Same Problem, Different Angles: When Red Team and Blue Team Actually Talk to Each Other
Melissa is a content strategist with a 20-year background in writing instruction and editorial work across B2B and B2C industries. She joined the security world five years ago as a BHIS penetration-test report editor, helping her team to sharpen the structure and impact of every client report. Lately, she’s been digging into the stories behind BHIS’s tools, analysts, and culture—capturing narratives of how cybersecurity really works behind the scenes.

There is a certain kind of conversation that doesn’t get written up in a post-mortem, doesn’t generate a ticket, and never makes it into an end-of-quarter report. It happens on the margins—at a conference, in a hallway, or, in this case, at 30,000 feet above sea level. It’s the conversation where two people who are solving the same problem from opposite ends of the table finally sit down next to each other.
Hayden Covington, who leads SOC operations at Black Hills Information Security, had that conversation on a flight home from a security conference. The person sitting next to him was Beau Bullock, one of BHIS’s Senior Security Consultants. It was the first time they’d met in person.
What came out of it wasn’t a formal knowledge transfer or a structured debrief. It was just two people, curious about each other’s work, talking shop at altitude.
What I find interesting about that—and what I keep coming back to in this series—is how much of what makes BHIS’s culture work doesn’t happen inside a process. It happens in the spaces between.
“We’re Solving the Same Problem From Different Sides”
To understand why that plane conversation mattered, it helps to understand why it’s rare.
In most cybersecurity organizations, red teams and blue teams don’t interact much. The separation is structural and, to a degree, intentional. Red teams run offensive engagements: they simulate real-world attackers, test assumptions, probe for weaknesses. Blue teams—SOC analysts, incident responders—monitor live environments, detect anomalies, and respond to what’s happening right now. Different objectives, different timelines, different pressure. The adversarial framing is even baked into the naming convention.
Melissa: Hayden, when you think about the relationship between the SOC and the red team at most companies, how would you describe it?
Hayden: “Honestly, most of the time, you’re just doing completely different jobs. There’s no built-in back-and-forth. No natural overlap.”
Beau: “On our side, we’re usually focused on a specific engagement. We’re trying to answer: Can we get in? How far can we go?”
Hayden: “And on our side, it’s, ‘What’s happening right now, and how fast can we stop it?’ Same domain. Different lenses and opposing technical goals.”
And in most companies, that’s where the relationship ends: cleanly separated, clearly defined, rarely questioned.
At BHIS, the line still exists—but it’s more permeable than most. Sometimes by design. Sometimes informally. Sometimes on an airplane.
The Flight
Melissa: Tell me about actually sitting next to Beau for a few hours.
Hayden: “We had just wrapped up this big event, and on the flight back, I ended up sitting next to Beau. It was the first time I’d met him in person, actually. I’d heard great things and was kind of intimidated—but he’s super friendly. We just started talking shop.”
Melissa: What kind of things?
Hayden: “It was this perfect mix of casual and deeply technical. Beau was telling me about some stuff he was working on in cloud pentesting. And I’m sitting there taking mental notes—like, we need to make sure we can detect that. Then he’s like, ‘What are you guys struggling to catch lately?’ and suddenly we’re just bouncing ideas back and forth.”
Melissa: That doesn’t sound like the usual red team/blue team dynamic.
Hayden: “Not at all. It wasn’t competitive; it was collaborative. He even mentioned a technique he’d submitted to Microsoft for review, and I asked, ‘Hey, would you mind if we try to write a detection for that?’ And he was like, ‘Go for it.’”
Melissa: That’s not just cool. That’s rare.
Hayden: “It is. But that’s kind of the BHIS difference. Red team and blue team aren’t at odds here. We’re teammates working toward the same goal: providing the best security possible for our clients. The adversary is outside the building—not across the table.”
No meeting. No agenda. No structured knowledge transfer.
Just: what are you seeing? What are you doing? What should we be paying attention to?
“You Can’t Detect What You Don’t Know Exists”
There’s a line that comes up a lot when you talk to SOC analysts about their work: reactive versus proactive. The tension between the two is real. Most detections are built in response to something that already happened, like an attack that worked somewhere, a write-up, a shared IOC. The playbook is always, by definition, written after the fact.
Hayden: “A lot of detections come from things that have already happened: an attack worked somewhere, we read about it, and we build a detection for it.”
Hayden: “But that’s reactive. That’s not always what saves you. Sometimes what saves you is catching the thing that hasn’t been written up yet.”
That’s where the cross-pollination with the offensive side matters. Beau’s team isn’t just running engagements. They’re developing techniques, submitting research, staying close to the edge of what’s currently possible for an attacker. That knowledge, shared freely, becomes the basis for a detection that doesn’t exist yet.
Melissa: Are you concerned that sharing offensive techniques too openly helps the bad guys?
Beau: “I don’t think so. Because if defenders don’t know what’s possible, they can’t defend against it.”
It’s a philosophy that runs counter to a lot of instincts in the industry. But it’s also what enables a SOC to move from reacting to anticipating.
An Undesigned Feedback Loop
What struck me when Hayden described that flight—and what he kept coming back to—is that the information wasn’t flowing just one way.
Beau: “A lot of what we end up using comes from what’s actually happening in the real world—what Hayden’s team sees.”
Melissa: So the SOC feeds the red team too?
Beau: “Yeah. We’ll see something in the wild and think, how did that actually work? Then we figure out how to replicate or expand on it.”
