Podcasts · Olivia Garrison
Red Team Village has become one of the most collaborative and accessible communities at DEF CON for security professionals looking to develop their offensive security skills. From hands-on workshops and quick-hit “tactics” sessions to capture-the-flag competitions and networking opportunities, the village creates a space where breaking things isn’t just accepted—it’s celebrated. In this episode, we explore how AI and automation are changing red teaming, what makes Red Team Village different from traditional conference tracks, and how you can get involved whether you’re just starting out or you’re a seasoned offensive security veteran.
Date: February 18, 2026
Featuring:
- Dave Johnson, Co-host, The Job Security Podcast
- Mike Lisi, CEO, Red Team Village
- Wes Turner, Co-author of “Redefining Hacking”
Introduction
Welcome to The Job Security Podcast, where we explore the unique perspectives and stories of the people who make the cybersecurity industry what it is. This week, we’re diving into one of DEF CON’s most dynamic communities: Red Team Village.
Every year at hacker summer camp, Red Team Village builds and fosters a collaborative environment for security professionals to develop and enhance their offensive security skills. They take the theoretical and combine it with real-world application through trainings, conference events, CTFs, and networking opportunities. If you like breaking stuff and learning from your peers, Red Team Village isn’t just a nice place to visit—it’s a great place to call home.
Joining us today are Mike Lisi, current CEO of Red Team Village, and Wes Turner, co-author of “Redefining Hacking” and seasoned red team operator. Both are cybersecurity veterans who have helped shape Red Team Village into what it is today. As organizations increasingly rely on AI and automation to enhance their security operations, the role of offensive security practitioners continues to evolve—and Red Team Village is at the forefront of helping the community adapt.
What is Red Team Village?
Dave Johnson: If somebody were to walk up to you and say, “Hey, what is Red Team Village and what can I expect?” What would you say?
Mike Lisi: The focus here, as you really covered in the intro, is that we’re here to share our skills, share our knowledge with folks that are interested in offensive security. It’s not necessarily just the advanced folks that are trying to transition into red team roles—that is a big part of it—but we really try and cover across the spectrum of offensive security. Things that they can learn, things that they can share, things that they can do.
At the village this past year at DEF CON, we really focused on that hands-on aspect. We had workshops where somebody would come in and talk about a subject for an hour or two hours—more of your typical presentation with a big screen and a podium. Then we had this other thing called “tactics,” which was really like a small little task that you can learn.
Mike Lisi: If you’re just really curious about something but maybe you don’t want to dedicate an hour, you just want to learn about what you could learn more about, we had folks contributing to the tactics. They would just show you one little thing. Like, “Hey, here’s a basic intro to buffer overflow. Here’s something basic on API security.” You could watch, interact, participate, or just hover and learn and see if it tickles your interest.
That’s really what our focus is, and we’ve been really lucky that the community comes forward to share that knowledge. Everybody’s not holding it tightly—they’re here to open that up and really let other people know how they can get better at offensive security.
Red teaming vs. penetration testing: Understanding the difference
For those new to cybersecurity, the distinction between red teaming and penetration testing can be confusing. While both involve offensive security techniques, they serve different purposes and operate with different goals.
Wes Turner: It’s a bit gray, sometimes spicy. A lot of it is the focus and the outcomes of it. Red teaming is more focused on objectives, whereas pen testing might be on coverage and identifying vulnerabilities.
A red team might have the goal of not just “I want domain admin and every vulnerability along the way,” but “Hey, I want to access a specific piece of data or achieve a specific objective, and however I get there, I get there.” They tend to be larger in scope and longer in duration than your typical pen test.
Mike Lisi: I operate more on the pen testing space. In my focus when we’re doing penetration tests, our goal isn’t to be covert. Our goal isn’t to evade all the defenses and test the reaction times of the defenders or blue teams. Our goal is to find where those holes are, what they are, if they can be exploited, and then what those impacts could look like.
On a maturity scale, red team is for organizations that have gone through vulnerability assessments, understanding their assets and infrastructure, and then moved on to pen testing to identify where they’re lacking—missing patching, missing specific real big things. Once we have that matured, then we go into red team with specific objectives to really test the team out: “We think we’ve patched all this stuff. We think we’ve implemented these solutions. Are they actually working and how well are we able to detect this stuff?”
