What is Penetration Testing? What is Red Teaming?


I recently bought a book (on a redditor’s recommendation), The Hacker Playbook 3: Practical Guide To Penetration Testing. Its author, Peter Kim (a seasoned and super experienced pentester/red teamer), shares the differences between penetration tests and red teams, and I thought it was a good share. The book is too much for a beginner. I kinda regret reading it at this stage, but there’s still something to learn from it! I will share more about the key learning points of this book in future :)

This is a copy-paste from the content of the Kindle ebook version and I do not own this table above! (Kindle ebooks are cheaper!)

Penetration tests are typically project-based (usually with a fixed, shorter duration to fix a timeline, e.g. VAPT in project phases) and have a restrictive scope. Because penetration tests can be very intrusive and may affect business operations, boundaries are usually set for the tests before you start finding as many vulnerabilities as possible and identifying which of them could be exploited.

Red teamers are like your simulated real enemies (the team defending is the Blue Team). I believe this “Red/Blue teaming” concept came from the military, where exercises within an army organisation are carried out to test one side against the other, e.g. is the Blue team able to defend against the Red team? If the Red team could successfully compromise the Blue team’s security, which of the defences the Blue team employed worked or didn’t work? This is the same for red teaming in the penetration testing context. The cool thing about red teamers is that they do not have the kind of restrictiveness a typical penetration test has. I read that on any day a red teamer could launch social engineering methods on the organisation’s employees to test whether there are any cracks and openings that would let them (or the actual enemy) gain a foothold for compromising security.

If you want to know the differences in more detail, I like how this blog contrasts Penetration Testing and Red Teaming: https://blog.rapid7.com/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues/