A Beginner’s Guide to Red Team vs Blue Team

Written By Jess Feldman

Edited By Jennifer Inglis

Last updated on March 14, 2024

Cybersecurity is like a game of chess, with “red teams” and “blue teams” charged with attacking and defending cyberspace. Josh Mann, a lead cybersecurity instructor at Fullstack Academy, breaks down the main responsibilities and top skills of red and blue team members. Plus, find out how Fullstack Academy incorporates red team vs blue team into their Cybersecurity Bootcamp curriculum to increase their students’ hireability after bootcamp graduation! 

What is Red Team vs Blue Team?

“Red team versus blue team” is how most cybersecurity works! The red team versus blue team approach borrows from the military concept of having an attacking and defending team. The red team is trying to attack a system, whereas the blue team is trying to defend that system from attackers. It’s like a game of chess where you have to defend your systems, predict what the attackers are attempting, and then determine how to detect and analyze what attackers are doing and respond accordingly. 

Is red team vs blue team something that all organizations, no matter what size, incorporate into their cybersecurity strategy? 

Generally, most companies have a lot of blue team-type of material in their environment. Some companies will include red team services within their own organization to look for ways to attack themselves.

What is a Red Team?

The red team in cybersecurity are those who are trying to attack to get into a system. They are looking for any sort of weakness that might exist in a blue team's defenses. They're going to script out and automatically send as many attacks as they can. 

The red team operates like someone trying to break into a house. They are going to check every window to see if it's open, wiggle the door to see if it's unlocked, and look for any vulnerabilities or weaknesses in the structure that they can exploit.

The top skills a red teamer needs to have are: 

  • Resiliency
  • Grit
  • Drive to figure out the puzzle
  • Persistence

They often say in the industry that the great thing about being on the red team is you only have to be successful once! It doesn't matter if you fail a hundred times; if you're successful on the 101st try, you write your report about how you got into the system and get all the credit.

What is a Blue Team?

The blue team is responsible for surveying and defending systems. They are tasked with looking for people who break the rules that will then allow them access to a system. 

If we’re thinking back to the house burglary scenario, the blue team’s main concern is how to keep the house safe. They are making sure the doors and windows are sealed and locked, but they’re also interested in how to be prepared and respond to an extraordinary situation like a rock being thrown through a window. 

The top skills a blue teamer needs to have are: 

  • Keen investigative skills
  • Detail-oriented
  • Methodical

The blue team member is examining logs and looking for anomalies. There's a lot more investigation as they read through reports and logs and cite any details that could indicate a potential threat. 

The Red Team vs Blue Team Process

The way that a red teamer attacks is broken down into a variety of phases. Some frameworks that are often used in the industry, like the MITRE ATT&CK Framework as well as the Cyber Kill Chain, break up the steps that an attacker would do. 

  • For example: The red team will do reconnaissance. They'll explore the system, figure out how to get in, and how to attack it. Then they'll move into a stage where they will try to exploit the system to see if they can get in. If they can, they will try to make sure they don't get detected so they can test how far they can get into the system. 

The blue team will often work with the red team to plan a break-in. Taking what they learn from the red team’s efforts, the blue team will then build their strategies. 

Do the red team and blue team ever work together?

Since the red team is emulating what real adversaries of an organization would be doing, it gives the blue team a practical test example to prepare for instead of having to fail in real life. 

Additionally, sometimes organizations will have a “purple team” where they mix the blue team and red team. In that scenario, the red team will attack using some of the newest discovered vulnerabilities and guide the team on how to protect against the new threats that are detected in the threat space.

Cybersecurity Careers on Red Team and Blue Team

What kinds of cybersecurity jobs will include red team and/or blue team responsibilities?

Red team roles are generally those that try to break into systems. A red team cybersecurity job title may be Penetration (Pen) Tester, Ethical Hacker, Exploit Developer, or Vulnerability Assessor.

