When a “Red Teaming” Report is Actually Just a VA Report in Disguise...
I recently reviewed a cybersecurity report that was presented as the outcome of a red teaming exercise.
But the moment I started reading it, something felt off.
Yes, there were sections labeled “reconnaissance” and some scattered mentions of attacker TTPs — but what followed was basically just a vulnerability scan report.
There was no attack narrative. No sign of actual threat simulation. Just automated findings neatly listed like any other VA report.
And this isn’t a one-off.
I've seen vendors pass off vulnerability assessments as red teaming. Some go a bit further and rebrand penetration tests as red team exercises. And since most stakeholders aren’t trained to spot the difference, these get signed off and paid for — without delivering the intended value.
VA, PT, RT — Know What You’re Buying
In a vulnerability assessment (VA), you're scanning for weaknesses. It's a passive process, often fully automated. You get a list of known issues to fix.
A penetration test (PT) takes it a step further — attempting to exploit those weaknesses in a safe, controlled environment. It’s usually scoped tightly (e.g. one system, app, or environment). The focus is on proving exploitability, not on evading detection or simulating an attacker’s mindset.
Red teaming (RT), on the other hand, is not about the vulnerabilities — it’s about the story. It asks: How far could a real attacker go before you detect them? It tests not just your systems, but your people, your controls, and your incident response process.
A good red team report should:
Be driven by clear objectives (e.g., exfiltrate sensitive customer data, access a crown-jewel system, gain domain admin)
Show attack paths and decision-making during the simulation
Reveal whether your detection capabilities (SOC monitoring, EDR, firewall, DLP) picked up anything, and at which step
Measure the blue team's response (or lack of it)
Explore multiple attack vectors — not just phishing or scanning
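To make the detection and response points above concrete, here is an added example (not from the original post, not any vendor's tooling) of how a red team report can score its own timeline against what the blue team saw. It assumes the red team logged each step with a host, a technique label and a start time, and that the SOC exported its alerts with host, technique label, raise time and triage time; all hosts, times and alerts below are constructed sample data.

```python
"""Score a red-team timeline against SOC alerts: coverage, time-to-detect, time-to-triage.

Added example, not from the original post. All hosts, timestamps and alerts are
constructed; technique labels use ATT&CK IDs only as a shared vocabulary between
the red team log and the SOC export.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AttackStep:
    step_id: str
    technique: str          # ATT&CK technique ID used as the join key (constructed mapping)
    host: str
    started: datetime       # when the red team executed the step


@dataclass
class Alert:
    host: str
    technique: str          # technique the detection rule is mapped to
    raised: datetime        # when the alert fired
    acknowledged: Optional[datetime] = None   # when an analyst picked it up, None if never


# Constructed red-team timeline: one day, five steps toward an exfiltration objective.
ATTACK_STEPS = [
    AttackStep("S1", "T1204.002", "WS-17", datetime(2025, 3, 4, 9, 0)),   # payload executed
    AttackStep("S2", "T1003.001", "WS-17", datetime(2025, 3, 4, 9, 40)),  # credential access
    AttackStep("S3", "T1021.002", "FS-02", datetime(2025, 3, 4, 10, 15)), # lateral movement
    AttackStep("S4", "T1078",     "DC-01", datetime(2025, 3, 4, 11, 0)),  # valid-account misuse
    AttackStep("S5", "T1048",     "FS-02", datetime(2025, 3, 4, 12, 30)), # exfiltration
]

# Constructed SOC alert export for the same day.
ALERTS = [
    Alert("WS-17", "T1003.001", datetime(2025, 3, 4, 9, 52), datetime(2025, 3, 4, 10, 20)),
    Alert("FS-02", "T1021.002", datetime(2025, 3, 4, 10, 45)),          # fired, never triaged
    Alert("WS-03", "T1110",     datetime(2025, 3, 4, 11, 5)),           # unrelated noise
    Alert("FS-02", "T1048",     datetime(2025, 3, 4, 18, 0)),           # far too late to count
]


def match_alert(step: AttackStep, alerts: list, window: timedelta) -> Optional[Alert]:
    """Earliest alert on the same host and technique raised within `window` after the step.

    A same-host/same-technique alert outside the window is treated as a miss: the
    attacker has moved on, so the alert did not give defenders a chance to act.
    """
    candidates = [
        a for a in alerts
        if a.host == step.host
        and a.technique == step.technique
        and step.started <= a.raised <= step.started + window
    ]
    return min(candidates, key=lambda a: a.raised) if candidates else None


def _mean_minutes(deltas: list) -> Optional[float]:
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 60


def score(steps: list, alerts: list, window: timedelta = timedelta(hours=4)) -> dict:
    """Return detection coverage and response metrics for the engagement."""
    matched = {s.step_id: match_alert(s, alerts, window) for s in steps}
    detected = [(s, matched[s.step_id]) for s in steps if matched[s.step_id] is not None]
    ttd = [a.raised - s.started for s, a in detected]
    tta = [a.acknowledged - a.raised for _, a in detected if a.acknowledged is not None]
    return {
        "steps": len(steps),
        "detected": len(detected),
        "coverage": len(detected) / len(steps) if steps else 0.0,
        "missed": [s.step_id for s in steps if matched[s.step_id] is None],
        "mean_ttd_minutes": _mean_minutes(ttd),
        "mean_tta_minutes": _mean_minutes(tta),
        "detected_but_untriaged": [s.step_id for s, a in detected if a.acknowledged is None],
    }


if __name__ == "__main__":
    for key, value in score(ATTACK_STEPS, ALERTS).items():
        print(f"{key}: {value}")
```

On the constructed data this reports 2 of 5 steps detected, a mean time-to-detect of 21 minutes, and one alert that fired but was never triaged. Those three numbers answer the questions a red team report exists to answer: what the controls saw, how fast, and whether anyone acted; a vulnerability scan cannot produce any of them.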
If all you're getting is a list of findings without context, no narrative, and no reflection on how your defenses performed — that’s not red teaming. That’s just a report wearing a red hoodie.
Smarter Questions to Ask
Before signing off on a red team exercise, especially if you're a board member, CEO, or senior decision-maker, don’t get lost in technical jargon. Ask smarter questions that cut to the core of what really matters:
Before the engagement:
“What assumptions are we challenging through this red team exercise — and how will we know if those assumptions still hold true?”
After the report is delivered:
“What did this exercise teach us about our ability to detect, respond, and recover — and what changes should we be making based on what we’ve learned?”
Because red teaming isn’t about ticking boxes — it’s about stress-testing your entire defense stack, human and technical.
So next time someone hands you a red teaming report, don’t just check if the file is labeled correctly. Ask what was tested, what was simulated, and most importantly — what did you actually learn about your security posture?
That’s all for this week!
Cheers,
Siva