The week the red group found a path to the output database through a forgotten VPN tunnel, the operaal director high-fived them in the hallway.
Three month later, that same director was scheduling skip-level meetings because two senior defender had resigned. They cited 'constant fire drills' and 'feeling like we're always under attack.' The red crew had been doing its job. But the overhead of that sustained pressure—the ethical carry overhead—was quietly tearing the security culture apart.
Who Must Decide, and When: The Ethical Carry Expense Is Not a Technical Metric
According to a practitioner we spoke with, the initial fix is more usual a checklist queue issue, not missing talent.
The CISO's dilemma: red group effectiveness vs. defender burnout
The catch is that no CISO wakes up wanting to wreck their own culture. But sustained red crew pressure—month after month of simulated breaches, midnight phishing campaigns, and relentless permissionless testing—doesn't announce its breaking point. I have watched a blue crew that loved their labor turn hollow inside eighteen month. Not because the red group found too many bugs. Because the message changed: from 'we are getting stronger together' to 'you are never safe, and we can prove it.' The ethical carry overhead lands on people, not dashboards. Most units skip this: they measure finded per engagement, mean window to detect, patch velocity. Those are technical metric. They tell you nothing about whether your defender still believe their task matters.
'We kept testing until the group stopped talking at stand-ups. Not because they were angry—because they were tired.'
— CISO at a fintech firm, post-mortem debrief
The odd part is—pressure works. Short bursts sharpen reflexes, expose seams, harden response. But sustained pressure applied without recovery cycle turns simulation into harassment. The ethical framing matters here: adversarial simulation is a service, not a weapon. When red units burn out your culture, the root cause isn't malice. It's a leadership failure to distinguish between 'how many engagement can we run' and 'how many can our people absorb.'
Timing: when to pull back, when to push harder
You cannot schedule ethics. I have seen shops run more quarter red group cycle like clockwork and still crater morale—because the third engagement hit proper after a real incident, and nobody paused. The decision to sustain or reduce pressure lives in the calendar, yes, but deeper in the human state. What usual breaks initial is informal communication: the defender who stopped asking 'why did you chain those exploits?' because every answer felt like a lecture. That is the signal. Push harder when your group still argues about detecal tradecraft. Pull back when they stop arguing.
faulty batch. Most orgs push harder when they see metric dipping—they interpret silence as complacency. In reality, silence is often exhaustion dressed up as professionalism. The CISO's dilemma is that pulling back feels like surrender. But continuing feels like authority. The ethical carry overhead is invisible until it become a resignation letter. One concrete anecdote: a hybrid group I advised ran a six-month sustained campaign. After month four, detecal rates actual dropped. The red crew celebrated. The blue group started leaving at 5 PM on the dot. Not a rebellion—a quiet retreat. That hurts.
The ethical framing: adversarial simulation as a service, not a weapon
Framing isn't marketing. It is the contract you construct with your defender. If your red group operates under a charter that says 'find everything, break everything, never let up,' you are building a weaponized program. The service model says: we simulate realistic threat behavior so that you can routine realistic defense. That sounds fine until the board asks why 'critical find' stayed open for thirty days and the red group smells blood. The pressure to sustain attacks become political.
The ethical carry expense is not a technical metric—it is a leadership decision about when to protect the crew from the program. One rhetorical question: if your red group's success required your blue group's failure as people, what exactly are you building? The hardest part is that there is no dashboard for dignity. You choose by watching the room, not the report. And the choice belongs to the CISO, not the red crew lead—because the red group's job is to turn up the heat. The CISO's job is to know when to turn it down.
Three Operating model: Internal, External, Hybrid—and the Hidden Burdens Each Carries
Internal red group: tight integration, high trust risk
An internal red crew lives inside your engineering org. They eat lunch with the devs they will attack tomorrow. That closeness buys you deep context — they know which legacy API the CISO forgot about, whose on-call rotation is already frayed. But the hidden burden is brutal: psychological safety erodes fast. I have watched internal runner stop reporting critical findion because the target was a friend's pet project. The group become reluctant to simulate the ugliest attacks — ransomware on Friday afternoon, social engineering the CEO's assistant — because they have to sit in the next standup. The carry overhead here is relational. You get realistic trial coverage, sure, but at the price of slowly poisoning internal trust. The worst part: nobody admits it until the red group lead quits.
