Why the question keeps coming up
Malaysian CISOs and risk officers are routinely asked the same question by their boards: “We already do penetration testing — do we also need BAS? Do we need a red team?” The answer depends on what gap each modality actually closes. They are not substitutes; they answer different questions, on different cadences, against different audiences. Picking the wrong one wastes budget and leaves real exposure unaddressed.
The three modalities defined
Penetration Testing. A point-in-time, scoped expert assessment. Testers attempt to find and exploit vulnerabilities in a defined target (an application, a network segment, a cloud account) within an agreed time-box. The output is a list of findings with reproducible evidence and remediation guidance. Testers may or may not avoid blue-team detection — the goal is coverage of the scope, not stealth.
Red Team Operations. A multi-week, scenario-driven adversarial exercise that emulates a realistic threat actor across the full kill chain — initial access through objective. Blue team is not informed. Stealth, evasion and detection avoidance are central. Output is an attack narrative, a measure of detection and response performance, and a purple-team handover.
Breach & Attack Simulation (BAS). A continuous, automated execution of known adversary techniques against your live environment — typically via a vendor platform (SafeBreach, AttackIQ, Cymulate, Picus, Mandiant Security Validation). Each technique is replayed safely (no real damage) and the platform measures whether your controls detected and prevented it. Output is a continuously updated control-effectiveness scorecard.
Comparison matrix
| Criterion | Pentest | Red Team | BAS |
|---|---|---|---|
| Cadence | Annual / on-change | Annual, or every 18-24 months | Continuous (daily) |
| Scope | Defined target | Full kill chain, scenario-led | Control validation, all techniques |
| Output | Findings list with evidence | Attack narrative + MTTD/MTTR | Real-time control scorecard |
| Cost (typical Malaysian range) | RM 15K-80K per engagement | RM 60K-200K per engagement | RM 150K-500K annual platform + ops |
Use-case decision tree
Use a pentest when: you have a new or recently changed application, segment or cloud account that needs assurance; an annual compliance attestation requires it (PCI DSS, ISO 27001, BNM RMiT scoped tests); a customer or regulator demands evidence; or a specific area of your stack has known unverified risk.
Use red team when: you need to test detection and response (not just controls); you must satisfy BNM RMiT 10.49's intelligence-led testing expectation; the board needs assurance that the security investment actually withstands adversary pressure; or you suspect existing pentests have not been finding what real attackers would.
Use BAS when: you have a mature SOC and SIEM and want to continuously measure detection coverage; you are deploying new controls and want immediate before/after validation; you need to demonstrate ongoing control effectiveness to examiners; or your detection-engineering team needs a feedback loop faster than annual pentests can provide.
For most regulated Malaysian organisations the right answer is not “pick one.” It is: pentest annually for scoped assurance, BAS continuously for control validation, and intelligence-led red team every 18-24 months for adversary realism.
BNM RMiT mapping
The RMiT Policy Document supports — and in places implies — all three modalities, though it explicitly names only intelligence-led testing.
- Pentest: implied throughout the cyber-resilience chapter; demanded by examiners as routine assurance evidence on critical systems and any material technology change.
- Red team / intelligence-led: directly named in the cyber-resilience chapter (around paragraph 10.49 in current versions). The highest-assurance modality and the strongest examiner signal.
- BAS: not named explicitly but increasingly viewed by examiners as the operational evidence of continuous control effectiveness — a defensible proof point that gaps surfaced by an annual pentest stay closed throughout the year.
Specific clause numbers and current text take precedence — confirm against the published RMiT Policy Document at bnm.gov.my.
Sequencing the programme
A defensible three-year offensive programme typically looks like this:
- Year 1: Establish baseline pentests across critical applications and infrastructure. Stand up BAS platform and tune to a sustainable alert cadence.
- Year 2: Run the first intelligence-led / red team engagement against the highest-priority crown jewel. Continue BAS continuously. Keep scoped pentests on the annual cycle.
- Year 3: Repeat intelligence-led testing against a different crown jewel. Use BAS to track remediation closure rate and control drift between annual pentests. Add purple-team uplift sprints driven by red team findings.
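As an added illustration (not code from this page or from any BAS vendor), the following Python turns two constructed BAS run exports into the control-effectiveness scorecard described under the BAS definition and the remediation closure rate and control drift view from the Year 3 step. The record shape and the per-technique results are assumptions, not a real platform's export format.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Result:
    """One replayed technique from a BAS run (constructed, vendor-neutral shape)."""
    technique: str   # MITRE ATT&CK technique id as a platform would export it
    prevented: bool  # a preventive control blocked the simulated action
    detected: bool   # SIEM/EDR raised an alert for it


def covered(r: Result) -> bool:
    """A technique counts as covered if any control prevented or detected it."""
    return r.prevented or r.detected


def scorecard(results: Iterable[Result]) -> dict:
    """Control-effectiveness scorecard for a single run."""
    rows = list(results)
    n = len(rows) or 1  # guard against an empty run; percentages become 0.0
    return {
        "techniques": len(rows),
        "prevented_pct": round(100 * sum(r.prevented for r in rows) / n, 1),
        "detected_pct": round(100 * sum(r.detected for r in rows) / n, 1),
        # blind spots: neither prevented nor detected, i.e. what a pentest would have listed
        "blind": sorted(r.technique for r in rows if not covered(r)),
    }


def drift(baseline: Iterable[Result], current: Iterable[Result]) -> dict:
    """Closure rate and regressions between two runs over their common techniques."""
    base = {r.technique: covered(r) for r in baseline}
    cur = {r.technique: covered(r) for r in current}
    common = base.keys() & cur.keys()
    open_before = {t for t in common if not base[t]}
    closed = sorted(t for t in open_before if cur[t])
    regressed = sorted(t for t in common if base[t] and not cur[t])  # control drift
    rate = round(100 * len(closed) / len(open_before), 1) if open_before else 100.0
    return {"closure_rate_pct": rate, "closed": closed,
            "still_open": sorted(open_before - set(closed)), "regressed": regressed}


# Constructed sample runs: a Year 1 baseline and a later run after remediation work.
BASELINE = [Result("T1059.001", False, True), Result("T1003.001", False, False),
            Result("T1021.002", True, True), Result("T1048.003", False, False),
            Result("T1078", False, True)]
LATEST = [Result("T1059.001", True, True), Result("T1003.001", True, True),
          Result("T1021.002", True, True), Result("T1048.003", False, False),
          Result("T1078", False, False)]

if __name__ == "__main__":
    print(scorecard(BASELINE), scorecard(LATEST), drift(BASELINE, LATEST), sep="\n")
```

The `regressed` list is the signal examiners care about between annual pentests: a technique that was covered in the baseline and is blind now points to a control that has drifted, not a new finding.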
For execution: see our BAS service, penetration testing hub, intelligence-led testing, and our red team operations service.