For many years, organizations have incorporated automated security processes into their development cycles, relying on tools such as vulnerability scanners and CI/CD pipelines to protect applications.
<img fetchpriority="high" decoding="async" class="aligncenter wp-image-8015 size-large" src="https://blog.it-eam.com/wp-content/uploads/2026/04/img-1-1024x528.webp" alt="Ciclo DevSecOps ilustrando as etapas de desenvolvimento e operações com práticas de segurança integradas, como análise de código, testes de vulnerabilidade e monitoramento contínuo." width="474" height="244" srcset="https://blog.it-eam.com/wp-content/uploads/2026/04/img-1-1024x528.webp 1024w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-1-300x155.webp 300w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-1-768x396.webp 768w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-1-1536x792.webp 1536w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-1.webp 1826w" sizes="(max-width: 474px) 100vw, 474px" />
Automated testing has become routine in DevSecOps, promising a strong defense against threats. But is that enough to ensure real protection in a world where attackers exploit the supply chain, use social engineering, and may even be infiltrated within your own organization?
In most cases, the answer is no. Automation detects known vulnerabilities, but overlooks logical flaws, business rule manipulation, and weaknesses in human processes that only the perspective of a real attacker can reveal. This is where the<a href="https://it-eam.com/blog/seguranca/red-team-technology-people-and-processes" target="_blank" rel="noopener"> Red Team</a> mindset becomes a differentiator, simulating real-world attacks to expose what these tools cannot see.
<h2 data-section-id="1xd0pih" data-start="1023" data-end="1049">Adversarial Perspective</h2>
Imagine a developer creating an order approval feature that validates only numeric values, without checking business logic such as inventory limits or multi-factor authentication in critical flows.
Automated tools approve the code. But a Red Team, adopting an adversarial perspective, tests possible manipulations: what if an attacker injects an order with a negative value to reverse balances, or abuses a password reset endpoint through parameter manipulation? This external perspective focuses not only on the code itself, but on how legitimate features can become attack vectors.
While development teams prioritize speed and usability, the Red Team asks: “How could this be exploited in a real-world context?” This integration into DevSecOps reveals invisible flaws, such as those seen in the <a href="https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/">Storm-0558 attack against Microsoft</a>, where Chinese hackers used forged identity tokens to access executive emails, exploiting authentication gaps that automated pipelines did not detect. Without an adversarial perspective, these flaws can go unnoticed.
<img decoding="async" class="aligncenter wp-image-8014 size-large" src="https://blog.it-eam.com/wp-content/uploads/2026/04/img-2-1024x770.webp" alt="Diagrama do ataque Storm-0558 mostrando a falsificação de tokens de autenticação e o uso indevido de chaves MSA para acessar sistemas Microsoft e aplicações corporativas." width="474" height="356" srcset="https://blog.it-eam.com/wp-content/uploads/2026/04/img-2-1024x770.webp 1024w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-2-300x226.webp 300w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-2-768x578.webp 768w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-2-1536x1155.webp 1536w, https://blog.it-eam.com/wp-content/uploads/2026/04/img-2.webp 1589w" sizes="(max-width: 474px) 100vw, 474px" />
<h2 data-section-id="1pou5fb" data-start="2135" data-end="2154">Real-World Cases</h2>
In February 2026, a cyberattack on Change Healthcare, reported in the HHS OCR Bulletin 2026-045, allowed ransomware to encrypt healthcare systems through stolen phishing credentials, exploiting business flows without contextual validations. This is a classic example of lateral movement, mapped to MITRE T1021. DevSecOps tools failed because the issue was logical: accumulated permissions enabled escalation without detection.
Another recent case was the CrowdStrike incident in March 2026, listed in the CISA Known Exploited Vulnerabilities Catalog as EUA-2026-032, where flaws in kernel updates were manipulated to bypass EDRs. The case highlights how Red Team simulations could have identified persistence vectors, mapped to TA0003, beforehand.
<h2 data-section-id="1qrjh6x" data-start="2906" data-end="2943">Maturing Organizational Resilience</h2>
Integrating Red Team practices into DevSecOps goes far beyond running isolated tests. It is about strengthening the organization’s security culture as a whole, not only within the security team.
Organizations with higher security maturity incorporate Red Team gates into their delivery pipelines. These checkpoints introduce adversarial scenarios before each deployment, requiring technical validations, business rule testing, and continuous team preparation. The result is a more resilient posture, capable of identifying risks that traditional scanners would hardly detect.
This approach also addresses one of today’s greatest security challenges: the human factor. The Verizon Data Breach Investigations Report, DBIR 2026, points out that human error and credential abuse remain among the main vectors involved in security incidents. By simulating phishing campaigns, unauthorized access, insider abuse, and operational failures, the Red Team helps reduce real-world impacts and turns learning into continuous improvement.
In addition to reducing incidents, organizations that adopt this model gain regulatory efficiency. Standards such as the European Union’s NIS2 Directive require greater maturity in risk management, incident response, and security governance. Continuously tested environments tend to be better prepared for audits.
The evolution of the threat landscape shows that purely reactive security is no longer enough. Modern attacks exploit human factors, fragile processes, and predictable behaviors. When the adversarial perspective becomes part of the development cycle, architecture stops merely reacting and starts anticipating movements, becoming better prepared for unpredictable threats.
<h2 data-section-id="1ftu4gy" data-start="4663" data-end="4698">Reduced Risk, Protected Business</h2>
Ultimately, attacks also exploit vulnerable processes and people. Adopting Red Team practices within DevSecOps means investing in resilience and security maturity, where technology, people, and operations evolve together.
Because effective protection starts with the ability to think like an attacker before they think for you.
To learn more about Red Team, <a href="https://www.youtube.com/playlist?list=PLkRj2rAoaIOxiJoAOrCNMcjkoXzT-qU3w">follow us on social media</a>!

<a href="https://www.linkedin.com/in/karinaoliveiraa/"><img decoding="async" class="alignnone wp-image-8024 size-large" src="https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-1024x229.png" alt="" width="474" height="106" srcset="https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-1024x229.png 1024w, https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-300x67.png 300w, https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-768x172.png 768w, https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-1536x344.png 1536w, https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-2048x458.png 2048w, https://blog.it-eam.com/wp-content/uploads/2026/05/ass-karina_ENG-scaled.png 1920w" sizes="(max-width: 474px) 100vw, 474px" /></a>

Automatizações são essenciais no DevSecOps, mas não suficientes para identificar falhas reais. Entenda como a mentalidade de Red Team revela riscos invisíveis em aplicações, processos e no fator humano.

capa-blog

For many years, organizations have incorporated automated security processes into their development cycles, relying on tools such as vulnerability scanners and CI/CD pipelines to protect applications. Automated testing has become routine in DevSecOps, promising a strong defense against threats. But is that enough to ensure real protection in a world where attackers exploit the supply [&hellip;]

How a Red Team Mindset Strengthens DevSecOps