Security is not a point-in-time exercise. It’s a cycle of testing, fixing, and starting over. Organisations that treat it as anything less quickly fall behind.
In the last decade, we’ve seen how offensive security practices such as penetration testing, combined with follow-up patching and mitigation strategies, have significantly strengthened defences. For instance, Active Directory hardening, EDR solutions, and endpoint security have evolved considerably thanks to insights from attack simulations.
Repeated internal testing followed by corrective actions will help reduce misconfigurations, close or reduce privilege gaps, and ultimately shrink the overall attack surface. A positive outcome of defensive maturity is that attackers often now have to spend more effort to execute a successful attack.
Modern Attackers Have an Easy Entry
Many significant attacks in 2025 didn’t rely on basic exploit methods alone to reach their end goal. Multiple techniques, including social engineering, MFA fatigue, misconfigured cloud services, token abuse, and trusted third-party access were also used to enable lateral movement.
For instance, Salesforce suffered a breach related to SalesLoft-Drift SaaS, now considered the largest SaaS supply chain breach in history. ShinyHunters/UNC6395, started with the exploitation of a vulnerability in an integration point between Drift and Salesforce. Once inside, attackers were able to get oAuth tokens and refresh tokens for hundreds of companies globally.
And, an attack against Marks & Spencer was one of a number of attacks on major UK retail outlets. The attack happened when malefactors used social engineering tactics and compromised third-party access to trick the retailer’s service desk employees into resetting their own user ID and password for the company’s internal systems.
As attackers evolve to incorporate varying techniques to reach their end goal, the security industry must continue to do the same.
Real Attackers Don’t Respect Security Silos
Whether mass exploitation or a targeted attack, the bad guys are often patient, taking their time to understand the victim’s environment before trying to break in. Stronger defences have the ability to delay or even thwart these attempts, many of which exist because offensive security exposed where defences were weakest, pointing out how attackers might get in, where their controls could fail, and how small issues together can add up to major risks.
Because offensive security is an ecosystem rather than a single activity, network, cloud, identity, and email attack paths all intersect. If you only test one of these environments in isolation, then you are missing how real attacks happen. A mature offensive security programme reflects this reality by using tooling and expertise to test across environmental and stage-level attacks.
As a result, an organisation’s offensive security suite should consist of a full-scale array of tools and services that help companies conduct proactive assessments of their defensive posture. This is tested using several methods including penetration testing, Red Team engagements, and Adversary Simulation to identify vulnerabilities, verify controls, and enhance an entity’s security posture.
We also now have tools and techniques to simulate AI-assisted attacks, targeted cloud abuse, and advanced phishing scenarios that conventional defences cannot stop. These capabilities extend and augment penetration testing and red teaming by helping teams test situations that were onerous or time-consuming to recreate a few years ago.
Change as the Main Goal of Testing
Offensive security is often misunderstood as purely a vulnerability-finding exercise. In practice, its value lies in context.
Penetration testing and adversary simulation provide real-world evidence of how vulnerabilities can impact a company’s overall resilience by showing whether segmentation can prevent an attacker from moving around the network, whether endpoint controls will slow them down, and whether or not the alerts will get to the right person at the right time. The insights from these tests can directly influence changes to network architectures, configurations for endpoints, and identity strategies.
Testing is only valuable as offensive security though if the results are used to create actionable recommendations that result in actual change. These fixes must, in turn, be tested to ensure they are effective. This very feedback loop converts testing into a resilient process.
A Human – Machine Balance
Today’s adversaries use a combination of automation and human insight. Examples of this include using AI to create phishing content, automated scanning and reconnaissance techniques, as well as scripted methods to exploit vulnerabilities. All of these are coordinated and controlled by a person who can assess and adjust the course if one method fails.
This is why defenders must operate similarly.
Most modern attacks are successful due to human factors. A hasty decision, a missed configuration change, or a patch applied too late. Offensive security has strengthened technical controls to the point that people are now the simplest way into a business.
This means there needs to be a balance between automation and human intelligence. Automation can provide rapid scale and consistency, while human expertise provides intuitive reasoning, creative problem solving, and a level of critical thinking and judgment.
Effective offensive security programmes will always use automation to rapidly evaluate large volumes of data and identify potential vulnerabilities and areas of risk and will use human expertise to analyse and understand the results from these evaluations, examine the edge cases, and see through the eyes of a bad actor.
Closing the Loop
Offensive security doesn’t work on its own. It should be part of the defence-in-depth strategy together with security awareness and detection and response.
Threat intelligence proves priority. Knowing that a vulnerability has been identified is helpful, but realising it’s being exploited changes priority. Training employees limits repeated exposures to common attack vectors, while an automated response facilitates immediate actions when required.
Organisations that use offensive security demonstrate maturity and improve their overall security posture by integrating these solutions into their broader security operations and shifting from being reactive to continuously improving.
So, Is Offensive Security Keeping Pace?
Yes, but again, not all by itself.
Offensive security has matured substantially. Threat actors are using more sophisticated and realistic tactics, tools have improved in capability, and the insights these solutions provide are more actionable than ever.
Properly implemented, it can keep pace with attackers as they hone their craft. There is no silver bullet, so the solutions that gain your trust will be those that can be incorporated into a disciplined process of testing, learning, and adapting.
Offensive security is most effective when used from the outset, as a catalyst that leads to better decision-making, more effective controls, and quicker responses.
