The question comes up in almost every initial consultation we have with security leaders: should we get a penetration test or a red team assessment? The answer depends entirely on what you are trying to learn about your organization's security posture, and most organizations asking this question for the first time need the former, not the latter.
These two services are fundamentally different in scope, methodology, duration, and cost. Conflating them leads to misaligned expectations and wasted budget. This guide breaks down the distinctions clearly so you can make the right investment for your current security maturity level.
What a penetration test actually does
A penetration test is a focused, time-boxed security assessment designed to identify as many vulnerabilities as possible within a defined scope. The scope might be a web application, an API, an internal network, or a cloud environment. The goal is comprehensive vulnerability discovery.
Pentesters work with your team, not against it. The security team knows the test is happening. The testers receive credentials, documentation, and environment access. There is no element of surprise because surprise is not the point. The point is thoroughness. A good penetration tester will methodically examine every endpoint, every input field, every authentication mechanism, and every authorization boundary within scope.
Typical penetration test engagements run one to three weeks. A web application pentest might take five to ten business days depending on the application's complexity. A network penetration test covers internal or external infrastructure over a similar timeframe. The output is a detailed report listing every vulnerability found, rated by severity, with evidence and remediation guidance.
At Lorikeet Security, our web application penetration tests start at $7,500, API assessments at $7,500, and network penetration tests at $8,000. These are not commodity scans. Each engagement involves manual testing by experienced consultants who understand business logic, authentication flows, and the kinds of vulnerabilities that automated tools consistently miss.
What a red team assessment actually does
A red team assessment is an adversary simulation. The red team's objective is not to find every vulnerability but to achieve specific goals that a real attacker would pursue: gaining access to sensitive data, compromising domain admin credentials, exfiltrating intellectual property, or demonstrating the ability to deploy ransomware.
Red teams work against your team, by design. Only a handful of senior stakeholders know the assessment is happening. The security operations center, the IT team, and the incident response team are deliberately kept in the dark. The red team's success or failure tells you something a penetration test cannot: whether your people and processes can detect and respond to a sophisticated attacker operating in your environment.
Red team engagements typically run four to eight weeks, sometimes longer. The operators spend significant time on reconnaissance, developing custom tooling, crafting social engineering pretexts, and planning attack chains that avoid detection. They move slowly and deliberately because stealth is a core requirement. Getting caught early means the assessment fails to test the full kill chain.
Red team assessments start at $25,000 and can exceed $75,000 depending on scope, duration, and the inclusion of physical security testing and social engineering components. The cost reflects the specialized expertise required: custom implant development, evasion techniques, operational security, and the ability to think and operate like a real threat actor.
Side-by-side comparison
The following table summarizes the key differences. If you are evaluating which assessment type to invest in, these dimensions are what matter most.
| Dimension | Penetration Test | Red Team Assessment |
|---|---|---|
| Primary Goal | Find as many vulnerabilities as possible | Test detection and response against realistic attack scenarios |
| Scope | Defined and narrow (specific app, network, API) | Broad, often the entire organization |
| Duration | 1-3 weeks | 4-8 weeks or longer |
| Stealth | Not required; security team is aware | Essential; tests whether defenders detect activity |
| Attack Vectors | Technical vulnerabilities within defined scope | Technical, social engineering, physical, supply chain |
| Methodology | Systematic, comprehensive coverage | Objective-driven, follows realistic kill chains |
| Cost | $7,500 - $25,000+ | $25,000 - $75,000+ |
| Output | Vulnerability report with severity ratings | Attack narrative, detection gap analysis, response evaluation |
| Best For | Finding and fixing technical vulnerabilities | Testing people, processes, and detection capabilities |
The security maturity model: when to upgrade
The decision between penetration testing and red teaming is not about which is better. It is about which is appropriate for your current security maturity. Investing in a red team assessment before your organization has the fundamentals in place is like hiring a mystery shopper before your store has inventory on the shelves.
Stage 1: Vulnerability discovery (start here)
If your organization has never had a penetration test, or if your last test revealed critical and high-severity findings that have not been remediated, you are in the vulnerability discovery phase. Your priority is understanding what is broken and fixing it. A red team assessment at this stage would simply confirm what a penetration test can tell you at a fraction of the cost: there are exploitable vulnerabilities.
What to invest in: Regular penetration tests across your critical assets. Lorikeet's Offensive Security Bundle at $37,500 per year covers two web application pentests, one network pentest, one API assessment, quarterly vulnerability scanning, attack surface management, and client portal access. This gives you the recurring coverage needed to find and fix vulnerabilities continuously.
Stage 2: Hardened environment (build detection)
Once your penetration test results consistently show low-severity findings and your remediation cycle is measured in days rather than months, you have reached the hardened environment stage. Your technical controls are solid. Now the question becomes: can your security team detect and respond to an attacker who gets past those controls?
This is the stage where you need detection and response capabilities: SIEM, EDR, security operations center monitoring, and an incident response plan. Without these, a red team assessment would simply demonstrate that nobody is watching, which is already obvious if you have no detection stack.