How AI is changing red teaming (without replacing red teamers)
Dave Johnson: Is AI affecting that definition at all right now? Is that changing the way we’re thinking about red teaming in either the structure or the methodology?
Wes Turner: From a red team perspective, AI is a tool. It’s increasing my effectiveness by maybe around 20-30%, depending on whatever I’m doing. I’m able to write code POCs quicker. Sometimes I’m asking questions of something. If I have local models, it’s great to dump a whole bunch of data that’s taken from an engagement and parse through all that data at scale to find “Hey, what’s important in this data?”
There are a lot of ways I’m using it to level up my skills and my effectiveness to make me a more effective red team operator. But it’s not necessarily replacing me.
A lot of the tools we’ve seen in regards to “AI is gonna do something”—it’s just not there. I don’t think it’ll be there for a while. There are great tools out there, definitely products for sale like Expo or Cyber Auto Agent. There are AI-enabled tools like Burp has AI. They make you more effective. Tools like Expo Auto Agent will find certain vulnerabilities—they’re gonna find some cross-site scripting and other things.
Wes Turner: I appreciate having “Here’s a finding we can definitely deliver on,” but then can I take this cross-site scripting further where that particular AI can’t? So it can help you with the larger attack surface, but in regards to replacement, I don’t think we’re gonna be there for a while.
But definitely, if you’re not using AI, you’re gonna be replaced by someone who is using AI better than you.
This perspective aligns with how organizations are approaching AI and automation in defensive security as well—using AI to augment human expertise rather than replace it entirely.
New attack surfaces: AI infrastructure vulnerabilities
As organizations adopt AI technologies, they’re creating new attack surfaces that red teamers are already beginning to exploit. The patterns emerging mirror what happened with IoT devices and other rapidly deployed technologies.
Wes Turner: One of the biggest things we’re seeing—just like we saw with IoT devices—is that what’s old is new again. We’re seeing the same thing with AI. You’re essentially moving that trust boundary.
Even if I have a local model and I’m not reaching out externally, a lot of folks are exposing company data by breaking that trust boundary with external models. Once we step into MCP servers—it’s great, it runs local, totally fine. That trust boundary is at least limited to that localhost unless you pop that dev’s box.
But now that we want to scale that—so that dev has a local MCP server, now you have 20 devs that have the same local server—why aren’t we hosting this internally? Let’s push that internally. Maybe we still don’t have auth on it. So now you just have this exposed endpoint internal that gives you access to a whole other system with a bunch of data.
We’re just seeing a lot of those older vulnerabilities kind of resurface themselves. Auth is definitely a big one. A lot of the MCP servers don’t have proper authentication. We’re seeing aspects of remote code execution, both on localhost or remote servers. There are a lot of opportunities, whether it’s the vulnerability side or “where is our data exposed now?”
Mike Lisi: They’re likely using AI in some capacity. So let’s make sure they’re using it responsibly, especially in industries where sensitive data exposure is problematic—healthcare, financial, those types of things.
If you’re looking at it from an offensive perspective, if they do have something internally that they’re leveraging for AI and it’s training on all their documents and procedures, it becomes a really juicy target for attackers. You can go to one spot now and find out everything you want to know because it’s all easily accessible.
The vibe coding problem: When AI writes insecure code
Another emerging challenge related to AI in offensive security is what Wes calls “vibe coding”—the practice of having AI generate code without proper review.
Wes Turner: A lot of companies are embracing vibe coding. There’s this expectation: “30% of your code is gonna be AI-coded, we want to see a lot more of that.” It’s gonna increase our effectiveness, but you have to responsibly use it.
If I just vibe code this, don’t review it, “looks good to me,” git push—it’s gonna go wrong. Again, have those safeguards in place. It’s one thing if you have some CI/CD pipeline running tests on everything—that’s great.
But I’m sure we’ve all been in that loop of “Hey, create a function that does this.” I run it, it doesn’t work. I tell the model “I got this error,” and the model’s supposed to say “You’re right, it doesn’t work. Let me go ahead and fix that for you.” And then you get stuck in that loop of recreating that function over and over trying to get it to work, until you’re able to ask it better or truly understand what that error does.