Blue team roles fall into Cybersecurity Analyst roles. Many blue team roles can be found in the Governance, Risk, and Compliance (GRC) field. As a blue team member in GRC, you’ll be thinking about the acceptable risks to an organization, how to match the best practices with suggested standards, and incident response.

Are red team/blue team skills expected of entry-level cybersecurity professionals?

Usually, an entry-level cybersecurity hire would start off in a blue team. That doesn't mean they can't go straight into the red team; it's just more common to see them go into the blue team. The blue teamers need to know exactly what a red teamer is doing. They need to know what types of attacks are happening, what things their environment is susceptible to, and what they would be seeing, and then build up the protections for that to see if they were attacked. 

Do cybersecurity professionals see any kind of salary bump for having red or blue team skills?

Generally, salary increases are more specific to experience level and tool proficiency. However, for red teams, there are often “bug bounties” where organizations pay large sums of money if you find a weakness in the program and you tell them instead of selling it to cybercriminals. For example, Google will pay thousands of dollars for reporting a bug to them rather than trying to sell it to a cybercriminal! 

Do you need cybersecurity certifications to work on either the red team or the blue team?

Cybersecurity is one of the few industries where experience or certifications like CompTIA Network+ can often work in place of traditional degrees if you can show what you know. Some companies still want degrees, but often job descriptions will say, “Experience in lieu of education is acceptable.”

At this point, is generative AI affecting how red teams or blue teams function?

It is definitely where the future is heading on both teams! There are overblown fears that red teams could be replaced by generative AI, which could automate attacks. Blue teams are using those same skills now to build systems that will automatically look for attacks to catch suspicious things that may be missed by human eyes. The addition of AI tools does not replace the need for experienced red team and blue team professionals, though.

Learning Red Team vs Blue Team at Fullstack Academy

The first section of Fullstack Academy’s Cybersecurity Bootcamp is dedicated to building foundational skills in Linux and Windows, networking, Python, and scripting. Building on those skills, students learn the rules of what a computer system is supposed to do. Then, we take students into the red team and show them how to get a computer to not follow the rules. Once students have learned they can break the rules and make the computer do something it wasn't supposed to, they can learn how to detect and catch it on the blue team, seeing how obvious an attack was.  

What specific skills or tools will students learn in the Cybersecurity Bootcamp?

Students will work in a variety of different cybersecurity tools, often built into a purpose-built Linux system, called Kali Linux, that has a lot of these tools pre-installed for students. There are tools to examine what's happening on the network and tools to make a web request. Then you can make slight adjustments to get what you want instead of what is supposed to happen.

Do you think having a working understanding of red team/blue team improves Fullstack Academy’s students' hireability?

Absolutely! One of the best things about going through a program like this is students get hands-on with these tools to see exactly what an attacker or defender would be doing in these situations. They gain experience at Fullstack Academy instead of only gaining theoretical knowledge of types of attacks and what companies use. 

Do you have any former students who are now working on red or blue teams? 

We’ve had alumni land roles in both situations. It is less common for students to wind up in a red team, especially right after the program, but it does happen. I’ve definitely seen students get hired onto blue teams as Cybersecurity Analysts, Defenders, or Incident Responders in a variety of different organizations!

What is your advice to incoming students who want to end up working on a red or blue team? What can they do to make the most of their time at Fullstack Academy?

Find out what excites you and have the grit to keep moving forward in the program. Keep an enthusiasm for learning and growing. The industry changes so fast and you’ll need to keep learning. Maintain a sense of curiosity and you’ll be very successful! 

Find out more and read Fullstack Academy reviews on Course Report. This article was produced by the Course Report team in partnership with Fullstack Academy.

About The Author

Jess Feldman

Jess Feldman is an accomplished writer and the Content Manager at Course Report, the leading platform for career changers who are exploring coding bootcamps. With a background in writing, teaching, and social media management, Jess plays a pivotal role in helping Course Report readers make informed decisions about their educational journey.
