Offensive security takes center stage in the AI era

Sara Madden is looking to take a more offensive approach to safeguarding her company.

The Convera CISO wants to add a red team to stress test the financial services company’s systems and identify where defenses should be bolstered. She also wants to incorporate purple teaming, where red and blue teams collaborate to improve overall security.

“I think offensive security is a place we need to get to, because [we] can use the information obtained from it to fine-tune the security program and controls,” Madden says.

Madden is not alone in her desire to add an offensive program to advance her cybersecurity strategy.

Enterprise security’s remit is defensive in nature: to protect and defend the company’s systems, data, reputation, customers, and employees. But CISOs like Madden have been increasingly adding offensive components to their strategies, seeing attack simulations as a way to gain valuable information about their technology environments, defense postures, and the weaknesses hackers would find if they attack.

Now a growing percentage of CISOs see offensive security as a must-have and, as such, are building up offensive capabilities and integrating them into their security processes to ensure the information revealed during offensive exercises leads to improvements in their overall security posture.

“It’s super important to have time and resources dedicated to [using] threat intelligence and conducting tabletop exercises and getting to the point where you have purple teaming,” Madden says, “because you don’t want to always be on your heels.”

Components of offensive security

Offensive security, or OffSec for short, is the practice of using attacker-style tactics to find and fix vulnerabilities in an organization’s own IT environment.

Dan Mellen, global and US cyber CTO at professional services firm EY, defines it as the organization’s “identification and exploitation of vulnerabilities before adversaries do.”

Mellen sees several buckets of activity involved in offensive security, starting with vulnerability management at the bottom end of the maturity scale, then moving up through attack surface management and penetration testing, to threat hunting and adversarial simulations, such as tabletop exercises.

“Then there’s the concept of purple teaming where the organization looks at an attack scenario and what were the defenses that should have alerted but didn’t and how to rectify those,” he says.

Other offensive security components include:

Red teaming, where ethical hackers simulate real-world attacks to test detection and response capabilities. Red teams aim to emulate threat actors by using stealthy tactics to bypass controls and achieve objectives such as data exfiltration or privilege escalation.

Adversary emulation, where security pros re-create known threat actor tactics, techniques, and procedures (TTPs) based on threat intelligence to validate defensive tools and train incident response teams under real-world conditions.

Social engineering assessments, which test humans and processes through phishing, pretexting, and other manipulation techniques to identify vulnerabilities and weaknesses. It’s similar to the way pen testing tests technology systems.

Security tool evasion testing, which tests how well an organization’s security technologies detect and block evasive techniques such as obfuscation, encryption, or living-off-the-land tactics, and tests whether those security technologies can be bypassed via malicious techniques.

Some of these offensive security components — namely vulnerability management, pen testing, and phishing — have been longstanding elements of most enterprise security programs. For example, 88% of security leaders consider pen testing to be a “vital component of their organization’s overall security efforts,” according to the 2025 CISO Perspectives Report from cybersecurity software maker Cobalt.

Many CISOs also have had team members with specific offensive security skills for many years. In fact, the Offensive Security Certified Professional (OSCP), the Offensive Security Experienced Penetration Tester (OSEP), and the Offensive Security Certified Expert (OSCE) certifications from OffSec are all credentials that have been in demand for years. Of late, the field of OffSec, pen testing, and ethical hacking certifications has grown considerably.

Offensive security technologies are not new, either.

However, experts say advancements in vendor products, thanks to the addition of automation, analytics, and artificial intelligence, have increased the effectiveness of offensive security programs while also lowering the barrier to entry for security teams adding OffSec to their operations.

“We’re seeing a lot of tech providers bring capabilities to market to support this proactive, or offensive, approach,” Mellen says.

Challenges to OffSec operations

Still, many security departments have yet to adopt a comprehensive offensive security program, and small and midsize companies are the most likely to have little to no OffSec elements, Mellen says. Limited resources (budget, staff, skills) are a common barrier to implementing or maturing offensive security, he adds.

Another factor that keeps CISOs from incorporating more offensive security into their strategies is concern about exposing vulnerabilities they don’t have the ability to address, Mellen adds. “They can’t unknow that they have those vulnerabilities if they’re not able to do something about them, although the hackers are going to find them whether or not you identify them,” he says.

Still, Mellen and others contend that it’s critical for CISOs to implement and expand OffSec measures now as hackers increasingly leverage AI to launch more targeted and more sophisticated attacks at a faster clip. To counteract hackers’ growing capabilities, experts say CISOs must become faster in identifying and closing security gaps — which is exactly what OffSec enables CISOs to do.

“Offensive security is more important than it was before, because threat actors are using AI-enabled tools to develop attacks we haven’t experienced before. Back when hackers were using script kiddies, attacks were fairly predictable,” says Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group. “Now hacks are so esoteric, they’re almost hard to understand. And if you’re only relying on scanning, you’re not catching potential vulnerabilities early enough or at all. You need to continuously be looking for them through offensive security.”

The business case for OffSec

Mellen says CISOs can use the information gleaned from their offensive security programs to create business cases for additional investments in the security program. “That data-driven evidence can go a long way to quantifying risk and quantifying the effort and cost to remediation,” he explains.

Bill Dunnion, CISO of telecommunications company Mitel, sees a strong case for adopting more offensive security measures in his own organization.

“To me, offensive security is to think like the bad guys. I have to think, ‘What would I do? How would I get in? Can I find those back doors and windows that have been left open?’ so I can find them and fix them,” he says. “What you don’t know in the world of security can kill you, so what offensive security does for me is that it helps me identify the unknowns. And once I know something is there, I can mitigate it.”

Dunnion already has some OffSec components in his cyber strategy, including vulnerability management, pen testing, and threat hunting, but wants to expand such capabilities. For example, he wants to create a formal threat hunting program rather than doing threat hunting on an ad hoc basis — as his team does now.

Utkarsh Choudhary, senior manager of IT security at Deloitte Canada, is another proponent of adopting more OffSec elements, seeing it as “sending out scouts and testing out walls and fences to see if those controls really work.”

“It is more systematic and a continuous approach of validating,” he adds, noting that offensive security has become an essential element because of the increasing complexity of today’s enterprise IT environment and the typical organization’s ever-expanding attack surface.

Choudhary also points out that many OffSec components, such as pen testing, are required by business partners and clients, and by certain regulations and frameworks such as ISO 27001.

Like others, Choudhary says OffSec practices help organizations better understand their risks. “It provides you an empirical assessment and forces honesty in the organization,” he says. “It validates what you’re doing well and what you’re not doing well. It proves to the organization if something isn’t sufficient. It gives you a true proof of risk.”

To maximize the value, however, Choudhary and others say organizations must move beyond having OffSec components to integrating their offensive program with their defensive one.

“Offense doesn’t displace defense; it strengthens what defense has been missing. Offense enhances the defense posture,” Choudhary says. “Offensive security adds a security layer to defense, so it’s not either, or even both, but that they have to work in concert. And that makes the organization more proactive rather than reactive, because it lessens the opportunities for hackers to get in.”