Wes Turner: We can’t get away from it. It’s just: how do we do it responsibly?
Mike Lisi: We’re seeing a lot of new vulnerabilities that are the same things we’ve seen in the past because we’re using AI agents for coding. They don’t always implement security most effectively. Now we have these vulnerabilities that we thought we squashed really well in the past popping up again, just due to those security misses that AI tends to have in coding models.
What happens at Red Team Village: Workshops, tactics, and community
Wes Turner: I think what might not have been said is essentially a village is a small conference. It’s a conference within a conference that’s focused on a singular topic.
With that, a lot of it is just come on in. We always have swag tables, so we’re always giving out good sweet swag. We appreciate all the sponsors for making that happen. There’s definitely talks going on that you can peek around the corner and see what’s going on, get a feel for some of the talks that are happening.
The tactics, like Mike said earlier, are very approachable. You just walk up to them. We have multiple stations, so there’s usually something available. They’re 10-15 minutes long, so you just shouldn’t have to wait long.
Wes Turner: There are a lot of other folks that are just hanging around, talking to each other—maybe a talk just let out and they’re talking with the speaker afterwards. There are a lot of opportunities to just explore and have a good time.
We have a kids section as well that we’ve done for five or six years now. There are tons of opportunities—even bring your family. I brought my son this past year. There are a lot of folks that bring their children as well. There’s a little bit of something for everyone.
There are tons of volunteers as well that are helping shape it. We try to make ourselves as approachable as possible. If folks are coming in and they’re not sure what to do, we try to grab them, ask some questions, guide them around the village, and give them that intro. Then we hope they find something that resonates with them.
Security control validation: Purple teaming for real impact
One emerging focus area for Red Team Village—and for red teaming generally—is security control validation. This represents a shift from pure offensive exercises to collaborative approaches that directly improve defensive capabilities.
Wes Turner: As a red team, I can do some cool things, have a cool story: “Hey, look at this awesome thing I did.” But at the end of the day, if we’re not improving the security controls of the company, why am I here?
A lot of it is: how do you prove your security controls? How do you validate that? How do you create metrics around it? How do you raise that to leadership? How do you make the right investments into those security controls?
Really partnering with the blue team side and the organization at large to ensure that we’re raising our security posture across the board.
Dave Johnson: Is that something you’ve noticed—getting commitment from businesses within the results of testing? Are you seeing improvement?
Wes Turner: Definitely. I think one of the biggest things is, as we partner across the org, we’re showing: “Here’s these vulnerabilities. Here’s what kind of security control tests we did.”
When that org says, “Hey, I want to pick a new security product, we’re gonna replace whatever EDR solution, I went to Gartner and picked in the right quadrant for whatever tool, I read all the marketing on it—how do I know it’s effective?”
That’s something we can offer: “We’ll do all the security control validation, do the testing, both of the existing product and the new product.” We’ll do those demos with them and partner on them and show the value—“You’re moving in the right direction, making the right decisions.”
Wes Turner: So it’s changing that focus from an adversarial mindset that we’re always bringing to the table, where sometimes they might be a little more defensive and not as open to the tests we’re doing. But when you’re partnering with them to make sure we’re showing them the value in their decision making that we can provide—I think it’s a great opportunity there, and we see a lot more support and cross-org support.
Beyond DEF CON: Where else to find Red Team Village
Dave Johnson: Where else is Red Team Village aside from DEF CON?
Mike Lisi: Historically, it’s largely been DEF CON. But as the community has grown around Red Team Village, we’ve been getting more requests to support other conferences, other events. The village thing has taken off a lot, so you see a lot more conferences incorporating villages into their events. That opens up new opportunities for us to spread our awareness and what really drives the organization.
We also have a lot of really awesome people on our team that want to continue to offer opportunities. DEF CON is expensive to get to, and we have some really awesome talks there. People really want to engage in that and follow that and watch those, and it’s not always possible.
