The difference between pentesting and red teaming
Penetration testing answers a specific question: can someone break into this system, and if so, how? You define a scope, the consultants attack those targets, and you get a report listing what they found. It's the right starting point for most organisations in Singapore, and it's what most regulatory frameworks expect. We cover that in detail in our penetration testing guide for Singapore.
Red teaming asks a different question entirely: if a motivated adversary targeted your organisation, how far would they get before your security team noticed?
The scope is open-ended. The red team chooses their own targets, their own methods, and their own timing. They don't just test your technology. They test your people, your processes, your detection capabilities, and your incident response. The defenders, usually called the blue team, don't know exactly when the attack is coming or what form it will take. That's the point.
A penetration test finds technical flaws. A red team assessment tests whether your organisation can actually defend itself.
Why Singapore organisations move to red teaming
Singapore's financial sector drives most of the demand. Banks, insurers, and payment institutions regulated by the Monetary Authority of Singapore (MAS) have been doing penetration testing for years. Many have mature vulnerability management programmes. They patch fast, they test regularly, and their technical security is reasonably solid.
But here's what keeps CISOs at those institutions awake: the next breach probably won't come from an unpatched server. It'll come from a convincing spear-phishing email that tricks a finance employee into wiring money. Or an attacker who walks into the office behind someone and plugs a device into the network. Or a compromised vendor with privileged access.
These are not scenarios a standard VAPT engagement covers. Penetration testing is scoped to specific systems. Red teaming is scoped to the organisation.
Outside finance, we're seeing growing interest from healthcare providers handling patient data, government-linked companies, and large enterprises in Singapore that have invested heavily in security operations centres and want to validate whether their SOC actually works under pressure.
What a red team engagement actually covers
A red team assessment in Singapore typically runs four to eight weeks. The team operates with minimal prior knowledge of the target environment, just like a real attacker would. Here's what that looks like in practice.
Reconnaissance and open-source intelligence. The team profiles the organisation using publicly available information. LinkedIn profiles, job postings, GitHub repositories, domain registrations, leaked credentials from previous breaches. An experienced red team can map your technology stack and identify high-value targets before they send a single probe.
Technical exploitation. External infrastructure, web applications, wireless networks, VPN portals, cloud environments. The red team chains vulnerabilities together to establish a foothold, then moves laterally through the network. This overlaps with penetration testing, but the difference is intent. The red team isn't cataloguing every flaw. They're looking for the fastest path to the objective.
Social engineering. Phishing campaigns, pretexting phone calls, impersonation, even physical tailgating. Social engineering is often the most effective attack vector in Singapore engagements because organisations invest heavily in technical controls but underinvest in human-facing security awareness. A well-crafted phishing email targeting a system administrator, using information scraped from their conference talks and GitHub activity, works more often than it should.
Physical access testing. Not every engagement includes this, and it requires explicit approval, but some organisations want to know whether someone can walk into their office, access a restricted floor, or plug an unauthorised device into the network. Singapore's dense urban environment makes physical security particularly interesting. Shared office buildings, interconnected spaces, and visitor management systems all create opportunities.
Objective-based execution. The engagement has a defined goal. Exfiltrate a specific dataset. Gain domain admin. Access a particular system. Compromise a user account with financial authorisation. The red team documents their attack path from initial access to objective completion, including every detection opportunity the blue team missed.
Purple teaming: closing the detection gap
Traditional red teaming ends with a report. The red team attacks, the blue team defends, and afterwards everyone reviews what happened. That model has value, but it has a structural problem: the red team learns a lot during the engagement, and the blue team learns very little until it's over.
Purple teaming engagements fix this by running the attack and defence in tight coordination. The red team executes a specific technique. The blue team observes it in real time and attempts detection. They discuss what was visible in the logs, what alerts fired, and what was missed. Then they iterate.
This collaborative approach produces something a standard red team report can't: improved detection rules, tuned SIEM alerts, and a blue team that has actually practiced defending against the specific techniques they're most likely to face. For organisations in Singapore that have invested in a security operations centre, purple teaming is often more valuable than a standalone red team exercise because it directly improves the security monitoring you're already paying for.
We use structured frameworks like MITRE ATT&CK to map techniques to detection opportunities during purple team engagements. Each technique gets tested, detections get validated, and gaps get documented in a format that maps directly to SOC operations.
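The technique-to-detection mapping described above can be reduced to a correlation between the red team's action log and the SIEM's alert export. The sketch below is an added example, not Bravix's tooling: the hosts, timestamps, field names and 30-minute detection window are constructed assumptions, and the technique IDs are MITRE ATT&CK identifiers.

```python
from datetime import datetime, timedelta

# Constructed sample data: red team action log (time, ATT&CK technique, host).
ACTIONS = [
    ("2024-03-04T09:00:00", "T1566.001", "wks-fin-07"),
    ("2024-03-04T09:12:00", "T1059.001", "wks-fin-07"),
    ("2024-03-04T10:30:00", "T1003.001", "wks-fin-07"),
    ("2024-03-04T11:05:00", "T1021.002", "srv-file-02"),
    ("2024-03-04T13:40:00", "T1041", "srv-file-02"),
]
# Constructed sample data: alerts exported from the SIEM for the same window.
ALERTS = [
    ("2024-03-04T09:13:30", "T1059.001", "wks-fin-07"),
    ("2024-03-04T10:20:00", "T1003.001", "wks-fin-07"),   # fired before the action
    ("2024-03-04T12:50:00", "T1021.002", "srv-file-02"),  # fired, but too late
    ("2024-03-04T13:41:00", "T1041", "srv-db-01"),        # wrong host
]

def correlate(actions, alerts, window=timedelta(minutes=30)):
    """Match each action to the first unused alert with the same technique
    and host that fires at or after the action and within `window`."""
    used, rows = set(), []
    parsed = sorted((datetime.fromisoformat(t), tech, host, i)
                    for i, (t, tech, host) in enumerate(alerts))
    for t, tech, host in sorted(actions):
        start = datetime.fromisoformat(t)
        hit = next((a for a in parsed
                    if a[3] not in used and a[1] == tech and a[2] == host
                    and start <= a[0] <= start + window), None)
        if hit:
            used.add(hit[3])  # one alert cannot explain two actions
        delay = int((hit[0] - start).total_seconds()) if hit else None
        rows.append({"technique": tech, "host": host, "action_time": t,
                     "detected": hit is not None, "seconds_to_alert": delay})
    return rows

def coverage(rows):
    """Fraction of executed actions that produced a timely alert."""
    return sum(r["detected"] for r in rows) / len(rows)

def gaps(rows):
    """Technique IDs with no timely alert: the detection-engineering backlog."""
    return [r["technique"] for r in rows if not r["detected"]]

if __name__ == "__main__":
    result = correlate(ACTIONS, ALERTS)
    for row in result:
        print(row)
    print(f"coverage={coverage(result):.0%} gaps={gaps(result)}")
```

Widening `window` shows which detections exist but fire too slowly to matter, which is a different remediation from a technique with no alert at all.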
When you need a red team vs when a pentest suffices
Not every organisation in Singapore needs red teaming. If you're still working through your first round of penetration testing, you're not ready. Red teaming assumes you've already done the basics: vulnerability management, patch management, network segmentation, access controls. If those fundamentals aren't in place, a penetration test will give you more actionable findings at a fraction of the cost.
Red teaming makes sense when:
- You've been doing regular penetration testing for at least two to three years and remediation is mature.
- You have a security operations team or managed SOC monitoring your environment.
- You need to validate that your incident response processes actually work under realistic conditions.
- A regulator, board, or key client is asking for advanced adversary simulation.
- You're in a sector where the threat model includes motivated, well-resourced attackers, not just opportunistic scans.
If you're a startup or SME in Singapore that hasn't done a VAPT assessment yet, start there. A targeted penetration test will give you more immediate security improvement per dollar spent.
MAS TRM expectations for advanced testing
The MAS Technology Risk Management guidelines require financial institutions in Singapore to conduct regular penetration testing of critical systems. That's the baseline. From our experience running red team engagements in Singapore, MAS has been progressively raising expectations for larger and more systemically important institutions.
For designated systemically important banks (D-SIBs) and Tier 1 financial institutions in Singapore, MAS expects advanced testing that goes beyond standard vulnerability assessment. This includes threat-led penetration testing, where the scope is driven by relevant threat intelligence rather than a generic checklist, and adversary simulation exercises that test detection and response capabilities. One pattern we've noticed across Singapore financial institutions is that threat-led testing consistently finds gaps that checklist-driven assessments miss.
The direction is clear. MAS wants financial institutions to test like they'd be attacked, not like they'd be audited. Red teaming and purple teaming engagements, structured around realistic threat scenarios targeting Singapore's financial sector, align directly with this expectation.
If your organisation is preparing for a MAS examination, having evidence of advanced adversary simulation exercises, with documented detection improvements and response playbooks validated under pressure, demonstrates a level of security maturity that checklist-driven testing cannot match.
What to look for in a red team provider
Red teaming requires a different calibre of consultant than standard penetration testing. The engagement is longer, less structured, and demands creativity, patience, and a deep understanding of attacker tradecraft. When evaluating red team providers in Singapore, consider the following.
Ask about the team's operational experience. Have they conducted red team engagements against organisations similar to yours in size and complexity? Can they describe their approach to social engineering campaigns? Do they have experience with physical assessments in Singapore's urban environment?
Check whether they use structured adversary frameworks. A provider who maps their techniques to MITRE ATT&CK can give you detection gaps in a format your SOC can actually use. A provider who just lists what they did without connecting it to your detection capabilities is giving you a pentest report with a bigger price tag.
Understand their rules of engagement process. Red teaming involves real attacks against production systems. The provider should have clear protocols for deconfliction (making sure their activity doesn't trigger a real incident response), escalation, and safety boundaries. If they can't articulate these clearly, find someone else.
Look at the deliverables. A good red team report doesn't just list attack paths. It maps each step to detection opportunities, provides a timeline of actions and corresponding alerts (or missed alerts), and gives specific recommendations for improving detection coverage. For organisations exploring AI-powered security tools, ask whether the provider can also test those systems.
Getting started
Red teaming in Singapore is still early-stage compared to markets like the US or UK, but adoption is accelerating fast. MAS expectations are rising. Threat actors targeting Singapore's financial sector are getting more sophisticated. And organisations that have invested heavily in security operations want proof their investment actually works.
If you're considering a red team assessment, start by evaluating whether your organisation is ready. Have you done regular penetration testing? Is your vulnerability management programme mature? Does your security team have the bandwidth to act on the findings? If the answer is yes to all three, a red team engagement will probably be one of the most valuable security exercises you run this year.
If you're not sure whether you need red teaming or would be better served by a more targeted assessment, we're happy to talk through it. No pressure, no upsell. Just an honest assessment of where you are and what would actually help.
Evaluating Red Team Assessment Options in Singapore?
Bravix Infosecurity provides red team and purple team engagements for Singapore organisations that have outgrown standard penetration testing. Threat-led, objective-based, with actionable detection improvements. Talk to us about what your security programme actually needs.