How to red team on a shoestring

The goal of red teaming is to emulate danger and measure how effective your defenses are. You can also use it to train teams in a safe context.

Startups don't have the resources to conduct operations like this. But you might still be able to enjoy the general approach.

The key is in leveraging your existing software development lifecycle.

  1. Security subject-matter experts develop threat models with stakeholders.
  2. Product managers collaborate with SMEs to come up with attacker stories.
  3. During development, software engineers write test generators against those requirements.
  4. Site-reliability engineers generate tests and run them against the production environment.
  5. Management reviews testing results every sprint.

Incidents caused by tests in production trigger your incident response plan. You can then use these opportunities to train staff, test detection capabilities, calculate response times, and measure the efficacy of plans against expected results.

It won't be as exciting as classic red teaming exercises, but you will be able to go far with a small budget.

I hope you found this valuable

I send out an e-mail whenever I publish new content. It's free. No spam. Unsubscribe whenever you want.