Summary
Simulated threats vs. real adversaries expose a critical gap that many executives overlook. Penetration tests and red team engagements operate under scoped timelines and rules of engagement that nation-state actors like APT29, APT41, and Lazarus Group simply don't follow. These groups can dwell inside a network for months before acting, and stopping a red team is not evidence of resilience against them. This article walks executives through six practical recommendations for building a security program that accounts for the actual threat, from adopting an assume-compromise mindset to locking down identity infrastructure, investing in threat intelligence, and engaging government resources like CISA.
A Guide for Executive Leadership
Penetration tests and red team engagements are valuable tools in any organization's security program, but they operate under constraints that fundamentally limit how well they simulate the most dangerous adversaries in the world. A penetration test is typically scoped, time-boxed, and conducted under rules of engagement that protect business continuity. Testers agree to keep certain systems out of scope, avoid causing outages, and wrap up in a few weeks. Red teams push further, but they still operate within a budget, a timeline, and a mandate that no real adversary respects. Nation-state threat actors have none of these restrictions. They can spend months or years quietly probing a network, and they are run by intelligence agencies with geopolitical objectives rather than a statement of work.
The resource disparity alone makes a direct comparison difficult. A nation-state cyber program, such as those behind APT29 (Russia's Cozy Bear), APT41 (China), or Lazarus Group (North Korea), may employ hundreds of full-time specialists across offensive research, malware development, signals intelligence, and human intelligence. They develop or acquire zero-day exploits, which target vulnerabilities with no existing patch, and they hoard them specifically for high-value targets. A red team, by contrast, generally works with known techniques and publicly available tooling because that is what is practical and ethical within an engagement. The result is that even the best red team simulates a capable but resource-constrained attacker rather than one backed by a nation's intelligence budget.
Patience and persistence are the most underappreciated differences. Nation-state actors are famous for dwell time, which is the period between initial compromise and detection. This has historically stretched to hundreds of days in high-profile breaches. They move slowly and deliberately, blending into normal network traffic, establishing multiple redundant footholds through more sophisticated implants, and waiting for exactly the right moment to act on their objective. A red team operating over a 4-5 week engagement can’t replicate this. They need to move faster to show results within the engagement window, which changes the entire character of the intrusion. Real nation-state operations also frequently combine cyber intrusion with human intelligence, social engineering of insiders, and supply chain compromises. Social engineering is often covered in penetration testing and red team engagements; however, the patience and persistence of advanced APTs are at a different level.
This isn't an argument against penetration testing or red teaming; both are genuinely useful for identifying gaps, validating controls, and building defensive muscle memory. The point is that organizations should not treat a red team that failed to gain internal access, failed to elevate privileges in the environment, or failed to reach its objectives as a reliable indicator that the organization is safe from a determined attacker. This applies particularly to organizations in critical infrastructure, defense, finance, or any sector of geopolitical interest. These engagements test your defenses against a capable attacker operating under artificial constraints. Nation-state attackers operate with superior resources, unlimited time, zero rules, and a specific and deeply researched interest in their targets. The threat model is categorically different, and security programs should be designed with that reality in mind.
Addressing a Common Misconception
One of the most well-intentioned but consequential beliefs held in many boardrooms today is that a successful red team engagement, particularly one where the team was eventually detected and stopped, is meaningful evidence of resilience against a nation-state level threat. That’s just not the case, and understanding why requires an honest look at what a red team is and what it isn’t.
A red team is a group of skilled professionals operating under a contract. That contract defines what they can touch, what they cannot, how long they have, and the objectives that determine what success looks like. They are working against your defenses for weeks, not years. They are using techniques that, while sophisticated, are largely drawn from the same public knowledge base your defenders have access to. While they can attempt to bypass endpoint security products through various methods, they are not developing the more sophisticated custom implants, such as kernel-level implants, that are built specifically to evade endpoint detection. They are not correlating your network behavior with intelligence gathered from monitoring your executives' travel patterns, public filings, or foreign signals collection. And more critically, they stop when the engagement ends. A nation-state doesn’t.
This is not a criticism of red teams. The best ones provide enormous value and should absolutely be part of a mature security program. The issue is the conclusion that is drawn from the results. When a red team is detected in three weeks, that is useful data about your detection capabilities against a known threat profile operating under time pressure. It tells you almost nothing about whether a patient, well-resourced intelligence operation that has been quietly observing your network for eight months would have been caught. Those are simply different problems.
Executives who have been told otherwise by vendors, consultants, or even well-meaning internal security teams deserve a more complete picture. The appropriate question to ask after a red team engagement is not "did we catch them?" but rather "what would our visibility look like against an attacker who had ten times the time, custom tooling we've never seen before, and a specific intelligence interest in our organization?" That question rarely has a comfortable answer, and sitting with that discomfort is exactly where the most productive security investments are born. A red team report is a floor, not a ceiling, and against nation-state adversaries, it may not even be that.
What Executives Should Do About It
Understanding the threat is only half the equation. The following recommendations are not about abandoning existing security programs; they are about layering the right capabilities and mindset on top of them to better account for the adversary that red teams cannot fully replicate.
