Adversarial Exposure Validation

Traditional Red Teaming vs OpenAEV: Why Continuous Validation Matters

Apr 27, 2026

Red teaming involves skilled professionals who think like adversaries. They are trained to identify and exploit vulnerabilities to test an organization’s defenses before a real attack occurs.
But here’s the uncomfortable truth: the security coverage validated during an annual red team engagement may not protect you six months later… after system updates, configuration changes, or new threats have emerged. And with the rise in attack frequency and sophistication, this gap is only widening.

This is why traditional, periodic red teaming is no longer enough on its own. Offensive testing needs to be contextual and continuous, not just a checkbox exercise. This is where Adversarial Exposure Validation (AEV) tools come in.
But should AEV tools, like OpenAEV, replace red teaming entirely? (Spoiler: no.)

In this blog, we’ll compare traditional red teaming with OpenAEV’s capabilities, and explain why modern security teams should leverage both to build lasting resilience.


TL;DR

Red teaming and adversary emulation tools like OpenAEV serve different but complementary purposes – and modern security teams need both to stay resilient.

  • Traditional red teaming provides deep, creative, human-driven security validation – but it’s periodic, expensive, and results go stale quickly
  • OpenAEV continuously simulates real adversary techniques mapped to MITRE ATT&CK, validating whether your detection controls actually work
  • The two approaches answer different questions: red teams ask “Can an attacker get in?”, OpenAEV asks “Will we detect it if they try?”
  • Together, they form a purple team feedback loop where findings drive continuous detection improvement
  • Anchored in MITRE’s Threat-Informed Defense methodology, OpenCTI + OpenAEV give security teams an intelligence-driven, continuously validated security posture

OpenAEV: Continuous Exposure Validation

Let’s start with OpenAEV – an open-source Exposure Validation platform that leverages prioritized threat intelligence to simulate real-world attack scenarios, evaluate resilience, and proactively prevent breaches.

It is designed to:

  • Simulate adversary techniques safely, with minimal human intervention
  • Validate detections across EDR, SIEM, XDR, and SOAR
  • Evaluate human and process readiness alongside technical controls
  • Run continuously and on-demand through automation
  • Map all activity to the MITRE ATT&CK framework

The core objective is simple: evaluate, remediate, and prove security resilience repeatedly, at scale.

Red Teaming: What It Is and Why It Matters

Red teaming is a structured, offensive simulation process designed to challenge an organization’s security controls and assumptions in order to identify real weaknesses. Importantly, red teaming is a process, not a product, and it is not defined or limited by any single tool.

Red teaming typically involves:

  • Skilled, experienced offensive security professionals
  • Outcome-focused scenarios, grounded in real threat intelligence or run as Capture the Flag (CTF)-style engagements
  • Custom attack patterns and payloads designed to test detection, response, and communication under realistic attack conditions

When executed well, red teaming answers one of the most important questions in security: Can an attacker break into our environment right now?

Red Teaming: Strengths and Limitations

Red teaming remains one of the most valuable activities in cybersecurity, and it continues to evolve alongside the threat landscape. That said, it comes with inherent constraints worth acknowledging: engagements are periodic and expensive, they depend on the availability of scarce offensive talent, and their findings go stale as systems are updated, configurations change, and new threats emerge.

These limitations are not failures. They are simply the natural constraints of a human-led model.

How OpenAEV Addresses These Constraints

OpenAEV approaches the problem from a different angle. Rather than asking “Can an attacker get in?”, it asks: “Do the security controls we have in place actually detect malicious behavior, and how quickly?”

It doesn’t replace human expertise, but it enables organizations to test their assumptions continuously, using the latest Tactics, Techniques, and Procedures (TTPs) mapped to real-world threats.

A Practical Comparison

Drawing the threads above together:

  • Question answered: red teaming asks whether an attacker can compromise the environment today; OpenAEV asks whether existing controls detect malicious behavior, and how fast
  • Cadence: red teaming is periodic, often annual; OpenAEV runs continuously and on demand through automation
  • Who drives it: red teaming relies on skilled offensive professionals; OpenAEV runs simulations with minimal human intervention
  • Shelf life: red team findings go stale as systems and configurations change; OpenAEV scenarios are saved and re-run as the environment evolves
  • Scope: red teaming pursues custom, creative, multi-stage attack paths; OpenAEV executes known TTPs mapped to MITRE ATT&CK

This comparison makes one thing clear: these approaches are not competing for the same role, they are complementary by design.

AEV: not a cheap Red Team

A common misconception is that AEV platforms are simply “budget red teams.” They’re not. They operate on fundamentally different questions:

  • Red teaming asks: Can an attacker compromise us today?
  • OpenAEV asks: Do our security controls detect malicious behavior, and how fast?

Both questions matter. Answering only one of them leaves a significant blind spot.

OpenAEV and Purple Teaming

Purple teaming bridges the gap between offensive and defensive security. Rather than red and blue teams operating in silos, purple teaming brings them together in a collaborative cycle where attackers and defenders work side by side to identify gaps, build better detections, and validate fixes in real time. The goal isn’t just to find weaknesses, it’s to systematically close them.

But purple teaming is only as good as the intelligence behind it. Without knowing which adversaries and TTPs are most relevant to your environment, you risk testing the wrong things. This is where CTI tools play a critical role by feeding structured threat intelligence into the exercise so that simulations reflect real, current threats rather than generic attack patterns.

OpenAEV delivers the most value when embedded in this kind of purple team workflow, where offensive findings directly inform defensive improvements in a continuous feedback loop.

A typical cycle looks like this:

  1. OpenCTI identifies relevant threat actors and TTPs targeting your industry
  2. A red team engagement, OpenAEV simulation, or real incident surfaces a detection gap
  3. Detection engineers build or update a detection rule
  4. OpenAEV executes the relevant TTP to validate the fix
  5. Results are reviewed, tuned, and documented
  6. The scenario is saved and reused in future validation cycles

Over time, this transforms security from a reactive activity into a measurable, repeatable, proactive validation practice, one grounded in real-world threat intelligence rather than assumptions.
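The loop above is easy to describe and easy to get wrong in practice: the part that needs care is step 4, correlating each executed technique with the alerts a SIEM or EDR actually raised, inside a bounded time window, so that stale or unrelated alerts cannot mask a gap. The following Python script is an added example of that correlation step and is not OpenAEV's code or API. The inject list, the alert stream, the rule names and the 15-minute correlation window are all constructed for illustration; a real run would take the injects from the platform's scenario and the alerts from a SIEM export.

```python
"""
Minimal detection-validation loop (illustrative, not OpenAEV's code).

Given a list of executed ATT&CK techniques ("injects") and an alert stream,
decide for each technique whether it was detected, how long detection took,
and which techniques are gaps that need a detection rule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Inject:
    technique_id: str      # MITRE ATT&CK technique, e.g. T1059.001
    name: str
    executed_at: datetime


@dataclass(frozen=True)
class Alert:
    technique_id: str      # technique the detection rule is tagged with
    rule: str
    fired_at: datetime


@dataclass(frozen=True)
class Result:
    technique_id: str
    detected: bool
    time_to_detect_s: Optional[float]
    rule: Optional[str]


# Constructed scenario: three techniques picked from threat intel, run one
# minute apart. Names and timestamps are assumptions for the example.
T0 = datetime(2026, 4, 27, 9, 0, 0)
INJECTS = [
    Inject("T1059.001", "PowerShell encoded command", T0),
    Inject("T1003.001", "LSASS memory access", T0 + timedelta(minutes=1)),
    Inject("T1047", "WMI remote process creation", T0 + timedelta(minutes=2)),
]

# Constructed alert stream as a SIEM might export it. T1047 never fires:
# that is the detection gap the loop has to surface. The last alert is a
# repeat two hours later and must not be credited to the inject.
ALERTS = [
    Alert("T1059.001", "ps_encoded_cmd", T0 + timedelta(seconds=45)),
    Alert("T1003.001", "lsass_handle_open", T0 + timedelta(minutes=1, seconds=20)),
    Alert("T1059.001", "ps_encoded_cmd", T0 + timedelta(hours=2)),
]


def evaluate(injects: List[Inject], alerts: List[Alert],
             window: timedelta = timedelta(minutes=15)) -> List[Result]:
    """Correlate each inject with the earliest alert for the same technique
    that fired inside [executed_at, executed_at + window]. Alerts outside the
    window are ignored, so an old or unrelated alert cannot hide a gap."""
    results = []
    for inj in injects:
        hits = sorted(
            (a for a in alerts
             if a.technique_id == inj.technique_id
             and inj.executed_at <= a.fired_at <= inj.executed_at + window),
            key=lambda a: a.fired_at,
        )
        if hits:
            ttd = (hits[0].fired_at - inj.executed_at).total_seconds()
            results.append(Result(inj.technique_id, True, ttd, hits[0].rule))
        else:
            results.append(Result(inj.technique_id, False, None, None))
    return results


def summarize(results: List[Result]) -> dict:
    """Coverage ratio, mean time-to-detect over detected techniques, and the
    list of technique IDs that need a new or tuned detection rule."""
    detected = [r for r in results if r.detected]
    mean_ttd = (sum(r.time_to_detect_s for r in detected) / len(detected)) if detected else None
    return {
        "coverage": len(detected) / len(results) if results else 0.0,
        "mean_ttd_s": mean_ttd,
        "gaps": [r.technique_id for r in results if not r.detected],
    }


if __name__ == "__main__":
    # Step 2/3 of the cycle: run, find the gap.
    results = evaluate(INJECTS, ALERTS)
    for r in results:
        status = f"detected in {r.time_to_detect_s:.0f}s by {r.rule}" if r.detected else "NOT DETECTED"
        print(f"{r.technique_id:<10} {status}")
    print(summarize(results))

    # Step 4: after a detection engineer ships a rule for T1047, re-run the
    # same scenario and confirm the gap is closed (constructed alert).
    fixed = ALERTS + [Alert("T1047", "wmi_remote_process_create", T0 + timedelta(minutes=2, seconds=30))]
    print(summarize(evaluate(INJECTS, fixed)))
```

The correlation window is the setting to think about: too wide and a noisy rule that fires for unrelated reasons will be credited as a detection; too narrow and a slow but real pipeline (log shipping delay, batch correlation) will be reported as a gap. Pick it from the measured end-to-end latency of your SIEM and keep it constant between runs so that time-to-detect numbers stay comparable from one cycle to the next.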

OpenAEV vs Red Teaming: Choosing the Right Approach

Choosing OpenAEV:

OpenAEV is best suited for teams looking to build continuous, evidence-based confidence in their detection capabilities. It shines when the priority is breadth, repeatability, and speed.

  • Understand your ATT&CK coverage for your specific environment using contextual threat intelligence and Priority Intelligence Requirements (PIRs)
  • Automate detection validation to maintain continuous confidence in your security posture
  • Deliver clear evidence of security effectiveness to leadership or for compliance purposes
  • Test a combination of technical, process, and human readiness through tabletop exercises
  • Continuously tune your SIEM or EDR as your environment evolves

Choosing Red Teaming:

Red teaming is best suited for deep, scenario-driven assessments that require human creativity and expertise. It goes where automated tools cannot.

  • Leverage skilled professionals to simulate sophisticated, multi-stage adversary campaigns
  • Test human responses and security controls in physical or highly complex environments
  • Uncover creative attack paths that automated tools wouldn’t think to try
  • Validate your posture following major infrastructure or architectural changes

The best approach? Do both.

Neither approach alone tells the full story. Used together, they cover each other’s blind spots and create a stronger, more complete security program.

  • OpenAEV provides automated, continuous evaluation of your attack surface
  • Red teams run periodically with specific, complex objectives
  • Findings from red team engagements feed directly into OpenAEV’s automated validation library

This creates a feedback loop where security controls are continuously evaluated and proven to work over time.

There is no one-size-fits-all process, but continuous evaluation is a must-have for modern SOC teams. This is precisely what the MITRE Threat-Informed Defense (TID) framework is designed to support.

Threat-Informed Defense with The MITRE Framework: How Filigran Fits

MITRE’s Threat-Informed Defense (TID) methodology is built on a simple principle: use real-world adversary knowledge to prioritize defenses and continuously validate that they work. It operates across three steps: understand the threat, validate your defenses, and apply what you learn.

Filigran’s platform is designed to support each of these steps directly:

  • OpenCTI ingests, correlates, and contextualizes threat intelligence mapped to MITRE ATT&CK, so you know who is targeting you and how.
  • OpenAEV automatically executes the relevant TTPs to validate whether your controls actually detect them.
  • Together, they create a closed loop: intelligence informs what to test, and validation results sharpen the intelligence picture.

In short: OpenCTI tells you who is coming and how. OpenAEV proves whether you’re ready.

Closing remark

OpenAEV and red teaming are not rivals, they’re complementary mechanisms for continuously testing and improving your defenses. Red teams provide deep, creative, human-driven security validation at a point in time. OpenAEV ensures your defenses remain effective and measurable in between.

Organizations that embrace both – and anchor their approach in the MITRE Threat-Informed Defense methodology, powered by OpenCTI and OpenAEV – will be significantly more resilient. Not because they’ve checked a box, but because they’ve built a proactive, evidence-based, continuously validated security program.

In today’s threat landscape, that’s not a nice-to-have. It’s a necessity.

Enjoy, and feel free to ask any questions about it on our Slack community channel!
