In an exclusive insight from the NetSPI “Agent of Influence” podcast, Ryan Hays, Global Head of Red Team at Citigroup and recognized among the Top 100 Information Security Professionals, delivers a crucial perspective on why human expertise remains irreplaceable in cybersecurity despite rapid advancements in automation and artificial intelligence.
The Unmatched Value of Human Expertise in Cybersecurity
Ryan Hays, a seasoned cybersecurity executive with 23 years of experience spanning offensive and defensive cyber operations, recently sat down with Nabil Hannan, Field CISO at NetSPI, for a compelling discussion on the realities of modern offensive security. During the podcast, Hays provided critical analysis separating proven security strategies from industry hype, emphasizing why human-led approaches continue to outperform fully automated solutions.
Deconstructing the “Automated Red Teaming” Narrative
Addressing one of cybersecurity’s most prevalent buzzwords, Hays offered an unequivocal assessment: “I think ‘automated red teaming’ is a marketing term at the moment.” He attributes the term’s traction primarily to its being targeted at small and medium-sized businesses that “don’t know any better” about their true security needs.
Hays maintains that the core of authentic red team exercises remains fundamentally human-centric. “You’re not going to fully automate red team ever. There’s too much human thought process that needs to go in place and just too many decision points that need to happen that AI or machine learning are not going to be able to simulate appropriately without introducing risk,” Hays explained.
His primary concern is that organizations purchasing automated solutions often develop a false sense of security, checking compliance boxes without understanding their actual defensive capabilities against determined, intelligent adversaries.
The Strategic Role of Automation: Force Multiplier, Not Replacement
While dismissing full automation, Hays clarified that he advocates for a symbiotic model where technology enhances human expertise rather than replacing it.
Phase-Based Efficiency
Hays identified the reconnaissance phase as a prime example where automated tools excel at parsing massive datasets that human analysts can then interrogate for strategic insights.
The Operator’s Imperative
Hays emphasized that this model only succeeds when operators possess deep expertise. “They need to understand what they’re doing. When a tool breaks, how do you fix it? If you don’t understand the underlying functions… you’re going to get lost.” This highlights the critical need for continuous investment in skilled professionals, not just software solutions.
Leadership’s Critical Role
Hays pointed to management as an essential component, guiding operators on when to “stop, look at the data, and decide” which tool or tactic to employ next, thereby injecting human intelligence into automated processes.
Overcoming the Purple Teaming Paradox: From Animosity to Alignment
The conversation progressed to applying red team findings through purple team exercises, where Hays identified two primary challenges:
- Funding and Resources: Ensuring adequate budget and personnel allocation for collaborative exercises
- Cultural Animosity: The often-contentious relationship between offensive (red) and defensive (blue) teams that hinders progress
“There’s a lot of animosity between the two teams,” Hays noted, describing common organizational dysfunction where both sides forget they share the ultimate goal of enhancing enterprise security.
The “Defensive Red Team” Methodology: A Novel Approach to Realism
Hays revealed a unique philosophy he has implemented in building red teams: fostering a “defensive red team” mindset. This approach requires operators to base all actions on intelligence gathered during engagements, mirroring real external attackers who lack innate knowledge of the environment.
Central to this methodology is a rigorous “show your work” policy. “Every time they type a command and hit enter, they have to show me their work… What’s your train of thought?” Hays mandates. This extensive documentation serves a dual purpose: ensuring rigorous tradecraft and creating invaluable educational tools during purple team debriefs.
“It sheds a little bit of light that the blue team doesn’t actually get to see when it’s a real adversary,” he said, transforming engagements from simple tests into masterclasses in adversary emulation for entire security organizations.
Red Teaming as Business Philosophy: Expanding Beyond Cybersecurity
Looking beyond immediate technical applications, Hays envisions red teaming principles expanding far beyond cybersecurity departments. He advocates applying red team thinking to all layers of business decision-making.
“Red teaming should be at every single layer of decision-making within a business… thinking about an M&A merger and acquisition: what are the adverse reactions that could happen?” This perspective positions red teaming not merely as a technical function, but as a critical business discipline for comprehensive risk assessment and strategic planning.
Key Takeaways: Fostering Collaboration and Gamifying Success
When asked for overarching advice, Hays emphasized prioritizing relationship-building between red and blue teams: “I’ve been in environments where it’s so much hate and discontent that nothing gets fixed… It’s the only way anything is actually going to get done.”
To achieve this, he suggests gamifying the process to replace animosity with healthy competition. Initiatives like having the blue team treat the red team to dinner if they catch them early in their attack chain (or vice versa) can build camaraderie and transform security into a more collaborative, mission-focused endeavor.
About Ryan Hays
Ryan Hays is the Global Head of Red Team at Citigroup, one of the world’s leading global banks. As a seasoned offensive security leader and former U.S. Navy professional, he possesses extensive experience in building and managing red teams, developing purple teaming strategies, and enhancing enterprise security posture through realistic adversary emulation. Recognized among the Top 100 Information Security Professionals, Hays specializes in offensive and defensive cyber operations, risk mitigation, and strategic security leadership in highly regulated financial environments. He is also a frequent public speaker, mentor, and contributor to the global cybersecurity community.
About NetSPI
NetSPI is a recognized leader in enterprise penetration testing and attack surface management, providing offensive security solutions that help organizations secure their most critical assets. The Agent of Influence podcast features in-depth conversations with top cybersecurity experts exploring pressing industry challenges and innovations.
Source: Agent of Influence podcast, hosted by Nabil Hannan. The full episode with Ryan Hays is available on YouTube, Spotify, Apple Podcasts, and at NetSPI.com/podcast.