with published research: CVEs credited to them, talks at DEF CON or Black Hat, Offensive Security trainers on staff. Ask for a redacted past report. A vendor that won't share one with an NDA in place is probably trading on marketing rather than capability.
Confirm OPSEC discipline before you sign. The vendor should be able to describe their C2 infrastructure rotation, redirector model, payload signing, and how they avoid burning customer telemetry into their own corporate environment. If the salesperson can't answer those questions without escalating to engineering, you're buying from a body shop, not a red team.
See our red team service for full-scope engagements, or pair it with quarterly VAPT for layered coverage.
FAQ
What is the difference between a red team and a penetration test?
A penetration test answers 'is this asset vulnerable?' against a defined scope with the blue team often aware. A red team engagement answers 'can a determined adversary reach their objective, and would we detect it?' It is objective-based, intelligence-led, runs against a near-open scope, keeps the blue team blind, and evaluates detection and response rather than just control gaps.
Do we need a red team if we already do pentests?
Only once your detection and response capability is worth testing. If you have an EDR, a SIEM, and a staffed SOC that you have never validated against a realistic adversary, a red team measures whether they actually catch and escalate an intrusion. If you are still finding easy bugs in pentests or shipping unreviewed code, spend on pentesting and a vulnerability management programme first.
How much does a red team engagement cost?
In the US a full-scope red team typically runs USD 50-300k depending on duration (4-12 weeks), number of objectives, and whether physical or supply-chain access is in scope. A standard pentest is USD 8-40k. Regulated schemes like TIBER-EU push higher because of the threat-intelligence and attestation overhead.
Is a red team mandatory for our sector?
For systemic financial entities, often yes. TIBER-EU (DORA, EU), CBEST (UK), iCAST (Hong Kong), and RBI's adversary-simulation expectations effectively mandate intelligence-led red teaming for in-scope banks and infrastructure providers. Outside those regimes it is risk-driven rather than mandatory.
What is a purple team and how is it different?
A purple team puts offensive and defensive operators in the same room, running ATT&CK techniques one at a time and tuning detection logic on the spot using tools like Atomic Red Team and MITRE Caldera. It is collaborative and measures detection coverage as a metric, whereas a red team is adversarial and blue-team blind. Many teams run monthly purple-team cadences between annual red team engagements.
Plan a red team with AxVeil.
MITRE ATT&CK adversary emulation in your stack. Lazarus, APT29, Volt Typhoon profiles.