What is your ‘real’ security posture? (Part 2)

Issue 6 2025 Editor's Choice, Information Security, Infrastructure

In the second part of this series of articles from BlueVision, we explore the human element: social engineering and insider threats and how red teaming can expose and remedy them. The first article is at www.securitysa.com/26130r


Christo Coetzer

Technical controls can be implemented with reasonable consistency, but humans remain inherently variable and unpredictable. Red teaming comes into its own when testing the human side of security, through social engineering campaigns that exploit cognitive biases, deference to authority, and the instinct to be helpful. A well-crafted phishing email might slip past email filtering and exploit an employee's desire to help someone who appears to be a colleague.

A convincing pretext call might elicit sensitive information from a help desk analyst who follows inadequate verification procedures. A tailgating attempt might reveal that staff hold doors open rather than challenging unfamiliar faces in sensitive areas.

These scenarios test whether security awareness training has changed behaviour or merely satisfied compliance requirements. They reveal whether your culture genuinely prioritises security or if your policies exist only on paper, while day-to-day operations prioritise convenience and speed.

Furthermore, red teaming can simulate insider threat scenarios, demonstrating what a malicious employee with legitimate access could achieve. These exercises often reveal excessive privilege allocation, insufficient segregation of duties, and inadequate monitoring of privileged user activity: weaknesses that an external penetration test, which starts without that access, typically cannot identify.

Measuring resilience, not just controls

Traditional security metrics focus on control implementation: the percentage of systems patched, the number of security training hours completed, and the mean time to remediate vulnerabilities. These metrics measure activity, but not effectiveness. Red teaming provides outcome-based metrics that actually matter: time to detection, effectiveness of containment, accuracy of impact assessment, and time to restoration.

A red team engagement might demonstrate that, while your organisation patches systems within defined service-level agreements, your detection capabilities give adversaries a 45-day dwell time before suspicious activity triggers an investigation. This finding is far more valuable than knowing that 95% of systems are patched within 30 days because it reveals the actual risk exposure period during which adversaries can operate undetected.

Similarly, measuring how quickly and effectively your incident response team contains a simulated breach provides genuine insight into organisational resilience. For example, can you:

• Isolate compromised systems without causing unnecessary operational disruption?

• Preserve evidence while containing the threat?

• Accurately scope the breach to determine what data or systems were affected?

These capabilities determine whether a security incident remains manageable or escalates into a crisis.
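The outcome metrics above can be scored mechanically from the two records every engagement produces: what the red team actually did, and what the blue team saw and did about it. The script below is an added example, not code from the article or from BlueVision. The hostnames, timestamps and event names are constructed for illustration, and the 24-hour detection objective is an assumed target; replace all of them with your own engagement data.

```python
"""Outcome-based scoring of a red-team exercise (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed red-team ground truth: every host the operators actually touched.
RED_TEAM_TIMELINE = [
    {"ts": "2025-03-03T09:12:00", "event": "initial_access", "host": "WS-FIN-017"},
    {"ts": "2025-03-04T14:30:00", "event": "lateral_movement", "host": "SRV-FILE-02"},
    {"ts": "2025-03-06T11:05:00", "event": "privilege_escalation", "host": "SRV-FILE-02"},
    {"ts": "2025-03-07T16:40:00", "event": "data_staged", "host": "SRV-DB-01"},
]

# Constructed blue-team record: first alert triaged, hosts isolated, service restored.
BLUE_TEAM_TIMELINE = [
    {"ts": "2025-03-07T18:02:00", "event": "alert_triaged", "host": "SRV-DB-01"},
    {"ts": "2025-03-07T21:15:00", "event": "host_isolated", "host": "SRV-DB-01"},
    {"ts": "2025-03-08T10:00:00", "event": "host_isolated", "host": "SRV-FILE-02"},
    {"ts": "2025-03-08T10:00:00", "event": "host_isolated", "host": "SRV-WEB-03"},  # never compromised
    {"ts": "2025-03-10T09:00:00", "event": "service_restored", "host": "SRV-DB-01"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _first(timeline, event_name):
    """Earliest timestamp of a given event type, or None if it never happened."""
    times = [_ts(e) for e in timeline if e["event"] == event_name]
    return min(times) if times else None


def time_to_detection(red, blue):
    """Dwell time: first adversary action until the blue team first triaged an alert."""
    detected = _first(blue, "alert_triaged")
    return None if detected is None else detected - _first(red, "initial_access")


def scoping_accuracy(red, blue):
    """Precision/recall of the hosts isolated against the hosts the red team really touched."""
    compromised = {e["host"] for e in red}
    isolated = {e["host"] for e in blue if e["event"] == "host_isolated"}
    hit = compromised & isolated
    return {
        "precision": len(hit) / len(isolated) if isolated else 0.0,      # share of isolations that were justified
        "recall": len(hit) / len(compromised) if compromised else 1.0,   # share of the breach actually contained
        "missed": sorted(compromised - isolated),                        # footholds the adversary still holds
        "over_contained": sorted(isolated - compromised),                # clean hosts taken offline
    }


def time_to_containment(red, blue):
    """Alert triage until the last compromised host that did get isolated was isolated.

    Completeness is a separate question: see scoping_accuracy()["missed"].
    """
    detected = _first(blue, "alert_triaged")
    compromised = {e["host"] for e in red}
    isolated_at = [_ts(e) for e in blue if e["event"] == "host_isolated" and e["host"] in compromised]
    if detected is None or not isolated_at:
        return None
    return max(isolated_at) - detected


def time_to_restoration(blue):
    """First isolation until service restored: the operational cost of containment."""
    isolated, restored = _first(blue, "host_isolated"), _first(blue, "service_restored")
    return None if isolated is None or restored is None else restored - isolated


def score_exercise(red, blue, detection_objective=timedelta(hours=24)):
    """Turn the two timelines into the outcome-based findings a red-team report should carry."""
    dwell = time_to_detection(red, blue)
    scope = scoping_accuracy(red, blue)
    findings = []
    if dwell is None:
        findings.append("never detected: the exercise ran to completion without an alert being triaged")
    elif dwell > detection_objective:
        findings.append(f"dwell time {dwell} exceeds detection objective of {detection_objective}")
    for host in scope["missed"]:
        findings.append(f"{host} was compromised but never isolated: the adversary retains a foothold")
    for host in scope["over_contained"]:
        findings.append(f"{host} was isolated but never compromised: unnecessary operational disruption")
    return {
        "time_to_detection": dwell,
        "time_to_containment": time_to_containment(red, blue),
        "time_to_restoration": time_to_restoration(blue),
        "scoping": scope,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in score_exercise(RED_TEAM_TIMELINE, BLUE_TEAM_TIMELINE).items():
        print(f"{key}: {value}")
```

Two design choices matter here. Dwell time is measured from the red team's first action, not from the first alert the SIEM raised, because the period that matters is the one in which the adversary could operate. And scoping is scored as recall and precision rather than a single number: low recall means a foothold survived containment (the workstation above is still compromised when the incident is "closed"), while low precision is the unnecessary operational disruption the checklist above warns about.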

Driving meaningful security improvements

The ultimate value of red teaming lies not in the exercise itself, but in the improvements it drives. A comprehensive red team report should provide actionable recommendations prioritised by the demonstrated risk they address. These recommendations often challenge existing security strategies, revealing investments that offer minimal security value and highlighting gaps in critical areas.

Organisations embracing red teaming move beyond checkbox compliance towards genuine security maturity. They accept that testing by adversarial simulation provides the most reliable assessment of defensive capabilities. They create feedback loops in which red team findings inform security architecture decisions, detection engineering priorities, and updates to incident response procedures.

This continuous improvement cycle, where defences are repeatedly tested and refined through adversarial simulation, represents the only reliable path towards genuine defensibility. Without this testing, organisations remain blind to the effectiveness of their security investments, discovering their true security posture only when facing real adversaries under the worst possible circumstances.

Embracing adversarial testing

The question is not whether your organisation can benefit from red teaming, but whether you can afford to operate without it. In an environment where sophisticated threat actors constantly evolve their techniques and where the cost of breaches continues to escalate, understanding your actual defensive capabilities is not optional; it is essential.

Red teaming reveals uncomfortable truths, exposing gaps between security perception and reality. However, these truths are gifts, offering opportunities to strengthen defences before adversaries exploit them. Organisations that embrace regular red team engagements demonstrate security maturity and a realistic understanding of risk that their peers lack.

Ultimately, the only way to know if you are truly defensible is to be attacked by skilled adversaries operating without constraints. The choice is whether those adversaries are your red team, operating under controlled conditions with the goal of making you stronger, or genuine threat actors whose objectives involve maximum damage. The former provides an opportunity for growth; the latter, a lesson learned too late.





© Technews Publishing (Pty) Ltd. | All Rights Reserved.