Inside the simulation: What breach exercises really reveal
Breach simulations expose how teams communicate, learn, and adapt. Discover what red-blue exercises reveal about real resilience in cybersecurity.
The tools keep changing, but the fundamentals of red- and blue-team skill remain steady. For a cybersecurity practitioner, practical skills are the foundation of a career. When we interviewed Omar Khawaja (CISO at Databricks), he said:
“I used to think technical security controls were the most important part of a security program, then I realised it was important to not just have controls but for the controls to be part of some comprehensive framework (compliance!). Then I evolved my thinking to consider the business as the most important stakeholder (risk management). Along the way, I learned that in a complex organisation, people and process are immensely more important than technical controls.”
In the Middle East, we’re seeing Khawaja’s journey repeat itself. Over the past five years, organisations in Saudi Arabia, the UAE and Qatar have evolved from compliance-heavy to capability-led – investing in threat-led testing, purple teaming, and hands-on training.
That shift mirrors the global move embodied in the NIST Cybersecurity Framework 2.0 (released in February 2024), which adds a new Govern function alongside the familiar Identify, Protect, Detect, Respond and Recover functions.
The message is that security isn’t just a tech problem. It’s a governance, culture, and human one.
Red teaming today is less about spectacle and more about simulation. Frameworks like MITRE ATT&CK give structure to adversary behaviour, and red teamers map each phase of an engagement to its techniques to show defenders how a real-world attack unfolds, and where their detections held or failed.
Blue teams now often use the counterpart framework, MITRE D3FEND, to catalogue defensive techniques (network traffic analysis, credential hardening, forensic visibility) and to map them to the ATT&CK techniques they counter.
Together, these frameworks create a shared language of attack and defence.
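As an added illustration of that shared language (example code written for this article, not a tool from MITRE or from any organisation named here): a small Python detector that runs over constructed sshd-style authentication failures and tags each finding with the ATT&CK technique it matches and the D3FEND countermeasures a blue team would pair with it. The log format, the regex, the thresholds and the technique-to-countermeasure pairing are our assumptions; the ATT&CK and D3FEND identifiers are taken from the published frameworks and should be confirmed against the current releases before they go into a report.

```python
"""Added example: a password-spray / password-guessing detector whose findings are
phrased in ATT&CK and D3FEND terms. Log format, thresholds and the technique-to-
countermeasure pairing are assumptions made for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Identifiers from the published MITRE frameworks; confirm against current releases.
ATTACK = {
    "T1110.001": "Brute Force: Password Guessing",
    "T1110.003": "Brute Force: Password Spraying",
}
D3FEND = {
    "D3-ANET": "Authentication Event Thresholding",
    "D3-MFA": "Multi-factor Authentication",
    "D3-SPP": "Strong Password Policy",
}
# Which countermeasures we pair with each technique (our assumption, not a MITRE mapping).
COUNTERMEASURES = {
    "T1110.001": ["D3-ANET", "D3-SPP", "D3-MFA"],
    "T1110.003": ["D3-ANET", "D3-MFA"],
}

# Assumed sshd-style line format; the regex is ours, not a product's.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample input, not a capture from any real host: one source sprays six
# users, one hammers root nine times, one benign single failure, one non-failure line.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:0{i + 1}Z host1 sshd: Failed password for {u} from 203.0.113.7"
     for i, u in enumerate(["alice", "bob", "carol", "invalid user dave", "erin", "frank"])]
    + [f"2024-05-01T09:10:{i:02d}Z host1 sshd: Failed password for root from 198.51.100.9"
       for i in range(9)]
    + ["2024-05-01T09:20:00Z host1 sshd: Failed password for alice from 192.0.2.5",
       "2024-05-01T09:21:00Z host1 sshd: Accepted publickey for alice from 192.0.2.5"]
)


@dataclass(frozen=True)
class Finding:
    technique: str
    source: str
    detail: str

    def report(self) -> str:
        """One line phrased in the attack/defence vocabulary both teams share."""
        fixes = ", ".join(f"{c} ({D3FEND[c]})" for c in COUNTERMEASURES[self.technique])
        return (f"{self.technique} {ATTACK[self.technique]} from {self.source}: "
                f"{self.detail}; countermeasures: {fixes}")


def parse_failures(lines):
    """Yield (timestamp, user, source) for each line matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["user"], m["src"]


def _peak(events, window, measure):
    """Max of measure() over the events falling in a window opened at each event."""
    return max((measure([e for e in events if start <= e[0] <= start + window])
                for start, _ in events), default=0)


def detect(lines, window=timedelta(minutes=10), spray_users=5, guess_attempts=8):
    """Per source IP: many distinct users in a window is spraying (T1110.003);
    many failures against one user in a window is guessing (T1110.001)."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(parse_failures(lines)):
        by_src[src].append((ts, user))
    findings = []
    for src, events in by_src.items():
        users = _peak(events, window, lambda w: len({u for _, u in w}))
        if users >= spray_users:
            findings.append(Finding("T1110.003", src, f"{users} distinct users within {window}"))
        for user in sorted({u for _, u in events}):
            attempts = _peak([e for e in events if e[1] == user], window, len)
            if attempts >= guess_attempts:
                findings.append(Finding("T1110.001", src,
                                        f"{attempts} failures for {user} within {window}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding.report())
```

Run as a script it prints one line per finding. The point is not the thresholds (tune them to your environment) but that a finding leaves the tool already phrased in the vocabulary both teams use, so a purple-team debrief can discuss which authentication thresholds existed and why they did not fire, instead of arguing about raw tool output.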
In Europe, intelligence-led testing frameworks such as TIBER-EU and the UK's CBEST have made simulations mainstream, and in Saudi Arabia the SAMA 'Financial Entities Ethical Red-Teaming Framework' is bringing equivalent threat-led red-team assurance to the financial sector. For security leaders in Riyadh, Dubai and Doha, this is the next step in maturity: turning once-a-year compliance exercises into continuous learning loops.
If you are a practitioner who wants to build skills on the systems real organisations use, mapping your own learning, certifications and experience against these frameworks also gives you the language to describe your value to an employer.
For fledgling cybersecurity practitioners, learning the real-world applications of frameworks like these can be a lot more fun than it might first appear. Capture the Flag (CTF) competitions have exploded across the Middle East, from SAFCSP's national red-team labs in Saudi Arabia to Cyber Quest in the UAE. They turn theory into muscle memory.
When we spoke to Heba Farahat (Senior Cybersecurity Consultant at Liquid C2) about CTFs, she said:
“I believe that CTFs offer one of the most effective ways to learn about cybersecurity in a gamified manner.”
When she started out, her team ranked among the top five in several regional competitions. Now she designs the challenges herself:
“Over the years, the number of participants doubled, attracting players from 15 different countries, with women comprising over 60% of the participants.”
That statistic is a marker of real cultural change. Women’s participation in GCC cyber programmes is growing fast, fuelled by communities such as Women in Cyber Security Middle East. It’s reshaping what the regional skills pipeline looks like.
Beneath the surface, all the major frameworks agree on one thing: what transfers between jobs and tools is skill, not a particular product or title.
The NICE Workforce Framework for Cybersecurity (NIST SP 800-181 Rev 1) breaks cybersecurity work into roles and competencies rather than job titles. MITRE ATT&CK and D3FEND translate those competencies into what an adversary actually does – and what a defender should detect.
For developers, the NIST Secure Software Development Framework (SSDF SP 800-218) and its 2024 AI Profile extend that thinking into code: designing software, and now AI models, with security baked in. For many GCC organisations racing to automate, these frameworks serve as a valuable playbook.
And while valuable learning does happen through experimentation and play, certifications do matter when it comes to proving proficiency. CREST assessments (recognised by the UK NCSC and adopted globally) test not only offensive skill but also the ability to communicate and manage engagements. That soft-skill emphasis mirrors what the ISC2 Cybersecurity Workforce Study 2024 found: employers now value problem-solving, collaboration, and communication as much as technical depth.
Across cybersecurity, tech is only half the story. In high-pressure environments, the skill that separates good teams from great ones is coordination.
Red-blue collaborations are built on trust, curiosity, and shared purpose. So as a practitioner building your skill set, whether you’re striving to be red or blue, you need to develop your ability to collaborate and integrate with others.
CTFs foster coordination. Threat-led exercises formalise it. And frameworks like NIST’s and MITRE’s give it vocabulary. But the real differentiator is still human: how teams learn together, challenge each other, and translate findings into business language.
Instead of chasing every new exploit, consider how you can learn to think like both attacker and defender, and speak the language of risk. Because at the end of the day, cybersecurity is less about fighting, and more about collaboration, empathy, and readiness.