What CISA’s Red Team Disarray Means for US Cyber Defenses

[Becky Bracken, Senior Editor, Dark Reading](/author/becky-bracken)

March 21, 2025

![Messy desk showing computer, mouse, files, and bread](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt5d9bd75757ce9647/67dc920abe6fa203ac8d9bf5/office_chaos_Primoz_Jenko_Alamy.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)

Source: Primoz Jenko via Alamy Stock Photo

The Cybersecurity and Infrastructure Security Agency (CISA) has clarified in a statement that it didn’t lay off hundreds of red teamers, among other roles sliced; it just killed their contracts.

The move, along with letting go of all probationary employees from the federal government including CISA, which [was reversed](https://www.cisa.gov/news-events/news/cisa-probationary-reinstatements) following a court ruling against the terminations, is part of the Elon Musk Department of Government Efficiency (DOGE) effort to slash government spending. But there are concerns the effort could lead to a disruption of critical threat intelligence information that US organizations inside, and outside, of government rely on to protect their own networks from cyberattack.

On Feb. 28, Christopher Chenoweth, a senior penetration tester at the Department of Homeland Security (DHS), took to LinkedIn to announce DOGE had canceled the government contract he and more than 100 other red teamers were working on.

"The following Wednesday, DOGE cut a second CISA red team also doing mission-critical work," [he wrote](https://www.linkedin.com/posts/christopher-chenoweth-91a68026_on-friday-february-28-2025-at-1600-hours-activity-7304793481518940160-uTUo/). "As a result, I and many other experienced red team operators are now seeking new opportunities."

For the record, the comments on Chenoweth’s post were filled with high-profile cyber professionals interested in snagging his expertise for themselves.

Ostensibly seeking to reassure the cybersecurity community, on March 12, CISA posted a statement clarifying that the agency’s red teaming efforts continue "without interruption."

"The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems," the CISA statement read. "They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation’s critical infrastructure from a range of threats."

Several red teamers working inside CISA declined to comment for this story. But according to DOGE’s own accounting, as of March 19, it had already [cut 3,305 personnel at the agency](https://doge.gov/workforce?orgId=e7e101d1-83f5-4680-b4a9-c2b6b7ae53d4), and the average employee had worked there for nine years and was 46 years old, totaling a cost savings of $459.1 million. There’s no indication that any of those axed jobs being counted by DOGE were contract jobs.

In response, former CISA director Jen Easterly set up a [CISA Alumni hiring form](https://docs.google.com/forms/d/e/1FAIpQLSevSiI35rPKHanTF2UZ1x3RuaLe_68htep2ery3VbScbrFFoA/viewform) online to help connect ousted government workers with private sector employers.

CISA’s Red Team Value
---------------------

The US government’s pen testers and red teamers at CISA are tasked with finding the tricky ways a threat actor could compromise the US government, as well as critical infrastructure, to cause harm. Importantly, once the CISA red team finishes its work, it shares that documentation with other US organizations to be used to protect their systems as well.

For instance, late in 2024, CISA’s red team produced a comprehensive report on what they learned from their [assessment of US critical infrastructure](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-326a) along with a specific "Lesson Learned" bullet list, as well as mitigation recommendations that were intended to serve as threat intelligence for US cyber defenders. Beyond simple indicators of compromise (IoCs), the red team report pointed out the need for software manufacturers to shore up their networks to help stave off widespread software supply chain attacks, and it included explanations of how the team gained initial access to sensitive networks, their post-exploitation activities, and more.

CISA’s staff reductions threaten to weaken multiple services US organizations depend on, from the Known Exploited Vulnerabilities (KEV) Catalog to red teaming efforts, according to Dr. Deepak Kumar, founder and CEO of Adaptiva.

"It’s good to hear that CISA’s red team is still fully operational, but we have to ask: Do these ‘efficiencies’ mean fewer experts working on critical threats?" Kumar asks. "The cybersecurity landscape is evolving too fast for any loss of momentum."

US organizations need to prepare for how they plan to fill those critical threat intelligence gaps, should CISA continue to shrink under the pressure of government spending, he adds. If these cuts continue, Dr. Kumar worries it will be left up to individual organizations to find a replacement source for the services CISA provides.

"If these changes reduce CISA’s ability to support critical infrastructure, organizations need to be ready to fill that gap themselves," Kumar says. "Companies should take this as a reminder to double down on their own vulnerability detection and response strategies instead of relying heavily on federal resources, since those may erode further in future."

About the Author
----------------

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.
