Red teaming, where ethical hackers simulate real-world attacks to test detection and response capabilities. Red teams aim to emulate threat actors by using stealthy tactics to bypass controls and achieve objectives such as data exfiltration or privilege escalation.

Adversary emulation, where security pros re-create known threat actor tactics, techniques, and procedures (TTPs) based on threat intelligence to validate defensive tools and train incident response teams under real-world conditions.

Social engineering assessments, which test humans and processes through phishing, pretexting, and other manipulation techniques to identify vulnerabilities and weaknesses. It’s similar to the way pen testing tests technology systems.

Security tool evasion testing, which tests how well an organization’s security technologies detect and block evasive techniques such as obfuscation, encryption, or living-off-the-land tactics, and tests whether those security technologies can be bypassed via malicious techniques.

Some of these offensive security components, namely vulnerability management, pen testing, and phishing, have been longstanding elements of most enterprise security programs. For example, 88% of security leaders consider pen testing to be a “vital component of their organization’s overall security efforts,” according to the 2025 CISO Perspectives Report from cybersecurity software maker Cobalt.

Many CISOs also have had team members with specific offensive security skills for many years. In fact, the Offensive Security Certified Professional (OSCP), the Offensive Security Experienced Penetration Tester (OSEP), and the Offensive Security Certified Expert (OSCE) certifications from OffSec are all credentials that have been in demand for years. Of late, the field of OffSec, pen testing, and ethical hacking certifications has grown considerably.

Offensive security technologies are not new, either.

However, experts say advancements in vendor products thanks to the addition of automation, analytics, and artificial intelligence have increased the effectiveness of offensive security programs while also lowering the barrier of entry for security teams to add OffSec to their operations.

“We’re seeing a lot of tech providers bring capabilities to market to support this proactive, or offensive, approach,” Mellen says.
Challenges to OffSec operations:

Still, many security departments have yet to adopt a comprehensive offensive security program, with small and midsize companies being the most likely to have little to no OffSec elements, Mellen says, adding that limited resources, budget, staff, and skills create a common barrier to implementing or maturing offensive security.

Another factor that keeps CISOs from incorporating more offensive security into their strategies is concern about exposing vulnerabilities they don’t have the ability to address, Mellen adds. “They can’t unknow that they have those vulnerabilities if they’re not able to do something about them, although the hackers are going to find them whether or not you identify them,” he says.

Still, Mellen and others contend that it’s critical for CISOs to implement and expand OffSec measures now as hackers increasingly leverage AI to launch more targeted and more sophisticated attacks at a faster clip. To counteract hackers’ growing capabilities, experts say CISOs must become faster in identifying and closing security gaps, which is exactly what OffSec enables CISOs to do.

“Offensive security is more important than it was before, because threat actors are using AI-enabled tools to develop attacks we haven’t experienced before. Back when hackers were using script kiddies, attacks were fairly predictable,” says Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group. “Now hacks are so esoteric, they’re almost hard to understand. And if you’re only relying on scanning, you’re not catching potential vulnerabilities early enough or at all. You need to continuously be looking for them through offensive security.”
The business case for OffSec:

Mellen says CISOs can use the information gleaned from their offensive security programs to create business cases for additional investments in the security program. “That data-driven evidence can go a long way to quantifying risk and quantifying the effort and cost to remediation,” he explains.

Bill Dunnion, CISO of telecommunications company Mitel, sees a strong case for adopting more offensive security measures in his own organization.

“To me, offensive security is to think like the bad guys. I have to think, ‘What would I do? How would I get in? Can I find those back doors and windows that have been left open?’ so I can find them and fix them,” he says. “What you don’t know in the world of security can kill you, so what offensive security does for me is that it helps me identify the unknowns. And once I know something is there, I can mitigate it.”

Dunnion already has some OffSec components in his cyber strategy, including vulnerability management, pen testing, and threat hunting, but wants to expand such capabilities. For example, he wants to create a formal threat hunting program rather than doing threat hunting on an ad hoc basis, as his team does now.

Utkarsh Choudhary, senior manager of IT security at Deloitte Canada, is another proponent of adopting more OffSec elements, seeing it as “sending out scouts and testing out walls and fences to see if those controls really work.”

“It is more systematic and a continuous approach of validating,” he adds, noting that offensive security has become an essential element because of the increasing complexity of today’s enterprise IT environment and the typical organization’s ever-expanding attack surface.

Choudhary also points out that many OffSec components, such as pen testing, are required by business partners and clients, and by certain regulations and frameworks such as ISO 27001.

Like others, Choudhary says OffSec practices help organizations better understand their risks. “It provides you an empirical assessment and forces honesty in the organization,” he says. “It validates what you’re doing well and what you’re not doing well. It proves to the organization if something isn’t sufficient. It gives you a true proof of risk.”

To maximize the value, however, Choudhary and others say organizations must move beyond having OffSec components to integrating their offensive program with their defensive one.

“Offense doesn’t displace defense; it strengthens what defense has been missing. Offense enhances the defense posture,” Choudhary says. “Offensive security adds a security layer to defense, so it’s not either, or even both, but that they have to work in concert. And that makes the organization more proactive rather than reactive, because it lessens the opportunities for hackers to get in.”

First seen on csoonline.com
Jump to article: www.csoonline.com/article/4101929/offensive-security-takes-center-stage-in-the-ai-era.html