Stage 3: Ready for red teaming
You are ready for a red team assessment when you have all of the following in place: regular penetration testing with consistently improving results, 24/7 security monitoring with a SOC or managed detection service, endpoint detection and response deployed across your environment, an incident response plan that has been tested through tabletop exercises, and security staff who are actively monitoring alerts and investigating anomalies.
At this stage, a red team assessment provides immense value. It tells you whether your detection capabilities work against a sophisticated adversary, where your blind spots are, how quickly your team responds, and whether your incident response procedures hold up under pressure.
Rules of engagement matter more than you think
Regardless of which assessment type you choose, the rules of engagement define the boundaries and ensure the assessment is safe, legal, and productive. For penetration tests, rules of engagement are relatively straightforward: define the scope, agree on testing windows, establish communication channels, and document any systems that are off-limits.
For red team assessments, rules of engagement are more nuanced. They must address social engineering boundaries (is phishing in scope? vishing? physical access attempts?), define what constitutes a safety check versus a detection event, establish deconfliction procedures so real security incidents are not confused with red team activity, and specify what happens if the red team discovers evidence of a real compromise during the engagement.
Critical point: A red team assessment without clearly defined rules of engagement is a liability, not a security investment. The rules protect both the organization and the red team operators. They ensure the assessment tests what it is supposed to test without causing operational disruption, legal exposure, or safety risks.
Common misconceptions that cost organizations money
- "A red team test is just a more expensive pentest." They test fundamentally different things. A pentest finds vulnerabilities. A red team tests whether your organization can detect and respond to exploitation of those vulnerabilities. Paying red team prices for what is essentially a penetration test is a waste of budget.
- "We need a red team assessment because our industry requires it." Very few compliance frameworks explicitly require red teaming. PCI DSS, SOC 2, ISO 27001, and HIPAA all require penetration testing, not red team assessments. Some financial regulators (TIBER-EU, CBEST) do require threat-led penetration testing, which is closer to red teaming, but these apply to a narrow set of financial institutions.
- "Red teaming replaces penetration testing." It does not. Red team assessments are objective-driven and will follow the path of least resistance to achieve their goals. They will not comprehensively test every endpoint in your web application or every host on your network. You need both: penetration testing for breadth of coverage and red teaming for depth of adversary simulation.
- "We should do a red team assessment first to see how bad things are." If you suspect things are bad, a penetration test will confirm it faster and cheaper. Red teaming is most valuable when you believe your defenses are strong and want to validate that belief.
Building a multi-year offensive security program
The most effective approach is not choosing one assessment type permanently but building a program that evolves with your security maturity. Here is what a well-structured offensive security program looks like over three years.
Year one: Establish a baseline with comprehensive penetration testing across your critical assets. Web applications, APIs, network infrastructure, and cloud environments should all be assessed. Fix the critical and high-severity findings. Implement vulnerability scanning to catch new issues between pentests. Lorikeet's Offensive Security Bundle provides this foundation at $37,500 per year with recurring assessments built in.
Year two: Continue regular penetration testing while building detection and response capabilities. Deploy EDR, implement SIEM, and establish SOC monitoring. Begin tabletop exercises to test your incident response plan. Your penetration test results should show meaningful improvement from year one.
Year three: With solid technical controls and active detection capabilities in place, add red team assessments to your program. Run one or two red team engagements per year alongside your regular penetration testing. The red team findings will now be actionable because you have the detection infrastructure to address the gaps they identify.
For organizations that want comprehensive coverage from day one, Lorikeet's Full Stack Bundle at $99,000 per year combines the Offensive Security Bundle with 24/7 SOC, SIEM, EDR, and incident response retainer, giving you both the testing and detection capabilities needed to mature quickly. Red team assessments can be added as standalone engagements once the program is established.
How to evaluate an offensive security firm
Whether you are hiring for penetration testing or red teaming, the quality of the firm matters enormously. Here are the questions that separate experienced operators from vendors running automated tools.
- Ask for sample reports (redacted). The report quality tells you everything about the engagement quality. Look for clear evidence, reproduction steps, and actionable remediation guidance.
- Ask about their methodology. Pentesters should reference OWASP, PTES, or NIST. Red team operators should reference MITRE ATT&CK, adversary simulation frameworks, and custom tooling development.
- Ask about the team's experience and certifications. OSCP, OSCE, OSEP, and GPEN are strong indicators for penetration testing. CRTO, GXPN, and real-world red team experience matter for red teaming.
- Ask what percentage of testing is manual versus automated. If the answer is primarily automated, you are paying for a vulnerability scan with a pentester's logo on it.
- Ask about retesting. Good firms include a retest period to verify that your remediations actually fixed the identified vulnerabilities.
The bottom line
Start with penetration testing. It is the foundation of any offensive security program and the most cost-effective way to identify and fix vulnerabilities in your applications and infrastructure. Graduate to red teaming when your security maturity warrants it, when you have detection capabilities worth testing and a security team ready to learn from the results.
If you are unsure where your organization falls on the maturity spectrum, start with a conversation. We can help you assess your current state and recommend the right assessment type for your situation and budget.
Not Sure Which Assessment You Need?
We will help you determine the right offensive security investment for your organization's maturity level and budget. No pressure, just straightforward guidance.
