Red Team activities: Finding the cyber security
vulnerabilities before the bad guys do

27 Feb 2019

Red Team activities: Finding the cyber security vu...

In the world of information security, colours play a big part. We have red teams, blue teams and purple teams, and within the red team structures we have white hats, black hats and grey hats.

‘Red’ activities are concerned with offensive security exercises e.g. trying to gain access to an organisation, a network, a system etc. This is done through a number of means, but those you have probably heard of include:

All of these will almost certainly make use, to some extent, of Open Source Intelligence (OSINT), which concerns gathering information about the target from free resources, such as social media accounts, news reports and public records (take a look at our article on social engineering for more information). This may be achieved by physical reconnaissance or by looking online for data about the target, which can then be used to identify vulnerabilities in order to try to gain access.

Let’s delve a bit deeper into what these methods involve, so you can see how they could benefit your organisation:

Vulnerability scanning

A vulnerability scan is a very high-level test which doesn’t go into as much detail as a penetration test. It’s the equivalent of a burglar trying the doors and windows on a house to see if they’re open – and then not going into the house (which would be a penetration test).

This type of scan identifies how an application, website or other system is vulnerable, but it doesn’t tell you what you could do if you exploited the vulnerability.

Penetration testing

A common way of testing web sites and web applications is to run a penetration test. This is where ethical testers—i.e. people with prior written permission from an organisation—run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Ethical testers are often called white hat hackers while, conversely, people who try to gain access without permission (which is illegal) are called black hat hackers. The names come from the old black and white Western films in the 1950s and 1960s, where the bad guys all wore black hats and the good guys wore white so the audience could tell them apart. In the middle you’ll find those who occupy a murky space between the two - grey hats, for example, are people who test systems without permission (breaking the law) who then ask for money because they were being ‘helpful’ in return for divulging the weaknesses they have found.

Penetration tests can take a number of forms:

  • External: These tests are carried out from outside the network to establish the risks to the organisation from an attack from people outside the organisation’s network.
  • Internal: These tests are carried out from within the network, typically to find out what can be accessed from inside the organisation.
  • Web Application: These tests specifically look for vulnerabilities with any public-facing or internal web applications.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

Much like taking your car in for an MOT and service, penetration tests should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

Physical penetration testing

The ‘attacking’ team will make use of social engineering (in the context of information security, this refers to psychological manipulation of people into performing actions or divulging confidential information) as part of their efforts to gain access to a building or premises.

Physical testing is typically engaged by senior management to assess processes—such as visitor registration, tailgating, signing in, staff challenging non-wearers of passes etc.—to see how far a potential intruder could get into a building.

These tests may have a specific objective e.g. to access a specific server in a data centre, or to place a keylogger on a desktop PC to try to capture passwords, or to install a rogue Wi-Fi access to point to capture network traffic.

The intention of these tests is to identify weaknesses in policies, processes, procedures and training, so they can be addressed, and improvements made.


Red-teaming is often considered the highest standard of threat emulation and is suited to organisations who have an active security programme and are looking to validate the effectiveness of their approach and the alertness of their defensive solution.

Essentially, a team of offensive security professionals are engaged to perform a specific task; be it compromising a network, accessing a specific file and taking a copy, or gaining access to an individual’s business emails. Typically, an objective is specified and the team’s creativity is unleashed (within limits, of course). This more closely simulates what a genuine attacker would do - explore and search for the easiest way into a target using their skills to create opportunities when none currently exist.

Regardless of whether the team meet the objective, PGI consultants will explain what they did and how this was achieved. This can be compared to any discovered actions to ensure that logging and monitoring levels are sufficient, and to identify the attack taking place, preventing a genuine intruder from taking a similar approach.

An example

One red-teaming technique involves the delivery of a special parcel to the building—marked private and confidential—addressed to a fictitious employee. Within the package is a Wi-Fi-hot spot and 4G modem along with batteries, allowing the red-team to hack the wireless network without entering the target building. They can then leverage this capability for further attacks, such as gaining access to the human resources system and adding a team member to the database as a new employee, who is able to enter the site after being checked by security. This member of the red-team then poses as a member of the IT team and approaches users, asking for them to print out a file that he needs. Once he has obtained a hard copy of the document, he can walk out of the building with the file, having completed his assignment.

How can these assessments benefit your organisation?

Red team activities can identify weaknesses and vulnerabilities in the physical processes and defences in the controls you have in place to protect your online systems. It is better to find these weaknesses yourself than for an attacker to find them, because you are then in a position to put in place better defences, enhancing your controls and protecting your data.

