Using Red Team Assessments to Test Security Maturity

Red teaming is an under-appreciated term in modern businesses. Red teaming is an opportunity for leadership to understand how an entire system works together to protect information critical to a company’s existence, its “crown jewels.” Red teaming in the age of the Internet has had companies focusing exclusively on CYBER Red Teams. However, such an approach is misleading. Solely focusing on cyber red teaming only reflects the vulnerabilities in the information systems themselves. There are more ways to gain access to your information systems than just hacking into your network from the outside.

The essence of red teaming requires a different way of thinking. A red team needs to challenge common assumptions, understand common vulnerabilities in systems, and consider how different people view the world. During the Cold War, for example, the United States military established squadrons to fly and think like Soviet Union pilots so that its own pilots were familiar with and ready for the tactics they’d see in wartime. With the advent of the Internet, efforts have been focused on protecting the information that travels across it, often neglecting the physical and personal security protecting the resources on which critical information resides.

Red teaming is about more than just the signals being sent. Some basic questions to be asked include:

  • Are the access controls to a server room adequate?
  • Are my security teams alert (at odd hours)?
  • Do my employees know what information is unique/sensitive to the company?
  • Do employees know how to interact with strangers during a phone call?

These questions come in addition to those asked about the level of effort to protect the information systems themselves. While the task can be daunting, a holistic red team allows bite-sized chunks to be identified, which helps secure the entire system’s architecture.

Recent efforts have been undertaken to make red teams an internal effort or department within a company.  An internal company red team is counter-productive to truly testing a company’s security program.  A red team, its personnel and even its specific goals/efforts, should be known to as few people within a company as possible.  A red team should be able to use its methodology to break into the company as a whole – e.g., by cyber/electronic means, social engineering (in person, phone, email, etc.), or piggy-backing.

Imagine: Joe works at Company X as a Red Team member and sees the same guards every time he enters/exits the office building. When Joe is tasked to “break into” the building, the guards will let him right through. When red team personnel are known inside a company, the purpose of having a red team has already been defeated.

At Sera-Brynn, the connection between technical and social intrusion efforts has not been lost.  We provide an all-around red team understanding and execution. Sera-Brynn has made understanding adversaries a priority.  Team members include former members of the Intelligence and the Special Operations Communities who have specialized in understanding adversary tactics to obtain the physical or electronic “crown jewels” an organization is trying to protect. For as Sun Tzu stated in the 6th century BCE, “…one who knows the enemy and knows himself will not be endangered in a hundred engagements.”

Learn More about Red Teaming

A red team is a group of security professionals who work together to conduct a multi-layered attack. It can include people, technology, physical assets and infrastructure within its scope. It’s designed to stress-test the organization’s security.

To learn more about Sera-Brynn’s red team or other offensive security assessments, email


About the Author

Dave Snell is a Senior INFOSEC Consultant at Sera-Brynn.  Dave has over 15 years’ experience in technical and cyber operations in support of U.S. special operations forces. He is presently a lead penetration tester at Sera-Brynn, specializing in red team operations.
