
Red team is an overloaded term: "Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users." Doesn't sound like adversary simulation to me.


https://careers.google.com/jobs#!t=jo&jid=/google/security-e...

The job even lists insider threat as part of their responsibility.


Yeah, still not the same as actually performing breaches themselves to see how long it takes to compromise, and if they get detected and how long it takes to remediate and evict the adversary. I should have been a bit clearer with what I meant initially.


How do you know there isn’t a team at Google doing this? It’s standard practice at companies of even middling size and Google is so large your friend might just be unaware of it.


A Google security manager told me at a conference when chatting about this in 2016. They were thinking of staffing a breach team, but did not have one then.


I thought Project Zero tries to find vulnerabilities in Google stuff too?


Project Zero is different compared to performing end to end breaches. A breach team might use 0-days of Project Zero to actually compromise Google's internal assets to see if their defenders can detect an adversary. FB has such a team and they gave public presentations (one was at RuxCon 2016) on how they compromise, for instance, their domain controllers and stuff.



