{"id":15284,"date":"2025-12-08T07:02:36","date_gmt":"2025-12-08T07:02:36","guid":{"rendered":"https:\/\/newestek.com\/?p=15284"},"modified":"2025-12-08T07:02:36","modified_gmt":"2025-12-08T07:02:36","slug":"offensive-security-takes-center-stage-in-the-ai-era","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15284","title":{"rendered":"Offensive security takes center stage in the AI era"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/sara-madden-344a665\/\">Sara Madden<\/a> is looking to take a more offensive approach to safeguarding her company.<\/p>\n<p>The Convera CISO wants to add a red team to stress test the financial services company\u2019s systems and identify where defenses should be bolstered. She also wants to incorporate <a href=\"https:\/\/www.csoonline.com\/article\/652476\/4-steps-for-purple-team-success.html\">purple teaming<\/a>, where red and blue teams collaborate to improve overall security.<\/p>\n<p>\u201cI think offensive security is a place we need to get to, because [we] can use the information obtained from it to fine-tune the security program and controls,\u201d Madden says.<\/p>\n<p>Madden is not alone in her desire to add an offensive program to advance her cybersecurity strategy.<\/p>\n<p>Enterprise security\u2019s remit is defensive in nature: to protect and defend the company\u2019s systems, data, reputation, customers, and employees. 
But CISOs like Madden have been increasingly adding offensive components to their strategies, seeing attack simulations as a way to gain valuable information about their technology environments, defense postures, and the weaknesses hackers would find if they attack.<\/p>\n<p>Now a growing percentage of CISOs see offensive security as a must-have and, as such, are building up offensive capabilities and integrating them into their security processes to ensure the information revealed during offensive exercises leads to improvements in their overall security posture.<\/p>\n<p>\u201cIt\u2019s super important to have time and resources dedicated to [using] threat intelligence and conducting tabletop exercises and getting to the point where you have purple teaming,\u201d Madden says, \u201cbecause you don\u2019t want to always be on your heels.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"components-of-offensive-security\">Components of offensive security<\/h2>\n<p>Offensive security, or OffSec for short, is the practice of using attacker-style tactics to find and fix vulnerabilities in an organization\u2019s own IT environment.<\/p>\n<p><a href=\"https:\/\/www.ey.com\/en_us\/people\/dan-mellen\">Dan Mellen<\/a>, global and US cyber CTO at professional services firm EY, defines it as the organization\u2019s \u201cidentification and exploitation of vulnerabilities before adversaries do.\u201d<\/p>\n<p>Mellen sees several buckets of activities involved in offensive security, starting with vulnerability management at the bottom end of the maturity scale, and then moving up to attack surface management and <a href=\"https:\/\/www.csoonline.com\/article\/571697\/penetration-testing-explained-how-ethical-hackers-simulate-attacks.html\">penetration testing<\/a>, to <a href=\"https:\/\/www.csoonline.com\/article\/569703\/threat-hunting-explained-taking-an-active-approach-to-defense.html\">threat hunting<\/a> and adversarial simulations, such as <a href=\"https:\/\/www.csoonline.com\/article\/570871\/tabletop-exercises-explained-definition-examples-and-objectives.html\">tabletop exercises<\/a>.<\/p>\n
<p>\u201cThen there\u2019s the concept of <a href=\"https:\/\/www.csoonline.com\/article\/4083612\/the-soc-parachute-needs-more-than-packing-it-needs-practice.html\">purple teaming<\/a> where the organization looks at an attack scenario and what were the defenses that should have alerted but didn\u2019t and how to rectify those,\u201d he says.<\/p>\n<p>Other offensive security components include:<\/p>\n<ul class=\"wp-block-list\">\n<li><strong>Red teaming<\/strong>, where ethical hackers simulate real-world attacks to test detection and response capabilities. <a href=\"https:\/\/www.csoonline.com\/article\/3618336\/top-tips-for-cisos-running-red-teams.html\">Red teams aim to emulate threat actors<\/a> by using stealthy tactics to bypass controls and achieve objectives such as data exfiltration or privilege escalation.<\/li>\n<li><strong>Adversary emulation<\/strong>, where security pros re-create known threat actor <a href=\"https:\/\/www.csoonline.com\/article\/3497597\/5-best-practices-for-running-a-successful-threat-informed-defense-in-cybersecurity.html\">tactics, techniques, and procedures (TTPs)<\/a> based on threat intelligence to validate defensive tools and train incident response teams under real-world conditions.<\/li>\n<li><strong>Social engineering assessments<\/strong>, which test humans and processes through phishing, pretexting, and other manipulation techniques to identify vulnerabilities and weaknesses. 
It\u2019s similar to the way pen testing tests technology systems.<\/li>\n<li><strong>Security tool evasion testing<\/strong>, which tests how well an organization\u2019s security technologies detect and block evasive techniques such as obfuscation, encryption, or living-off-the-land tactics, and tests whether those security technologies can be bypassed via malicious techniques.<\/li>\n<\/ul>\n<p>Some of these offensive security components \u2014 namely vulnerability management, pen testing, and phishing \u2014 have been longstanding elements of most enterprise security programs. For example, 88% of security leaders consider pen testing to be a \u201cvital component of their organization\u2019s overall security efforts,\u201d according to the <a href=\"https:\/\/resource.cobalt.io\/ciso-perspectives-report\">2025 CISO Perspectives Report<\/a> from cybersecurity software maker Cobalt.<\/p>\n<p>Many CISOs also have had team members with specific offensive security skills for many years. In fact, the Offensive Security Certified Professional (OSCP), the Offensive Security Experienced Penetration Tester (OSEP), and the Offensive Security Certified Expert (OSCE) certifications from <a href=\"https:\/\/www.offsec.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">OffSec<\/a> are all credentials that have been in demand for years. 
