From pentesting to red teaming: Security testing solutions compared

Security testing solution 1: Vulnerability management

The role of a vulnerability management solution is to scan your environment for network and application vulnerabilities that haven’t been patched yet, and to help you manage the process of getting them fixed.

  • Even with real-time visibility of new vulnerabilities (and, with some modern solutions, predictive prioritization), most security teams oversee such complex IT environments that patching remains an onerous, time-consuming task. If the solution lacks context on other control capabilities, false positives can also muddy the waters.
  • More importantly, vulnerability management focuses on vulnerabilities — not the actions of threat actors themselves. So, while they help draw attention to possible points of compromise, they can’t advise on whether there’s a real risk that one of those points of compromise will be targeted. This stops security teams from taking a pragmatic view of each vulnerability, and prioritizing patches based on the value to the business.

Security testing solution 2: Pentesting

Penetration testing, or pentesting, is another common and well-known security testing solution. In a penetration test, an organization hires a trusted third party to attempt to breach their IT environment using the same tools and techniques as a real threat actor.

Security testing solution 3: Red teaming

A red team exercise is essentially a much more sophisticated and comprehensive version of a pentest, taken a number of steps further in terms of replicating real-world threat behavior.

Security testing solution 4: Breach and attack simulation (BAS)

Finally, breach and attack simulation (BAS) is a relative newcomer to the security testing world.

  • It should keep up with the threat landscape and use the latest threat intelligence as it becomes available.
  • It should provide continuous security validation 24 hours a day, seven days a week, 365 days a year.
  • It should be able to assess existing control capabilities, ensuring security teams aren’t flooded with false positives.
  • It should provide mitigation instructions for each threat sample, linked back to existing detection and prevention technologies in use (such as detection rules for your SIEM system).
  • Like red and blue team testing, it should facilitate effective communication and collaboration between stakeholders.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Picus Security Inc.

Picus Security Inc.


Breach and Attack Simulation (BAS) | Continuous Security Validation | Gartner Cool Vendor