The short answer
A penetration test answers: "within this defined scope, what can a competent attacker find and exploit?". A red team answers: "against our trained blue team, with realistic objectives and full freedom of method, can a skilled adversary achieve a defined business-critical impact?". Pentests are scoped, time-bound, technically focused, and primarily about finding vulnerabilities. Red teams are objective-driven, stealth-focused, broader in technique, and primarily about testing detection and response.
Penetration testing — methodology
A pentest follows a structured methodology — CREST, OWASP, PTES, NIST 800-115. The scope is defined in writing: target list, IP ranges, applications, user accounts, time windows, rules of engagement. The blue team is generally aware that testing is happening. The objective is broad coverage of the in-scope environment, vulnerability discovery, and exploitation to demonstrate impact.
A typical Malaysian pentest engagement runs for 1-4 weeks of testing effort depending on scope, plus 1-2 weeks for reporting and retest. Deliverables include an executive summary, technical findings with CVSS and business-impact ratings, an evidence pack and a remediation roadmap. The output is suitable for satisfying audit requirements (PCI DSS Requirement 11, ISO 27001 control A.8.29, BNM RMiT baseline pentest cadence). See our pentest service.
Red team — methodology
A red team engagement is goal-driven. The client agrees one or more crown-jewel objectives — "exfiltrate this dataset", "execute a wire transfer", "deploy ransomware to the production estate" — and the red team is given freedom of method to achieve it. The blue team is typically not informed in advance. The engagement window is longer (4-12 weeks), allowing time for stealth, low-and-slow movement and adaptation.
Techniques span technical (zero-day-style exploitation, custom implants, defence-evasion), human (phishing, vishing, physical pretexting) and supply-chain (vendor compromise, fourth-party). The deliverable includes an attack narrative mapped to MITRE ATT&CK, a measured comparison of attacker time-to-objective versus defender time-to-detect/respond, and a detection-engineering gap analysis. See our red team service.
Intelligence-led testing — the regulated-FI tier
Intelligence-led penetration testing (also threat-led penetration testing, TLPT) is the highest-tier offensive engagement. It starts with bespoke cyber-threat intelligence on adversaries actually targeting your sector, builds attack scenarios from real recent campaigns, and emulates those TTPs end-to-end. For Malaysian banks, this is the BNM RMiT clause 10.49 engagement. See our intelligence-led service.
Intelligence-led tests typically combine red team execution with formal blue-team measurement (purple team handover) and regulator-ready reporting. Comparable frameworks internationally include CBEST (Bank of England), TIBER-EU (ECB), iCAST (HKMA) and AASE (MAS).
When to choose pentest, red team or intel-led
- Pentest — annual baseline assurance, new application launches, after major releases, audit and compliance evidence (PCI DSS, ISO 27001, RMiT baseline). The bread-and-butter cadence for every regulated organisation.
- Red team — when you have a mature security programme and want to test detection and response under realistic adversarial pressure. Typical for organisations with an internal SOC, an EDR-deployed estate and an incident-response playbook in place.
- Intelligence-led — for BNM-regulated banks (RMiT 10.49 expectation), NCII operators, and any organisation where regulator-grade assurance of cyber resilience is required.
Regulatory perspectives
BNM RMiT
The Policy Document expects baseline penetration testing on a regular cadence across critical systems, plus intelligence-led testing for critical environments under clause 10.49. Examiners look for both layers. A pentest alone will not discharge the 10.49 expectation; an intelligence-led test alone will not satisfy the broader baseline-testing expectation. See RMiT compliance.
PCI DSS
PCI DSS v4.0.1 Requirement 11 specifies internal and external penetration testing on the cardholder data environment. Red teaming is not mandatory but is recognised under Requirement 12.10.2 / 12.10.3 as part of incident-response testing. The PCI Council's guidance on penetration testing remains a useful baseline.
CSAR / Cyber Security Act 2024
The Cyber Security Act 2024 and its Cyber Security (Risk Assessment and Audit) Regulations (CSAR) create audit and risk-assessment obligations for NCII entities. Penetration testing is one input into the CSAR risk assessment; for sector lead entities with mature programmes, red teaming may also feature.
Sample engagement comparison
| Aspect | Pentest | Red team | Intel-led |
|---|---|---|---|
| Duration | 1-4 weeks | 4-12 weeks | 8-16 weeks |
| Blue team awareness | Yes | No | No |
| Scope | Defined targets | Objectives | CTI-driven scenarios |
| Primary goal | Find vulnerabilities | Test detection/response | Regulator-grade assurance |
| Regulatory fit | Baseline RMiT, PCI DSS 11 | Mature programmes | RMiT 10.49, BNM, NCII |
Procurement guidance
Do not procure a red team if you do not have a SOC, EDR-deployed estate and a working IR playbook. The output will be a series of obvious wins, not actionable detection-engineering gaps — and you will have spent red-team budget on what a pentest would have surfaced. Conversely, do not procure baseline pentesting only and assume it discharges RMiT 10.49 — examiners will not accept the substitution.
A defensible 2026 cadence for a Malaysian regulated enterprise looks like: quarterly external vulnerability scanning, annual application and external pentests, biennial intelligence-led test (for RMiT-supervised entities), and an annual purple-team or scoped red-team exercise where programme maturity supports it.
Related reading: VAPT in Malaysia, BNM RMiT Intelligence-Led Pentest.