Mike Lisi: One of the team members, Corey, decided, “Hey, last year we’re just gonna invite all those speakers back—or as many as we can—and just do a live stream for everybody that couldn’t get to DEF CON.” Just sit at home, watch it, you get the same people coming back doing those workshops again.
We’re trying to build on that a little bit more with the village, trying to be selective in where we’re able to go because our funding only goes so far. But it’s opened up a lot of new opportunities.
Last year we got invited down to Brazil to do a village at Hackers to Hackers. It was a really cool experience because now you’re in a completely different hemisphere, and you’re interacting with people that are just as passionate, just as skilled as anybody else that you meet. It really surprised me just how much passion there was everywhere that we went.
Volunteering at Red Team Village: Networking through service
Mike Lisi: Honestly, this is the advice that I give to most folks that are trying to get more involved in the community. When you’re looking to build up your network, being a participant and an attendee at a conference—that’s kind of the base level. You can interact with a lot of folks, make some connections.
If you’re running it, obviously you have a lot of opportunity—a lot of people are looking at you. You have a lot of visibility there.
Somewhere in the middle is where you have the speakers and the volunteers. I was a volunteer for Red Team Village for a number of years before I got elected to lead everything. By volunteering, I had this whole new experience of a conference that I never had before, and I established some really strong relationships with folks that had similar interests to me.
Mike Lisi: I would sit down with another volunteer—in this case, it was my friend Ken. “Oh, I help run Red Siege Security, we do red teaming and stuff.” We collaborated on work opportunities and established a relationship, and that’s something that really wouldn’t have happened as easily if I were just an attendee.
You establish some really strong relationships. That’s awesome for growing your network. We have folks that work at really large companies—Google, Cisco, really big companies. If you have a really strong relationship with them, you’re gonna have a much easier time if you’re looking for a job or looking for connections.
I really advocate to volunteer for anything that’s associated with something you’re interested in, because then you’re gonna really establish some awesome friendships, networking opportunities, and you never know where it’s gonna take you.
How to volunteer:
- Watch for calls on Red Team Village Discord
- Follow announcements on Twitter/X and email
- Sign up through Google forms when events are announced
- Mix of returning and new volunteers welcomed
- Can also just show up and ask to help!
Sponsorship opportunities: Supporting the community
Dave Johnson: How could somebody get involved as a sponsor or vendor for your party or the conference?
Wes Turner: That’s a huge challenge for us every year. We want to show value to our sponsors because they give us so much each year, and we’re always trying to figure out how do we give back and show them what they’re paying for.
We run into challenges, especially in the new space. DEF CON has rules on what we can do with sponsors and what’s available, and the Las Vegas Convention Center has additional rules. We found it restrictive and tough to figure out how to give back to our sponsors and show them the value.
One of the ways we did that was the party. We appreciate it takes decent money to throw that party, and we want to make sure we’re not just taking money and throwing a party—how do we give back?
Wes Turner: Luckily the spot we’ve rented the last few times has a nice outdoor area, large enough that we can invite all of our sponsors, and we don’t have to worry about breaking any rules. We’re able to give them free rein in that area, and it’s off to the side.
If you want to get in and get more swag and talk to our sponsors, you can definitely get over there and do that. Or if you just want to hang out and party on the arcade side, great times either way.
All of our sponsors have given us resounding feedback about how awesome it is in regards to the engagement they can have with everyone attending. They love that engagement—whether they’re looking to hire or looking to make customer acquisition. There are quite a few contacts made during that.
To become a sponsor: Email sponsors@redteamvillage.io
Redefining Hacking: The book behind Red Team Village
Dave Johnson: Are there any books you would recommend that people read to really get into Red Team Village or just red teaming in general?
Wes Turner: I actually have one in front of me right now—“Redefining Hacking.”
Dave Johnson: You were a co-author on that. Can you tell us about this book?
Wes Turner: I’m just a lowly co-author—huge shout out to Omar Santos, one of the Red Team Village founders, and Savannah Law, another one of the previous core leads with Red Team Village.
Just happy to be part of that little crew there to work on that book. It was essentially about a year or so, a little over a year worth of effort to make all that happen. We were trying to capture a lot of the talk around quantum computing, AI, how do we integrate that, what are the thoughts as things are evolving in regards to pen testing, red teaming, and cybersecurity in general.