Assume Compromise, Not Prevention
The first mindset shift executives need to make is to move away from a prevention-first mentality toward an assumption-of-breach model. No perimeter defense, no matter how well-funded, is guaranteed to stop a nation-state actor with time and resources on its side. A more important question is how quickly your organization can detect an intrusion and how effectively it can respond. This means investing heavily in detection engineering, endpoint visibility, and network telemetry. These are the tools that will help you identify when something is wrong, and shifting resources into them rather than pouring budget exclusively into keeping attackers out is a good first step.
Invest in Threat Intelligence
Executives should ensure their security teams have access to credible, sector-specific threat intelligence. Organizations such as energy companies, defense contractors, financial institutions, and government suppliers are not targeted randomly; they are targeted with a strategic purpose. Subscribing to intelligence feeds from vendors like CrowdStrike and maintaining relationships with sector-specific ISACs (Information Sharing and Analysis Centers) gives security teams early warning about the tactics, techniques, and procedures that are actively being used against organizations in your sector. Awareness of who is likely targeting you and how they operate is a force multiplier for defense.
Prioritize Identity and Privileged Access
The majority of serious breaches pivot through compromised credentials and abused privileged accounts. Executives should champion aggressive identity hygiene across the organization: mandatory phishing-resistant MFA (hardware keys or passkeys), strict privileged access workstations for administrators, just-in-time access provisioning, and regular audits of who has access to what. Active Directory and identity infrastructure in general should be treated as crown jewel assets because attackers treat them that way. If a threat actor owns your identity layer, they own your network.
Fund a Mature Detection and Response Capability
A Security Operations Center that is purely alert-reactive is not sufficient against a patient nation-state actor. Executives should push for a proactive threat hunting capability with analysts who actively look for indicators of compromise rather than waiting for alarms to fire. This pairs with investing in a well-rehearsed incident response plan that has been tested through tabletop exercises at the executive level, not just the technical team. When a serious breach occurs, the decisions made in the first 24 to 48 hours can determine the ultimate impact, and executives who have never thought through those decisions before are a liability in that moment.
Take Supply Chain and Third-Party Risk Seriously
Nation-state actors have shown, most visibly with the SolarWinds breach, that compromising a trusted vendor or software provider is often easier than attacking a hardened target directly. Executives need to ensure their organization has a serious third-party risk management program that goes beyond checkbox compliance questionnaires. This means understanding what level of access your vendors and partners have to your network, requiring contractual security standards, and monitoring third-party connections continuously. Your security posture is only as strong as the weakest link in your supply chain.
Engage with Government Resources
Many executives are unaware that free, high-quality resources exist specifically for this threat. CISA (Cybersecurity and Infrastructure Security Agency) offers threat briefings, vulnerability advisories, and incident response assistance at no cost. The FBI's Cyber Division actively shares threat intelligence with private sector organizations in sensitive industries. Building a relationship with these agencies before an incident means you have a direct line when something goes wrong, and it keeps your team informed about active nation-state campaigns that may not yet be public knowledge.
Final Thoughts
Red teams and penetration tests are not the enemy of good security; complacency is. The organizations most at risk from nation-state actors are not the ones who skipped the red team engagement, but the ones who ran it, were happy with the results, and stopped asking hard questions. The adversaries that pose the greatest threat to critical industries are disciplined, well-funded, and in many cases have already decided your organization is worth their time. The only appropriate response to that reality is a security program that is built with the same seriousness of purpose, one that treats detection, identity, intelligence, and response not as line items to be optimized away, but as core organizational capabilities that leadership actively champions and funds.
Below is a list of areas where Echelon Risk + Cyber can assist your organization in addressing the threats posed by these actors:
Assume Compromise, Not Prevention
Echelon Risk + Cyber benchmarks your detection visibility against MITRE ATT&CK, deploys and tunes SIEM and EDR tooling, and runs purple team exercises to validate that your controls are catching real attack techniques. Where gaps exist, our Defensive Security team can help build out assumption-of-breach architecture: network segmentation, zero trust principles, and lateral movement controls that limit damage once an attacker is inside.
Invest in Threat Intelligence
As a certified CrowdStrike partner, Echelon Risk + Cyber fully operationalizes the Falcon platform across EDR, NGSIEM, Identity Protection, and Cloud Security to ensure threat intelligence is actively informing detection and response. Our Defensive Security team also conducts structured threat hunting engagements that cover discovery, data enrichment, active hunting, and triage to surface adversarial activity that automated tools may miss.
Prioritize Identity and Privileged Access
Our Defensive Security team performs Active Directory security assessments and runs identity attack path simulations using tools to show how an attacker could move from a standard user to domain admin. From there, Echelon Risk + Cyber can implement PAM solutions, close MFA coverage gaps, and build a formal identity governance program to prevent credential sprawl over time.
Fund a Mature Detection and Response Capability
Executive-level tabletop exercises developed by Echelon Risk + Cyber’s Risk Advisory team test real decision-making around containment, communications, and regulatory obligations. Our team can also develop a full Incident Response Plan with supporting playbooks tailored to your environment and industry.
For teams looking to build internal capability, our Defensive Security team also runs detection engineering workshops focused on building and maintaining high-fidelity detection rules.
Take Supply Chain and Third-Party Risk Seriously
Third-party risk evaluations through Echelon Risk + Cyber's Risk Advisory team go beyond questionnaire-based reviews, and through our GRC-as-a-Service (GRCaaS) offering, our team can build and manage an ongoing vendor risk program that covers onboarding requirements, contractual security standards, and periodic reassessment of your highest-risk partners.