The Cybersecurity Status Quo: Red vs. Blue Teams

It is no secret that cybersecurity teams face broad challenges, including limited budget, time, and talent. Despite these constraints, the organization expects the security team to deliver a mature program that protects the technical infrastructure and the organization's most critical digital assets.

Typically, when building a security program, a team starts with basic security controls and gradually adds defenses in a ramp-up to a formal assessment. That assessment could be a gap analysis against a specific framework, such as NIST SP 800-53, PCI DSS, or the CIS Controls, or it may include more general technical and non-technical efforts to identify key vulnerabilities. Once baseline controls are in place, the organization is ready for what may be considered the "ultimate" assessment: the penetration test. After one or more of these assessments, the Blue Team is tasked with fixing the identified issues while the Red Team moves on to another assessment or removes itself from the picture altogether.

The Collaborative Gap in Cybersecurity

Thus, the current assessment paradigm involves multiple assessments by multiple teams (internal or external) in which security issues and gaps are identified and then handed over to the engineers or analysts responsible for investigating and ultimately remediating the risk. This is a perfectly logical approach, but logic does not always equate to efficiency. The cycle of conducting an assessment, delivering the findings, remediating, and then reassessing can take months, if not years. The existing paradigm also suffers from friction that hinders collaboration and may even foster adversarial relationships. As mountains of findings pile up against limited remediation resources, the Blue Team begins to feel pummeled from multiple directions. Red Teams that lack exposure to the challenges of remediation may lose sight of the true goal: improving the organization's security posture. A Red Team can also grow comfortable with its current set of attack techniques because the Blue Team is slow to resolve known issues. This degrades the skills of Red Team operators, who have little incentive to stay on the "bleeding edge" of real-world tactics, techniques, and procedures.

The current paradigm for proactive security is heavily focused on periodic assessments with a defined start and stop to Red Team activities. This regimented engagement lifecycle, in which activities are performed separately and at separate times, contributes to the "us versus them" relationship that too often develops. Red Team activities are seldom communicated in a clear, consistent, and timely fashion. Blue Team activities are not made visible to the Red Team, depriving it of the intelligence needed to refine attack vectors and test blind spots. The lack of coordination extends to the tools used for communication and coordination. Data generated, aggregated, and enriched by both teams remains siloed within each tribe, spread across multiple tools and platforms. Consolidation and analysis of progress data lag behind current activities, leaving stakeholders and decision makers with stale analytics. Reports are abstracted into further reports and presentations, depriving leaders of the real-time view of progress needed to support resource decisions. The inefficiencies inherent in this paradigm, combined with the constraints of time, talent, and budget, ultimately produce security programs that are far too reactive.


How PlexTrac Challenges the Status Quo

Security efforts are performed in parallel and across a wide variety of physical and logical environments. Scan results, tests, assessments, and IR reports are generated in an equally wide variety of formats. Just as we need to "normalize" log data to separate signal from noise, we need to normalize the results of our information security efforts. If we want a Blue Team member to get value from an application security scanner, we can't hand them a raw Burp Suite XML export. Similarly, we wouldn't expect a Red Team member to easily pick out the "signal" in a full NIST SP 800-53 assessment. Perhaps most importantly, we can't expect senior leaders to draw meaningful insights from all of these risk-identification mechanisms unless we give them a common structure for presenting findings and overall risk.

Normalization does not, and should not, equate to filtering. Data should not be discarded to make it easier for secondary users to understand. Because risk-identification efforts produce results in such a plethora of formats, our tools need to be flexible enough to capture as much data as desired while providing a structure that lets secondary users gain insight. Even once data is normalized, not every consumer will need or want to see all of it, so our solutions should offer the same flexibility in presentation that they offer in aggregation. Today, many cybersecurity leaders rely on workarounds, such as Jira dashboards, to parse and present this data. While these workarounds can be effective, they represent an unnecessary investment of time by people who should be doing security, not analytics. Purple Team solutions should make tailoring the data effortless and be capable of delivering it in various mediums.

PlexTrac was designed from the ground up to be the aggregation, normalization and presentation platform that purple teams need to facilitate collaboration and coordination. 


PlexTrac supports collection from all the sources used to identify information security risk, including:

  • Import of results from the leading network and application scanners
  • Manual findings from penetration tests, with a fully customizable field set
  • Questionnaire- and framework-based assessments such as PCI DSS, NIST, CIS, COBIT, ISO, etc.


By organizing all risks into a common data structure, PlexTrac makes it easy for secondary consumers to understand them quickly. Ultimately, the method by which a risk is identified is irrelevant; critical risks uncovered during a compliance inspection are no less valuable than those discovered by a crack pentest team. Normalizing risk data gives leaders the conceptual framework to understand risk from all sources and make informed resource decisions.
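To make the idea of a common data structure concrete, here is an added example (not PlexTrac's code or schema) that maps two unrelated sources, a Burp-style XML issue export and a framework-assessment questionnaire exported as CSV, into one finding record, sorts them by a shared severity scale, and then produces a leadership view without discarding anything. The XML reuses Burp's element names (`issue`, `name`, `host`, `path`, `severity`, `issueDetail`) but is constructed for this example rather than taken from a real scan; the CSV columns (`control_id`, `status`, `impact`, `scope`) are an assumed questionnaire layout.

```python
"""Added example: normalize findings from two unrelated sources into one schema.
Sample inputs below are constructed; the XML imitates Burp's element names but is
not a real export, and the CSV layout is an assumed questionnaire format."""
import csv
import io
import xml.etree.ElementTree as ET  # parse untrusted exports with defusedxml instead
from dataclasses import dataclass, field
from enum import IntEnum


class Severity(IntEnum):
    """One scale for every source, so risks sort together regardless of origin."""
    INFO, LOW, MEDIUM, HIGH, CRITICAL = range(5)


@dataclass
class Finding:
    source: str           # tool or assessment that produced the record
    title: str
    severity: Severity    # normalized, not the tool's own wording
    asset: str            # URL, host, or assessment scope
    status: str = "open"  # "open" or "satisfied"; satisfied controls are kept, not dropped
    description: str = ""
    remediation: str = ""
    references: list = field(default_factory=list)
    raw: dict = field(default_factory=dict)  # original fields, so normalization never filters


BURP_SEVERITY = {"information": Severity.INFO, "low": Severity.LOW,
                 "medium": Severity.MEDIUM, "high": Severity.HIGH}


def parse_burp_xml(xml_text: str) -> list:
    """Map each <issue> of a Burp-style XML export to a Finding."""
    findings = []
    for issue in ET.fromstring(xml_text).iter("issue"):
        word = (issue.findtext("severity") or "information").strip().lower()
        findings.append(Finding(
            source="burp",
            title=(issue.findtext("name") or "").strip(),
            severity=BURP_SEVERITY.get(word, Severity.INFO),
            asset=(issue.findtext("host") or "") + (issue.findtext("path") or ""),
            description=(issue.findtext("issueDetail") or "").strip(),
            remediation=(issue.findtext("remediationBackground") or "").strip(),
            references=[f"burp-type:{issue.findtext('type') or ''}"],
            raw={c.tag: (c.text or "").strip() for c in issue},
        ))
    return findings


IMPACT_SEVERITY = {"low": Severity.LOW, "moderate": Severity.MEDIUM, "high": Severity.HIGH}


def parse_assessment_csv(csv_text: str, framework: str) -> list:
    """Map questionnaire rows to Findings. Implemented controls become
    'satisfied' records (INFO) rather than being thrown away."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["status"].strip().lower()
        sev = IMPACT_SEVERITY.get(row["impact"].strip().lower(), Severity.MEDIUM)
        state = "open"
        if status == "implemented":
            sev, state = Severity.INFO, "satisfied"
        elif status == "partially implemented":
            sev = Severity(max(sev - 1, Severity.LOW))  # a partial gap is one step less severe
        findings.append(Finding(
            source=framework, title=f"{row['control_id']} {row['title']}", severity=sev,
            asset=row["scope"], status=state, description=row["notes"],
            references=[f"{framework}:{row['control_id']}"], raw=dict(row),
        ))
    return findings


def merge(*sources) -> list:
    """One list, highest risk first, with the source only as a tie-breaker."""
    return sorted((f for src in sources for f in src),
                  key=lambda f: (-int(f.severity), f.source, f.title))


def executive_view(findings, min_severity=Severity.MEDIUM) -> dict:
    """Presentation-layer filter: count open findings at or above a threshold.
    The underlying list is untouched, so analysts can still drill into all of it."""
    counts = {}
    for f in findings:
        if f.status == "open" and f.severity >= min_severity:
            counts[f.severity.name] = counts.get(f.severity.name, 0) + 1
    return counts


# Constructed sample inputs (not real tool output).
SAMPLE_BURP_XML = """<?xml version="1.0"?>
<issues>
 <issue><serialNumber>1</serialNumber><type>1048832</type><name>SQL injection</name>
  <host ip="10.0.0.5">https://app.example</host><path>/search</path><severity>High</severity>
  <issueDetail>The q parameter is concatenated into a query.</issueDetail>
  <remediationBackground>Use parameterized queries.</remediationBackground></issue>
 <issue><serialNumber>2</serialNumber><type>5243392</type><name>Cookie without HttpOnly flag</name>
  <host ip="10.0.0.5">https://app.example</host><path>/login</path><severity>Low</severity></issue>
</issues>"""

SAMPLE_ASSESSMENT_CSV = """control_id,title,status,impact,scope,notes
AC-2,Account Management,Partially Implemented,High,Corporate AD,No quarterly review of service accounts
IR-4,Incident Handling,Not Implemented,High,Enterprise,No written IR plan
AU-2,Audit Events,Implemented,Moderate,Enterprise,Central logging in place
"""

if __name__ == "__main__":
    everything = merge(parse_burp_xml(SAMPLE_BURP_XML),
                       parse_assessment_csv(SAMPLE_ASSESSMENT_CSV, "nist-800-53"))
    for f in everything:
        print(f"{f.severity.name:8} {f.status:9} {f.source:12} {f.title}")
    print(executive_view(everything))
```

Two design points worth noting. The `raw` field and the "satisfied" status are what keep normalization from turning into filtering: the pentest issue and the passed control both survive in the same list, and `executive_view` decides what a given audience sees at presentation time rather than at ingestion. And because the severity scale is shared, a "Not Implemented" high-impact control from the compliance questionnaire sorts beside the scanner's SQL injection instead of living in a separate report.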


Presentation: PlexTrac's analytics allow leaders to view the data they need with a few clicks in a web-based platform, without building custom dashboards or Excel macros. Because remediation efforts are tracked within the platform, the data is never stale. Custom export templates allow for standardized, professional document-based reports, tailored to exactly the data you intend to present.
