Alethe Denis Discusses Her Approach To Security Testing, Building An Ethical Red Team And Providing Value To Clients

With cyber security crime cases accelerating at the speed of light, companies must strengthen their defense capabilities and proactively discover vulnerabilities. Red teaming is a non-hostile group or individual that challenges a system or an organization by simulating a potential adversary.
The concept of red teaming originated in the military, where it was used to analyze the efficiency of safety measures from an external perspective. Over time, the concept evolved into a cyber security training exercise used by businesses in critical infrastructure, financial institutions, and other corporate environments across multiple industries. In the beginning, red teaming exercises were mostly penetration testing and vulnerability assessments. Alethe Denis, who is best known for social engineering, open-source intelligence (OSINT), and performing security assessments and training, and currently serving as a senior Security Consultant on the red team at Bishop Fox, believes that traditional approaches are no longer sufficient.
Historically, red teaming has often focused on physical breaches, such as bypassing locks, tailgating, or gaining access to restricted areas. While these tactics remain important, Alethe emphasizes the need to go further. Modern red teaming must evaluate the interplay between physical security, cybersecurity protocols, and human policies. "We've had clients tell us outright that they're not interested in testing physical vulnerabilities they already know exist, like locks or doors," the consultant says. "Instead, they want us to test whether their staff can detect and challenge unauthorized individuals."

This evolution has been driven by the growing complexity of threats, which often blur the lines between physical and digital security. While breaking into a server room to achieve domain admin might have been the 'trophy' for red teams in the past, Alethe stresses that the goal is now broader: to assess the entire organization's ability to detect and respond to threats, from perimeter breaches to network intrusions.
This cyber security consultant also explains, "The purpose of red teaming now isn't just finding security weaknesses—it's to help organizations validate their systems, align internal teams, and prepare for real-world threats."
One of the most significant changes Alethe has observed is the increasing importance of social engineering in red teaming engagements. While some technical professionals shy away from the human element, this social engineer sees it as the most critical component. "Once we get inside the building, it's astonishing how many people won't question our presence," she notes. "Most employees are hesitant to challenge someone who appears to have already been granted access. People are naturally inclined to avoid confrontation and stick to their routines."
This reliance on social engineering has yielded surprising results. Alethe recounts a retail engagement where her team used a fake work order with a forged digital signature to gain access to a store's back office. The keyholder not only allowed them to inspect the surveillance systems but also took photos of sensitive equipment on their behalf. "The longer we're in the building, the more comfortable people get with our presence," Alethe explains. "That comfort leads to assumptions that we're supposed to be there, which compounds over time and increases our chances of success exponentially."
While the human element is a rich area for testing, it also presents ethical and operational challenges. Alethe emphasizes the importance of clear communication and planning between clients and red teams to avoid dangerous situations. "Our first priority is always a consultant's safety, alongside the legal and ethical boundaries when scoping and setting the rules of the engagement. This helps us avoid putting our consultants in harm's way during the simulated task," she says. "For example, some states allow security guards to conceal vs open carry firearms. Knowing that upfront is very important for us because it changes how we approach the engagement. Without that information, we could unknowingly put ourselves at risk."
Alethe also highlights the need for collaboration between physical and information security teams within organizations. "I've seen situations where infosec decided to test physical security without informing the physical security or facilities team at that organization. This lack of coordination can lead to confusion and even compromise the results of the test."
Furthermore, Alethe and her team prioritize ethical testing methods that align with clients' objectives. "We're not here to dress up in tactical gear and brute force our way into buildings with paint on our faces. Our focus is on delivering meaningful outcomes—validating incident response plans, testing policies and procedures, and ensuring security teams are prepared to handle real-world threats."
One of the biggest misconceptions about red teaming is that it's a 'one-size-fits-all' service. Alethe points out that many clients don't fully understand what they need, which places a significant responsibility on consultants to guide them. "Offensive security testing is still relatively new and not well-defined," she explains. "Some consultants design engagements to benefit themselves rather than the client, either due to inexperience or a lack of maturity in their approach. My team and I focus on delivering the best value by tailoring engagements to meet each client's specific objectives."
Looking ahead, Alethe envisions red teaming becoming even more integrated and strategic. She also encourages aspiring red team professionals to focus on continuous learning and adaptability. "The field is always changing, and so are the threats we face. To stay ahead, you need to be curious, adaptable, and have a willingness to be receptive to new ideas," she concludes.
© Copyright IBTimes 2024. All rights reserved.