NATO should create “hybrid red teams” to preempt Russian attacks
As Russia's hybrid warfare intensifies, we need systematic red teaming to expose and fix vulnerabilities before Moscow exploits them first.
We know the pattern all too well by now: Russia launches another hybrid attack on a NATO country, more forceful or more creative than the last; governments respond with another round of announced security measures, programs, and mobilizations; then the next attack comes and the cycle repeats.
Learning from one's mistakes is often praised as highly effective, but at the scale of a nation it can be just as deadly. Hindsight and passive prevention are no match for an innovative, constantly adapting adversary. Neither reactive hindsight nor foresight alone will find every gap in our security systems that needs closing, and where they fail, only the next attack will reveal what we missed.
What if we got inside the enemy's head instead? What if we formed a red team and attacked our own security systems ourselves, before the adversary does?
What is red teaming?
The red teaming discussed here is a well-known practice in cybersecurity, in which independent experts conduct simulated, non-destructive attacks to identify vulnerabilities in targeted systems before real adversaries can exploit them. Long established in the commercial sector, the approach has recently been adopted by artificial intelligence companies, which deploy red teams to probe the latest large language models for weaknesses by deliberately stressing their safety systems with adversarial prompts.
But red teaming has roots much further back in the world of defense. In Cold War war games, the original "red team" played the Soviets against a "blue team" representing Western forces. Over time, the concept moved from the tabletop to the real world, with red teams tasked with testing the security of military and other critical installations.
The most famous of these was OP-06D, known as Red Cell. Created in 1984 and led by former SEAL Team Six commander Richard Marcinko, it carried out simulated terrorist-style attacks on U.S. naval facilities. The team exposed serious security vulnerabilities by infiltrating naval bases, planting dummy bombs on aircraft, and placing simulated payloads aboard a nuclear attack submarine.
After the bombing of Pan Am Flight 103 in 1988, red teams were also employed to test airport security. The FAA Red Team reportedly breached airport security with "ridiculous ease," succeeding up to 90% of the time, while a national study of red team exercises found that more than two-thirds of test firearms made it through screening. More scandalously, a 1999 internal memo described Logan International Airport as being in a "critical state of noncompliance" with security regulations, a warning that FAA leadership ignored. Suffice it to say, two of the 9/11 flights departed from Logan.
What is hybrid red teaming?
Red teaming, then, has proved brutally effective in very different environments. Now is the time to apply it to one of the most daunting security challenges of our time: hybrid warfare. In other words, it is time to create hybrid red teams: dedicated teams that realistically mimic, and build on, Russian hybrid tactics to test critical cyber and physical infrastructure, exposing and fixing vulnerabilities before an actual attack occurs.
Imagine a unit of highly trained former special forces operators, like Marcinko's Red Cell, but immersed in Russian hybrid warfare and tasked with a wider range of objectives. They would be given considerable operational latitude and institutional independence to conduct controlled attacks, then report after each exercise, rigorously and in a structured form, to the appropriate authority and work with it to correct any weaknesses discovered. Their work, methods, and findings would, of course, remain classified.
Just as important as the execution of an attack would be its credibility. Hybrid red teams would have to think like Russians in order to design the most plausible hybrid attack scenarios. This requires not only ingenuity and an open mind, but above all a deliberate detachment from Western assumptions and the adoption of Russian strategic culture, its logic of escalation, and its tolerance for risk. Being a red team means not only acting like your enemy, but thinking like him. Perhaps this would be the greatest challenge: breaking free from the chains of your own biases and cognitive limitations.
Then, to have a tangible effect, hybrid red teaming must be a structured and scaled effort, with multiple red teams covering as much critical infrastructure as possible in the shortest possible time. It must also be internationalized, with national and mixed teams operating in all NATO countries and sharing knowledge. Much can be learned by running the same attack scenarios against similar installations in different countries, and by having different teams strike the same site in sequence, which also verifies whether the fixes made after the previous exercise actually hold.
While every NATO country should urgently incorporate such a practice into its security system, the frontline states most exposed to Russian hybrid threats on the eastern and northern flanks should make it an immediate priority. Precisely because hybrid pressure is already acute and the risk of escalation is real, the Nordic and Baltic capitals, as well as Warsaw and Bucharest, should be the first to adopt hybrid red teaming.
The real enemy of the red team
Red team attacks can be remarkably effective at uncovering serious flaws in security systems, and paradoxically, that can be the biggest problem. No one likes having their mistakes and flaws pointed out, and institutions and the people who run them are no exception. Exposing a vulnerability is one thing; fixing it is another.
A telling example of the gap between exposing vulnerabilities and actually fixing them is the FAA Red Team in the years leading up to 9/11. In his 2003 testimony before the National Commission on Terrorist Attacks Upon the United States, Bogdan Dzakovic, an aviation security official who had led the Red Team, accused the FAA of ignoring its warnings. He argued that FAA leadership preferred to maintain a "facade of security" to shield itself from accountability, to preserve public trust and bureaucratic stability, and to avoid economic and operational disruption in the airline industry.
It is not difficult to imagine that some findings from hybrid red team exercises would similarly unsettle the leadership of the institutions tested. Fearing the consequences of the exposed vulnerabilities, they might choose to bury the results and hope that nothing happens. In today's circumstances, betting that Russia will not sooner or later exploit a known vulnerability is a risk we cannot afford.
This is why hybrid red teams must be institutionally independent of the organizations they test. Reporting to civilian political leadership rather than to sector operators is essential, because only political authority can overcome bureaucratic resistance and force corrective action through stubborn or risk-averse institutions; the findings should be tracked to closure and retested rather than filed away.
The key to preventing hybrid attacks
As Russia's hybrid war against the West escalates, the prospect of a truly devastating or lethal first strike is becoming real. The key to deterrence does not lie in conventional, often demonstrative, reactive measures such as deploying thousands of security personnel to guard railways, power plants, or undersea cables. That approach is neither sustainable in the medium term nor efficient, because it spreads limited resources across too many potential targets.
Hybrid red teaming, by contrast, offers a way to test the security of critical infrastructure in practice and in a controlled environment. It means adopting a proactive defensive posture that exposes vulnerabilities early and raises the cost to Russia, in time, effort, and money, of breaching our systems. In this sense, hybrid red teaming could strengthen Western resilience and deterrence at a time when both are needed more than ever. Source: Defense24.