
Not all offensive security programs deliver the same value. Many organizations invest in penetration tests or even red team exercises, only to find the results don’t move the needle. The difference lies in how well these efforts align with real business risks and provide actionable insights. So, what does “good” look like? And how do you know if your investment produces results instead of just ticking off another checklist?
To answer these questions, Trevin Edgeworth, Red Team Practice Director at Bishop Fox, walked through the building blocks of strong offensive security in the webcast “Red Teaming: Is Your Security Program Ready for the Ultimate Test?” His insights offer a clear picture of what good looks like in practice.
What Good Offensive Security Coverage Looks Like
Good coverage depends on an organization’s risk profile, industry, and data sensitivity. There is no one-size-fits-all formula. Every environment is different, and your approach should be tailored to your business risks and priorities. A general tiered approach can serve as a starting point, which organizations should then adapt to their own needs.
For example, a company that hosts a critical web application in the cloud may need far more frequent cloud penetration testing than once per year, while a factory might prioritize physical testing and operational technology over cloud-focused efforts.
A general tiered approach looks like:
- Foundational Security Practices: This is the bedrock of a solid security program, and it includes basic threat modeling and security reviews. It also encompasses establishing attack surface management, vulnerability management, and a strong application security program with regular testing.
- Advanced Testing: Once foundational elements are solid, organizations can move to more advanced testing methods like network, cloud, and application penetration testing.
- Adversary Emulation: The highest tier involves sophisticated practices such as red teaming, purple teaming, and tabletop exercises, which test defenses and response capabilities against realistic adversary behavior rather than isolated vulnerabilities.
Organizations should aim to strengthen each level before progressing to the next.
Assessing if Current Efforts Are Enough
Offensive security maturity generally falls into three tiers:
- Minimal Coverage (Compliance-Driven): This typically involves meeting regulatory requirements, such as a once-per-year penetration test for compliance purposes (e.g., PCI environments). This is the minimum bar and often doesn't go beyond box-checking.
- Baseline Coverage (Most Common): Many organizations fall into this category. They increase the cadence of penetration testing to around twice per year because networks evolve and new technologies are introduced. They also add targeted assessments for "crown jewel" systems (e.g., Active Directory, MFA environments, or customer portals). The key is to identify a manageable number of these critical systems, ideally no more than 20-30, so that regular testing remains feasible.
- Advanced Coverage: This level is typical for large retailers, banks, and other high-value targets where point-in-time testing isn't sufficient. These organizations implement continuous offensive security measures. This can include external penetration testing services, ongoing attack surface management, and bug bounty programs. They also utilize dedicated teams to continuously monitor their perimeter for zero-days and new vulnerabilities. For major companies with diverse lines of business, a single annual red team exercise is inadequate. Instead, they might conduct multiple, highly specific red team scenarios throughout the year to address different threats, threat actors, and business segments.
| Activity | Minimal | Baseline | Advanced |
|---|---|---|---|
| Compliance Requirements | As required | As required | As required |
| External Network Pentest | Annual | Semiannual | Continuous |
| Internal Network Pentest | Annual | Semiannual | Semiannual+ |
| Web Application Pentest | Annual | Semiannual | Semiannual+ |
| Cloud Penetration Testing | Annual | Semiannual | Semiannual+ |
| Critical System Assessment | Not in scope | Biennial or post-deployment | Biennial or post-deployment |
| Red Team | Not in scope | Annual (external, assumed breach, or social engineering) | Annual, multiple scenarios (5-5-20x model) |
| Purple Team | Not in scope | Semiannual | Quarterly+ |
As organizations progress through these tiers, red teaming becomes the capstone of an offensive security program. It goes beyond checking compliance boxes or testing point-in-time vulnerabilities. Red teaming is about simulating real-world adversaries with specific objectives, and it is where the difference between average and exceptional coverage becomes clear.
Elevate Testing with Red Teaming’s 5-5-20x Model
To ensure your red team efforts align with what matters most for your business, consider using Trevin’s suggested 5-5-20x framework by identifying your organization’s:
- 5 top threats: the five most significant threats to your organization (e.g., ransomware, supply chain compromise)
- 5 top threat actors: the adversaries you are most likely to encounter (e.g., nation-state actors, insider threats, cybercriminals)
- 20 crown jewels: the top 20 critical systems or assets you must protect (e.g., customer data, financial systems, intellectual property)
- X lines of business: the business units that make up your attack surface (e.g., a major online retailer will likely have 10 or more lines of business, with several internal or hybrid red teams each looking at different aspects of them)
Design red team scenarios to target combinations of these elements. Rather than sprawling, unfocused exercises that yield scattered insights without addressing the highest-risk objectives, this approach produces results that are both strategic and measurable.
By planning red team scenarios that comprehensively cover these elements over a 12-to-24-month period, organizations can achieve robust, strategic offensive security coverage.
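Planning against the 5-5-20x model is easier when the catalog and the scenario roadmap are written down and checked mechanically. The following is an added example, not code from the webcast or from Bishop Fox: it holds a constructed catalog of threats, actors, crown jewels, and lines of business, validates each planned scenario against it, reports which elements the roadmap never touches within the planning window, and proposes the least-covered combination as the next scenario. All names in the catalog and the three planned scenarios are illustrative placeholders; the 20-entry crown jewel list is shortened to six for readability.

```python
"""Coverage planner for a 5-5-20x red team roadmap.

Added example (not from the webcast or Bishop Fox). Every catalog entry and
planned scenario below is constructed for illustration; substitute your own.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    quarter: int                      # 1-based quarter within the planning window
    threat: str
    actor: str
    lob: str                          # line of business
    crown_jewels: frozenset = field(default_factory=frozenset)


@dataclass
class Catalog:
    threats: set
    actors: set
    crown_jewels: set
    lobs: set

    def validate(self, s: Scenario) -> list:
        """Return problems found; an empty list means the scenario only uses catalogued elements."""
        problems = []
        if s.threat not in self.threats:
            problems.append(f"{s.name}: unknown threat {s.threat!r}")
        if s.actor not in self.actors:
            problems.append(f"{s.name}: unknown actor {s.actor!r}")
        if s.lob not in self.lobs:
            problems.append(f"{s.name}: unknown line of business {s.lob!r}")
        for cj in sorted(s.crown_jewels - self.crown_jewels):
            problems.append(f"{s.name}: unknown crown jewel {cj!r}")
        if not s.crown_jewels:
            problems.append(f"{s.name}: no crown jewel objective")
        return problems


def coverage(catalog: Catalog, scenarios, window_quarters: int) -> dict:
    """Count how often each catalog element is targeted inside the window, and list what is never touched."""
    in_window = [s for s in scenarios if 1 <= s.quarter <= window_quarters]
    hits = {
        "threats": Counter(s.threat for s in in_window),
        "actors": Counter(s.actor for s in in_window),
        "crown_jewels": Counter(cj for s in in_window for cj in s.crown_jewels),
        "lobs": Counter(s.lob for s in in_window),
    }
    options = {"threats": catalog.threats, "actors": catalog.actors,
               "crown_jewels": catalog.crown_jewels, "lobs": catalog.lobs}
    gaps = {dim: sorted(options[dim] - set(hits[dim])) for dim in options}
    return {"hits": hits, "gaps": gaps}


def suggest_next(catalog: Catalog, scenarios, window_quarters: int) -> dict:
    """Pick the least-covered element of each dimension (ties broken alphabetically) as the next scenario."""
    hits = coverage(catalog, scenarios, window_quarters)["hits"]

    def least_covered(dim, options):
        return min(sorted(options), key=lambda x: hits[dim][x])

    return {
        "threat": least_covered("threats", catalog.threats),
        "actor": least_covered("actors", catalog.actors),
        "crown_jewel": least_covered("crown_jewels", catalog.crown_jewels),
        "lob": least_covered("lobs", catalog.lobs),
    }


# Constructed sample catalog (a real list would carry up to 20 crown jewels).
CATALOG = Catalog(
    threats={"ransomware", "supply chain compromise", "business email compromise",
             "insider data theft", "customer portal takeover"},
    actors={"cybercriminal group", "nation-state", "malicious insider",
            "initial access broker", "hacktivist"},
    crown_jewels={"Active Directory", "MFA/IdP", "customer portal",
                  "payments platform", "backup infrastructure", "CI/CD pipeline"},
    lobs={"online retail", "payments", "logistics"},
)

# Constructed sample roadmap: three scenarios over the first three quarters.
PLANNED = [
    Scenario("Q1 ransomware assumed breach", 1, "ransomware", "cybercriminal group",
             "online retail", frozenset({"Active Directory", "backup infrastructure"})),
    Scenario("Q2 build pipeline compromise", 2, "supply chain compromise", "nation-state",
             "payments", frozenset({"CI/CD pipeline", "payments platform"})),
    Scenario("Q3 portal account takeover", 3, "customer portal takeover", "initial access broker",
             "online retail", frozenset({"customer portal", "MFA/IdP"})),
]

if __name__ == "__main__":
    for s in PLANNED:
        for p in CATALOG.validate(s):
            print("INVALID:", p)
    report = coverage(CATALOG, PLANNED, window_quarters=4)
    for dim, missing in report["gaps"].items():
        print(f"{dim}: never targeted in window -> {missing}")
    print("suggested next scenario:", suggest_next(CATALOG, PLANNED, window_quarters=4))
```

Run it against your own catalog and roadmap; the gap lists are what to bring to scenario-planning discussions, and the suggestion is only a starting point that a human should reshape into a coherent attack narrative.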
Great Red Teams Deliver Strategic ROI
Red teaming isn’t just scaled-up vulnerability scanning or rebranded pen testing. When done right, red teaming is a targeted, intelligence-driven simulation of a real-world adversary pursuing a meaningful objective in your environment.
The most effective red teams help you understand your actual risk landscape and generate actionable insight in three key areas:
- Exploitable Weaknesses: These are technical vulnerabilities tied to realistic attack paths. The goal is relevance and impact.
- Detection and Response Gaps: These reveal how well your tools and people detect and react to threats. This feedback is invaluable to your SOC, IR, and detection engineering teams.
- Strategic Deficiencies: These are broader, systemic issues like lack of segmentation, credential reuse, or weak secrets management. They're often the root causes of persistent risk.
Your red team engagement should cover all three so you don't miss the critical insights that threat actors can exploit.
The Good, the Bad, and the Ugly
The value of a red team lies in how well it connects findings to business risk.
| Category | Good | Bad | Ugly |
|---|---|---|---|
| Objectives | Aligned to business risk and threat intel | Vague or unclear | No real objective, just “do a red team” |
| Findings | Technical, detection, and strategic insights | Only technical CVEs | Noise and irrelevant issues |
| Reporting | Clear executive summary and detailed tactics | Long, unfocused report | Disorganized and unusable |
| Blue Team Collaboration | Active debriefs and information sharing | Minimal communication | No cooperation |
| Program Impact | Informs roadmap and investments | Ambiguous next steps | Forgotten and unused |
Remember, high-quality red teaming should leave you with greater confidence and clarity, not more confusion.
Practical Examples: What Real Good (and Bad) Looks Like
Here are a few practical examples of what a “good,” “bad,” and “ugly” red teaming outcome might look like:
- “Good:” The red team engagement reveals how a ransomware group could traverse cloud and on-prem infrastructure undetected, which then drives focused investment in segmentation and telemetry.
- “Bad:” The red team delivers a 90-page vulnerability list with no context, paralyzing the security team.
- “Ugly:” The red team reports 300+ issues, most unrelated to the defined objectives, leaving the client overwhelmed and misaligned.
The lesson: it's the quality and focus of findings (not the volume) that defines a successful engagement.
A Strong Red Team Engagement Ends with Clarity
After a successful red team engagement, you should be able to walk into any executive meeting and say:
- “Here’s how an attacker could reach our most critical assets.”
- “Here’s where our defenses succeeded and where they fell short.”
- “Here are the specific improvements we need to prioritize.”
A truly impactful red team engagement provides an organization with crystal-clear insights into its security posture. It enables leaders to articulate precisely how attackers could compromise critical assets and where existing defenses prove insufficient.
Ultimately, a strong engagement culminates in a prioritized list of actionable improvements, guiding strategic security investments.
Want to Ensure You’re Ready?
Download our companion guide: Red Team Readiness. It will help validate readiness, align objectives, and maximize the impact of red team engagements.