2.3 Penetration Testing Versus Red Teaming
| No: 56224/67 | Date(g): 13/5/2019 | Date(h): 9/9/1440 | Status: In-Force |
Effective from 2019-05-13 - May 12 2019
To view other versions open the versions tab on the right
There is a significant difference between red teaming exercise and penetration testing. Red teaming focusses on testing the cyber resilience of an organization. In a penetration test, the scope is often limited to an application or system, with the intent to comprehensively test the security of that limited scope application or system.
The overall objective of a red teaming exercise is different from the objective of a penetration test. In a red teaming exercise, the objective is to (independently) test the overall cyber resilience of a Member Organization. This is achieved by testing the implemented cyber security controls, along with the detection and response capabilities.
A secondary objective is to share the lessons learned with the Member Organizations within the Financial Sector, to further improve the overall cyber resilience within the sector.
| Penetration testing | versus | Red Teaming |
| Gain oversight of vulnerabilities | Goal | Test the resilience against realistic attacks |
| Predefined subset | Scope | Realistic access paths |
| Focus on preventive controls | Tested controls | Focus on detection and response |
| Focus on efficiency | Test method | Focus on realistic simulation |
| Mapping, scanning and exploiting | Test techniques | Tactics, Techniques and Procedures (TTPs) |
| Very limited | Post-exploitation | Extensive focus on critical assets or functions |
| Parts of development lifecycle | Recurrence | Periodical exercise |
Figure 1 Difference between penetration testing and red teaming