A human-first guide to red teaming

Red teaming is one of the most effective ways to understand how an attacker might compromise your organisation, and that has to include revealing how your people respond under realistic pressure. Because red teams deliberately behave like real adversaries, one of the biggest risks of a red teaming engagement is the emotional effect on staff. Employees can feel embarrassed, anxious, or even betrayed. Operational teams can feel exposed. And managers can find themselves handling fallout that they never expected.

When the human impact isn’t handled carefully, trust in your organisation can be lost faster than any system can be exploited, leaving the entire exercise doing more harm than good.

Who you might upset (and why it matters)

Any employee may feel deceived if they fall for a phishing email, or realise it was their account that was used in the red teaming exercise to gain access. Even when no blame is ever intended or explicitly expressed, the emotional response can still be strong: worry about being punished, discomfort at seeing their name in a report, or a general uneasy feeling that their employer has crossed a line and invaded their privacy.

Security operations teams will be affected differently because they shoulder the burden of responding to what looks like a genuine incident, often late at night. This can leave them feeling blindsided when they later discover the situation was artificial. Without preparation or context, this can cause frustration or a sense that senior leadership purposely set them up to fail.


Managers and HR teams can also be pulled unexpectedly into the aftermath, needing to support distressed staff or address complaints about the test. And budget-holders, service providers or vendors may feel exposed if the exercise causes extra work, unexpected costs, or incidents that fall outside their remit.

Even external stakeholders such as unions, regulators and customers may be upset if they hear about a test that appears to have overstepped.


All of these responses to the testing matter. If people feel tricked or embarrassed, they will disengage from the very security culture that the red teaming should be strengthening. A loss of trust leads to fewer incident reports, higher staff turnover and ultimately greater vulnerability. In other words, the human impact of the testing becomes a security risk in itself.

Practical steps for avoiding harm

Criminals targeting your staff don’t care about their wellbeing and will persuade them using every emotional manipulation technique they can. But as an employer you have a duty of care to your employees and stakeholders and can’t be blasé about this. You need to accept that there is a limit to how far a simulation should go, and therefore a limit to how realistic it can ever be.

Before the first phishing email is sent or the first exploit is run, the foundations have to be set in policy, legal agreements and organisational culture. Staff should understand, in general terms, that the organisation conducts periodic security testing and work systems may be used in controlled exercises. HR, legal and security leaders should all be completely aligned on what is allowed and the lines that must never be crossed. Without this clarity, even the best intentions can create unnecessary anxiety or legal complications.


A small, trusted control group, able to intervene if something starts to cause genuine harm, should provide governance over the exercise. They act as a safety valve, ensuring the drive for realism never overrides wellbeing. Briefing and consulting HR and legal early on and throughout the process is important: they will help agree the rules of engagement and the escalation paths to follow should an issue arise.

The guiding principle when designing the test should be to minimise unnecessary harm. Social engineering scenarios are best simulated when they stay as close as possible to actual business processes. The most effective pretexts are those that are personal, sensitive and emotive, but they are not worth the harm they could cause: pretexts involving bonuses, pay, disciplinary action or any deeply personal content can trigger strong emotional reactions and should be avoided. And if you need to simulate a compromise, avoid intrusive access to personal content and keep any use of real employee accounts as light as possible.

Protecting privacy in reporting is another essential part of harm reduction. Reports should focus on lessons, processes and systemic issues rather than highlighting any individual mistakes. Names should be removed wherever possible and, when referencing individual actions is unavoidable, it should be done with context and sensitivity.


Good preparation also includes practical considerations such as agreeing escalation thresholds, budget constraints and communication boundaries with internal teams and external suppliers. This prevents supplier frustration or surprise costs. The same is true for operational security teams. They will need just enough notice to know that a red team will happen but not so much that the exercise loses realism. Establishing a reasonable window for when the red teaming ends and the explanation begins helps avoid resentment and burnout.


Perhaps the most overlooked part of preparation is planning for the possibility of harm. Even with the best design, someone may feel embarrassed, stressed or uncomfortable. Having HR support, counselling routes and a clear communication plan ready ensures those feelings are acknowledged and addressed quickly.


Run the test, then focus on the debriefing

The post-testing debrief is where trust is either repaired or broken. A red team that simply “wins” and walks away leaves behind embarrassment and resentment. A red team that focuses on shared learning builds resilience and strengthens culture.

The debrief should feel safe, honest and, above all, blame-free. It should highlight strengths as well as weaknesses and provide clear next steps for improvement. Employees need to feel valued for their participation and, where appropriate, recognised for their vigilance. When people recognise that the purpose was growth rather than catching people out and embarrassing them, they become more engaged.

Things often missed

Having an opt-out or safeguard process, even if rarely used, will give HR a way to quietly exclude those individuals who might be negatively affected.


Importantly, measuring success shouldn’t just be about technical metrics. Cultural indicators such as psychological safety, reporting rates and engagement levels provide a much fuller picture of the exercise’s real impact.


Public perception and external communication also matter, especially if an exercise unexpectedly becomes visible outside the organisation. And for the lessons to mean anything, there must be a visible and planned commitment to follow through with improvements.

Red teaming is invaluable. It exposes blind spots, tests resilience and improves both technology and processes. But its power comes with responsibility. A red team that forgets the human side risks damaging trust, staff morale and cyber-security culture. Empathy needs to guide planning, and privacy must be protected. The challenge is simple – the red teaming should be realistic enough to learn but considerate enough not to harm. When you get that balance right, red teaming will be one of the most constructive cyber-security tools you have.


Gemma Moore is co-founder and director of Cyberis

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543