Hard2bit


Pentesting vs Red Team vs BAS: three offensive models and when to choose which

All three are offensive exercises, but they answer different questions. The common mistake is asking for a red team when you need a pentest, or expecting a pentest to deliver what only a red team can. Here we break them down with cost, cadence and regulatory fit (DORA TLPT, NIS2, ISO 27001).


One-page summary

Each exercise answers a different question. Pentesting answers "what vulnerabilities does this scope have?". Red team answers "could we detect and contain a real adversary before impact?". BAS answers "how much ATT&CK coverage does my defensive stack deliver this week vs last?".

Pentesting

Scope validation

Bounded question. Web application, internal infrastructure, network segment, API. Short window (1-4 weeks). Output: list of vulnerabilities, severity and remediation plan.


Red team

Adversarial simulation

Organisational question. Objective (data, critical system, evidence of impact), stealth, long window (2-4 months). Output: operation timeline, SOC coverage and detection-and-response recommendations.


BAS

Continuous validation

Defensive question. Automated technical scenarios against controls; weekly ATT&CK coverage metric. Ideal for purple team work and iterative SOC improvement.


Comparison table

The three models coexist in a mature offensive programme. This table compares them on the axes any buying committee will look at.

Dimension: Pentesting | Red team | BAS
Question answered: Which vulnerabilities exist | Would we detect and contain | How much our stack detects today
Scope: Bounded (app, infra, segment) | Whole organisation, with goal | Continuous, over deployed controls
Information model: White/grey-box | Black-box, stealthy | Full coordination
Duration: 1-4 weeks | 2-4 months | Continuous operation
SOC aware: Yes | No (debrief at the end) | Yes, collaboratively
Typical cadence: Annual + per critical release | Annual or biennial | Continuous, weekly/monthly tuning
Indicative cost (Spain): €8-40k per exercise | €60-150k per exercise | €40-90k/year (platform + operation)
Regulatory fit: PCI DSS, ENS High, ISO 27001, NIS2 | DORA TLPT, critical banking, defence | NIS2 (measures), continuous improvement
Main deliverable: Technical report + remediation | Operational timeline + SOC recommendations | Continuous dashboards + weekly deltas
Strongest at: Depth of a scope | Full adversarial realism | Continuous defensive metric

What to ask for depending on the moment

Moment 1

No offensive programme yet

Ask for pentesting on your critical surface (main application, perimeter, most exposed segment). It establishes the vulnerability baseline and starts the relationship with the offensive team. Red team and BAS come later.

Moment 2

Operational SOC, no adversarial validation

Add BAS. After 6-12 months of stable SOC operation, BAS validates whether detection is maturing or stalling. ATT&CK coverage moves from narrative to an actionable weekly metric.
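As an added illustration of what that weekly metric looks like in practice (example code written for this page, not Hard2bit's platform or any BAS product's output): a Python script over constructed BAS run results that computes ATT&CK coverage per tactic and the week-over-week delta, separating regressions (detected last week, missed this week) from scenarios newly added to the run, so new scenarios do not dilute the comparison. The record layout and all detection outcomes are assumptions; the technique IDs are real ATT&CK identifiers used only as labels.

```python
from collections import defaultdict

# Constructed sample BAS output: one record per scenario per week.
# Outcomes are invented for this example; technique IDs are only labels.
LAST_WEEK = [
    {"technique": "T1059.001", "tactic": "execution", "detected": True},
    {"technique": "T1003.001", "tactic": "credential-access", "detected": True},
    {"technique": "T1021.002", "tactic": "lateral-movement", "detected": False},
    {"technique": "T1486", "tactic": "impact", "detected": True},
    {"technique": "T1566.001", "tactic": "initial-access", "detected": False},
]
THIS_WEEK = [
    {"technique": "T1059.001", "tactic": "execution", "detected": True},
    {"technique": "T1003.001", "tactic": "credential-access", "detected": False},  # regression
    {"technique": "T1021.002", "tactic": "lateral-movement", "detected": True},   # gain
    {"technique": "T1486", "tactic": "impact", "detected": True},
    {"technique": "T1566.001", "tactic": "initial-access", "detected": False},
    {"technique": "T1055", "tactic": "defense-evasion", "detected": False},       # new scenario
]

def coverage(runs):
    """Fraction of scenarios detected, overall and per ATT&CK tactic."""
    by_tactic = defaultdict(lambda: [0, 0])  # tactic -> [detected, total]
    for r in runs:
        by_tactic[r["tactic"]][1] += 1
        by_tactic[r["tactic"]][0] += int(r["detected"])
    total = sum(t for _, t in by_tactic.values())
    hit = sum(d for d, _ in by_tactic.values())
    return {
        "overall": round(hit / total, 2) if total else 0.0,
        "by_tactic": {k: round(d / t, 2) for k, (d, t) in by_tactic.items()},
    }

def weekly_delta(prev, curr):
    """Week-over-week comparison: coverage change, regressions, gains, new scenarios."""
    prev_state = {r["technique"]: r["detected"] for r in prev}
    curr_state = {r["technique"]: r["detected"] for r in curr}
    common = set(prev_state) & set(curr_state)
    # Compare only scenarios run in both weeks so added scenarios do not skew the delta.
    prev_cov = coverage([r for r in prev if r["technique"] in common])["overall"]
    curr_cov = coverage([r for r in curr if r["technique"] in common])["overall"]
    return {
        "coverage_delta": round(curr_cov - prev_cov, 2),
        "regressions": sorted(t for t in common if prev_state[t] and not curr_state[t]),
        "gains": sorted(t for t in common if curr_state[t] and not prev_state[t]),
        "new_scenarios": sorted(set(curr_state) - set(prev_state)),
    }
```

A flat coverage number can hide a regression offset by a gain, which is why the regression list, not the percentage, is the line item to take to the SOC each week.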

Moment 3

DORA or financial resilience applies to you

Ask for a red team within TLPT scope. DORA requires TLPT every three years for critical entities. Preparation takes 6-9 months: targeted CTI, regulator authorisation, scenarios and purple team debrief. It cannot be improvised.

Moment 4

Mature offensive programme

The three coexist in coordinated cadence: continuous BAS, pentest per critical release, red team annually or biennially with purple team feeding back into the SOC. A mature organisation does not choose between the three; it orchestrates them.

Common mistakes

  • Asking for a red team when you need a pentest. A warned red team measures little and the result is a vulnerability list a pentest would have produced at half the price.
  • Telling the SOC about the red team. The value of the exercise evaporates: what you measure is not response, it is theatre. If you cannot sustain operational opacity, call it an advanced pentest.
  • Buying BAS without a SOC. BAS produces thousands of control events; without someone to process and translate them into improvements, it is expensive noise. BAS without an operational SOC is hard to justify.
  • Check-the-box pentest. A pentest at minimum rate with a thin methodology generates a report that gets signed and filed but improves nothing. Demand methodology, team profile and sample reports.
  • No debrief. Without a purple team translating TTPs into SOC use cases, the investment stays on the shelf. Real value lies in the defensive improvement that follows, not the report.
  • Confusing DORA TLPT with any red team. TLPT requires an authorised provider, targeted CTI and supervision. You cannot repeat last year's exercise and put a DORA stamp on it.

Frequently asked questions

What is the essential difference between pentesting, red team and BAS?

Pentesting validates the security of a defined scope (application, infrastructure, segment) in a short window. Red team simulates a realistic adversary against the whole organisation with a goal (data, systems, evidence of impact) and stealth, without warning the SOC. BAS (Breach and Attack Simulation) runs technical scenarios continuously to measure defensive coverage. All three coexist; they do not replace each other.

When does classic pentesting fit and when does it fall short?

Pentesting fits when there is a defined scope and a validation goal: an application going to production, a segment that changed, compliance that requires evidence (PCI DSS, ENS High, ISO 27001). It falls short when you want to measure how your security team detects and responds, or when the question is 'could we detect a real attack?'. For that you need red team or BAS.

What is DORA TLPT and how does it relate to red team?

TLPT (Threat-Led Penetration Testing) is the intensive offensive exercise DORA requires every three years for critical financial entities. In practice it is a rigorous red team, run by a certified provider under TIBER-EU or equivalent, with targeted CTI and regulator oversight. It is not classic pentesting: scope is organisational and the goal is to measure real operational resilience, not list vulnerabilities.

Does BAS replace pentesting or red team?

No. BAS automates continuous validation of technical controls against known TTPs (MITRE ATT&CK), but it does not improvise, it does not investigate humans and it does not adapt like a real attacker. BAS is the springboard between exercises: it tells you how much your SIEM/EDR detects today compared with last week. Pentesting and red team are still needed to validate depth and adversarial behaviour.

What does each cost and how often is it run?

A typical web application pentest: €8-20k, annual or per critical release. A medium internal infrastructure pentest: €15-40k, annual. An enterprise red team: €60-150k per exercise, usually annual or biennial. BAS platform plus managed operation: €40-90k per year in continuous flow. Ranges vary significantly with scope, sector and maturity.

What sequence makes sense if I am starting from scratch?

Usually: first a well-executed pentest of the critical scope to understand the real vulnerability level. Then, when an operational SOC exists (internal or managed), add BAS for continuous validation. Red team comes in when the SOC has 6-12 months of stable operation; earlier than that, the exercise measures little because the operation is still calibrating.

Who in the organisation should know?

It depends on the model. Pentesting is usually white-box or grey-box with open communication. Red team is black-box: very few people inside know about it (typically only CISO and an executive sponsor); the SOC does not find out until the debrief. BAS runs with full coordination because the goal is not to surprise but to measure. The model choice affects the value of the exercise: a warned red team measures very little.

What gets delivered at the end of each exercise?

Pentesting: technical report with findings, severity, evidence and prioritised remediation; closing session with IT. Red team: executive report + detailed operation timeline + organisational recommendations; debrief with the SOC to extract lessons (purple team). BAS: continuous dashboards with ATT&CK coverage, weekly deltas and improvement proposals. Report quality is where you see if the provider is serious.

Which offensive exercise fits you this year?

In 30 minutes we review your critical surface, SOC maturity, regulatory obligations and budget, and propose a sensible 12-month offensive cadence: pentest, BAS, red team or a coordinated mix of all three.