PDF · 52 pages · Published 2026-05-20 · Free (email-gated)

Red Team ROI 2026.
Forty engagements, measurable outcomes.

Measuring adversary simulation value: detection uplift, MTTR, and dwell-time reduction across 40 engagements.

At a glance:

  • 40 engagements
  • 52 pages
  • +34pp median detection uplift
  • -47% average MTTR by engagement three
Key findings

Five numbers from the dataset.

  • Median detection uplift between first and second red team engagement was 34 percentage points across the dataset.
  • MTTR fell 47% on average between engagement one and engagement three — but plateaued sharply after that without detection-engineering investment.
  • Median observed dwell-time on the standard build dropped from 11.3 days to 2.6 days between first and third engagement.
  • Annual-cadence programmes produced 1.8x the detection uplift of bi-annual programmes at comparable per-engagement spend.
  • Programmes that skipped post-engagement detection-engineering follow-through showed near-zero retention of uplift at the next engagement.
Table of contents

Preview of all twelve sections.

  1. Executive summary

     Top-line findings: median detection uplift between first and second engagement, MTTR reduction curve, the percentage of engagements that hit the crown-jewel objective on the first attempt.

  2. Methodology & dataset

     How the forty engagements were selected (TIBER-EU and CREST STAR-aligned), the metric definitions we used, and the boundary cases where ROI could not be cleanly attributed to the red team.

  3. Detection uplift between engagements

     The detection-rate delta from engagement N to N+1, plotted against SOC headcount, EDR vendor, and tooling maturity. Where the curve flattens, and the marginal-spend cliff at the third engagement.

  4. MTTR reduction — the response timeline

     Mean-time-to-detect, mean-time-to-acknowledge, mean-time-to-contain. Where the bulk of MTTR savings actually accrue, and the two SOC process changes that drove most of the improvement.

  5. Observed dwell-time during simulation

     Median dwell-time on the standard build, on AD-joined endpoints, on cloud workloads. The dwell-time delta after EDR replacement vs. after detection-rule investment vs. after SOC analyst training.

  6. Three SOC maturity inflection points

     Where additional red team spend starts producing diminishing returns: the SIEM-content inflection, the detection-engineering team inflection, and the threat-intel-feed inflection, with the spend ranges that mark each.

  7. Crown-jewel objectives — what stops a red team

     Which controls actually prevented crown-jewel attainment in the dataset: phishing-resistant MFA, conditional access enforced at session level, segmented privileged tier, EDR with kernel-level prevention.

  8. Purple-team transition — when and why

     The trigger conditions that pull a programme from black-box red team to collaborative purple team: SOC maturity threshold, detection-engineering staffing, and the audit-committee question that usually forces the conversation.

  9. Failure modes — expensive theatre

     The three patterns that produced no measurable ROI in the dataset: scope too narrow to test the SOC, no post-engagement detection-engineering follow-through, and the operator-rotation problem that destroys engagement continuity.

  10. Cost models — programme vs. one-off

     Day-rate vs. fixed-fee economics, the multi-engagement retainer break-even point, and why the annual-cadence model produced 1.8x the detection uplift of the bi-annual model in the dataset.

  11. Board-facing reporting that lands

     The four-slide red team summary format that audit committees in the dataset actually engaged with. What to keep, what to cut, and how to frame the failure cases without diluting the message.

  12. Procurement guidance

     The six questions to put to a red team vendor that correlate with measurable detection uplift in the dataset — and the three vendor signals that correlated with the expensive-theatre failure modes.

About the authors

Written by the operators who ran the engagements.

Aman Kumar

Founder & Principal Operator

Twelve years of adversary simulation lead work across BFSI, telco, and large SaaS. TIBER-EU and CREST STAR-aligned methodology lead.

AxVeil Red Team Cell

Field operators

Eight named operators contributed engagement notes, detection-rate measurements, and SOC interaction logs across the forty engagements behind this paper.


Want to place your SOC on the uplift curve?

A 30-minute call with a red team operator costs nothing. We can place your detection programme against the dataset percentiles and tell you, candidly, what the next engagement is worth.