{"id":7711,"date":"2026-04-07T09:01:00","date_gmt":"2026-04-07T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7711"},"modified":"2026-04-07T09:01:00","modified_gmt":"2026-04-07T09:01:00","slug":"the-rise-of-proactive-cyber-why-defense-is-no-longer-enough","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7711","title":{"rendered":"The rise of proactive cyber: Why defense is no longer enough"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For more than two decades, cybersecurity has been built on a reactive model: detect intrusions, patch vulnerabilities, respond to incidents, and repeat. That model is now under sustained pressure from a threat environment that is faster, more coordinated, and increasingly automated.<\/p>\n<p>Two recent developments illustrate how quickly that model is breaking down. Earlier this month, the <a href=\"https:\/\/www.csoonline.com\/article\/4141989\/trumps-cyber-strategy-emphasizes-offensive-operations-deregulation-ai.html\">White House released its long-awaited cyber strategy<\/a> that elevates proactive or offensive cybersecurity to the top of its priorities. 
At this year\u2019s RSA Conference, <a href=\"https:\/\/www.linkedin.com\/in\/sandrajoyce\/\">Sandra Joyce<\/a>, who leads Google\u2019s Threat Intelligence Group, unveiled the company\u2019s threat disruption unit, outlining plans to use legal authorities and technical capabilities to actively thwart cyber threat groups.<\/p>\n<p>Together, these developments reflect a shift already under way \u2014 from purely defensive models toward efforts to disrupt adversaries before attacks reach their targets.<\/p>\n<p>\u201cWhat we\u2019ve been doing for the past 20 years hasn\u2019t been working,\u201d <a href=\"https:\/\/www.csoonline.com\/linkedin.com\/in\/glenn-gerstell-6a6abb6\/?skipRedirect=true\">Glenn Gerstell<\/a>, former general counsel of the National Security Agency and now senior adviser at the Center for Strategic and International Studies, tells CSO. \u201cWe have been inherently playing catch-up on defense \u2026 and the gap is getting wider.\u201d<\/p>\n<p>That assessment is now shaping both government strategy and private-sector operations. The United States is explicitly trying to shape adversary behavior rather than absorb attacks, while major technology providers are investing in capabilities designed to disrupt threat actors before they reach their targets.<\/p>\n<p>The shift is often described as \u201cproactive cyber\u201d or \u201cactive defense,\u201d but the language obscures how constrained \u2014 and how operational \u2014 the change actually is.<\/p>\n<h2 class=\"wp-block-heading\">The collapse of response time<\/h2>\n<p>The urgency behind that shift is grounded in how quickly modern attacks now unfold. 
The traditional sequence \u2014 initial access, lateral movement, data exfiltration \u2014 has collapsed into tightly coordinated, near-simultaneous activity across multiple actors.<\/p>\n<p>\u201cThe median time between initial access and the handoff to the secondary threat group has dropped from eight hours in 2022 to <a href=\"https:\/\/www.csoonline.com\/article\/4148705\/faster-attacks-and-recovery-denial-ransomware-reshape-threat-landscape.html\">just 22 seconds in 2025<\/a>,\u201d Joyce emphasized during an RSA keynote.<\/p>\n<p>That compression reflects a broader structural change. Cyber operations are no longer linear campaigns but ecosystems, where access brokers, operators, and monetization specialists operate in parallel. Artificial intelligence is accelerating that model by automating key phases of exploitation and movement.<\/p>\n<p>\u201cAgentic approaches for exploit development will allow adversaries to outpace human-driven controls,\u201d Joyce said.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/john-hultquist-76226478\/\">John Hultquist<\/a>, chief analyst at Google Threat Intelligence Group, says that once an intrusion is under way, defenders are already behind. \u201cActive defense is looking for opportunities outside of the castle walls, before the actor shows up inside or starts hitting the castle walls.\u201d<\/p>\n<p>Gerstell describes the same imbalance more bluntly. \u201cThe bad guys \u2026 have the advantage,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">What \u2018proactive cyber\u2019 means<\/h2>\n<p>Despite the more aggressive language, this shift toward private-sector involvement doesn\u2019t envision vigilante-style payback by aggrieved organizations. It instead embraces a more systematic effort to interfere with adversaries earlier in the attack chain using authorities and capabilities that already exist.<\/p>\n<p>\u201cTo be clear, this is not hacking back,\u201d Joyce said. 
\u201cThis is the legal and ethical use of intelligence to protect our own platforms.\u201d<\/p>\n<p>In practice, that approach combines civil litigation, coordinated takedowns, public exposure of tools, and product hardening. The goal is to impose cost and friction across the ecosystem rather than to stop individual intrusions.<\/p>\n<p>\u201cOur goal is to shift the economics of the entire ecosystem, to make cyber threat operations so costly, so difficult, so risky, that it is no longer a viable path for any adversary,\u201d Joyce said.<\/p>\n<p>Hultquist underscores that this kind of disruption has real but limited effects. \u201cWe\u2019re looking for operations that will have a longer-lasting effect on adversaries, or we can repeat at such a tempo that we can actually maintain the effect,\u201d he says.<\/p>\n<p>That dynamic is central to how proactive cyber is now being framed. Disruption is not a permanent solution; it is a way to degrade adversary capability and buy time.<\/p>\n<p>Gerstell offers a practical boundary for where that activity becomes more controversial. \u201cIf you\u2019re doing something only on your own network, it sounds defensive,\u201d he says. \u201cIf you\u2019re doing something on somebody else\u2019s network, it sounds offensive.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why the private sector is central<\/h2>\n<p>The shift toward proactive cyber is rooted in who controls the terrain. \u201cThe private sector operates the very infrastructure that adversaries abuse,\u201d Joyce said.<\/p>\n<p>At the same time, the scale of cyber threats exceeds what the government can handle alone.<\/p>\n<p>\u201cThere\u2019s no world in which the government can do all the things,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/cynthia-kaiser-cyber\/\">Cynthia Kaiser<\/a>, former FBI cyber deputy director and now SVP at Halcyon, tells CSO. 
