As red teamers, we sometimes assume that the need for red teaming is self-evident, and, given this assumption, we proceed to promote the practice through example and anecdote (the more entertaining, the better): “Look what happened to Company X! They forgot to red team, poor fools,” or “You won’t believe what our extremely clever red team uncovered!” While anecdotes can be illustrative and persuasive, grounding our efforts on a more solid foundation is long overdue.
Let’s start with the goal. Red teaming can be fun, and identifying an unexpected vulnerability can give a team a surge, but the real purpose of red teaming is to help improve the client’s decisions. If we all made great decisions all the time, red teamers would be out of business. The root of red teaming, then, is the poor decision, and it’s there that we should look in order to unpack the need.