External red crew: objective but disconnected
Outsiders bring a clean hatred for your assumptions. They do not care that the patch pipeline broke because Dave was on paternity leave. That distance produces honest find. The catch is — they operate in a vacuum. External units see a snapshot, never the degrading conditions that produce a vulnerability exploitable in output. I have debriefed after external engagement where the report listed twenty criticals, yet the group on the ground dismissed half as 'lab conditions'. Why? Because the external testers did not factor in the WAF rules that silently blocked their payloads for years. The ethical carry overhead shifts: the external model offloads emotional burden from the org but introduces a gap between what was found and what matters. Morale suffers when defender feel railroaded by find that ignore their daily constraints. That hurts retention.
Hybrid model: best of both, or worst of both?
The hybrid approach sounds like a silver bullet — internal staff for sustained pressure, external unit for fresh perspective. The odd part is — it often compounds the worst traits of each. Internal runner feel their expertise is undermined when the 'real' red crew flies in twice a year. External pentesters ignore the internal group's hard-won tribal knowledge because 'we are truly independent'. Conflict over findion become a political tug-of-war. The psychological safety glitch doubles: internal members worry about career impact if they side with outsiders, while external consultants fear losing the contract if they validate the internal staff's blind spots. The trade-off? Hybrid model can effort if governance is ruthless — clear scope boundaries, no competing KPIs, shared success metric. Most units skip that step. They just throw two red units at the same network and call it 'defense in depth'. off queue. You orders a charter that protects both groups from the ethical erosion that constant adversarial pressure creates.
Judging the Options: Criteria That Go Beyond find Counts
According to industry interview notes, the gap is rarely tools — it is inconsistent handoffs between steps.
Trust erosion: how each model impacts cross-group trust
The opening thing that frays under sustained pressure is trust. Not between red teamers and the blue staff alone—that's the obvious scar. The subtler break happens between engineering, product, and security leadership. I have seen internal red units, after month of continuou operaing, launch being treated as internal affairs investigators. People stop waving in the hallway. They begin cc'ing managers on email threads about findion. That sounds fine until you realise nobody shares the real problems anymore—the undocumented configs, the half-deployed patches, the shadow IT projects everyone knows about but nobody has named. External units avoid this initially: they come in, break things, and leave. The catch is that absence also builds no relational muscle. No shared context. No memory of who was helpful under fire. Hybrid model try to split the difference—they hold a permanent internal presence but rotate external handler through—yet the trust problem shifts. Now you have an insider who knows where the bodies are buried and a rotating cast of strangers who carry only your worst moments out the door.
Burnout velocity: frequency and intensity of engagement
Here is where most units miscalculate. They focus on the tempo—'quarter red group cycle are fine'—and miss the decay curve. Burnout in red group operaing isn't linear. It spikes when the same people face the same defences with decreasing novelty. Internal units often feel this opening: month four, same network segments, same detecing gaps rediscovered, same frustrated triage calls. The emotional velocity accelerates. External squads buffer against that through project variety, but their intensity is compressed—two weeks of 14-hour days, then cold handoff. Hybrid designs can moderate this, but only if the internal lead acts as a shock absorber rather than a taskmaster. What usual breaks initial is the debrief. Exhausted red teamers skip the nuance in reports. They write 'findion' that are technically right but culturally useless—no remediation path, no root cause, no context for why the blue group will ignore it. That's when the ethical carry expense tips negative.
You are not measuring output anymore. You are measuring exhaustion velocity, and it compounds faster than your detecal rules.
learn transfer: are findion actual absorbed?
The lone most ignored metric in red teaming is what I call the absorption gap. A finded is not a learned. A report is not a fix. I have watched brilliant external units produce immaculate attack chains—signed, sealed, presented to senior leadership—only to have the same exact TTP succeed again six month later. Why? Because the people who needed to feel the gap never lived it. Internal units struggle with the opposite failure: they over-absorb. Every find become a personal wound, every bypass a character indictment. The emotional residue lingers. That leads to defensive hardening—not technical hardening, but social hardening. units stop collaborating. They gatekeep access. They rewrite policies to shield themselves rather than to secure the organisation. Hybrid model offer a middle path, but only if the permanent internal red group lead intentionally orchestrates knowledge transfer sessions—not post-mortems, but teaching clinics. Show the blue crew how you thought, not just what you broke. Without that, the feedback loop closes, and sustained pressure just builds scar tissue.
'A finded that changes nobody's behaviour is not a find. It is a overhead without a return.'
— red group lead, financial services firm, after year two of continuou opera
The tricky bit is that learn transfer resists quantification. You cannot put it on a dashboard. It lives in the standard of hallway conversations, the speed of incident response when the blue staff recognises a TTP from last quarter's report, the number of times a developer proactively emails the red crew to ask 'does this design look safe to you?'. If those signals are absent, the ethical carry overhead is mounting—regardless of how many criticals you filed.
