What Terence Tao’s Red Team Analogy Gets Right About Security

Terence Tao, often called the greatest living mathematician, recently wrote about the nature of red and blue teams — builders and breakers. Their work is dual, he says. Both roles matter, but they operate under very different rules.

He notes that imperfect contributors can still help on a red team if their output is reviewed by someone competent. In security, that imperfect contributor is often the vulnerability scanner. Without a sharp eye to filter the noise, you end up with the infamous scanner dump: pages of unverified, poorly prioritized findings that confuse developers and miss the big picture.

Even when the engagement isn’t formally called a red team test, that’s effectively the role we take. We think like attackers, probe for weaknesses, and surface issues that matter.

Tao also makes a sharper point: “a red team report that contains both a serious vulnerability and a more trivial one is more useful than a report that only contains the serious issue.” That challenges the testers who find one critical bug and call it a day. They land something high-risk and move on, while the rest of the app remains full of exposed edges and weak assumptions waiting to be exploited.

Tao’s broader point is that AI tends to be more useful on the red team side, critiquing human output rather than generating complex work from scratch. The same holds true in security. Automated platforms have their place, but they cannot replace experienced testers any more than a grammar checker can write a novel.

Security still needs human judgment: someone who can think like an attacker, read between the lines, and tell the difference between noise and real risk. That’s not something you can automate away.

That’s how we treat scanners, automation, and AI alike: as tools, not senior testers. They can help improve human work, but they don’t decide what goes in the report.

If you’re preparing for an audit or planning to bring in a vendor, I put together a free guide on how to avoid the most common pentest mistakes. It covers what weak tests tend to miss, how to ask sharper questions, and what a useful report should actually deliver.