Beyond Audit: Why MAS Is Pushing For 'Red Teaming' In 2026

31 Dec 2025


Cybersecurity conversations in Singapore are shifting. What used to centre on annual audits and checklist-based compliance is now moving towards something more dynamic, realistic, and reflective of real-world threats. Red teaming is gaining traction because organisations are starting to realise that knowing what should be secure is not the same as knowing what can actually be exploited.

This growing interest is also driven by the changing nature of cyber risks. Attacks today are no longer isolated technical incidents. They are coordinated, persistent, and often designed to test people, processes, and technology all at once. Red teaming, which simulates real attacker behaviour, is increasingly seen as a way to uncover blind spots that traditional testing may never surface.

Why audits alone are no longer enough

For years, audits have been the backbone of cybersecurity assurance. They provide structure, documentation, and a clear benchmark against regulatory expectations. However, audits tend to focus on whether controls exist, not whether they hold up under pressure.

In practice, many breaches happen in environments that have passed audits with flying colours. The issue is not that audits are useless, but that they are limited by design. They often rely on snapshots in time, interviews, and documentation reviews. Attackers, on the other hand, operate continuously and creatively.

The Monetary Authority of Singapore (MAS) recognises this gap. As digital banking, cloud adoption, and interconnected financial ecosystems grow, the regulator is signalling that resilience matters just as much as compliance. Red teaming addresses this by testing how systems behave when someone actively tries to break in, move laterally, and achieve a real objective.

What red teaming actually means in practice

Red teaming is often misunderstood as just another form of penetration testing. While there is overlap, the mindset and scope are different. A red team acts like a real adversary, using a mix of technical exploits, social engineering, and operational tactics to test an organisation end to end.

Instead of asking, “Is this control in place?”, red teaming asks, “Can we still get through despite the controls?” The goal is not to produce a long list of vulnerabilities, but to demonstrate realistic attack paths and business impact.

This approach forces organisations to look beyond individual systems. It highlights how small weaknesses, when combined, can lead to serious consequences. It also tests detection and response, not just prevention, which is a critical shift in thinking.

Why MAS is signalling change ahead of 2026

MAS has consistently emphasised technology risk management, but recent guidance and industry discussions suggest a stronger push towards proactive assurance. The financial sector is a prime target for sophisticated threat actors, and the cost of disruption extends far beyond financial loss.

By encouraging red teaming, MAS is nudging firms to mature their security posture. This is not about replacing audits or existing testing frameworks. It is about complementing them with exercises that reflect modern threat realities.

The 2026 timeline gives organisations space to adapt. Skills need to be developed, internal teams need to understand how to interpret results, and governance structures must evolve. Red teaming outputs are often uncomfortable, as they expose real weaknesses rather than theoretical ones. That discomfort is part of the value.

How red teaming supports real operational resilience

One of the strongest arguments for red teaming is its focus on outcomes. Instead of isolated findings, organisations see how an attacker could access sensitive data, disrupt operations, or compromise critical systems.

This clarity helps leadership teams make better decisions. Investments can be prioritised based on actual risk rather than assumed risk. Incident response plans can be tested under pressure, revealing gaps that tabletop exercises may miss.

Red teaming also improves collaboration across teams. IT, security, risk, and business units are forced to work together to understand what happened and why. Over time, this builds a more realistic and shared understanding of cyber risk.

Where VAPT still fits into the picture

It is important to be clear that red teaming does not make traditional testing obsolete. Vulnerability assessment and penetration testing (VAPT) remain essential. They help organisations maintain baseline hygiene, identify known issues, and validate specific controls.

Many organisations continue to rely on VAPT services as a foundation. These services are particularly useful for regular testing of systems, applications, and infrastructure, ensuring that common weaknesses are identified and addressed promptly.

Red teaming builds on this foundation. While VAPT focuses on breadth and coverage, red teaming focuses on depth and realism. Together, they provide a more complete picture of security posture.

Moving from point-in-time testing to ongoing assurance

One of the challenges organisations face is the pace of change. Systems are updated, new services are launched, and configurations shift constantly. A test conducted six months ago may no longer reflect reality.

This is why discussions are emerging around the merits of making testing continuous and automated. While not every aspect of red teaming can be automated, there is growing recognition that assurance needs to keep pace with operational change.

MAS’s direction reflects this reality. Resilience is not something that can be proven once a year. It needs to be demonstrated repeatedly, under different conditions, and against evolving threat techniques.

Cultural impact inside organisations

Red teaming does more than test systems. It challenges assumptions and behaviours. When teams see how an attacker actually succeeded, it often changes how they think about security in their day-to-day work.

Developers become more aware of how small coding decisions can be exploited. Operations teams gain insight into how misconfigurations can cascade. Leadership teams better understand why certain controls matter.

This cultural shift is one of the less discussed, but highly valuable, outcomes. Security becomes less about passing tests and more about protecting the organisation’s ability to operate and serve customers.

Preparing for what MAS expectations may look like

While MAS has not mandated red teaming in a prescriptive way, the direction of travel is clear. Firms that wait until expectations are formalised may find themselves scrambling to catch up.

Early adopters have the advantage of learning gradually. They can refine their approach, build internal capability, and integrate findings into governance processes. This makes future regulatory engagement far smoother.

Preparation also involves choosing the right partners. Red teaming requires technical expertise, threat intelligence, and an understanding of regulatory context. It is not something that should be treated as a one-off exercise.

Conclusion

MAS’s push towards red teaming reflects a broader shift in cybersecurity thinking. Compliance remains important, but confidence in real-world resilience is becoming the true benchmark. Organisations that embrace this approach are better positioned to handle the threats of tomorrow, not just explain incidents after they happen.

If your organisation is considering how to evolve beyond audits and traditional testing, Group8 can help. With experience across advanced testing, strategic security advisory, and practical risk reduction, Group8 works alongside teams to build resilience that stands up to real attacks, not just paperwork.