Threat detection, incident response and flexibility in changing work environments are the top areas blue teams must work on.

In a new study, Exabeam, the Smarter SIEM™ company, reveals that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises. The top three areas that blue teams must improve upon are threat detection, incident response and flexibility/openness to change while working remotely. When compared to the same study from 2019, this year’s survey shows an increase in technical and adaptability challenges, where the focus fell heavily on teamwork and communication.

This year’s study also shows a positive trend compared to last year’s results when looking at how often blue teams catch red teams, with 37 percent of blue teams reporting they always or often catch these ‘bad actors.’ More than half (55 percent) say they only succeed sometimes and 7 percent rarely or never achieve this feat. In 2019, one-third of respondents said they rarely or never caught red teams.

Despite moving in the right direction, the fact that less than half of blue teams are stopping bad actors a majority of the time demonstrates the priority organizations must place on constantly evaluating and adjusting their security investments to keep up with today’s cybercrimes.

When looking at the results, the study indicates that many companies are consciously taking these steps, with 50 percent increasing security investment and 30 percent adding to their security infrastructure as a result of these exercises. Seventeen percent have done both, and just 2 percent have not adjusted their security tools or budget in response.

In addition to threat detection, incident response and flexibility, communication and teamwork (41 percent), knowledge of threats/tactics (38 percent) and persistence (20 percent) were also listed as valuable skills blue teams should focus on.

On average, organizations conduct red team exercises every five months — breaking down to 26 percent once a month, another quarter every 2-6 months, 32 percent every 7-11 months, and 8 percent once a year. Just 7 percent don’t utilize red teams at all. Blue team exercise frequency reflected similar percentages and averaged out to every six months.

New to this year’s report, 92 percent of respondents tap external red teams without prior knowledge of their internal security systems to help their teams prepare for real-life cyberattacks. However, 54 percent found internal and external red teams equally effective, with a slightly higher percentage (24 percent) citing internal red teams as more effective than external (19 percent).

“An additional study recently reported that more than 80 percent of businesses have experienced a successful cyberattack since the start of the pandemic. Paired with the fact that just over a third of respondents are frequently stopping simulated attacks, these trends illuminate the security fallout caused by the remote work shift, tighter budgets and increasingly sophisticated attack techniques,” said Steve Moore, chief security strategist, Exabeam. “These red team/blue team exercises can be valuable proof points when presenting budgetary and technological needs to the C-suite and board to help keep up with these changes. While there is always room for teams and security postures to mature, it is extremely encouraging that so many companies are regularly performing these tests to identify their weak spots and shore up their defenses.”

In this year’s study, Exabeam also found that many companies use the ‘purple team’ approach, in which the red and blue teams come from their own staff and work together to determine security preparedness. One-third run these simulations every 2-6 months, while 50 percent perform them every 7-11 months, and 12 percent report yearly tests. Again, only 7 percent do not have purple teams in place.

To learn more, visit

*This study is the result of a survey of 307 cybersecurity practitioners, conducted by Censuswide