Even in organizations where red and blue are kept formally separate, a feedback loop still exists—real-world attacks happen, the SOC sees and analyzes them, the red team studies and refines them, and the SOC learns to detect the refined version. Most organizations let that loop run slowly, through reports and post-mortems and delayed handoffs.
At BHIS, it runs faster. Because people are allowed to talk to each other.
Hayden described another scenario where BHIS runs continuous penetration testing for a customer that also uses the SOC: “Corey Ham, the CPT lead, will sometimes reach out after an engagement and ask something like, ‘Did you guys catch this?’ And I can pull the logs and say, ‘Actually, yes, here’s when we saw it.’”
Hayden: “Corey will ask like, ‘Hey, did you guys see this?’ And I’ll be able to let them know. He’s like, ‘How did you see that that early? Like, we didn’t even do anything yet.’”
That’s not a canned demo. That’s the real-time record of two teams working the same environment from different angles, comparing notes.
From “Interesting” to Action
After that flight, Hayden didn’t file the conversation away for a future all-hands. He got to work.
Hayden: “I got off the plane, opened my laptop, and started writing detections. I think I submitted four or five tickets to the team.”
Melissa: Immediately?
Hayden: “Immediately. I was like—do we have the logs for this? Can we even see this?”
That gap between awareness and action is exactly where a lot of security value quietly disappears. Someone learns something useful at a conference, files it in memory, plans to follow up. The intention is real. The follow-up is, let’s face it, usually lost in how busy we all get, so it’s just not reliable.
What Hayden described isn’t merely a cultural preference for speed. It’s a specific kind of discipline: the habit of translating a good conversation into a detection before the feeling of urgency fades.
And it matters in ways that aren’t always visible from the outside.
In “When the SOC Goes to Deadwood,” the team found themselves managing a live ransomware incident together, in real time, in a conference room at Wild West Hackin’ Fest. There was no runway to figure out how to collaborate. The preparation had already happened—through conversations like the one on that flight, through the habit of staying curious about each other’s work.
“We’d Be Foolish Not to Use This”
BHIS occupies an unusual position in the security industry: it’s a penetration testing company that also runs a SOC. That means the offensive and defensive work aren’t happening in separate buildings, or separate companies, or even entirely separate conversations.
Hayden: “We’re already doing all this offensive work. We’d be foolish not to take advantage of that on the defensive side.”
He mentioned BHIS’s history of writing advanced threat detections, including a multi-year engagement rewriting detection logic for a large client’s security teams. That kind of depth comes not from watching the industry but from being inside the attack logic, internalizing how adversaries think, and building detections that anticipate rather than react.
Hayden: “We have a lot of experience writing advanced threat detections to pick up on attack logic as soon as it happens, or potentially before it happens in some cases. And since we’re a pen testing company, there’s so much opportunity for getting relevant and current attacks.”
That’s the structural advantage. But Hayden is clear that the advantage only materializes if people actually use it—if they’re willing to ask questions across the aisle, share what they’re seeing, and stay curious about work that isn’t technically their job.
What This Looks Like from the Customer Side
Some customers, Hayden told me, keep the SOC blind during a penetration test. They want to see whether the team catches it without knowing it’s coming. He understands the impulse.
Hayden: “I think that makes sense. But it also shows a lack of trust. And if they trust us to do our jobs, we can do our jobs better.”
The alternative—where the customer gives BHIS a heads-up—yields something more useful than a pass/fail: a real picture of what’s visible, what’s not, and what to do about it. Hayden and his colleagues sit down after the engagement and walk through the logs together. Here’s what we did. Here’s what you saw. Here’s what you missed.
Believe it or not, not all companies have that conversation.
For customers on the receiving end, this translates into faster detection of techniques that haven’t made it into the mainstream threat intelligence feeds yet. It also provides better context when something goes wrong. Not because BHIS has better tools, necessarily, but because the people using those tools are already having the conversations that most organizations save for after the incident.
What This Means for How BHIS Operates
Organizations that grow tend to harden their silos. It’s not malicious—it’s how scale works. Roles get defined, processes get formalized, and the informal exchanges that used to happen naturally start to require scheduling. By the time a company is big enough to need a lot of coordination, the culture that made coordination easy has often already eroded.
BHIS hasn’t eliminated that pressure. But it seems to have found ways to work against it through a culture that treats cross-functional curiosity as a professional value, not a distraction.
Hayden: “That collaborative nature—the red team and blue team don’t have to be us vs. them. It can be collaborative. And you can take that and be angry about it, or you can take that and use it to collaborate and improve and provide overall better service for your customers.”
That almost sounds like a mission statement. But it’s really just a description of a choice that Hayden and Beau made on a plane, and that Hayden made when he opened his laptop in the airport.
There’s a version of this story that gets written as a capabilities overview. It would mention detection engineering and threat intelligence sharing and collaborative incident response. It would be accurate. It would also miss the thing that makes it work.
The thing that makes it work is that Hayden was a little intimidated when he recognized Beau at the gate … and introduced himself anyway. That Beau’s response to “can I try to write a detection for that?” was “go for it.” That when Hayden landed, he didn’t wait for a meeting.
Security is a technical discipline. But the organizational cultures that make it work are human ones.
BHIS has managed to hold onto something that most companies only notice after they’ve lost it: the knowledge that sits right across the aisle, available to anyone willing to lean over and ask.
Check out more in this series:
- Inside the BHIS SOC: A Conversation with Hayden Covington
- When the SOC Goes to Deadwood: A Night to Remember


