The correct answer is B because red team exercises are the best method to identify weaknesses in the technical environment that an attacker could exploit to gain access. A red team exercise simulates realistic attacker behavior and therefore provides a direct and practical way to discover exploitable security weaknesses across systems, defenses, and operational response capabilities.
The other options are not as effective:
A. Threat modeling is useful for identifying possible attack paths and design weaknesses, but it is more analytical than practical.
C. System testing is broad and may not focus specifically on adversarial exploitation.
D. Control self-assessments (CSAs) rely on internal review and are less effective for uncovering attacker-leveraged technical weaknesses.
Exact Extracts supporting the answer:
“To detect vulnerabilities in Internet-facing systems penetration testing is primarily used as it simulates real attacker actions to test security defenses.”
“For a system owner penetration testing offers the greatest level of assurance regarding the effectiveness of implemented security controls.”
“For an Internet-facing application penetration testing is the most effective control assessment type.”
“The BEST way to ensure a corporate network's security against external attacks is to perform periodic penetration testing.”
“After various infrastructure changes are made is the best time to perform a penetration test as changes are likely to introduce new exposures.”
These extracts support the principle that simulated attacker activity is the strongest way to identify technical weaknesses exploitable by attackers. Among the given choices, red team exercises are the closest and best match to that objective.