The type of threat changes regularly, new methods of attack are constantly being developed, so it is important that you test your systems regularly.

For more information on how PGI can help you find your vulnerabilities, please contact us: or ​​​​​+44 (0)207 887 2699

Share this article


Your free global geopolitical
risk dashboard

PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.

The Risk Portal gives users up-to-date information and analysis on global affairs.

The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.

Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.

Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.

Visit the Risk Portal

GDPR Services

Making ongoing compliance easier for you and your business

GDPR is now in force. Make sure your business meets the necessary requirements, providing assurance for all of your customers and employees.

PGI GDPR Services

A full audit of your business to assess the level of your compliance against GDPR requirements.

Become GDPR compliant with minimal work. We will conduct an analysis, review, report and implement any necessary changes to your business.

We will conduct simple security assessments to help you understand and mitigate the potential risks to your business.

Find out more on GDPR

Compliance Services

Get your business ready to face the cyber challenge.

We provide a full range of accredited, certified and bespoke services that assess the resilience of your cyber security posture.

PGI GDPR Services

PGI’s Qualified Security Assessors (QSA) will help you meet Payment Card Industry Data Security Standards (PCI DSS).

Find out more on PCI DSS

Demonstrate your commitment to cyber security by achieving and maintaining accreditation for the globally-recognised information security standard.

Find out more on ISO 27001

Expert assistance on the implementation and maintenance of governance requirements for personal data.

Find out more on GDPR

Find out more on Compliance

Vulnerability Testing

Understand the threats of phishing and malware to avoid being targeted.

Undertake our phishing vulnerability assessment to reduce your organisation’s risk of attack, by measuring the cyber awareness of your workforce.

Malware & Phishing Services

PGI will conduct a tailored phishing campaign, using multiple methods, to identify realism and train employees where necessary to mitigate future attacks.

PGI monitor multiple metrics to identify the types of phishing, generate in-depth analytical reports and provide an informed decision to help improve your organisation’s level of security and awareness.

Find out more on Vulnerability Testing

Cyber Security

Prevent attacks, respond to breaches and protect your business.

Our bespoke range of cyber security services not only protect your critical assets but provide the education you need to keep your operations and data safe.

Cyber Security Services

Implement this cost-effective cyber security measure launched by the government to prevent cyber-attacks, demonstrate information security commitment to your clients, and attract new business by being recognised as a secure organisation.

Find out more on Cyber Essentials Accreditation

The most effective way to identify how attackers target your organisation’s weaknesses is by evaluating your system, your network security, and reporting on any vulnerabilities that could have an impact on your business.

Find out more on Penetration Testing

If your business has experienced breaches, network compromises or operational disruption, our team of cyber security specialists can deploy quickly, and will begin the process of detecting and eliminating the threat efficiently.

Find out more on Data Breach Response & Recovery

In the event of a computer security investigation, a vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion.

Find out more on Digital Forensics

Browse our Cyber Security services

Data Breach Response & Recovery

We prevent attacks, respond to security breaches, and protect your business

Our team of specialists can deploy quickly and efficiently to begin the process of detecting, eliminating and preventing future threats of a breach.

Malware & Phishing Services

A vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion.

Find out more on Digital Forensics

We will identify and minimise the risks, as well as the possibility of future risks to your business.

Consistent interaction with your management team and recommendations on how to approach all outcomes that need attention.

Find out more on Data Breaches

Subscribe to our Cyber Bytes Newsletter

Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.

Get in touch today

For more information on how we can help you or your business, please contact us via:

Related News

International Womens Day - Pioneering Women in Tec...

08 Mar 2017

Pioneering Women in Technology – Katherine JohnsonThe Oscar season has been and gone. The...

Read news article

Law Firms and why they need cyber security

07 Sep 2018

Why Law Firms need Cyber Security. Suffering a data breach can be devastating! From the experts at P...

Read news article

Content from the expert - GDPR and Cyber Governanc...

12 Jul 2017

Will there be a knock on effect regarding the General Data Protection Regulation (GDPR) after the UK...

Read news article
Back to the News Hub

+44 (0)207 887 2699
©2019 PGI - Protection Group International Ltd. All rights reserved.
PGI - Protection Group International Ltd is registered in England & Wales, reg. no. 07967865
Address: Unit 13/14, Swallow Court, Sampford Peverell, Tiverton, England, EX16 7EJ