Red Team vs. Blue Team: How They Impact Your Cybersecurity Career

Defending organizations’ IT networks and data has never been tougher for tech and cybersecurity pros. A report from consulting firm Accenture finds survey respondents reported an average of 270 separate attacks on their infrastructure in 2021—a 31 percent increase from the previous year.

With cybersecurity threats on the rise, private firms and government agencies are looking to invest in security, even with the threat of a possible economic downturn in the U.S. and elsewhere. Research firm Gartner predicts an 11 percent increase in security spending between 2022 and 2023, with the total hitting $187 billion next year.

A portion of this spending is likely to help boost defenses against various cybersecurity threats, which means more investment in Red team and Blue team engineers. These two highly specialized groups, which are sometimes found in-house or hired via consulting firms, help test defenses against attacks, as well as come up with recommendations for cybersecurity improvements.

“Regarding how the teams work together: it’s a symbiotic relationship between sparring partners. Red and Blue teams ‘ping-pong’ ideas off of each other, make modifications, and gradually improve each other’s knowledge, understanding, and posture,” said Tim McGuffin, director of adversarial engineering at LARES Consulting.

What Are the Differences Between Red and Blue Teams?

While Red and Blue teams work together, their roles are distinct.

Red team engineers, for instance, play the role of the adversary. They “attack” networks and infrastructure to look for weak points and poor security configurations. “This role includes performing adversary emulation, a type of Red team exercise where the Red team emulates how an adversary operates, following the same tactics, techniques, and procedures, with a specific objective similar to those of realistic threats or adversaries. It can also include creating custom implants and [command-and-control] frameworks to evade detection,” according to the SANS Institute.

A Blue team engineer (or Blue teamer) can have several titles and is usually an in-house security professional tasked with engineering and architecture, incident triage and response, security tool administration and more, according to SANS. Their primary purpose during a security tabletop exercise is to stop the Red team attacker and neutralize the threat.

For tech or cybersecurity pros looking to advance or try a new career, Red and Blue team engineers can have notably different salaries. A Red teamer currently commands a base salary of about $108,400 in the U.S., according to statistics from Glassdoor. A Blue team engineer, however, can expect a base pay of about $48,900, according to the same data—but that could also climb as high as $108,000, with many companies offering much greater base pay.

What Skills Are Needed for Red and Blue Team Engineers?

Red and Blue team engineers need specific skillsets to take on these jobs.

For instance, a Blue teamer needs deep knowledge of the specific area they’re protecting within their organization (for example, cloud architecture and platforms), as well as working knowledge of how this area of the company interacts with and affects other departments and divisions. If the engineer is working within a security operations center (SOC), they would need to understand defensive monitoring and alert triage, how those alerts are generated within the system, and what the logging pipeline is like, and they would need to be able to infer the origin of any future malicious activity.

“This goes back to the operational security fundamentals as well as a solid understanding of the business, system components and connections, what accounts were involved, and institutional knowledge,” McGuffin told Dice. “That’ll help triage and rapid escalation of true positives so they can be reacted to promptly, because threat actors like ransomware operators are going for speed and impact, so minutes lost in triage can be bad.”

The skills are different for a Red team engineer. They must understand threat actors and their capabilities and techniques, as well as how to perform some of those techniques in a simulated situation to test defenses. 

“Using that combination of knowledge and skills, a Red teamer looks for opportunities for an attacker to compromise processes, data or identities within the company,” Aaron Turner, CTO for SaaS protection at security firm Vectra, told Dice. “The wider experience the Red teamer has—across physical and network security, supply chain and vendor operation—the more effective they are. For example, a good Red teamer will analyze the physical security controls around technology infrastructure where a physical weakness could be exploited to gain privileged access to networks, data or identity infrastructure.”

While both positions can serve as entry-level careers for those interested in cybersecurity, Blue teamers tend to have greater responsibility. “It is possible for someone to get an entry-level job within each of these disciplines, but the progression applies that generally, it’s easier to break things than fix things. So, the Blue teamers usually have greater responsibility and therefore need to keep themselves current on a wider domain of knowledge,” Turner added.

Justin Wynn, principal consultant for adversary ops at security consulting firm Coalfire, noted that the most challenging tasks of these exercises are usually the responsibility of the Blue team engineers. “Blue team is a grueling job—even if they’ve secured everything as best they can, there’s always the looming threat of a zero-day, which can compromise an asset and require them to respond to an incident in real time,” Wynn told Dice. “The Red team only needs to get lucky once and advanced threats can have undisclosed exploits or sit and wait for an opportunity to present itself.”

Whether technologists and cybersecurity experts find themselves drawn to Red or Blue teams, Wynn noted that preparing for these roles requires a similar mindset and attention to specific details and training.

“Each role requires a deep technical understanding of how the technologies work and the related security concerns,” Wynn added. “The skillset required to effectively manage these requirements is endless, often requiring a well-rounded team with a deep understanding of networking, full-stack development, common security vulnerabilities, and more—all while staying on the bleeding edge of developing security issues.”

Where Can Aspiring Red and Blue Teamers Start?

In general, only the largest private companies can house both a Red and Blue team within their security organization. In many instances, enterprises will have Blue teamers in-house and turn to consulting firms to provide Red teamers to help with tabletop exercises and testing defenses.

Several experts noted that aspiring Red and Blue teamers can find numerous opportunities to test their skills. “For folks who are just starting their journey and want to get involved in Red teaming, the best thing to do is find an organization without a lot of resources and volunteer to do some work,” said Vectra’s Turner. “For example, municipal governments and public school districts—all of these need to secure their environments, but generally do not have the budget to pay for a full Red team engagement. Working through local security organizations like ISSA or InfraGard, a beginner could establish relationships to create a volunteer Red teaming organization, sort of like how volunteer firefighters work.”

For those looking to add a certification to their resume, the SANS Institute offers several courses for cybersecurity pros. For example, SANS recommends its “SEC530: Defensible Security Architecture and Engineering: Implementing Zero Trust for the Hybrid Enterprise” course for Blue teamers. Meanwhile, its “SEC565: Red Team Operations and Adversary Emulation” course is geared toward Red teamers.

“There’s foundational knowledge that should be required for both teams,” McGuffin added. “One person doesn’t have to know every one of these, but it’s suitable for at least someone on the team to have knowledge in these areas and share that knowledge when necessary. Network and system architecture, operating system and systems administration fundamentals and a functional understanding of their organization’s core business and assets are all good to know.”