
2020 Red and Blue Team Survey Reveals Positive Trends 

  • Aug 18, 2020
  • Sam Humphries
  • 5 minutes to read


    In 2019, Exabeam conducted its first study of red/blue team testing. Exercises in which a red team attacks and a blue team defends are a popular way for companies to find and address their most significant vulnerabilities and security gaps. To clarify what we mean by red team and blue team (there are many different descriptions, and even capitalization can change the meaning), we are talking about offensive (red) versus defensive (blue) cybersecurity teams. A red team may be a group of internal or external security experts that emulates the tactics cybercriminals use against a company’s current security defenses. A blue team comprises the organization’s internal security personnel, whose goal is to stop these simulated attacks.

    Exabeam recently conducted a similar survey of red and blue teams in 2020. In comparing the results from both studies, we were excited to see several positive trends. 

    • More companies are conducting red team exercises. Our 2020 survey revealed 92% of companies are performing red team exercises, compared to 72% in 2019.
    • Thirty-six percent more firms are conducting blue team exercises, and blue teams are more effective. In our 2020 survey, 96% of respondents indicated they’re performing blue team tests. Eleven percent of these companies always catch their red teams. In comparison, in 2019, 60% of companies conducted blue team exercises, and only 2% of respondents indicated they always caught their red teams.  
    • Security investments are up by 6%. This year’s survey reveals 80% of companies have increased their security investment as a result of red and blue team exercises. In 2019, 74% of security professionals reported increasing security infrastructure investments as a result of red and blue team testing.

    What’s behind the positive trends?

    More than likely, the growing number of cyberattacks is a key driver for the increase in red and blue team exercises, but other factors are potentially at play. As more companies move to the cloud and more employees work remotely, the number of attack vectors grows, which in turn increases the type and amount of exercises needed. Regulatory compliance may be another driver: companies face increasing regulations, some of which require them to perform regular tests to protect customer data and consumer privacy.

    Red and blue teams have more technology and intelligence at their disposal now to address these growing cyber risk challenges. Blue teams can use machine learning (ML) and artificial intelligence (AI) systems to learn the characteristics of attacks, and AI and ML can also automate parts of their work. Furthermore, data about vulnerabilities, attacks, and cybercriminal activity is growing. Take the MITRE ATT&CK framework, for example, which provides a globally accessible knowledge base of adversary tactics and techniques drawn from real-world and historical observations. By aggregating and analyzing this data, blue teams can more efficiently identify the types of attacks they are most likely to experience. Improvements in endpoint protection tools also allow blue teams to go on the offensive with threat hunting.

    User and entity behavior analytics (UEBA) is another solution blue teams are using to respond to threats proactively. UEBA solutions use analytics technology, including machine learning and deep learning, to discover abnormal and risky behavior by users, machines, and other entities on your corporate network.

    SOAR (security orchestration, automation and response) is another tool that is becoming more popular for helping teams proactively manage threats. SOAR, a collection of compatible software programs, allows an organization to collect information about security threats and respond to low-level security events without human intervention. Blue teams can use SOAR playbooks to automate low-level security defenses.

    2020 red team and blue team survey results

    Take a closer look at our 2020 findings to see how your company compares:

    Red team exercises are conducted regularly by most companies

    Our survey found 92% conduct red team exercises regularly. Of those, 26% conduct exercises once a month or more, 25% once every 2-6 months, 32% once every 7-11 months, and 8% once a year.

    Figure 1: Ninety-two percent of respondents conduct red team exercises regularly.

    Blue teams conduct defensive exercises regularly

    In terms of security teams and their defensive capabilities, 96% perform tests regularly. Of those, 4% conduct tests once a month or more, 46% once every 2-6 months, 38% once every 11 months, and 8% once a year.  

    Figure 2: Ninety-six percent of respondents conduct blue team exercises on a regular basis to test their defensive capabilities.

    Purple teaming exercises shift from passive to active

    Purple teams are composed of members from red and blue teams. The goal of purple teaming is to encourage information sharing between red and blue team members to improve a company’s overall security program. Red and blue teams test controls in real time, more closely simulating and responding to an actual attack. Purple teaming allows organizations to conduct more complex what-if scenarios to test controls and processes.

    Our survey found 96% of respondents conduct purple team exercises. Of those, 34% perform tests once every 2-6 months, 50% once every 7-11 months, and 12% once a year.

    Figure 3: Ninety-six percent of respondents conduct purple team exercises on a regular basis, highlighting the importance of information sharing.

    Most companies use external firms to conduct red team tests

    Our 2020 survey found 92% of respondents use external firms to perform red team exercises on a regular basis. Of those, 1% conduct tests once a month or more, 25% once every 2-6 months, 39% once every 7-11 months, and 27% once a year.

    Figure 4: Ninety-two percent of respondents rely on external firms to perform red team exercises.

    The majority believe internal and external red teams are equally effective

    According to our survey, the majority of respondents (54%) believe internal and external red teams are equally effective in testing blue teams. Twenty-four percent claimed internal teams are more effective, whereas 19% stated external teams are better.

    Figure 5: The majority of respondents, 54%, believe internal and external red teams are equally effective at testing blue teams.

    Room for improvement

    While 92% of respondents noted that their blue teams catch their red teams, only 11% always catch their red teams. The majority, 55%, sometimes catch their red teams, and 7% rarely or never do. Security teams in this category can use the findings and implement the recommendations from these exercises to improve their security posture and readiness.

    Figure 6: Only 11% of respondents state their blue teams always catch their red teams.

    Red and blue team exercises influence security investments

    Similar to 2019, the majority (98%) of respondents have increased investments in their security infrastructure as a result of red and blue team testing.

    Figure 7: Most companies (98%) have increased their security investment due to red/blue team exercises.

    Threat detection and incident response are the major blue team skills gaps

    According to the survey, the top defensive skills blue teams need to work on are threat detection (49%), incident response (47%), and flexibility/openness to change in a work-from-home (WFH) environment (44%). In a recent study, the Exabeam 2020 State of the SOC Report, 82% of SOC professionals said they are confident in their ability to detect threats, despite stating that threat hunting and the ability to remediate threats effectively were critical skills they feel they lack.

    Last year our survey results revealed communication/teamwork and knowledge of threats/tactics were the most significant skill gaps.

    Figure 8: Threat detection and incident response were the most prominent gaps in blue team skills.

    Improving threat detection and incident response

    As we noted earlier, the growing adoption of tools such as UEBA and SOAR helps security teams proactively hunt for threats. Beyond helping red and blue teams share metrics and information to get the most out of a simulated attack, running these exercises tests your organization’s readiness for unexpected threats. The ability to coordinate a response across the organization is equally important.

    To find out more about how UEBA solutions can help blue teams read our post, How Exabeam Helps Blue Teams Counter Red Team Attacks.

    Sam Humphries

    Marketing Director, EMEA | Exabeam | Samantha Humphries is the Marketing Director, EMEA at Exabeam. She has been happily entrenched in the cybersecurity industry for over 20 years. During this time she has helped hundreds of organizations of all shapes, sizes, and geographies recover and learn from cyberattacks, defined strategy for pioneering security products and technologies, and is a regular speaker at security conferences around the world. In her current regeneration, Sam is part of the Security Strategy team at Exabeam, and she heads up marketing for EMEA. She authors articles and blogs for various security publications, has a strong passion for mentoring, and often volunteers at community events, including BSides, The Diana Initiative, and Blue Team Village (DEFCON).
