



Editor’s note: The following is a sponsored blog post from QA.
There exists in cybersecurity a traditional rivalry between “Red” and “Blue” teams. This is no longer appropriate or sustainable, in a context where rapid tech advancements and the rise of AI-driven threats pose more important challenges. Many security teams remain siloed, divided into offensive and defensive: red and blue. This divide can lead to unintended “culture wars,” where collaboration takes a back seat to competition.
The bad guys are coordinating. The dual nature of cybercrime is blurred by organized crime and nation-states sharing tactics, resources, and constant innovation. So why aren’t we doing the same? I believe that, for cybersecurity teams to be truly successful today, we must rethink the way our teams operate. We need a culture of collaboration that transcends these color-coded roles; it’s crucial for staying ahead of increasingly sophisticated threats. As a former CISO, I’ve led both offensive and defensive teams, and made plenty of mistakes in my time.
Here are my observations and recommendations for this new age:
Red vs. Blue Should Be a Partnership, Not a Competition
The core issue with “Red vs Blue” culture is that it turns two critical functions into competing forces. While red teams are more likely to be focused on exposing vulnerabilities, blue teams are busy defending them. But this rivalry can create friction, where collaboration is seen as secondary to individual success.
In my experience, both teams have the same goal: protecting the organization. This requires them to work together, not in opposition. Red teams are essential in identifying weaknesses, but without blue teams understanding and integrating those insights into their defenses, it can be costly. Blue teams can also benefit from red team expertise: an adversarial mindset helps them harden defenses proactively.
Build a Culture of Shared Responsibility
Organizations can achieve this by creating opportunities for red and blue teams to engage in joint post-incident reviews and regular knowledge-sharing sessions.
Rather than framing these around failure or blame, focus on continuous improvement and mutual learning. Stop gate-keeping offensive training and skills just for the red team: open these skills and insights to blue team members also.
The Speed of Technology Change Means Collaboration Is No Longer Optional
You don’t need me to explain the speed of technology change, the pace at which AI has evolved in this past year alone. Remember, though, the tools, techniques and tactics of cybercriminals evolve in step with it.
AI and machine learning are enabling both attackers and defenders to automate tasks, scale operations and find new vulnerabilities. However, as fast as technology changes, one thing remains constant: cybersecurity is a team effort.
Cybercriminals have a reputation for being highly organized and collaborative. Threat actors often operate in proxy group ecosystems, sharing tools, techniques and even resources. On our side, if red and blue teams continue to operate in silos, we’re already a step behind. We need to match the coordination in response, if not exceed it.
My recommendation is to move towards a purple team approach. While far from being a new concept, this idea, where offensive and defensive roles collaborate continuously, is still mostly ignored.
This doesn’t mean eliminating red and blue team dynamics, but creating a more fluid and integrated workflow, in which both teams can engage in proactive strategies, share insights and develop solutions together.
Break Down Silos with Cross-Functional Teams
Silos plague cybersecurity beyond just the “red vs blue” thinking we have covered. Key functions like software engineering and operations are often disconnected from security initiatives. This not only limits visibility but also slows down response times and undermines overall resilience.
Cross-functional teams that blend red, blue and other security roles are essential for breaking down these barriers. These teams allow for real-time communication, quicker decision-making, and a more holistic view of security issues. When everyone is aligned on the same objectives, teams don’t just react to threats but can start to anticipate them.
I advise all cybersecurity teams to implement cross-functional incident response teams that bring together individuals from offensive, defensive and operational roles. This ensures that when a cyber event occurs, all perspectives are heard and represented, so solutions are comprehensive rather than reflecting an isolated perspective.
Collaboration and Communication as Core Security Skills
In cybersecurity, technical expertise often takes priority. We focus on hiring the best talent by skill, but in today’s environment, technical skills alone aren’t enough. Collaboration and the ability to communicate are now essential skills that need to be developed and valued, in the same way as critical thinking and problem-solving.
Effective communication and collaboration are not just about talking; they are about integrating different perspectives to create stronger defenses. This becomes even more important as teams are increasingly distributed across geographies and time zones, making digital collaboration tools and practices a necessity.
Build a Sustainable Team
Building and sustaining a robust cybersecurity team is crucial for any organization, and the ongoing team effort required for success should not be underestimated.
Achieving this requires thoughtful design, strategic talent acquisition beyond tech skills-based recruitment alone, and continuous professional development.
No one wants to hire a “square peg” for the cyber “round hole.” Allow your team members to fit and move between red and blue teams without salary sacrifice, as they develop, learn and grow. Each of these components plays a vital role in ensuring the team can effectively anticipate, respond to and mitigate evolving cyber threats together.
As technology continues to evolve and threats become more complex, organizations can no longer afford to let red vs. blue rule-bound perceptions hold them back. Hackers don’t follow the rules; neither should you. Break this archaic rule and create a unified approach that fosters collaboration, breaks down silos, leverages diverse skill sets and encourages continuous learning.