Security culture reset

Red Team Sucks is not a strategy.

The phrase is a symptom. The answer is partnership, signal, empathy, and curiosity. Red Team is not the opposing blade. Red Team is the whetstone: a controlled partner that helps Blue sharpen for the real fight.

Start the reset Read the whetstone doctrine

In one sentence

Same Team, One Fight.

Catching Red is a checkpoint, not the win. The win is a trusted signal, a humane response path, a better protected user, and a detection or control that still works when the adversary changes infrastructure, tooling, timing, or technique.

Whetstone doctrine

Red Team sharpens Blue. It is not there to fight Blue.

Red Team is a controlled adversary simulation. It creates pressure without the full blast radius of a real compromise. The point is not to win a duel. The point is to leave the organization sharper than it was before the exercise began.

1

Treat Red as a sharpening partner.

Red exposes seams, not personal failure. Every path they take is a chance to improve telemetry, response, hardening, recovery, and the judgment needed to handle the real thing.

2

Do not optimize for the exercise artifact.

Detections built around Red’s budget, lab constraints, tool defaults, IP space, or known payloads may catch the exercise while missing the adversary. That is not winning. That is gaming the test.

3

Leave the user more protected, not more blamed.

Users are customers of the security program. If they clicked, typed, approved, or trusted the wrong thing, the job is to understand why and make the safer path easier next time.

Why it matters

Turning the exercise into a contest dulls both edges.

“Red Team sucks” usually points at friction: embarrassment, fatigue, alert pressure, unclear rules, or a belief that Red exists to score points. That frame pushes Blue toward defensive theater instead of durable readiness.

1

It rewards scoreboard behavior.

If the goal becomes “catch Red,” teams start building traps for the people in the exercise instead of detections for the adversaries outside the building. The metric looks good while the risk stays.

2

It mistakes suspicion for maturity.

A mature Blue Team does not need to treat every Red action as an insult. It asks what signal existed, what signal was missing, and what response would have worked under real pressure.

3

It turns users into punchlines.

“The user was stupid” is not a root cause. People are busy, distracted, under-trained, overloaded, and trying to do their jobs. Security has to meet them with customer service, empathy, and curiosity.

Better questions

Replace the race with a diagnosis.

The fastest way to improve the exercise is to stop asking who won and start asking what got sharper. These questions keep the conversation specific, testable, and useful.

Stop asking:

  • Did we catch Red?
  • How do we stop this exact tool next time?
  • Which user messed up?
  • How do we prove Red cheated or got lucky?

Start asking:

  • What adversary behavior did this represent?
  • What signal should have existed across endpoint, identity, network, SaaS, or logs?
  • What made the unsafe user choice feel reasonable in the moment?
  • How do we validate the response against variations, not just the original run?

Practitioner commitments

Blue has a job in the reset.

Collaboration cannot mean “be nicer” and stop there. It needs explicit behaviors from detection, response, and user-facing security teams that convert exercise pressure into operational confidence.

Detection

Build signal that generalizes.

  • Detect behavior chains, not just tool strings, provider names, or exercise infrastructure.
  • Document the adversary behavior each rule is supposed to catch.
  • Test detections against variants: different tooling, hosting, timing, and opsec levels.
  • Measure false positives, false negatives, and analyst action cost.
  • Retire rules that only exist to catch the last Red Team run.
Response

Own the path from alert to confidence.

  • Turn detections into triage steps, containment options, and escalation paths.
  • Ask Red for reproduction details, tradecraft, and safe re-test support.
  • Validate whether the alert drives the right decision quickly enough.
  • Capture what evidence was missing and how to get it next time.
  • Close the loop with lessons learned, not just alert closure.
Users

Treat people like customers.

  • Assume users are trying to do their jobs, not trying to fail security tests.
  • Interview with curiosity before writing policy, training, or blame language.
  • Make the safe path obvious, fast, and compatible with real work.
  • Explain risk in plain language without humiliation or gotcha theater.
  • Use Red’s user-facing scenarios to improve service, not shame.

What not to do

Cheating the exercise is not defending the enterprise.

Direct rule: do not prepare your blade to fight the whetstone itself. Detections that only trigger on Red Team constraints create a false sense of security and waste the one safe chance you had to learn.

Vanity detections

  • Alerting on a commercial C2 string with no behavior context.
  • Blocking a whole budget cloud provider because Red used it once.
  • Matching known Red Team staging paths, filenames, or default lab conventions.
  • Writing rules that collapse as soon as Red changes payload, host, timing, or domain age.

Useful detections

  • Suspicious process ancestry combined with rare outbound behavior.
  • Identity events that show impossible travel, token abuse, consent risk, or abnormal MFA behavior.
  • Cross-source corroboration across endpoint, DNS, proxy, identity, cloud, SaaS, and email.
  • Rules with known limits, test cases, response steps, and a plan for tuning over time.

Starter kit

A 30-day reset you can actually run.

Do not start with a culture poster. Start with one Red Team path and use it to build signal, response clarity, and a better user experience that survive realistic variation.

1

Pick one user-facing or detection-heavy path.

Choose phishing, MFA fatigue, SaaS consent, endpoint execution, credential reuse, lateral movement, data access, or any path where the current response feels adversarial or brittle.

2

Separate behavior from exercise artifact.

Write down what Red actually represented: the adversary behavior, required telemetry, expected analyst action, expected user experience, and known blind spots.

3

Build one response path.

For each alert or user report, define the first decision, evidence needed, containment options, customer-facing language, escalation owner, and definition of confidence.

4

Ask Red to vary the pressure.

Re-test with changed infrastructure, tooling, timing, user lure, opsec level, and data path. If the signal survives variation and drives the right response, you got sharper.

Measure what matters

Use metrics that expose readiness, not ego.

Culture improves when the operating system improves. These measures show whether Red Team work is becoming trusted signal, faster response, kinder user interaction, and fewer repeat failures.

TTS Time to signal: how quickly the right telemetry becomes visible.
TTU Time to understand: how quickly analysts know what happened and why it matters.
UX User experience quality: how clearly and respectfully security guides the person involved.
Variant % Detection survival rate across changed tools, infrastructure, timing, and tradecraft.

The pledge

Hold the line on the culture you want.

The goal is not to make Red comfortable at the expense of truth. The goal is to use controlled pressure to build signal, response quality, and user trust before real attackers force the lesson.

I will treat Red Team as a whetstone, not an enemy blade.

I will not call it winning when I only detected the constraints of the exercise.

I will treat users like customers: with empathy, curiosity, and clear service.

I will build signal and response paths for real adversaries: Same Team, One Fight.

Back to top Read the companion reset