Pen Testing: Red, Blue & Purple Teams | CISSP Domain 6 | SkillAssess
CISSP · Security Assessment and Testing · 10 min read · 19 May 2026
Penetration Testing: Red Team, Blue Team, Purple Team — CISSP’s View
Security assessment and testing is the set of activities that validates whether security controls are working as intended. For the CISSP exam, Domain 6 is less technically deep than other domains but requires precise understanding of terminology and process. The exam tests the differences between types of testing, the correct sequencing of assessment activities, and the governance requirements (particularly rules of engagement and authorisation) that must be in place before testing begins.
Types of Penetration Testing: Knowledge-Based Categories
Penetration tests are categorised by how much information the testing team has about the target before testing begins.
Black box testing means the tester has no prior knowledge of the target system and must conduct their own reconnaissance, enumeration, and vulnerability discovery before attempting exploitation. It most closely simulates an external attacker with no insider knowledge and no existing foothold in the organisation. The limitation is efficiency: a large share of the engagement is spent rediscovering hosts, services, and architecture that the organisation's own security team could have supplied on day one.
White box testing (also called crystal box or full disclosure testing) means the tester has complete knowledge of the target: source code, architecture diagrams, network topology, and credentials. White box testing allows for the most thorough and efficient assessment because the tester can focus directly on finding vulnerabilities rather than discovering the environment. It is most useful for thorough code review, architecture review, and targeted vulnerability assessment. It does not simulate a realistic external attacker but can find vulnerabilities that black box testing would miss.
Grey box testing falls between black and white box. The tester has partial information — perhaps network diagrams but not source code, or user-level credentials but not administrator access. Grey box testing balances realism with efficiency and is often the most practical approach for enterprise engagements.
For the exam: know which box type matches which scenario. External attacker simulation = black box. Thorough internal assessment = white box. Balanced real-world engagement = grey box.
Red Team vs Blue Team vs Purple Team
Organisations use adversarial simulation exercises to test their security controls under realistic attack conditions. The terminology of red, blue, and purple teams describes the different roles in these exercises.
Red team: an offensive team that simulates real-world attack techniques against the organisation's systems and people. Red teams typically operate covertly: the defensive security team (blue team) is not informed of the exercise, so the test evaluates real-world detection and response capabilities. A small group of trusted insiders (often called the white cell) does know, so that a genuine incident can be told apart from the exercise and the operation can be halted if it causes harm. Red teams use the same tactics, techniques, and procedures (TTPs) that real attackers use: phishing, exploitation, lateral movement, and objective achievement (data exfiltration, simulated ransomware deployment). Red team operations are distinguished from penetration tests by their broader scope, longer duration, and focus on achieving specific objectives rather than finding all vulnerabilities.
Blue team: the defensive security operations team that monitors, detects, and responds to threats. In a red team exercise, the blue team responds to the red team's simulated attack without knowing it is a test. The blue team's performance in detecting and containing the simulated attack reveals the real-world effectiveness of detective and responsive controls.
Purple team: a collaborative exercise where the red and blue teams work together, with the red team sharing their attack techniques and the blue team implementing and testing detections. Purple team exercises are more educational and collaborative than traditional red/blue exercises — the goal is to rapidly improve the blue team's detection capabilities by immediately testing whether newly implemented detections catch specific red team techniques.
For the exam: red = offensive/attack simulation. Blue = defensive/detection and response. Purple = collaborative improvement of detection capabilities. Red team exercises test real-world detection. Purple team exercises improve detection capabilities.
Rules of Engagement: Scope, Authorisation, and Legal Considerations
This is the governance dimension of penetration testing and one the CISSP exam emphasises strongly. No penetration test should ever begin without proper authorisation and defined rules of engagement.
Authorisation is mandatory. Conducting a penetration test against systems you do not own or have explicit written permission to test is illegal under computer fraud laws in most jurisdictions (CFAA in the US, Computer Misuse Act in the UK). Even internal security staff require formal written authorisation before testing production systems. The authorisation should come from the system owner, legal counsel, and executive management.
Scope defines what systems, networks, and techniques are within scope for the test and, crucially, what is out of scope. Out-of-scope systems must not be tested. Scope definition should be precise — IP ranges, application URLs, and specific systems — to prevent scope creep and accidental testing of third-party systems.
Rules of engagement define the testing parameters: permitted techniques (is phishing of employees allowed?), time windows (can testing occur 24/7 or only during business hours?), escalation procedures (what happens if a critical vulnerability is discovered that requires immediate notification?), emergency contacts (who does the tester call if something goes wrong?), and reporting requirements.
Third-party systems require separate authorisation. If the target organisation uses a cloud provider, testing cloud infrastructure may require the cloud provider's permission in addition to the organisation's own authorisation. Most major cloud providers publish a penetration-testing policy that sets out which services customers may test without prior approval, which activities (denial-of-service testing, for example) remain prohibited, and when advance notification is required. The same logic applies to SaaS vendors, managed service providers, and any shared hosting on which an in-scope application runs: the organisation cannot authorise testing of infrastructure it does not own.
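As an added illustration of how these governance elements are enforced in practice (example code written for this page, not part of the original article or of any particular testing tool), the following Python pre-flight check encodes scope, exclusions, the permitted time window, and the permitted techniques as data, and refuses to clear a run until every target and technique is covered by the rules of engagement. All ranges, hostnames, exclusions, and times are constructed values; the IP ranges come from RFC 5737 documentation address space.

```python
"""Pre-flight check that enforces written scope and rules of engagement before
any scanner or exploit is pointed at a target. Example code for this page; all
ranges, names and times below are constructed (RFC 5737 documentation space)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse


@dataclass
class RulesOfEngagement:
    authorisation_ref: str        # reference to the signed authorisation document
    in_scope_networks: list[str]  # CIDR ranges the client authorised in writing
    in_scope_hostnames: set[str]  # application hosts authorised by exact name
    excluded_hosts: set[str]      # carve-outs that stay off-limits even inside a range
    window_start: time            # permitted testing window (client local time)
    window_end: time
    phishing_allowed: bool = False

    def within_window(self, when: datetime) -> bool:
        """True if the proposed start time falls inside the permitted window.
        Handles windows that cross midnight (e.g. 22:00 to 06:00)."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        return t >= self.window_start or t <= self.window_end


def classify_targets(roe: RulesOfEngagement, targets: list[str]):
    """Split candidate targets into allowed ones and rejected ones (with a reason).
    A target may be a bare IP address or a URL; URLs are reduced to their host."""
    allowed, rejected = [], {}
    for target in targets:
        host = urlparse(target).hostname if "://" in target else target
        host = host or ""
        if host in roe.excluded_hosts:
            rejected[target] = "explicitly excluded by the rules of engagement"
            continue
        try:
            ip = ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            if any(ip in ip_network(n) for n in roe.in_scope_networks):
                allowed.append(target)
            else:
                rejected[target] = "address is not in an authorised range"
        elif host in roe.in_scope_hostnames:
            allowed.append(target)
        else:
            rejected[target] = "hostname is not in the authorised scope"
    return allowed, rejected


def preflight(roe: RulesOfEngagement, targets: list[str], techniques: set[str], start_at: datetime):
    """Return (allowed_targets, problems). Testing must not start while problems
    is non-empty; each entry is a governance failure, not a technical one."""
    problems = []
    if not roe.authorisation_ref:
        problems.append("no written authorisation on record")
    if not roe.within_window(start_at):
        problems.append(f"start time {start_at:%H:%M} is outside the agreed window")
    if "phishing" in techniques and not roe.phishing_allowed:
        problems.append("phishing of staff is not permitted by the rules of engagement")
    allowed, rejected = classify_targets(roe, targets)
    problems.extend(f"{t}: {why}" for t, why in rejected.items())
    return allowed, problems


# Constructed engagement data for this example.
ROE = RulesOfEngagement(
    authorisation_ref="RoE-2026-05-19, signed by system owner and legal counsel",
    in_scope_networks=["203.0.113.0/24", "192.0.2.0/25"],
    in_scope_hostnames={"app.example.com"},
    excluded_hosts={"203.0.113.10"},            # e.g. a shared payment gateway
    window_start=time(22, 0), window_end=time(6, 0),
)
TARGETS = [
    "203.0.113.5",                    # inside an authorised range
    "203.0.113.10",                   # inside a range but explicitly carved out
    "192.0.2.200",                    # outside the authorised /25
    "https://app.example.com/login",  # authorised application host
    "https://vendor.example.net/",    # third party: needs its own authorisation
]
START_OK = datetime(2026, 5, 19, 23, 30)   # inside the overnight window
START_BAD = datetime(2026, 5, 19, 14, 0)   # during business hours, outside the window

if __name__ == "__main__":
    ok, problems = preflight(ROE, TARGETS, {"scanning", "phishing"}, START_OK)
    print("cleared targets:", ok)
    print("blocking problems:", *problems, sep="\n  ")
```

The point of the exclusion check running before the range check is that carve-outs must win even when they sit inside an authorised CIDR, which is exactly how accidental testing of a shared or third-party host happens. The same target list would normally be fed to the scanner only from the cleared output, never from the raw list.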
For the exam: authorisation is always the first step before any penetration testing activity. If a question asks what should be done before beginning a penetration test, the answer involves obtaining written authorisation and defining scope.
Vulnerability Assessment vs Penetration Test: The Critical Distinction
This distinction is directly tested on almost every CISSP exam. Confusing these two activities is a common error.
A vulnerability assessment is a systematic review of systems to identify known vulnerabilities. It uses automated scanning tools (Nessus, Qualys, OpenVAS) to compare system configurations against databases of known vulnerabilities and misconfigurations. A vulnerability assessment identifies what vulnerabilities exist but does not attempt to exploit them. Its output is a list of findings with severity ratings.
A penetration test goes further: it attempts to actively exploit identified vulnerabilities to determine whether they can be used to achieve unauthorised access or accomplish specific attack objectives. A penetration test answers the question: "Can an attacker actually exploit these vulnerabilities to reach our sensitive data or systems?"
The relationship: a vulnerability assessment is typically a prerequisite to a penetration test. You must know what vulnerabilities exist before deciding which ones are worth trying to exploit. A penetration test without a prior vulnerability assessment is less structured and may miss vulnerabilities that automated tools would have found.
For the exam: vulnerability assessment finds vulnerabilities. Penetration test exploits them to determine real-world impact. Both are assessment activities, but penetration testing involves active exploitation.
Breach Attack Simulation and Continuous Testing
Breach Attack Simulation (BAS) platforms use automated software agents to continuously simulate attack techniques against an organisation's security controls and measure whether the controls detect and block the attacks. BAS provides continuous validation rather than point-in-time penetration testing.
BAS is particularly valuable for testing SIEM detection rules, EDR effectiveness, and email security controls. By running simulations continuously, organisations can detect when controls degrade (for example, when a SIEM rule is inadvertently disabled by a configuration change).
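The loop described in the purple team section above (run a technique, check whether the detection fires) and the BAS idea of running that loop continuously and watching for degraded controls are the same mechanism at different cadences. The following Python harness is an added example written for this page, not code from any BAS product or SIEM: it replays constructed telemetry events for three ATT&CK techniques through a small rule set, records a coverage baseline, and reports which techniques stopped being detected after a rule is switched off. The rules, the event fields, the LSASS allowlist path, and the encoded-command payload are all constructed for the example.

```python
"""BAS-style continuous control validation, written as an example for this page
(not code from any product). Simulated technique events are replayed through
the detection rules on a schedule; a drop in coverage against the last baseline
signals a degraded control, such as a rule someone inadvertently switched off."""
from dataclasses import dataclass
from typing import Callable

Event = dict[str, str]


@dataclass
class DetectionRule:
    name: str
    matches: Callable[[Event], bool]
    enabled: bool = True


@dataclass
class Simulation:
    technique: str       # ATT&CK technique the event emulates
    event: Event         # constructed telemetry a simulation agent would generate
    expected_rule: str   # the rule that should fire if the control is healthy


# Constructed allowlist of tools legitimately reading LSASS (hypothetical path).
LSASS_ALLOWLIST = {"c:\\program files\\exampleedr\\sensor.exe"}


def encoded_powershell(ev: Event) -> bool:
    """PowerShell launched with an encoded command (-e / -enc / -EncodedCommand)."""
    if ev.get("event") != "process_create":
        return False
    if not ev.get("image", "").lower().endswith("powershell.exe"):
        return False
    tokens = ev.get("command_line", "").lower().split()
    return any(t in {"-e", "-enc", "-encodedcommand"} for t in tokens)


def lsass_access(ev: Event) -> bool:
    """A process outside the allowlist opened a handle to lsass.exe."""
    return (ev.get("event") == "process_access"
            and ev.get("target_image", "").lower().endswith("lsass.exe")
            and ev.get("source_image", "").lower() not in LSASS_ALLOWLIST)


def admin_share(ev: Event) -> bool:
    """Remote connection to an administrative share."""
    return ev.get("event") == "share_access" and ev.get("share", "").upper() in {"ADMIN$", "C$"}


RULES = [
    DetectionRule("encoded_powershell", encoded_powershell),
    DetectionRule("lsass_access", lsass_access),
    DetectionRule("admin_share", admin_share),
]

# Constructed simulation set: one event per technique, with the rule expected to catch it.
SIMULATIONS = [
    Simulation("T1059.001 encoded PowerShell command",
               {"event": "process_create",
                "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
               "encoded_powershell"),
    Simulation("T1003.001 LSASS memory access",
               {"event": "process_access",
                "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\dump.exe",
                "target_image": "C:\\Windows\\System32\\lsass.exe"},
               "lsass_access"),
    Simulation("T1021.002 admin share lateral movement",
               {"event": "share_access", "share": "ADMIN$", "source_ip": "10.0.5.23"},
               "admin_share"),
]


def run_simulations(rules: list[DetectionRule], simulations: list[Simulation]) -> dict[str, list[str]]:
    """Replay each simulation's event through every enabled rule.
    Returns technique -> names of the rules that fired."""
    return {s.technique: [r.name for r in rules if r.enabled and r.matches(s.event)]
            for s in simulations}


def expected_misses(fired: dict[str, list[str]], simulations: list[Simulation]) -> list[str]:
    """Techniques whose expected rule did not fire in this run."""
    return [s.technique for s in simulations if s.expected_rule not in fired[s.technique]]


def coverage_regressions(baseline: dict[str, list[str]], current: dict[str, list[str]]) -> list[str]:
    """Techniques detected in the baseline run that are no longer detected at all."""
    return [t for t, rules in baseline.items() if rules and not current.get(t)]


def disable_rule(rules: list[DetectionRule], name: str) -> list[DetectionRule]:
    """Copy of the rule set with one rule switched off (simulating an accidental change)."""
    return [DetectionRule(r.name, r.matches, r.enabled and r.name != name) for r in rules]


if __name__ == "__main__":
    baseline = run_simulations(RULES, SIMULATIONS)
    after_change = run_simulations(disable_rule(RULES, "lsass_access"), SIMULATIONS)
    print("baseline misses:", expected_misses(baseline, SIMULATIONS))
    print("regressions after change:", coverage_regressions(baseline, after_change))
```

In a real deployment the events would be generated by an agent on an instrumented host and the rule evaluation would happen in the SIEM or EDR; the comparison against the previous run is what turns a one-off purple team exercise into the continuous validation the section describes, because a regression list that is suddenly non-empty is the signal that a control degraded.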
Exam Tip
Vulnerability assessment finds weaknesses. Penetration testing exploits them. Always obtain written authorisation before testing. The exam frequently presents a scenario where a security professional begins testing without proper authorisation — this is always wrong, even with good intentions. The correct answer is to obtain authorisation first. Black box = no prior knowledge (external attacker simulation). White box = full knowledge (thorough internal testing). Grey box = partial knowledge (balanced approach).