I stopped posting questions, but this one needed to be answred. It has been answered many times, but since people still don't get it...
Question:
"Where would you say red teaming ends and pentesting begins"
Answer:
It’s two completely different things. There is no line. And will never be a line. It’s not that one ends and the other follows. have you been reading the blog? Listened to the podcast?
One is running through a series of tests, using tools and maybe finding vulnerabilities, and maybe exploiting them. That's it. this is done within the scope of your test, not deviating. Most likely on the digital side and maybe, a little part of the physical side.
The other, Red Teaming, focuses on real world attacking. It doesn't focus on a specific part, it learns the target, its culture, the people, the physical side, the digital side and all, attacking things often on unexpected places, combining many things, and getting to a specific goal. It’s not a vulnerability scan. It’s not just listing findings. It’s addressing policies, business continuity and how people and the org react to an attack. It’s stress testing teams, capabilities, access, controls, etc, etc, etc. And even all this changes all the time.
So, no, there is no line and PENTESTING IS NOT RED TEAMING!