What is an 'Orange team'?

There are a number of companies that do this. Typically, the organization defines the scope of the team, clearly defines the activities, and trains and supervises it.

I have seen it done as part of the Security Awareness Champions programme that allows people who have been active in improving the security of their peers using the tools and processes available to everyone. This new level of training is a type of "reward" for being a leader in security among their peers.

By tapping into the Champions programme, you give employees something to aim for and you get those who are truly showing interest in security and not those who are attracted only to the "hacking" part.

After that, it all depends on what your organisation wants to tackle. I've seen phishing teams (phish your peers!), physical security teams (Mission Impossible your way into the building!), and application security teams (break our product!).