I am of the opinion that a purely technical analysis of IT security also falls short for SMEs. Regular penetration tests are very important for a mature security concept, but they alone are not enough to protect companies sustainably against real cyber attacks and Advanced Persistent Threats (APTs). In addition, the Red Team Approach can be an effective tool for companies, but of course this also strongly depends on the respective company itself, the desired goal/added value, the available budget and also the current IT security level of the company.
The Red Team Approach can help to get an undistorted picture of the actual current state of the IT security culture in one's own company. As already mentioned, I consider the tool of the Red Team Approach to be very important, but each client is individual and it must be weighed up whether a Red Team Approach also makes sense in relation to the current IT security level of the client.