Deep Dives

Red Team Thinking Applied to Venture Diligence

Martijn Hoekstra

A red team engagement and a venture investment share a structural similarity that I did not appreciate until I had done both for several years: in both cases, you are attempting to reason about a system's failure modes before they manifest under adversarial conditions. In a red team exercise, the goal is to find the attack paths that the defensive team did not model — the combinations of misconfigurations, trust relationships, and privilege escalation vectors that individually look benign but chain together into a kill chain. In venture diligence, the equivalent exercise is finding the business model assumptions that look reasonable in isolation but, under specific market conditions or competitive pressures, compound into company-level failure. The mental discipline is similar: generate hypotheses about how this system breaks, then test them against available evidence.

The most important red team cognitive tool for venture diligence is threat modelling applied to the business rather than the technical system. When I evaluate a security startup, I build a threat model for the business: who are the adversaries (competitors, regulatory bodies, market structure changes, incumbent consolidation), what assets are they trying to degrade or capture (the startup's distribution, technical differentiation, team, customer relationships), and what attack vectors do they have available? This sounds abstract, but it produces concrete diligence questions. If a startup's primary distribution advantage is a co-sell partnership with a cloud provider, the relevant question is not just "how strong is this relationship?" but "what is the partner's incentive to maintain this relationship when the startup reaches a size where it starts competing with the partner's own security offerings?" Partners in cloud ecosystems routinely turn competitive at scale — this is not pessimism, it is the base-rate behaviour of the market. The question is whether the startup has enough of its own distribution infrastructure to survive a partner-goes-competitive scenario.

The second red team discipline I bring to diligence is assumption enumeration. A red team assessment at a mature stage will often find that the most dangerous attack paths exploit assumptions that the security team made explicitly and correctly in their own threat model — but that have become invalid over time as the environment changed. The firewall rule written in 2018 that allowed traffic from the internal monitoring VLAN was correct when that VLAN contained only the monitoring servers. When a network reorganisation in 2021 expanded the VLAN to include developer workstations, the rule became a lateral movement opportunity. Business assumptions work the same way: they are correct at a point in time and become dangerous when the environment changes around them. In diligence, I try to identify which assumptions the founding team has made about their market, their buyers, and their technology dependencies — and then stress-test each against "what changes in the next three years that would make this assumption wrong?"
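The firewall example above describes a precondition that was true when the rule was written and silently stopped being true when the VLAN's membership changed. One defensive way to catch that drift is to record the assumption alongside the rule and re-validate it against the current inventory on every change. The following is an added illustration, not code from the author or from any product the essay mentions; the rule name, VLAN name and both inventories are constructed sample data, and the `Rule` record and `find_drifted_rules` function are hypothetical helpers written for this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Rule:
    """A firewall allow rule together with the assumption it depends on."""
    name: str
    source_vlan: str
    destination: str
    written: date
    # Host roles that were expected to live on the source VLAN when the rule
    # was written. This is the assumption that must hold for the rule to be safe.
    assumed_roles: frozenset


# Constructed sample inventories: VLAN -> {hostname: role}.
# 2018: the monitoring VLAN holds only monitoring servers.
INVENTORY_2018 = {
    "vlan-monitoring": {"mon01": "monitoring", "mon02": "monitoring"},
}
# 2021: a reorganisation moved developer workstations onto the same VLAN.
INVENTORY_2021 = {
    "vlan-monitoring": {
        "mon01": "monitoring",
        "mon02": "monitoring",
        "dev-ws-17": "workstation",
        "dev-ws-22": "workstation",
    },
}

# Constructed sample rule: monitoring hosts may reach the production database.
RULES = [
    Rule(
        name="allow-mon-to-prod-db",
        source_vlan="vlan-monitoring",
        destination="prod-db:5432",
        written=date(2018, 3, 1),
        assumed_roles=frozenset({"monitoring"}),
    ),
]


def find_drifted_rules(rules, inventory):
    """Return (rule name, [unexpected hosts]) for every rule whose recorded
    assumption about its source VLAN no longer matches the live inventory."""
    findings = []
    for rule in rules:
        hosts = inventory.get(rule.source_vlan, {})
        unexpected = sorted(h for h, role in hosts.items() if role not in rule.assumed_roles)
        if unexpected:
            findings.append((rule.name, unexpected))
    return findings


def report(rules, inventory, label):
    """Human-readable summary for a CLI run."""
    drifted = find_drifted_rules(rules, inventory)
    if not drifted:
        return f"{label}: all rule assumptions hold"
    lines = [f"{label}: {len(drifted)} rule(s) with invalidated assumptions"]
    for name, hosts in drifted:
        lines.append(f"  {name}: unexpected hosts on source VLAN -> {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RULES, INVENTORY_2018, "2018 inventory"))
    print(report(RULES, INVENTORY_2021, "2021 inventory"))
```

The point of the design is that the assumption is stored as data next to the rule rather than living in the head of whoever wrote it; the same pattern (record the precondition, re-check it when the environment changes) is what the diligence version of assumption enumeration asks of a founding team's market and dependency assumptions.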

We should be honest about the limits of this approach. Red team thinking in diligence is better at finding fragility than at identifying strength. A company can survive a rigorous adversarial diligence process and still be a mediocre investment because the upside analysis requires different cognitive tools — understanding market dynamics, category creation potential, team execution capability under ambiguity. We use the red team lens as a filter rather than as a ranking system: companies that cannot survive a structured adversarial stress test on their business model get removed from consideration, but passing the stress test does not tell you which of the remaining companies will produce the best outcomes. The best investments we have made have passed the adversarial filter and then compelled us on fundamentally different grounds: the team's depth of technical insight, the clarity of the problem definition, the evidence of genuine product-market pull even at very early stages.

There is also a category of diligence failure that adversarial thinking actively produces: motivated reasoning in the negative direction. If you approach every investment looking for reasons it will fail, you will find them — and in security especially, the threat landscape provides an endless supply of scenarios in which any given company's product is insufficient. The discipline is to run the adversarial analysis and then ask whether the identified fragilities are fatal or navigable. A company with a brittle cloud-provider distribution dependency has a real problem — it is navigable if they have twelve months of runway and a plausible diversification plan, and it is fatal if they have three months and no alternative. Context determines severity, as it does in every well-run red team engagement.