Kevin Ott first entered the world of cybersecurity through structured corporate networks and a dual-degree program at Deutsche Bank. Yet beneath the suit and structured workflows, a passion was already brewing: the thrill of simulated attacks, the hunt for vulnerabilities, and the drive to expose weaknesses before real attackers do. Today, Kevin is a Principal Red Team Consultant at NVISO Security and an instructor at the SANS Institute, where he teaches others how to break systems for a greater good.
Kevin doesn’t see Red Teaming as just testing defenses. For him, it’s about realism, trust, and sharpening the edge of enterprise resilience. We met Kevin to dive deep into the mindset of a modern red teamer, one who blends ethical offense with educational impact and who sees cyber threats as both a technical and cultural challenge.
“I actually started on the other side - classic corporate cybersecurity. I studied Business Informatics in a dual program at Deutsche Bank, working in network security. But even back then, Pentesting fascinated me. After graduating, I quickly realized the corporate world with all its meetings and slow politics wasn’t for me. I’d already started learning a lot on my own, and in 2016, I made the jump into Pentesting professionally. From there, Red Teaming was a natural evolution. It’s just so much more holistic. You’re not just looking at one app or one piece of the network; you’re simulating full-scale, real-world attacks. That complexity, that realism - that’s what excites me.”
“It comes down to mindset and maturity. Many companies do Pentests because they have to check a box, meet compliance. Red Teaming is different. Clients usually want it. They’ve reached a certain security maturity and are ready to challenge themselves. That makes the work more collaborative and rewarding. With new regulations like DORA, Red Teaming is becoming mandatory in some sectors, but I hope the spirit of voluntary rigor doesn’t get lost.”
“Our Red Team engagements simulate the entire attack lifecycle. Often that includes spear-phishing campaigns. We don’t just test generic awareness; we craft personalized, situation-specific lures based on real-world data. If a company just went through a merger, or announced a new project, we’ll use that context. The idea is to mirror what a real attacker would do. We dig deep, profile employees, and craft attacks so tailored they feel legitimate. That’s how we uncover real gaps and also sometimes live in a target’s environment for months without being detected.”
“I was skeptical at first. But today, AI is a game-changer. I use it to write phishing emails, generate landing pages and even clone websites from a single screenshot. Tools like ChatGPT or Claude help us craft convincing assets in minutes. Some of my colleagues are even pushing deepfakes and voice cloning into simulations. On the flip side, defenders are still relying on outdated advice like ‘watch for grammar mistakes’, when AI now writes flawless English. The threat landscape has shifted, and most companies aren’t prepared for how good these attacks have become.”
“I’ve learned so much from others - blog posts, talks, open-source tools. It’s time to give back. At SANS, I teach Red Teaming and co-develop new courses focused on phishing, initial access, and AI-driven attacks. There’s something professionally enriching about watching a student finally grasp a hard concept they’ve struggled with. Teaching isn’t just about sharing knowledge, it’s about shaping the next generation of red teamers.”
“User awareness is still underrated. And not in the checkbox training sense. Real, contextual awareness is necessary. But also, if one click can take down your entire organisation, that’s not a user problem; it’s an architectural flaw. Companies need layered defenses, fast response, and most of all, agility. Threats evolve fast. If your defenses can’t keep up, you’re falling behind. AI isn’t optional anymore. It’s how attackers scale. It should be how defenders do too.”
“There’s always this tension: you design a super sophisticated phishing campaign, and nobody bites. Then you throw in something simple like a fake Teams login or SharePoint link, and suddenly four or five users fall for it. It’s a wake-up call. Complexity doesn’t always equal effectiveness. But the real magic happens when users report those attacks. The organizations that shut us down fastest are the ones where users are alert and empowered. That’s real defense in action.”
“I’m not a podcast guy myself, but there are two I always recommend. Darknet Diaries is a classic; it tells real cyber stories with depth and drama. And You Are F***ed, that one’s about Germany’s first declared cyber disaster in Anhalt-Bitterfeld. It’s completely wild. The Bundeswehr had to get involved, which shows just how bad things can go when the systems fail.”