Red teaming is not penetration testing but penetration testing is red teaming.
Information Security does not own red teaming. Red Teaming has been around for centuries and has been used throughout time for various purposes, assuredly most of these uses weren’t cyber. At its core, red teaming is applying a critical mindset to a process, plan or anything else you want to put there. With that in mind, penetration testing is red teaming, just not what you might consider red teaming applied to information security.
Red Teaming adapted for the Information Security profession is a niche in the InfoSec career field whereas Penetration Testing is a much more common profession. Some organizations use these terms interchangeably though which causes some confusion, especially to those just getting in.
So what is the difference?
- Penetration Testing typically has the goal: Find all the vulnerabilities in this subnet, web app, host, network, <Insertwhateveryouwant>.
- Red Teaming has the goal: Emulate an adversary with as much realism as possible.
- Penetration Testing usually has a narrow scope; set of IP’s etc.
- Red Teaming usually has a massive scope; phishing, entire external perimeter, physical etc.
- I see penetration testing as an audit function, validating controls, testing for common vulnerabilities, etc.
- I see red teaming as a holistic organization security meter; testing the blue team, user security awareness as well as determining that path of least resistance to total organization compromise.
A penetration test report should get shorter and shorter every time the pentesters are brought back, finding less and less vulnerabilities. On the other hand, a red team report should get longer and longer, having to use more and more footholds and weaknesses to execute on the goals of the operation.
For those looking for jobs in one or the other, make sure you clarify in the job interview what the role is, a job could be listed as a red team role but consist of PCI pentests.