
Aug 12 2025
Security

Choosing the Right Red Team Partner

CISA canceling red team contracts has agencies searching for new solutions.

Picking the right red team to test an agency’s cyberdefenses is crucial, given the onslaught of rapidly evolving threats it faces.

The Cybersecurity and Infrastructure Security Agency canceled its red team contracts in February as part of the Department of Government Efficiency’s cost-cutting, leaving agencies to fend for themselves.

“CISA has taken action to terminate contracts where the agency has been able to find efficiencies and eliminate duplication of effort,” said the agency in a statement.

Security experts lamented the red team contract termination because agencies need help testing their network infrastructures from seasoned white hat hackers more than ever.

“It’s a shame to see what’s happened at CISA,” says Alice Fakir, senior partner and vice president for federal cybersecurity services at IBM Federal. “Red teaming should be an ongoing practice,” rather than tactical or occasional.


CISA’s highly regarded red team operation found key problems with a critical infrastructure organization in a 2024 assessment; the target “relied too heavily on host-based endpoint detection and response solutions and did not implement sufficient network layer protections.” CISA further found the IT staff needed better training and resources, and that management “minimized the business risk of known attack vectors for the organization.”

That’s the kind of feedback a real intruder isn’t going to pause and deliver.

What Is Red Teaming, and Why Does It Matter for Cyber Resilience?

Cybercriminals regularly engineer new ways to break into networks, which is why agency IT departments must understand their own vulnerabilities. Add new artificial intelligence capabilities to the mix, and the opposing team is more formidable than ever.

Breakout time, the time it takes for an attacker to move laterally within a network that’s been breached, has fallen to 48 minutes on average — the fastest time observed was a mere 51 seconds — according to CrowdStrike’s 2025 Global Threat Report.  

“We track it as the time from when a threat actor initially lands in an environment, until they move laterally toward their objective,” says Tom Etheridge, chief global professional services officer for CrowdStrike.
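As an added illustration (not from the article, and not CrowdStrike's code), this is how a blue team could compute the breakout time defined above from its own detection timeline: the earliest initial-access event to the earliest lateral-movement event per intrusion. The key=value log format and the events are constructed for the example; an intrusion with no observed lateral movement is reported rather than silently skipped.

```python
from datetime import datetime

# Constructed sample detections (not real telemetry), one per line, in an
# assumed key=value format: timestamp, intrusion id, host, event type.
SAMPLE_LOG = """\
2025-08-12T09:00:00 inc=inc-1 host=ws-01 event=initial_access
2025-08-12T09:30:00 inc=inc-1 host=ws-01 event=discovery
2025-08-12T09:51:00 inc=inc-1 host=srv-db event=lateral_movement
2025-08-12T10:02:00 inc=inc-1 host=srv-fs event=lateral_movement
2025-08-12T13:00:00 inc=inc-2 host=ws-07 event=initial_access
2025-08-12T13:00:51 inc=inc-2 host=dc-01 event=lateral_movement
2025-08-12T15:00:00 inc=inc-3 host=ws-09 event=initial_access
2025-08-12T15:20:00 inc=inc-3 host=ws-09 event=discovery
"""

def parse_events(log):
    """Yield (timestamp, intrusion id, event type) from the constructed log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["inc"], kv["event"]

def breakout_seconds(log):
    """Seconds from the earliest initial_access to the earliest
    lateral_movement per intrusion; None when no lateral movement was seen
    (contained, or missed by detection). Order of log lines does not matter."""
    landed, moved = {}, {}
    for t, inc, kind in parse_events(log):
        bucket = {"initial_access": landed, "lateral_movement": moved}.get(kind)
        if bucket is not None and (inc not in bucket or t < bucket[inc]):
            bucket[inc] = t
    return {inc: ((moved[inc] - t0).total_seconds()
                  if inc in moved and moved[inc] >= t0 else None)
            for inc, t0 in landed.items()}

def faster_than(times, threshold_seconds):
    """Intrusions whose breakout time is within the threshold, e.g. the
    48-minute average cited above, which defenders must beat to contain."""
    return sorted(i for i, s in times.items() if s is not None and s <= threshold_seconds)

if __name__ == "__main__":
    times = breakout_seconds(SAMPLE_LOG)
    for inc, s in sorted(times.items()):
        print(inc, "no lateral movement observed" if s is None else f"breakout {s:.0f}s")
    print("inside the 48-minute average:", faster_than(times, 48 * 60))
```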

Red teams imitate the behavior of malicious hackers, employing many of the same exploits to access networks and demonstrate which parts of the security architecture need improving.

“Red teaming is true adversarial behavior,” says Aaron Herndon, principal security consultant for Rapid7. “You’re doing a war game against a company’s blue team.” (A blue team consists of an organization’s in-house IT security staff.)

Red teams attack unannounced and often stay low and slow, like real hackers, Herndon says.

“We’re not going to find all vulnerabilities, just the easiest way to get in — or a way that is least-detected,” Herndon says.

Rapid7 commonly allows 40 days for a full assessment. The outside red team and internal blue team compare notes to close gaps, fix faulty processes and improve the organization’s overall security posture after the drill.


Agencies have a much more difficult task in protecting their networks.

“Agencies have IT sprawl, legacy systems and unfinished systems,” says Gil Vega, senior vice president and CISO for Veeam. “One of the most difficult jobs in the world is being a government agency CIO.”

Vega would know, as he previously served as CISO for the Department of Energy and Immigration and Customs Enforcement.

Red teams can be either external or in-house but should not be confused with penetration testers. Pen tests are pre-announced, limited in scope and designed to find as many vulnerabilities as possible, large and small. They are also conducted in cooperation with the target organization’s blue team.


What Is Purple Teaming?

Purple teaming in cybersecurity is when the offensive and defensive teams work together.

“While purple teaming isn't always necessary to help prepare for a possible breach, it can accelerate maturity by closing gaps between offensive and defensive operations,” says Anthony Lehman, manager of vigilance services for SentinelOne. “Purple teaming is especially valuable when time, clarity and measurable improvements are priorities.”


How Is AI Changing Red Teams?

AI is supercharging cyber intrusion.

“AI is helping threat actors accelerate attack speed,” Etheridge says.

“The challenge becomes, how do you bring in a red team to think like an AI attacker?” Fakir says.

Just as the bad guys are using AI agents to run network incursions, security vendors are now building their own platforms to automate social engineering, deepfakes, phishing and account takeovers.

“They’re developing lists of steps so that even a junior red team member can do sophisticated attacks,” Vega says.


What Are the Traits of a Good Red Team Partner?

“The challenge is that people assume red teaming is a generic skill set,” Fakir says.

Instead, agencies should look for a vendor that has hands-on experience in their specific area. The contractor must be well-versed in the threat vectors associated with the target network.

“How robust are their toolsets?” Fakir says.

It’s also important to ask for some sample reporting by the prospect’s red and purple teams, Herndon says.

It all comes down to experience. That means a strong intelligence capability for collecting and reporting on threat actor tactics, techniques and procedures. A good red team partner “can help identify security gaps and vulnerabilities across the technology stack, applications, people and business processes,” Etheridge says.

The near future holds clear challenges for federal network security officials. AI-driven attacks are improving by the minute, particularly social engineering attacks built on data scraped from LinkedIn. Help desk exploits are also on the rise. The move to cloud computing creates another set of weaknesses that will require continuous red teaming, purple teaming and pen testing.

“Many organizations set up credentials and forget about them,” Etheridge says.

The red team will spot that.
