Thoughts
Nov 2024
Yesterday I spoke with a security director who recently rebuilt his company’s entire security program after two Red Team assessments we ran for him. We talked about what changed, and how his new approach differs from the way most organizations still handle security. He wanted our honest take on his strategy.
The first point I made was simple. Security is dynamic. It never stands still. Adversaries evolve, change tactics, and find new ways around defenses. Checklists and past threat models are not enough. Compliance frameworks like PCI are a cover-your-ass point, nothing more. At best they confirm you meet the bare minimum, and it is not even clear that the minimum covers what matters; if you base your security only on that, you are not secure. Without continuous testing and improvement, every defense erodes over time, no matter how advanced the technology looks on paper.
Security must adapt in real time. It has to question assumptions, simulate real attacks, and plan for failure. Breaches are inevitable. The goal is to make compromise costly, delay the attacker, and recover fast.
That mindset is where Red Teaming delivers value. It turns security from a compliance exercise into a living system. It challenges plans, surfaces blind spots, and forces decision-makers to confront risk directly. Red Teaming is not about checking boxes. It is about staying sharp, learning fast, and staying ahead.
Today’s security world splits into two groups. The checkbox crowd focuses on compliance and risk reports. The risk-takers embrace testing, learn from friction, and keep pushing forward. Red Teaming belongs with the second group—the ones who move first.
Which side are you on?