Rethinking Cyber Security folklore: Notes from a Red Team Lead

Author:
André Lima, Red Team Lead

The security industry has a folklore problem. For years, we’ve recycled advice that made sense in 2005 – like avoiding public WiFi, or rotating passwords every 90 days – while ignoring that the world fundamentally changed. Encryption became ubiquitous. Browser security hardened. Mobile operating systems locked down. Yet we kept repeating the same myths, distracting users from what actually stops compromises: updated software, password managers, and Multi Factor Authentication (MFA). Often, these basics are overlooked because they sound too simple and boring, and providers risk looking outdated if they recommend them. Hacklore.org launched in November 2025 with 80+ CISOs signing an open letter to finally retire this outdated guidance. It’s about time the security community acknowledged that the basics have changed, and our advice needs to catch up with reality. This is essentially what you can find at Stop Hacklore!, as well as in “2025 NIST password guidelines: key updates for businesses” by Proton. I recommend reading both to go deeper into the myths and the updated recommendations I mentioned, and into many more I didn’t. That being said, I thought I would add a bit more to this.

Some of the things that have always bothered me are the misconceptions about definitions that everyone just assumes are right, because they are hearing them from alleged experts, even though you get a different, sometimes opposing, definition every time you ask someone new. Concepts like Red Team, Penetration Test, Purple Team, and so on. I’m always surprised when client companies’ eyes light up after I explain these concepts to them in simple terms: a befuddled expression while realizing that someone else purposefully used big words in a desperate attempt to sound smarter than they really are. A tactic unfortunately used by many, since it’s easy to get a positive response from a non-expert, who will assume the subject is just too complex for them to wrap their heads around.

I, however, tend to go the other way. As Einstein said: “If you can’t explain it simply, you don’t understand it well enough”. Besides, I prefer when my work does the talking for me, as we enforce very high standards at Telenor Cyberdefence.

Other misleading folklore:

  • Everyone needs a red team: false! The whole purpose of a Red Team is to quantify the performance of a Blue Team, and the more experienced the Red Team is, the better those metrics will be. So, it makes no sense to try and force a Red Team project onto a company that has no group of people whose only job is to secure its systems (often in the form of a SOC), which is what one would call a Blue Team.
  • Macs don’t get malware: utterly false. The origin of this one is that the financial incentive for any Threat Actor has always been in the bigger market share of Windows operating systems, so naturally there has been a preference for developing malware for, and exploiting, Windows systems. This created the illusion that “Macs are safer”. However, more and more people are starting to use Macs and, lately, you can see an adjustment in cyber criminals’ focus.

“Red Canary observed four times as many macOS threats in 2024 than in 2023.” (redcanary.com)

  • My company will ignore AI and therefore I’m safe from all its perils: false. The equivalent of shadow IT pops up: individual users will use alternative options if you don’t give them one, and you end up with copies of internal documents, and possibly Intellectual Property (IP), circulating around all the big AI providers.

One can also see the industry attempting to fight back some of this folklore. This is reflected in guidance from the European Central Bank on TIBER testing, which helps companies identify good providers by looking at their “R&D Capability”, clearly trying to shift the focus from what providers are saying to what providers are actually doing:

“3.5.3 R&D capability

Good indicators of RTT technological competence are the quality and depth of their technical R&D capability. Some RTT will constantly develop specific methodologies to address different environments, such as infrastructure, security solutions (AV, XDR, NDR, EDR, email security solutions, secure web gateway, etc.), mainframe, web applications, wireless, mobile, etc.”

As an experienced professional, the thing I value most at this point in my life is honesty and transparency. The world just works better when everyone tells the truth. I don’t mind someone I’m working with not knowing something: if I know they don’t, I can work with them and plan accordingly. That is a lot better than having the project crash and burn due to unreasonable timelines based on falsehoods. The same applies to our clients. There is a huge misunderstanding about “the client is always right”. While it does apply in some industries, its application in the consulting world is simply misplaced. In any interaction with a client, we are usually the actual experts in the room when it comes to Cyber Security. And with that comes a huge responsibility to educate the client and the industry and, above all, to be clear and concise in our messaging.