Salted Hash Ep 34: Red Team vs. Vulnerability Assessments

Words matter. This week on Salted Hash, we talk to Phil Grimes about the differences between full Red Team engagements and vulnerability assessments

Words matter, something Phil Grimes, Professional Services Lead at RedLegg, knows all too well.

But the concept of 'words matter', or the need for a standardized vocabulary for Red Team engagements and penetration tests, isn't a new one. Dan Tentler, the founder and CEO of the Phobos Group, has been talking about this since 2017.

This week on Salted Hash, Grimes (a.k.a. Grap3_ap3), discusses why words matter, the concept of scoping for Red Teams, and shares more stories from his days in the field as we discuss tailgating and dumpster diving.

Customers sometimes bite off more than they can chew. It's a recurring struggle for those working in the security space who deal with Red Team engagements.

An organization, for example, will ask for a full Red Team assessment, but then limit the engagement to the simple checks a basic vulnerability assessment would cover. Or worse, they assume they're prepared and are gutted when a full Red Team engagement goes through their security program like wet tissue.

"Be honest with yourself. Don't try to fool yourself, your peers, or your bosses, into thinking that your [security posture] is better than it is," Grimes says, offering thoughts on how organizations can know when they need a vulnerability assessment and when they're ready for a full Red Team engagement.

After that, "find someone you can trust to work with to evaluate and improve that posture."

In addition to this week's episode, make sure you listen to Grimes share more stories on the Salted Hash podcast below. The video that follows it is Dan Tentler's talk from Circle City Con, which is closely related and worth watching.

Words on a ceiling: Red Team stories with grap3_ape

Words Have Meanings by Dan Tentler:
