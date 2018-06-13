The X-Force Red team doesn’t “just do vulnerability assessment, which is what most folks think of when it comes to offensive security,” according to Thomas. It also uses both automated and manual tools and conducts code reviews and physical security testing.

In other words? The team does exactly what cybercriminals do.

Physical security is perhaps the most popular assessment. This tactic is where a team member tries — with full authorization, of course — to enter a company’s premises and hack its network from the inside, as in the now notorious doughnut example above. When they begin an engagement, members of the team usually find a vulnerability within a day or so.

“We have never been to a client that we haven’t gotten into their network and found something serious,” Thomas said. “While it’s depressing to think that holes are everywhere, it’s a positive thing because we help our customers find and patch these holes and better secure their environments.”

During his time at IBM, Thomas has worked on improving the IBM X-Force Red portal, which customers use to retrieve reports and schedule work for teams. He also worked on a project to expand an internship program.

“There are not a lot of opportunities for offensive security positions at the college level, so we are ramping that up,” Thomas said. “That helps feed our employee pipeline too.”