Hack Glasgow 2026

Andy Gill

Andy has worked in the industry for a little over 15 years, across the spectrum of red and blue with a short stint of GRC peppered in. He is a seasoned pentester turned adversarial simulation specialist with deep interests in helping blue teams better understand how to hunt out adversaries in the wild, and in bettering his own tradecraft in the process. He is also an avid believer in paying it forward and continues to write blog posts and help others in the industry where he can: mentoring, posting, sharing content and trying to enable those around him to improve.


Session

08-15
13:00
55min
The Hunted Becomes the Hunter: Catching Red Teamers and Pentesters and Spotting Adversarial Patterns
Andy Gill, Alex Close

In this dual-perspective session, a red teamer and blue teamer join forces to pull back the curtain on the cat-and-mouse game between attackers and defenders. By presenting both sides of the same example engagement, we'll show how easy it is to spot pentesters in the wild, what mistakes give them away, and how SOC analysts can use that knowledge to tell the difference between authorised testing and genuine threats, cutting false positives and keeping focus on what matters.

We'll walk through the same scenarios from opposite sides of the fence, covering the tradecraft, the slip-ups, and the detection opportunities that only become clear when you understand both viewpoints. From the red team side, that means being honest about the OPSEC failures that creep in under real engagement conditions, the tool signatures we know defenders can spot and hope they won't, and the gap between how pentesters work and how real adversaries actually operate.

From the blue team side, we'll cover what defender visibility actually looks like during an example engagement, why testers behave differently to regular users, and how context determines whether an alert is worth acting on or just noise.

Real adversaries don't always operate the way pentesters do, and that gap matters for detection. We'll look at why some approaches hold up against both and others don't, including how living-off-the-land techniques appear from each side of the fence, and what lateral movement and credential usage actually looks like when it's genuine compromise rather than a scheduled test.

Environment-aware detection outperforms generic rule sets, and we'll back that up with case studies from both perspectives: authorised activity that triggered alerts and real threats that didn't. We'll also cover how red team feedback sharpens detection logic over time and keeps alert fatigue from becoming a coverage problem.

Stage 1