Offensive security
What is red teaming and how is it different from a pentest?
In short
What a red team engagement is, how it differs from penetration testing, where blue and purple teams fit, and when you are ready for one.
An attacker sends three convincing emails to staff in the finance team. One person clicks, and a laptop quietly starts talking to a server the attacker controls. Over the next two weeks, nothing dramatic happens. The intruder maps the network, borrows a set of stolen credentials, moves from the finance laptop to a shared file server, then toward the system that holds payment records. The whole time, the question that matters is not whether a firewall had an open port. It is whether anyone inside the company noticed. A red team engagement is built to answer exactly that.
What red teaming is
Red teaming is a goal-driven, adversarial exercise that simulates a real attacker trying to reach a specific objective. Instead of listing systems to check, you set a goal, for example reaching a crown-jewel database or gaining domain administrator rights, and the red team works out how to get there the way a genuine adversary would.
The important part is what it tests. A red team engagement measures people, process, and technology together. Can an attacker trick an employee? Do the security tools raise an alert? If they do, does anyone act on it, and how fast? The exercise is usually run with stealth, over weeks rather than days, precisely because a real attacker does not announce themselves and does not rush. The output is not only a list of weaknesses but an honest picture of whether your organisation would detect and stop an intrusion in progress.
Red teaming vs penetration testing
These two are often confused, and the difference matters when you are deciding what to buy. A penetration test is a scoped engagement to find and prove vulnerabilities in defined targets. A red team engagement is a goal-based simulation that tests detection and response across the whole organisation. The table below sets them side by side.
| Dimension | Penetration test | Red team engagement |
|---|---|---|
| Objective | Find and prove vulnerabilities | Achieve a specific goal, like reaching a target system |
| Scope | Defined systems or applications | Broad, often the whole organisation |
| Stealth | Usually announced and coordinated | Covert, most staff do not know it is happening |
| What is measured | Vulnerability coverage and severity | Whether detection and response actually work |
Neither is better; they answer different questions. A penetration test asks what is broken and gives you a thorough list to fix. A red team asks whether you would catch a real attacker, which a checklist scan cannot tell you. If you want the distinction laid out more fully, our guide to vulnerability assessment vs penetration testing covers the related pairing.
Blue teams and purple teams
If the red team plays the attacker, the blue team plays the defence. The blue team is your internal security function, the people and tools that monitor systems, detect suspicious activity, and respond to incidents day to day. In a red team exercise, they are the ones being tested, usually without knowing an exercise is underway.
Purple teaming is where the two sides work together. It is not necessarily a separate standing team; it is a way of running the engagement so the red and blue teams share information directly. After each attacker action, the two sides compare notes: the red team says what it did, the blue team says what it saw or missed, and any gap becomes a specific fix to a detection rule or a response step. Purple teaming turns findings into improvements faster than a purely covert exercise, because the learning happens in the room rather than only in a report weeks later.
When red teaming makes sense in Indonesia
Red teaming suits organisations that already have some security maturity. If you have no monitoring, no incident response process, and a backlog of unpatched systems, a red team will simply confirm what a cheaper penetration test would have told you. The money is better spent building those basics first. For most Indonesian firms, that means running a solid pentest programme and closing the findings before commissioning a red team.
Where red teaming earns its cost is in regulated sectors that want to test their real response, not just their patch levels. Banks and financial institutions under OJK supervision are expected to demonstrate that they can detect and respond to incidents, not merely that they scan for vulnerabilities. A red team engagement produces evidence about that response capability under realistic conditions. Our note on penetration testing requirements for Indonesian banks under POJK 11/2022 covers the baseline testing regulators expect before you get to that stage.
The honest sequence is pentest first, red team later. A red team is the exercise you run once you have a defence worth testing.
Where Alpha Code fits
Alpha Code runs both kinds of engagement, so you can start where you actually are. For most clients that begins with scoped Penetration Testing to find and fix what is broken, with findings mapped to the reporting OJK and UU PDP obligations expect. Once that programme is mature and there is a defensive capability worth testing, a goal-based red team engagement, run covertly and optionally as a purple team exercise, measures whether your people and process would actually stop an attacker. If you are unsure which one you need, that is the conversation worth having first, and our comparison of vulnerability assessment vs penetration testing is a good place to start.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
Red teaming is a goal-driven, adversarial exercise that simulates a real attacker trying to reach a specific objective, such as accessing a payments database or a domain controller. It tests people, process, and technology together, including whether your defenders notice and respond. A red team usually works quietly over an extended period rather than running a fixed checklist against a set list of systems.
Related
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.