Building a Red Team: How to Get Started

These groups of authorized hackers work to infiltrate their customer's data, development environment, or any other business area to locate and identify vulnerabilities.

Mike Arrowsmith, Chief Trust Officer, NinjaOne

March 23, 2022

5 Min Read
Red blocks indicating people
Source: Andriy Popov via Alamy Stock Photo

Cybersecurity has not always been top of mind for young companies. Historically, cybersecurity only became a priority when a company reached a certain size or mandates required it. This mindset has radically changed given a number of recent high-profile attacks and widespread vulnerabilities, including the widely known Log4j, which put hundreds of thousands of devices at risk. Today, companies of all sizes and in every industry are on high alert.

To combat these rising threats, companies must work overtime to fully understand their risk level and engage in regular penetration testing and security audits. With an increasingly dangerous threat landscape, cybersecurity must become a priority from the start — and one initiative that can successfully improve overall security is building an internal red team.

Red Teams: What They Are, Why You Should Care
A red team is a group of white-hat hackers hired by a company to try and infiltrate its customer data, development environment, or any other business area to locate and identify vulnerabilities. While hackers traditionally are thought of as hooded figures behind the glow of a computer monitor, digital attacks aren't the only vector that can be targeted. A good red team will also test a company through social engineering — perhaps as an unscheduled maintenance worker seeking to gain access to an executive's office.

Not every company will have the resources or need to build a fully fledged red team, but even small steps can go a long way toward protecting customer and employee data. Even the most basic steps lead to positive outcomes, most of all trust — a vital resource and competitive differentiator in today's market.

Fast-Growing Companies Are at High Risk
As the number of customers and employees increase at a company, so does the number of endpoints, tools, and partners that must be supported. This can be especially challenging for fast-growing companies, where everything happens quicker — something that is great for innovation but more challenging to protect. As a company's attack surface grows, it gets harder to identify vulnerabilities that can open up the company to unnecessary risk. Recent stats are sobering and show the challenges companies today are facing. Businesses suffered 50% more cyberattacks per week in 2021 compared with 2020, according to Check Point research, and smaller businesses are becoming an increasingly popular target.

The first step in creating a red team is to determine if it's needed. A red team is a group that responsibly attacks a company to uncover what vulnerabilities may be exploited. Whether this proactive approach is appropriate for your company comes down to the type of data that is being protected. A grocery store may not need to take this approach, but a company that sells software to government agencies does.

Once it's determined that a red team is the appropriate path forward, it's time to look at whether building a team from scratch is the right course of action. While outsourcing this capability is typically more economical at the onset, in the long run creating an internal team focuses resources toward ascertaining risk of vulnerabilities in critical systems faster and probing more deeply into critical services.

Consider these best practices when starting from scratch.

Build Your Team
Your ability to be successful lies with the strength of your team. Since the team is likely to be small at first (one to three employees), you want to find team members that have a lot of experience. While top talent can be expensive and hard to find, this is a critical first step.

Pick a Standard
OWASP Top 10, BSIMM, and NIST are great places to start for penetration testing standards. Even with a dedicated team focused on finding weak spots, you can't be everywhere at once, and you need to be selective. Picking a standard can help a team prioritize what is the highest risk to the organization.

Create a Plan of Attack
Resources are not infinite. While starting at the most vulnerable areas of the business makes sense, eventually it's important to go deeper and attack everything from the network and code, all the way down to individual employees. Threats can come from an outsider or internally (purposely or accidentally), and you need to be prepared for anything.

Adjust Policies
When a vulnerability is uncovered, action must be taken. Sometimes, it's a simple process. It's relatively easy to make security updates or apply patches to laptops, desktops, and networked devices — all of which can be done in the background without interruption to the user. Other processes may prove more difficult.

Communicate With Others
When security teams operate in a vacuum, they can inadvertently impede others' work. To avoid interruption while still maintaining security standards, policies should be developed in partnership with other departments. For example, a policy of blocking access to social media and community networks could prevent certain employees from doing their jobs. It can be a delicate balance, but a balance that can be achieved with an open line of communication.

Creating a red team takes resources and a strategic approach. However, even a small red team can find flaws in everything from code to DevOps processes before they are exploited — a truly invaluable resource.

It can be a slow process, but picking strategic targets and going after them in parallel will produce meaningful results from the start. Early wins will boost a company's security posture as well as show leadership the value of a robust cybersecurity program and ensure a dedicated red team remains a strategic priority.

About the Author

Mike Arrowsmith

Chief Trust Officer, NinjaOne

Mike Arrowsmith is the Chief Trust Officer at Ninjaone where he leads the organization’s IT, security, and support infrastructure to ensure NinjaOne meets customers’ security and data privacy demands as it scales. Prior to NinjaOne, Arrowsmith held top security roles at Guardant Health and Splunk, where he focused on managing and scaling IT and security teams. Arrowsmith brings a deep understanding of how high-value, fast-growth companies can navigate security challenges, embed a culture of security, and bake in data ethics to everything they do. Most of all, Arrowsmith has an unrelenting focus on customer experiences and is heavily involved in product development at NinjaOne, bringing a "company zero" mentality to his team.



Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights