Offensive Security · April 2025 · 8 min read

Red Team vs Penetration Test: Choosing the Right Engagement

The terms are used interchangeably but they measure very different things. Here is how to scope the engagement that actually matches your threat model.

Dark server room with blue lighting representing cyber operations

When a board asks whether the company can withstand a cyberattack, the answer usually involves commissioning a test. The problem is that 'test' covers two fundamentally different exercises that answer different questions and should drive different decisions. Conflating them leads to spending money on the wrong engagement and drawing the wrong conclusions from the results.

What a Penetration Test Actually Measures

A penetration test is a point-in-time technical assessment of a defined scope. You give the testers a target: an application, a network range, an API. They attempt to find and, where safe to do so, exploit vulnerabilities within that scope. The output is a vulnerability report with risk ratings and remediation guidance.

What a penetration test tells you: whether known vulnerability classes exist in your target, how exploitable they are from a technical standpoint, and whether your patching and secure development practices are working. What it does not tell you: whether your detection and response capability would catch an attacker in the act, whether your staff would fall for a phishing campaign, or whether an attacker could move from an initial foothold to your most sensitive data.

Hacker at a laptop with code overlaid
Penetration tests validate technical controls. Red team exercises test the whole defensive ecosystem.

What a Red Team Exercise Measures

A red team exercise simulates a targeted threat actor pursuing a specific objective against your organisation. The scope is deliberately broad: the red team can use any technique a real attacker would use, including phishing, physical access, supply chain compromise, and zero-day-style exploitation. The only constraint is the rules of engagement agreed before the exercise starts.

The blue team, your security operations centre and your incident responders, does not know the exercise is happening; only a small control group that agreed the rules of engagement is informed, so that it can pause the exercise if something goes wrong. The red team wins if they reach the objective without being detected and stopped. Your security team wins if they detect and contain the intrusion before the objective is reached. The output is not primarily a list of vulnerabilities. It is an assessment of your detection and response capability under realistic adversary pressure.

A Decision Framework

Question                                                                     | If yes, consider
---------------------------------------------------------------------------- | -----------------------------------------
Do you need to validate a specific application or system before release?     | Penetration test (application scope)
Do you need to meet a compliance requirement (PCI-DSS, ISO 27001, Cyber Essentials)? | Penetration test (scoped to the requirement)
Do you want to know whether your SOC would detect an active intrusion?       | Red team exercise
Have you already done multiple pentests and want to test your response capability? | Red team exercise
Do you have a mature security programme and a named threat actor profile?    | Threat-led red team (e.g., TIBER-EU, CBEST)

Common Scoping Mistakes

Threat Modelling as the Starting Point

Before deciding which engagement to buy, spend time on your threat model. Who would realistically target your organisation? What do they want? What is the most likely path they would take? If your threat model identifies a sophisticated nation-state actor targeting your intellectual property, a standard penetration test of your customer-facing web application is not the right investment. If your primary concern is opportunistic ransomware, a penetration test of your external perimeter combined with a phishing simulation is a proportionate starting point.

Threat Model Template

```text
Organisation: [Name]
Crown Jewels: [List of highest-value assets]

Threat Actor Profile:
  - Type: [Nation-state / Organised crime / Hacktivist / Insider]
  - Motivation: [Data theft / Financial / Disruption / Reputational]
  - Capability: [Low / Medium / High / Advanced]
  - Known TTPs: [MITRE ATT&CK tactics/techniques relevant to your sector]

Attack Paths (most likely to least likely):
  1. Phishing -> credential theft -> cloud console -> data exfil
  2. VPN vulnerability -> internal network -> AD compromise -> ransomware
  3. Supply chain -> software update -> persistent access

Recommended engagement type: Red team / Pentest / Both
```
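As an added example, not part of the original article, here are the three attack paths from the template above expressed as chains of MITRE ATT&CK technique IDs, with a short Python script that finds the techniques shared between paths (where one detection pays off several times) and the steps on each path that your current alerting would miss. The technique IDs and the detection inventory are this example's own assumptions, constructed for illustration; replace them with your own threat model and alert catalogue.

```python
from collections import Counter

# Constructed example: the three attack paths from the template above, expressed
# as ordered chains of MITRE ATT&CK technique IDs. The ID mapping is this
# example's own assumption, not part of the original template.
ATTACK_PATHS = {
    "phishing -> credential theft -> cloud console -> data exfil": [
        "T1566",      # Phishing
        "T1078.004",  # Valid Accounts: Cloud Accounts
        "T1530",      # Data from Cloud Storage
        "T1567",      # Exfiltration Over Web Service
    ],
    "VPN vulnerability -> internal network -> AD compromise -> ransomware": [
        "T1190",      # Exploit Public-Facing Application
        "T1021",      # Remote Services (lateral movement)
        "T1003",      # OS Credential Dumping
        "T1078.002",  # Valid Accounts: Domain Accounts
        "T1486",      # Data Encrypted for Impact
    ],
    "supply chain -> software update -> persistent access": [
        "T1195.002",  # Compromise Software Supply Chain
        "T1547",      # Boot or Logon Autostart Execution
        "T1071",      # Application Layer Protocol (command and control)
    ],
}

# Constructed detection inventory: technique IDs the SOC already has a tested
# alert for. A parent technique ID is taken to cover all of its sub-techniques.
DETECTIONS = {"T1566", "T1190", "T1486"}


def parent(tid: str) -> str:
    """'T1078.004' -> 'T1078'; a parent ID maps to itself."""
    return tid.split(".", 1)[0]


def is_detected(tid: str, detections: set) -> bool:
    """True if the technique itself or its parent technique has a detection."""
    return tid in detections or parent(tid) in detections


def choke_points(paths: dict) -> list:
    """Parent techniques that appear on two or more attack paths, most shared first.

    These are the highest-value detections to build or test: a single alert on a
    shared technique covers every path that passes through it."""
    counts = Counter()
    for chain in paths.values():
        counts.update({parent(t) for t in chain})  # count each path at most once
    shared = [(t, n) for t, n in counts.items() if n >= 2]
    return sorted(shared, key=lambda tn: (-tn[1], tn[0]))


def coverage_gaps(paths: dict, detections: set) -> dict:
    """For each path, the steps (in order) that would fire no alert at all."""
    return {name: [t for t in chain if not is_detected(t, detections)]
            for name, chain in paths.items()}


def undetected_paths(paths: dict, detections: set) -> list:
    """Paths an attacker could walk end to end without a single alert.

    A non-empty result is the strongest argument for a red team exercise rather
    than another scoped pentest: no vulnerability finding will expose this."""
    return [name for name, chain in paths.items()
            if not any(is_detected(t, detections) for t in chain)]


if __name__ == "__main__":
    print("techniques shared across paths:", choke_points(ATTACK_PATHS))
    for name, gaps in coverage_gaps(ATTACK_PATHS, DETECTIONS).items():
        print(f"{name}\n  undetected steps: {gaps}")
    print("paths with no detection at all:", undetected_paths(ATTACK_PATHS, DETECTIONS))
```

With the constructed inventory, the only shared technique is Valid Accounts (T1078), which appears on both the cloud and the Active Directory paths, and the supply-chain path has no detection on any step. Treating a parent technique as covering its sub-techniques is a deliberate simplification: if your alert only fires for one sub-technique, list that sub-technique ID in the inventory rather than the parent.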

The right engagement is the one that answers the question your threat model raises. Get the threat model right first, and the choice between a penetration test and a red team exercise becomes straightforward.