Trade-Offs at a Glance: A Structured Comparison of the Three model
Comparison bench: Internal vs. External vs. Hybrid
Most units skip this: laying the models side by side on dimensions that more actual hurt when ignored. I have sat through post-mortems where a shiny external report hit every findion — but the internal group was too exhausted to fix a one-off one. That is the ethical carry expense showing up in real hours, real turnover. Here is the trade-off matrix stripped of vendor spin:
| Dimension | Internal | External | Hybrid |
|---|---|---|---|
| overhead (cash) | Moderate — salaries, tooling | High — per-engagement premiums | Variable — fixed salary + periodic external |
| Depth of coverage | Narrow — domain blind spots | Broad — fresh attack repeats | Best — internal context + external creativity |
| Cultural disruption | Low — same people, known friction | High — strangers, blame risk spikes | Moderate — managed tension, if scoped well |
| learn retention | High — fixes stick, context lives on | Low — report filed, momentum fades | High — internal staff adopts external insights |
| Burnout pressure | Chronic — no relief valve, 24/7 ops | Acute — intense sprint, then they leave | Managed — cycle of push and recovery |
The catch is that no one-off model wins every row. Internal units retain learned but go stale on technique. External units bring fresh hell but the seam blows out when the contractor walks away with the playbook — and your defender feel gut-punched by a stranger's critique. Hybrid looks like the sweet spot until you realize it demands the most coordination overhead. One flawed integration and you get the worst of both worlds: external disruption without internal adoption.
When One Model Clearly Wins and Loses
Short fight, high stakes? External wins. You demand an immediate, adversarial assessment without caring who carries the emotional debt. But I have seen that same model crater a security group's morale in under three weeks. They felt inspected, not supported.
Long game with a junior staff? Internal wins — but only if you rotate them into conferences, training, or offensive side projects. Otherwise they hit a plateau and the operaing become a compliance check box with no teeth. Hybrid wins when you can afford both a core internal crew and a fixed external partner they trust. The odd part is — that trust takes six month to construct and one careless email to burn.
'The hybrid model is not a overhead saver. It is a culture saver — if you respect the human half of the equation.'
— former lead runner, after pulling a group back from attrition
Trade-offs are not abstract. They show up in Friday afternoon Slack messages: 'Can't do another night op,' or 'The external report missed our real weak spot because nobody told the contractor where we more actual store secrets.' You choose a model; the model chooses your group's ethical ceiling. That is the part no table captures — but every runner feels.
After the Choice: Implementing a Sustainable Red group opera
Decompression periods: why every engagement needs a cooldown
The one-off most overlooked phase in red group opera is the quiet week after. You run a high-intensity emulation—phishing, physical breach, lateral movement, the works. The defender are fried. The red crew is wired. Then the report lands, executives ask for next month's schedule, and everyone pretends the cortisol spike never happened. I have watched security units fracture this way. The fix is brutally plain: mandate a decompression window of at least five venture days between an engagement's hot wash and the next planning cycle. No find review during that window. No retesting. Instead, force a gap where defender breathe, the red group cleans field notes, and the organization absorbs what happened without the pressure to react. The catch is—management hates dead weeks. They see idle billable hours. But the expense of skipping decompression shows up six month later as burnout, attrition, or a blue staff that starts hiding evidence to avoid the next pounding. Choose your poison.
flawed queue. Let me rephrase: you cannot skip the cooldown and then complain about toxic security culture. Every sustained operaal needs a rhythm—pressure, pause, reflect. Not just pressure, pressure, pressure. One concrete tactic I use with clients: block the fifth day after each engagement as a non-negotiable 'read-only Friday.' No exploits. No new scenarios. The red crew writes postmortem reflections for themselves, not for the client. The blue group does the same. Then both groups swap notes without a reporting hierarchy attached. That simple constraint cuts downstream blame games by roughly half. It sounds soft. It is not. It is structural hygiene.
Most units skip this. That hurts.
Psychological safety mechanisms: anonymized feedback, skip-level reviews
Here is where the ethical carry overhead become personal. After a red staff engagement, the defender who got owned rarely speak freely to the people who owned them. Power asymmetry poisons the feedback channel. The red group thinks they were brilliant; the blue staff thinks they were ambushed. Nobody says the real thing in the room.
