Thoughts

Nov 2014

Yesterday, I had an insightful conversation with a security director who recently helped revamp his company’s security approach after two Red Team assessments we ran for him. We discussed the difference between his approach and how most organizations handle information security today. He was particularly interested in our team's take on his new strategy.

I emphasized that security is dynamic, not static. Adversaries evolve constantly, using new techniques and ways to bypass defenses. You can't rely on checklists or past threats alone - security must adapt. Being PCI compliant is just a baseline, for example. It doesn't provide any real security. Without continuous improvement and testing, like Red Teaming, you'll remain vulnerable, regardless of how much you invest in the latest tech or certification. Security must be proactive and challenge assumptions, because, ultimately, breaches will happen. The goal is to make it harder for attackers and plan for the worst.

I believe the right mindset is key here. Red Teaming offers this mindset, testing security plans dynamically and helping decision-makers truly understand the risks. It’s not about checking boxes; it’s about challenging assumptions and staying one step ahead.

Security today seems divided into two camps: the “checkbox people”, who are content with compliance and risk mitigation, and the “risk-takers”, pushing boundaries to stay ahead. Red Teaming belongs to the latter group, the group that’s ready to take the next step.

Which group do you belong to?