\u201cWhen I was at the FBI, there was no world in which you could do all the things.\u201d<\/p>\n<p>That has led to a push for deeper operational integration between government and industry, combining private-sector visibility and speed with public-sector authority.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/adam-maruyama\/\">Adam Maruyama<\/a>, former CTO and DoD and NSA analyst and counterterrorism expert, says the shift toward more proactive action is necessary but lacks clear rules. Acting earlier in the attack chain, he notes, raises questions about how those operations should be conducted across jurisdictions and how they should be coordinated with allies.<\/p>\n<p>\u201cOnce you start acting outside your own network, you\u2019re immediately dealing with questions of jurisdiction and coordination,\u201d Maruyama tells CSO. \u201cThose aren\u2019t fully worked out.\u201d<\/p>\n<p>Without that clarity, more assertive disruption efforts risk creating friction even among partners, particularly when infrastructure sits outside US control.<\/p>\n<p>National Cyber Director <a href=\"https:\/\/www.whitehouse.gov\/briefings-statements\/2025\/08\/u-s-senate-confirms-sean-cairncross-as-the-national-cyber-director\/\">Sean Cairncross<\/a> framed the goal as correcting an imbalance. \u201cThe risk calculus on our adversary side in this space doesn\u2019t seem to be calibrated correctly,\u201d he <a href=\"https:\/\/mccraryinstitute.com\/event\/mccrary-cyber-summit\/\">said<\/a> at the McCrary Institute Cyber Summit in March.<\/p>\n<p>But Cairncross drew a clear boundary around private-sector action. \u201cI am not talking about private sector industry or companies engaging in a cyber offensive campaign,\u201d he said. 
\u201cThat\u2019s not what we\u2019re talking about.\u201d<\/p>\n<h2 class=\"wp-block-heading\">The fault lines: How far is too far<\/h2>\n<p>Agreement on the need to act earlier does not extend to agreement on how far those actions should go.<\/p>\n<p>Kaiser sees a practical path in focusing on criminal actors, where legal authorities are clearer and escalation risks are lower. \u201cI think the least risky way in which industry can help on this front is with criminal actors,\u201d she says, pointing to infrastructure takedowns and recovery of stolen funds.<\/p>\n<p>She also argues that legal frameworks may need to evolve. \u201cThe primary thing I\u2019d like to see is re-looking at the laws as they exist now and seeing if there are ways in which industry can help more with taking down infrastructure and clawing back stolen funds,\u201d she says.<\/p>\n<p>Others are more cautious. Maruyama points to the complexity of globally distributed infrastructure. \u201cWhat if their infrastructure is hosted not in North Korea, but in France \u2026 or a semi-allied country like Malaysia?\u201d he asks.<\/p>\n<p>Hultquist reinforces caution from an operational standpoint, but stresses the importance of effectiveness in targeting. That is one reason why Joyce said in her keynote that whatever tactic Google uses against adversaries, it intends for them to \u201cstay burned.\u201d Hultquist says, \u201cWe are committed to operations that have lasting effects.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Who can do this<\/h2>\n<p>Even if those tensions are resolved, the ability to carry out proactive disruption is concentrated among a small number of actors.<\/p>\n<p>\u201cThis is something that Google can do [and that] Microsoft has done and can do,\u201d Gerstell says. \u201cA medium-sized company probably can\u2019t.\u201d<\/p>\n<p>The requirements include not just technical capability but legal authority, operational scale, and control over infrastructure. 
Large platform providers can act within environments they own and can absorb the risks associated with disruption. Most enterprises cannot.<\/p>\n<p>Even among organizations that could act, willingness varies. \u201cSome of them could do it, but don\u2019t want to,\u201d Gerstell says.<\/p>\n<h2 class=\"wp-block-heading\">What should CISOs do?<\/h2>\n<p>For enterprise security leaders, the shift toward proactive cyber does not expand their mandate to take on offensive or disruption roles. Instead, reinforcing core cybersecurity fundamentals remains the priority.<\/p>\n<p>\u201cThe basic blocking and tackling is still critical,\u201d Gerstell says.<\/p>\n<p>Kaiser frames the enterprise role as participation rather than initiative. \u201cWhat more can we all do?\u201d she asks, particularly in supporting takedowns and recovery efforts where industry can act \u201cmore quickly and nimbly than the government can.\u201d<\/p>\n<p>That participation requires operational readiness: the ability to share telemetry quickly, preserve evidence, and respond in real time when providers or law enforcement act against adversary infrastructure.<\/p>\n<p>For CISOs, that means upstream disruption does not reduce the need for internal resilience. Even as governments and large cybersecurity providers increase pressure on attackers, enterprises should expect continued activity \u2014 often from the same actors operating in slightly different ways.<\/p>\n<p>At the same time, the legal limits remain clear. Acting outside an organization\u2019s own environment introduces risks that most enterprises are not equipped to manage. 
The practical role for CISOs is not to become more aggressive, but to operate effectively in a system where others increasingly handle disruption.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For more than two decades, cybersecurity has been built on a reactive model: detect intrusions, patch vulnerabilities, respond to incidents, and repeat. That model is now under sustained pressure from a threat environment that is faster, more coordinated, and increasingly automated. Two recent developments illustrate how quickly that model is breaking down. Earlier this month, [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7712,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7711","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7711"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7711"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7711\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7712"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecuri
tyinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}