I’m probably going to take some punches for this, but this seems to be my experience.
I’ve hired lots of Red Teamers, even ones with PhDs, and the common thing I find with them is that they suck at writing secure code and Blue Teaming.
They generally understand things like how an exploit works and what the consequences are, and they can provide examples of how they may be mitigated within their reports; however, they can’t write code for shit.
I may be biased because I am a Blue Teamer - but I find that lots of Blue Teamers call themselves “Purple”. In reality, that’s because in order to defend against an attack you need to understand how it works, so that enables you to do Red Team tasks, but it doesn’t work the other way around. You don’t need to know whether or how to increase or decrease the strength of a window in order to smash it with a rock.
I’ve seen Red Teamers writing code that they thought was amazing, that if someone else wrote in exactly the same way, they’d be able to crack it in a few seconds, but I’ve never seen a Red Teamer who could defend. I’ve only seen Blue Teamers who could attack.
Am I on my own here?