We may have touched upon a red team/blue team exercises previously, but it is certainly relevant for this discussion thread. Having a red and blue team of professionals to help protect an organization would suggest maturity. In other words, we would assume an organization with a red and blue team to have an advanced security program and architecture. With that said, it does not mean an organization with a less mature cybersecurity program could not or should not deploy a red/blue team. Constant red/blue team exercises against an organizations security posture can prove beneficial.

For example, a metric associated with the red team is, MTTC (mean time to compromise) or MTTP (meant time to privilege escalation).

The Blue team, on the other hand, would have a metric such as ETTD (estimated time to detection) or ETTR (estimated time to recovery).

With these two examples, how could we use such metrics to enhance an organization's security posture?