What to know about red team testing and the law

Why testers and lawyers need to be on the same page

An organization that spends money on red teaming has a lot to think about, including whether test results should be granted attorney-client privilege.

"Those records could be discoverable in the case of a lawsuit," said Kip Boyle, a fractional CISO and founder of consulting firm Cyber Risk Opportunities. "Don't be sloppy about this. You can't get privileged just by copying attorneys on emails. That's not enough."

Boyle said attorney-client privilege could be especially important when an organization chooses not to mitigate a finding revealed by red team testing. That detail, he cautioned, could become a smoking gun in some eventual lawsuit.

What's essential is preparation, Patariu said. Trying to assert attorney-client privilege after an engineering group or product team conducts red team testing won't stand up to a challenge in court, he said. "It's going to look like you're just trying to hide the documents."

To create a proper red team testing initiative, Patariu advised seeking legal advice before testing begins. In-house testers can't unilaterally assert attorney-client privilege. "If there's no lawyer in the to or the from field, that is the first place that assertion will fail," Patariu said.

A formal testing program matters, the panelists said, because it can serve as a basis for determining whether a business is taking reasonable cybersecurity precautions. An organization that has documented its adversarial testing will be in a much better position to respond to difficult questions should they face regulatory action or a lawsuit.

"Is it going to be a bunch of scattered Jira tickets and people in meetings saying, 'Oh, yeah, I think we do testing,'" Patariu said. "You have to have results. And then the question is: How did you mitigate it? What did you do after the fact? That's all part of this."

With AI, the testing is different

AI expands the attack surface, and agentic AI expands it even further.

Testing an AI model is important, of course, but so is testing where that AI goes next. A business that puts an AI model into action in a product or service also needs to test how securely the AI performs in that product or service, Patariu said.

Security teams also need to be concerned about the potentially harmful actions an AI agent could take while completing its assigned task. "It's very different than just looking at an output," Patariu said. "You're going to say, 'Well, do I have to test for that?' And the answer is: Of course you do."

The 2025 incident in which a vibe coding agent deleted a production database is one such example of how agentic AI can go wrong. The risks might be new, but they aren't unheard of.

"We've all heard about the person who let the AI agent into their email and [the agent] was deleting all sorts of email. These things are known," Patariu said. "It's out there in the press. So, you have to think about these known issues. And are you testing for them?"

An organization that can't prove it did the testing will give the impression that its security program is inadequate, Patariu said.

That proof will take the form of reports adversarial testers provide, and the quality of those reports will matter. "If you're hiring a red team, focus on the reports," Melo said. "Get samples if you can." It's important to know how testers communicate their findings, he said, especially if authorities and regulators start asking questions.

AI models want to be helpful, and, as Melo pointed out, they are designed to provide as much help as possible. They are simply not good at saying no. That reality makes native guardrails insufficient and red teaming all the more important, Melo said.

Phil Sweeney is an industry editor and writer focused on cybersecurity topics.