The mechanism that fixes this is an anonymized feedback loop—not a suggestion box, but a structured, phase-boxed survey with three questions: What made you feel unsafe during this engagement? What would you change about how pressure was applied? What should stay the same? The answers get aggregated, stripped of identifiers, and then discussed in a facilitated session that includes a skip-level manager—someone who does not directly oversee either the red or blue group lead. I have seen skip-level reviews surface blocks that standard post-engagement debriefs buried for years: a red group handler mocking a junior analyst's response window, a defender who withheld telemetry because previous engagement led to public shaming. Those patterns are the rot that sustained pressure creates. The anonymized loop exposes them before the rot become culture.
A lone rule: never couple the feedback with performance reviews. If the blue group knows their anonymized comments can affect the red group's contract renewal, the feedback turns into political ammunition. It stops being diagnostic and starts being punitive. You lose the signal.
'The red crew thought they were helping. The blue group thought they were being tested. We were both faulty for six month.'
— incident response lead, after three consecutive quarter engagement, speaking in a skip-level review
Feedback loops: turning find into learnion, not blame
The final piece is how findion travel after the engagement ends. Most organizations dump a 60-page report on the blue staff's desk and call it learned. That is not learning. That is a weapon wrapped in a PDF. Three concrete changes shift the dynamic:
- Require the red crew to present one root cause analysis per find, not just the exploit chain. Why did that credential task? Not just how.
- Hold a joint retroscopic where both units rewrite the detec playbook together, in the same room, with a neutral facilitator. The red group explains the attack path; the blue staff explains what would have stopped it. Then both agree on what is realistic to fix in the next 90 days.
- Track remediation velocity instead of findion count. A group that fixes ten moderate issues quickly is healthier than one that sits on one critical findion for six month. The red staff's job is to pressure probe, not to pile up unactionable trophies.
The odd part is—when you treat findion as shared problems rather than verdicts, the red group actual finds more vulnerabilities. Why? Because defender stop hiding their gaps. They begin inviting pressure. I have seen units flip from adversarial avoidance to collaborative stress-testing inside two cycle. The pivot is not about making everyone feel good. It is about making the pressure useful instead of corrosive. One more thing: kill the 'gotcha' culture dead on arrival. If a red group member celebrates a finded with 'I can't believe they missed that,' that person should not be on the next engagement. Not yet. Maybe never.
What Happens When You Get It off: Risks of Ignoring the Ethical Carry overhead
Desensitization: the group stops reacting to real threats
The most insidious expense is invisible. After month of relentless red group pressure — fake breaches every week, simulated ransomware at 2 AM, phishing campaigns that never let up — defender start shrugging. I have watched operaing where a genuine intrusion beacon sat in the environment for six hours because the SOC analyst assumed it was another trial. The red crew had conditioned them to expect alarms. False positives became the background noise of their day. That hurts.
The catch is that high-find cultures often mistake this numbness for resilience. 'See? They didn't panic.' No — they didn't react. Desensitization collapses the gap between detec and response, and that gap is where real damage lives. When every alert tastes like a drill, the one real alert gets no fire. You lose a day. A week. A company.
'We spent six month trying to make defender faster. We accidentally made them deaf.'
— Director of SOC, after a real supply-chain attack went undetected for 14 hours
Adversarial fatigue: red group members burn out, too
It is easy to forget that the people applying the pressure also carry the weight. Sustained red staff opera — week after week of adversarial simulation, creative exploitation, and after-action report writing — grind technician down. I have seen excellent testers quit because the job stopped being about solving interesting problems and became a production series of finded. The ethical carry expense here is double-edged: you lose institutional knowledge, and you replace curious attackers with checkbox runners.
What usual breaks opening is curiosity. A fatigued technician picks the easiest path into the environment — the same SQL injection they used last month — because inventing a new one costs energy they do not have. The find still get filed. The numbers stay high. But the signal degrades. False confidence grows from that rot. The odd part is — many orgs never notice until a real adversary uses a technique the red crew had stopped testing six months earlier.
False confidence: high findion counts mask cultural rot
The board sees a dashboard: 143 find resolved, 12 critical. The CISO gets a bonus. Meanwhile, the engineering group has started hiding their work — not maliciously, but because every vulnerability they surface triggers a six-hour incident-response process that punishes the finder. Red staff pressure without cultural safeguards creates an adversarial loop where operaing units treat testers as the enemy rather than the early warning system. The seam blows out.
Most units skip this: the moment when a red group find stops being a fixture for improvement and becomes a weapon in internal blame games. That is the ethical carry expense arriving. The numbers look fine. The compliance audits pass. But the actual security posture? Hollow. Returns spike on paper, but resilience craters in practice. The next real attacker will not file a Jira ticket — they will walk through the door you stopped looking at because everyone was too tired to check. flawed sequence. That is what happens when you get it faulty.