Of late, the field of <a href=\"https:\/\/www.csoonline.com\/article\/3957786\/top-16-offsec-pen-testing-and-ethical-hacking-certifications.html\">OffSec, pen testing, and ethical hacking certifications<\/a> has grown considerably.<\/p>\n<p>Offensive security technologies are not new, either.<\/p>\n<p>However, experts say advancements in vendor products thanks to the addition of automation, analytics, and artificial intelligence have increased the effectiveness of offensive security programs while also lowering the barrier of entry for security teams to add OffSec to their operations.<\/p>\n<p>\u201cWe\u2019re seeing a lot of tech providers bring capabilities to market to support this proactive, or offensive, approach,\u201d Mellen says.<\/p>\n<h2 class=\"wp-block-heading\" id=\"challenges-to-offsec-operations\">Challenges to OffSec operations<\/h2>\n<p>Still, many security departments have yet to adopt a comprehensive offensive security program \u2014 with small and midsize companies being the most likely to have little to no OffSec elements, Mellen says, adding that limited resources \u2014 budget, staff, skills \u2014 create a common barrier to implementing or maturing offensive security.<\/p>\n<p>Another factor that keeps CISOs from incorporating more offensive security into their strategies is concern about exposing vulnerabilities they don\u2019t have the ability to address, Mellen adds. \u201cThey can\u2019t unknow that they have those vulnerabilities if they\u2019re not able to do something about them, although the hackers are going to find them whether or not you identify them,\u201d he says.<\/p>\n<p>Still, Mellen and others contend that it\u2019s critical for CISOs to implement and expand OffSec measures now as hackers increasingly leverage AI to launch more targeted and more sophisticated attacks at a faster clip. 
To counteract hackers\u2019 growing capabilities, experts say CISOs must become faster in identifying and closing security gaps \u2014 which is exactly what OffSec enables CISOs to do.<\/p>\n<p>\u201cOffensive security is more important than it was before, because threat actors are using AI-enabled tools to develop attacks we haven\u2019t experienced before. Back when hackers were using script kiddies, attacks were fairly predictable,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/acardwell\/\">Aimee Cardwell<\/a>, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group. \u201cNow hacks are so esoteric, they\u2019re almost hard to understand. And if you\u2019re only relying on scanning, you\u2019re not catching potential vulnerabilities early enough or at all. You need to continuously be looking for them through offensive security.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-business-case-for-offsec\">The business case for OffSec<\/h2>\n<p>Mellen says CISOs can use the information gleaned from their offensive security programs to create business cases for additional investments in the security program. \u201cThat data-driven evidence can go a long way to quantifying risk and quantifying the effort and cost to remediation,\u201d he explains.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/billdunnion\/?originalSubdomain=ca\">Bill Dunnion<\/a>, CISO of telecommunications company Mitel, sees a strong case for adopting more offensive security measures in his own organization.<\/p>\n<p>\u201cTo me, offensive security is to think like the bad guys. I have to think, \u2018What would I do? How would I get in? Can I find those back doors and windows that have been left open?\u2019 so I can find them and fix them,\u201d he says. \u201cWhat you don\u2019t know in the world of security can kill you, so what offensive security does for me is that it helps me identify the unknowns. 
And once I know something is there, I can mitigate it.\u201d<\/p>\n<p>Dunnion already has some OffSec components in his cyber strategy, including vulnerability management, pen testing, and threat hunting, but wants to expand such capabilities. For example, he wants to create a formal threat hunting program rather than doing threat hunting on an ad hoc basis \u2014 as his team does now.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/utkarsh121\/?originalSubdomain=ca\">Utkarsh Choudhary<\/a>, senior manager of IT security at Deloitte Canada, is another proponent of adopting more OffSec elements, seeing it as \u201csending out scouts and testing out walls and fences to see if those controls really work.\u201d<\/p>\n<p>\u201cIt is more systematic and a continuous approach of validating,\u201d he adds, noting that offensive security has become an essential element because of the increasing complexity of today\u2019s enterprise IT environment and the typical organization\u2019s ever-expanding attack surface.<\/p>\n<p>Choudhary also points out that many OffSec components, such as pen testing, are required by business partners and clients, and by certain regulations and frameworks such as ISO 27001.<\/p>\n<p>Like others, Choudhary says OffSec practices help organizations better understand their risks. \u201cIt provides you an empirical assessment and forces honesty in the organization,\u201d he says. \u201cIt validates what you\u2019re doing well and what you\u2019re not doing well. It proves to the organization if something isn\u2019t sufficient. It gives you a true proof of risk.\u201d<\/p>\n<p>To maximize the value, however, Choudhary and others say organizations must move beyond <em>having<\/em> OffSec components to <em>integrating<\/em> their offensive program with their defensive one.<\/p>\n<p>\u201cOffense doesn\u2019t displace defense; it strengthens what defense has been missing. Offense enhances the defense posture,\u201d Choudhary says. 
\u201cOffensive security adds a security layer to defense, so it\u2019s not either, or even both, but that they have to work in concert. And that makes the organization more proactive rather than reactive, because it lessens the opportunities for hackers to get in.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Sara Madden is looking to take a more offensive approach to safeguarding her company. The Convera CISO wants to add a red team to stress test the financial services company\u2019s systems and identify where defenses should be bolstered. She also wants to incorporate purple teaming, where red and blue teams collaborate to improve overall security. \u201cI think offensive security is a place we need to&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15284\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15284","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15284"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15284\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}