Wes Turner: At this previous DEF CON, we did a signing. We were able to sign and give away 50 copies to everyone. I think we’re all thinking about what’s some new cool opportunities going forward—maybe there’s another book.
What’s next for Red Team Village in 2026
Mike Lisi: One of the big things we really enjoyed this past year was the introduction of those tactics. What we saw was just this round table with somebody that was knowledgeable about a topic, and then 20 or 30 people just all huddled together talking about it. It was very communal. It was way less formal than sitting in the audience and just watching one person speak.
We really want to expand on that more because I feel like that gets into the heart of that collaboration and community-building aspect that we really like about the village. We’re looking to improve the way we can support those tactics through the platform that Wes and Barrett have created for the CTFs, so we can support whoever’s leading those tactics in an easy way for them to deploy and support it, and then be able to present those to folks at conferences we’re in attendance with.
Mike Lisi: As far as everything for hacker summer camp next year, I would say stay tuned. We really start our planning about the beginning of the year. After August comes by, everybody wants to go into hibernation for a little bit. We’re really just starting to get ramped back up again.
Our website usually has the information that’s most up to date regarding upcoming events, what we need, what we’re looking for, and where we’re gonna have things going on.
Frequently asked questions about Red Team Village
What’s the difference between red teaming and penetration testing?
Red teaming focuses on specific objectives—accessing particular data or systems while evading detection—and tends to be longer in duration and larger in scope. Penetration testing focuses on comprehensive coverage and identifying as many vulnerabilities as possible without necessarily being covert. Pen testing is typically appropriate for organizations still building their security foundation, while red teaming is for more mature organizations that want to test their detection and response capabilities.
Do I need to be an expert to attend Red Team Village?
Not at all. Red Team Village welcomes everyone from beginners to advanced practitioners. The “tactics” sessions are specifically designed for quick learning on specific topics without requiring hours of commitment. You can hover, watch, interact, or fully participate based on your comfort level. The community is there to help newcomers find their way.
How is AI changing offensive security operations?
AI is making red teamers 20-30% more effective by helping with tasks like writing POCs faster, parsing large amounts of engagement data, and answering technical questions using local models. However, AI isn’t replacing red teamers—it’s augmenting their capabilities. The most effective approach is using AI as a tool while maintaining human judgment and creativity for complex attack chains.
What new vulnerabilities are emerging with AI adoption?
Organizations deploying AI infrastructure are creating new attack surfaces that mirror old vulnerabilities. MCP servers without proper authentication, exposed AI endpoints with access to sensitive data, trust boundary issues with external AI models, and insecurely coded applications generated by AI tools are all creating opportunities for attackers. Many “new” AI vulnerabilities are actually classic security mistakes being repeated in new contexts.
How can I get involved with Red Team Village as a volunteer?
Red Team Village posts calls for volunteers on their Discord, Twitter/X, and via email for each event. They welcome both returning and new volunteers and typically use Google forms to collect information. You can also just show up at an event and ask to help—they always have plenty of work to do and will find you something meaningful to contribute.
What makes Red Team Village different from regular conference tracks?
Red Team Village emphasizes hands-on learning and community collaboration rather than passive attendance. The “tactics” format creates intimate round-table discussions with 20-30 people huddled around an expert, fostering genuine knowledge sharing. The village also includes CTFs, networking opportunities, sponsor interactions, and even a kids section, making it a comprehensive community rather than just a series of talks.
Can companies sponsor Red Team Village or send employees?
Yes! Red Team Village actively seeks sponsors to help fund their operations at DEF CON and other events. Sponsors get visibility through the party, access to engaged attendees, and opportunities for hiring and customer acquisition. Companies can also send security teams to attend and learn. Contact sponsors@redteamvillage.io for sponsorship opportunities.
This transcript has been edited for clarity and readability.
For more cybersecurity insights and industry perspectives, subscribe to The Job Security Podcast on Apple Podcasts, Spotify, or your app of choice. Visit redteamvillage.io to learn more about upcoming events and how to get involved. To learn more about how Expel’s AI and automation capabilities support modern security operations alongside offensive security insights, reach out to our team today.