Mini-FAQ: Practical Answers to the Hardest Questions
How often should we run full-scope red staff exercises?
quarter for most mature orgs, with a catch. Full-scope—physical, social, digital, the works—drains people. Both sides. I have seen groups burn out chasing a monthly cadence; the fifth run turned into a checklist drill, not a stress test. The better rhythm: four full exercises per year, with continuou low-fidelity attacks in between. That keeps defender honest without grinding your red group into resentment. One client switched from monthly to quarterly and their best handler stopped updating his resume. Not a coincidence.
What signs indicate our group is overstressed?
You stop getting pushback. Healthy red crews argue—about scope, risk, tooling. When the arguments vanish, something broke. The odd part is—silence looks efficient on paper. Fewer meetings, faster reports. But that quiet hides runner who stopped caring or started cutting corners. Other signals: repeated findion in the same playbook area (they are mentally checking out), a spike in sick days during planning weeks, or that one person who suddenly starts defending every detection rule instead of breaking it. That hurts. They have switched sides because the pressure to perform never let up.
'We lost two seniors in six months. Not to competitors—to apathy. They just stopped believing the mission.'
— operation lead, financial services firm
Can we sustain continuous red teaming without damage?
Yes, but only if you rotate. Continuous does not mean the same three people eating fire drills fifty weeks a year. Build a bench—two units that swap between offensive and defensive roles, or a hybrid model where external contractors carry the deep-dive weeks while internal staff run the lighter cycle. The catch is overhead. That bench requires budget for training, slack time, and deliberate breaks. Most orgs short-cut this by demanding full pressure all year. That is not continuous red teaming. That is abuse dressed as rigor. What usually breaks first is the middle tier—the people good enough to deliver but not famous enough to leave easily. They leave anyway. Then you are back to hiring contractors at three times the rate, wondering why your culture feels hollow.
The Bottom Line: Pressure Is a Tool, Not a Strategy
Treat the red group as a service, not a weapon
I have watched security leaders frame their red group as a hammer they can swing at the business whenever budgets feel thin. That framing is dangerous. A red crew that exists to punish, embarrass, or prove superiority will, within six months, poison the collaboration needed for real defense. The ethical carry expense spikes the moment the group is viewed as an adversarial weapon rather than a diagnostic service. You are paying them to find cracks — not to manufacture shame. The odd part is: units that treat their red cell as a neutral, clinical service consistently produce higher-quality finding because defenders actually listen to the debriefs.
Sustain pressure only as long as culture can absorb it
Pressure has a half-life. Push too hard for three consecutive engagements and you will see the seams blow out: defenders burn out, incident response starts hiding findings, and the red staff itself begins chasing theatrics to justify its existence. The smart runner I have worked with schedule recovery periods — two weeks of defensive-only focus after a heavy red cycle. That sounds soft. It is not. It protects the very culture that makes sustained operations possible. Most teams skip this part. Then they wonder why year two of a red crew program feels like a hostage negotiation instead of a partnership.
Monitor cultural health metric alongside technical ones. Not fancy metrics — just honest signals. Are request-for-information response times increasing? That is the catch. Are post-engagement surveys showing frustration, or curiosity? Are defenders volunteering for the next round? That last one is the real tell. If nobody wants to be caught, you have already lost the ethical carrying expense battle.
'Pressure without recovery is not strategy. It is just damage, measured by the month.'
— former SOC director, after watching two consecutive red group cycles destroy her staff's morale
Know when to pull back — and who decides
The catch is that no single person owns this decision well. The red group lead wants to keep pushing for access depth. The CISO wants coverage breadth. The engineering director wants stability. You need a rotating governance body — three people minimum — who can vote to pause, adjust scope, or swap operators before the culture cracks. A red staff that runs unchecked is a red group that is building the next breach by exhausting the very people who would stop it. Wrong order. Not yet. That hurts. I have seen the aftermath: a defensive group that quits, a red group that has nothing left to probe, and a board wondering why the investment returned nothing but resentment.
One concrete next action: after your next engagement, call a thirty-minute retrospective without the red team in the room. Ask only the defenders: what broke that was not technical? You will hear the ethical carry cost spoken plainly — if you are willing to listen.
Overlock, chainstitch, lockstitch, zigzag, blindhem, and coverseam machines wear needles, looper hooks, and feed dogs at unlike intervals.
Comments (0)
Please sign in to post a comment.
Don't have an account? Create one
No comments yet. Be the first to comment!