Is Red/Blue Teaming Right for Your Network?

What you need to know about red, blue and purple teaming, and how to know if it’s a worthwhile expense for your organization.


War games, fire drills and dress rehearsals all exist for the same reason: If you wait until the chips are down to think about whether you’re ready to face a given situation, the answer will probably be a resounding “no.” As it turns out, there’s an equivalent exercise in cybersecurity, designed to simulate an attack and find holes in your network defenses before an actual attacker does. It’s called red and blue teaming, and it’s available to anyone — for a price.

What is Red, Blue and Purple Teaming?

In cybersecurity, the red team is a group of “ethical hackers” that acts as the adversary and carries out a physical or digital intrusion. For best results, the red team is hired by the organization, rather than made up of insiders, allowing them to take the sort of outsider view that an adversary will have — but the group can also be made up of individuals within the organization.

Often, these exercises consist of tasks such as gaining access to a network, conducting reconnaissance, obtaining credentials, performing encryption, taking control of browsers, social engineering and much more. For some exercises, the red team spends part of the simulation lying low to avoid being detected by employees or others associated with the organization.

The main advantage of red/blue/purple teaming versus pen-testing is the element of surprise: The blue team, which is created to act in opposition to the red team, often has no indication that a simulation is occurring. As a result, the blue team (and others in the company) will treat the simulation as an actual intrusion, carrying out threat hunting and other defense strategies exactly as they could be expected to in an actual security event. This allows the blue team to help refine incident response plans and ensure they’re ready to face an actual attack.

In addition to developing defenses, these exercises also help to foster a more security-minded culture in the organization.

Many simulations also make use of a “purple team.” This group is made up of members of both the red team and the blue team and can also include individuals outside the simulation, such as managers, software engineers and others. While optional, purple teams can help organizations get the most out of their red/blue teaming exercise by recording findings and outcomes and helping to make adjustments to ongoing simulations.

Why Red/Blue/Purple Testing Is Better Than Pen-testing

While red/blue/purple testing shares some elements of pen-testing, it is a distinct exercise: Red team testing is lengthier and more thorough, including more complex rules of engagement and more expansive evaluation.

While pen-testing is generally limited to describing vulnerabilities and how they were breached, red-teaming provides a comprehensive overview of a security program’s response capabilities.

Red/blue/purple teaming evaluates an organization’s security posture in a way that pen-testing alone cannot, allowing the organization to validate its level of risk and determine the potential financial impact of a security breach.

The Rising Cost of Red/Blue/Purple Teaming

But all of this comes at a cost — red team testing starts at around $10,000, and can run as high as $85,000 for more complex and lengthy evaluation.

There are a number of ways to limit this cost, such as capping the scope and amount of time spent by a red team, limiting the red team to a particular attack surface or vector, or shopping around for a red-team vendor at a lower price point that is still capable of meeting an organization’s security objectives. But red/blue/purple teaming is inherently expensive, so it might not be right for organizations that are unlikely to see a benefit commensurate with the cost.

Is Red/Blue/Purple Teaming Right for You?

While the insights yielded by red/blue/purple teaming can be highly valuable, they are more valuable for some organizations than others. Organizations that are globally regulated or affiliated with the federal government, as well as organizations that work with complex supply chains, can be expected to see the greatest benefit from this testing.

Whether an organization opts to start a red/blue/purple testing journey can depend on several factors, such as the compliance mandates that the organization is subject to, data privacy requirements, and the organization’s overall risk tolerance. With the average data breach costing millions of dollars, organizations need to perform their own assessment as to whether their likelihood of being targeted justifies the expense.

If you can’t justify the cost — or can’t justify it yet — that doesn’t mean you can’t gain some of the benefits that red/blue/purple teaming offers. For more on how to reap red/blue benefits on a make-do budget, register for the upcoming Mindhunter #13 webinar.

Stephan Kaiser
Senior Solutions Engineer | SonicWall
Stephan works as a Senior Solutions Engineer for SonicWall's Central Europe territory, where he helps partners and customers improve security for a wide range of organizations. With a background in system administration and broadband implementation, Stephan has over a decade's experience at SonicWall, and more than 15 years of security expertise overall.