Organisations with a solid security baseline who have implemented robust security controls and are confident in the efficacy of their detection capability (in terms of both tooling and personnel capability) are able to maximise the opportunity provided by Red Teaming, using it as an opportunity to stress-test and exercise their security team.
However, Red Teaming typically takes the path of least resistance; the shortest route from the point of breach to the end-goal. Red Team exercises are designed to answer the question of “can the attacker cause harm”, as opposed to “how can I stop an attacker from causing harm”. This means that without Red Teaming an organisation’s broader defensive controls and capabilities are unlikely to be tested, resulting in limited learning and improvement opportunities.
For this reason, Red Team exercises are especially well-suited to organisations who have already invested in developing their cyber security controls and capabilities. Organisations who lack an established security baseline should consider alternative approaches which are less focused on realism, and more attuned to identifying and driving capability improvements, before engaging in a hyper-realistic simulation such as a Red Team.