BAS vs. Pentesting vs. Red Teaming

Offensive security testing comes in different approaches. The prominent names are breach and attack simulation, penetration testing and red teaming. Their common goal is to determine the strengths and weaknesses of security defenses in systems by assessments based on attacks. But they differ in their execution. At least as they are conceived most commonly. Mainly, there are differences in whether they involve manual tests, assess the attack surface continuously, attack with the organizations' security teams' awareness of the contract, include security at more than the IT system level, and have only specific crown jewels in their scope. At Fluid Attacks we see the shortcomings in the way most products and providers conduct some of these approaches and raise our own way, based on what we perceive to be the present and future of cybersecurity.

Breach and attack simulation solutions have been introduced to the market of security testing more recently than penetration testing solutions. In some instances, they are pitted against each other with the purpose of answering which one is best. Still, because they share the goal we mentioned above, there's confusion around the differences between the two.

Most BAS descriptions agree that this approach tests the effectiveness of the security controls of organizations' systems through attack simulations. Especially, it evaluates whether controls are configured correctly and can aptly detect, resist and respond to the latest threats and techniques. (To learn which controls are paid the most attention, read our blog post about BAS.)

Penetration testing is a quite more familiar term for some. We describe it as the simulation of attacks that a genuine threat actor may conduct against systems. It usually involves looking for vulnerabilities and generating exploits to bypass the system defenses. The targets are often the same controls that are tested with BAS solutions.

Their differences are in the execution. One such difference is most BAS solutions rely solely on tools, whereas penetration testing is always done manually. Indeed, pen testing is performed by humans, who can creatively launch exploits according to the organizations' context and imitate the likely behavior of criminals. (So, throughout this writing we are always referring to "manual penetration testing.") Despite the seemingly legit claims by some vendors that their tools leverage this methodology, we have argued in a previous blog post that there is no such thing as automated penetration testing.

Manual work helps accuracy and detecting the issues that represent the most exposure to attacks. (To learn more, read our 2022 report.) Ethical hackers, or pen testers, use the same tools and techniques a malicious threat actor would. Contrary to tools, they can get started as soon as cybersecurity researchers and response teams, among other entities (e.g., the US Computer Emergency Readiness Team), announce the threats. This prevents causing a time window during which the current threats may hit the systems.

Another difference is that BAS solutions always test systems continuously, whereas most pentesting offerings assess them just regularly. Please notice we say "most": A model that addresses the need of continuous penetration tests does exist and is called penetration testing as a service (PTaaS). In regards to cybersecurity spend, it is the general opinion that having humans perform security testing is more costly than relying on automation. But given what was explained above, it may actually be more costly in the long run to stick to automation only and avoid continuous manual assessments.

At Fluid Attacks, we acknowledge the limitations in the way penetration testing solutions are conducted in the industry. Our understanding is that, as threats evolve constantly and rapidly, security testing should support prevention effectively. It can do so by providing accurate and updated statuses of the security of systems. For this reason, we offer a penetration testing solution along with automated security testing in a single service offering, Continuous Hacking. We combine automation and manual work to test systems continuously. Our vulnerability scanner runs permanently, and at the same time we assign a team of ethical hackers to probe systems. This methodology allows organizations to make sure that every change in their systems can withstand the relentless efforts of attackers to get in.

Red teaming is another familiar term that refers to the simulation of real-world attacks. In this approach, security specialists attack under the modality of what are known as "red team exercises." These are essentially operations where they, the red team, advance offensively toward specific objectives. The target organization must detect the attacks and respond. In such exercises, different teams may be created: blue team, white team and purple team.

The above suggests a couple of differences to other offensive security approaches in terms of execution. For instance: In red teaming, none, or some, of the defenders know the attackers are contracted by the target organization, whereas in penetration testing all the defenders are fully aware of it.

We have included this in a previous blog post as one of our suggested management policies for conducting offensive security tests. In short, red teams should act just like malicious threat actors, who do not notify when, how and where they will attack, what techniques they use, what information they have accessed, etc.

Further, as could be suspected from our definition of red team exercises, in red teaming, the attackers often have only specific crown jewels in their scope, whereas in penetration testing the objective often is to find all the vulnerabilities and weaknesses in a system.

Another difference, which is one we mentioned earlier, is that red teaming may target an organization's employees and physical facilities, whereas pentesting solutions often attack only IT systems. This means that a red team would engage in activities such as social engineering (e.g., attempting to influence employees to take security risks) and trying to penetrate the company's facilities (e.g., to install devices).

At Fluid Attacks, we offer our red teaming solution in which we agree with our clients on which targets to attack. We do this, again, combining automated tools and human ingenuity to evaluate targets continuously.

It could be easily guessed that the differences between breach and attack simulation and red teaming mirror those between the former and penetration testing. That is, BAS solutions normally rely on automation and test continuously, whereas red teaming solutions rely on ethical hackers and normally test only regularly.

There is yet another issue to address. Some vendors claim that their BAS tools have red team and blue team features. That is, they emulate today's adversarial threat actors and provide insight on mitigation. And thus, they help purple teaming tasks. But all this seems like an effort to liken tool actions to what happens in a red teaming exercise. In the end, as long as the organization is run by humans, who panic at the moment of discovering a breach, are influenced by social factors, make mistakes, etc. these tools could not accurately test blue team operations. We mentioned above how tools are limited also in their red team operations. In short, continuous manual intervention is always necessary. Combining it with automated scans helps getting an accurate idea, and fast, about the security status of organizations.

At Fluid Attacks we conduct offensive security testing continuously, combining automation and manual work. Take your time to learn more about our penetration testing and red teaming solutions.

You can also check out our 21-day free trial of automated security testing. You can upgrade at any time to include offensive security testing.