Red team is not a penetration test
Confusing the two is how you spend $80k on a report nobody reads. Here's the difference, and when each is the right call.
Procurement language collapses the two terms. The work doesn’t.
Pentest
A penetration test is breadth-oriented. The goal is to find as many real, exploitable vulnerabilities as possible inside a defined scope, document them, and hand you a list with severity ratings. The scope is typically an application, a network segment, or a defined external surface. The clock is short, usually one to three weeks.
You want a pentest when:
- You need a current inventory of exploitable issues to feed into your remediation pipeline.
- You’re meeting a compliance requirement that asks for one.
- You have a new application, environment, or major change going live and need a focused review.
Red team
A red team engagement is depth-oriented. The goal isn’t to find every vulnerability. It’s to achieve a defined adversarial objective (data exfiltration, domain compromise, a specific business impact) using the tactics, techniques, and procedures (TTPs) of a real adversary, taking only the vulnerabilities needed to get there and staying quiet while doing it. Detection and response are the actual test subjects.
The clock is longer (typically four to twelve weeks). The scope is usually the entire organization, with limited carve-outs. Most of the engagement is invisible to the defenders; only a small control group knows it is running, which is the point, because a forewarned SOC tells you nothing about how the real one performs.
You want a red team when:
- You have a real defense program and you want to know if it actually works against a thinking adversary.
- You need to validate detection engineering and SOC processes under pressure.
- You’re making a board-level case for investment and you need evidence that’s harder to argue with than a tool comparison.
The trap
The trap is buying a “red team” that is actually just a longer pentest with more dramatic language. You can identify these by:
- Heavy reliance on vulnerability scanners, which a real adversary trying to stay undetected would not run against you.
- No adversary emulation plan: no mapping of the planned actions to MITRE ATT&CK techniques, and no specific threat actor profile being emulated.
- A report that lists findings by CVSS severity instead of telling a coherent attack narrative: how initial access was gained, how the objective was reached, and which actions were detected, which were missed, and when.
- No purple-team debrief afterward, where the attack timeline is replayed with your blue team against their own telemetry to find the detection gaps.
If you’re paying red team prices for that, you’re being charged for the marketing, not the work.
Want to talk it through?
If you’re not sure which engagement actually fits where you are, start a conversation. Wrong scope is the most expensive mistake in this category.