What CISA's Red Team Disarray Means for US Cyber Defenses - Dark Reading
DOGE is making unexpected moves at CISA, including rehiring fired probationary employees only to put them on paid leave, and reportedly gutting the agency's red teams.
Becky Bracken, Senior Editor, Dark Reading
March 21, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has clarified in a statement that it didn't lay off hundreds of red teamers, but rather just killed their contracts.
The move, along with letting go all probationary employees from the federal government, including those working at CISA (reversed following a court ruling against the terminations), is part of Elon Musk's Department of Government Efficiency (DOGE) effort to slash government spending. But there are concerns the effort could lead to a disruption of critical threat intelligence information that US organizations rely on to protect their own networks from cyberattack.
On Feb. 28, Christopher Chenoweth, a senior penetration tester at the Department of Homeland Security (DHS), posted on LinkedIn that DOGE had canceled the government contract he and more than 100 other red teamers were working on.
"The following Wednesday, DOGE cut a second CISA red team also doing mission-critical work," he wrote. "As a result, I and many other experienced red team operators are now seeking new opportunities." In tandem, Chenoweth's post prompted comments from high-profile cyber professionals interested in snagging his expertise for themselves.
On March 12, CISA posted a statement clarifying that red-teaming efforts continue "without interruption" at the agency.
"The team works directly with network defenders, system administrators, and other technical staff to address strengths and weaknesses across critical infrastructure networks and systems," the CISA statement said. "They continue to assist organizations in refining their detection, response, and hunt capabilities to protect the nation's critical infrastructure from a range of threats."
Several red teamers working inside CISA declined to comment for this story. According to DOGE's own accounting, as of March 19, the agency still has 3,305 personnel remaining, with a total annual cost of $459.1 million.
In response, former CISA director Jen Easterly set up a CISA Alumni hiring form online to help connect ousted government workers with private sector employers.
CISA's Red Team Value
The US government's pen testers and red teamers at CISA are tasked with finding the tricky ways a threat actor could compromise and harm both the US government and critical infrastructure. Importantly, once the CISA red team finishes its work, it shares that documentation with other US organizations to be used to protect their systems as well.
For instance, late in 2024, CISA's red team produced a comprehensive report on what it learned from its assessment of US critical infrastructure, along with a detailed "Lessons Learned" bullet list and mitigation recommendations intended for US cyber defenders. Beyond simple indicators of compromise (IoCs), the red team report pointed out the need for software manufacturers to shore up their networks to help stave off widespread software supply chain attacks, and it explained how the team gained initial access to sensitive networks, its post-exploitation activities, and more.
CISA's staff reductions threaten to weaken multiple services US organizations depend on, from the Known Exploited Vulnerabilities (KEV) Catalog to red teaming efforts, according to Deepak Kumar, founder and CEO of Adaptiva.
"It's good to hear that CISA's red team is still fully operational, but we have to ask: Do these 'efficiencies' mean fewer experts working on critical threats?" Kumar asks. "The cybersecurity landscape is evolving too fast for any loss of momentum."
US organizations need to prepare for how they plan to fill those critical threat intelligence gaps, should CISA continue to shrink under the pressure to reduce government spending, he adds. If these cuts continue, Kumar worries it will be left up to individual organizations to find a replacement source for the services CISA provides.
"If these changes reduce CISA's ability to support critical infrastructure, organizations need to be ready to fill that gap themselves," he says. "Companies should take this as a reminder to double down on their own vulnerability detection and response strategies instead of relying heavily on federal resources, since those may erode further in future."
About the Author
Becky Bracken
Senior Editor, Dark Reading
Becky Bracken is a senior editor with Dark Reading who brings decades of journalism experience across radio, print, online and video channels. Becky lends her particular voice and cybersecurity expertise to the Dark Reading Confidential podcast as the host and producer, and moderates the Dark Reading editorial webinars. In addition, she oversees the site's Commentary section, hosts Dark Reading's Black Hat News Desk, and contributes regularly as a writer and reporter. Prior to joining Dark Reading, Becky covered cybersecurity and hosted webinars for Threatpost. Other national media outlets she has contributed to include PBS, SheKnows, Complex, and more.