Black Hat 2024: Organizations Are Giving Offensive Security a Fresh Look
Seemant ("Sam") Sehgal, founder and CEO of BreachLock, joins Dark Reading's Terry Sweeney at News Desk during Black Hat USA to describe what's involved in taking the fight to the bad guys.
August 14, 2024
Enterprise security is still largely defensive and reactive in nature, but organizations are adding offensive security, taking the fight back to the bad guys, with more frequency, according to Seemant Sehgal, founder and CEO of BreachLock, in comments at the Dark Reading News Desk during Black Hat USA. He also says there's a growing menu of offensive security measures and services available to end-user organizations: breach attack simulation software; automated penetration testing; pen testing as a service; external attack surface management as a service; and even red teaming as a service.
"Technology will be used more and more to automate [and] to reduce the stress on cybersecurity professionals in terms of how much effort is required to do a simple thing," Sehgal says. And while defensive security remains the dominant model, innovations like AI have rebalanced the equation to include more use of offensive security. As customers in recent years have looked for more ROI justification for security expenditures, offensive security is expected to simplify ROI calculations, Sehgal suggests. "We're going to see that in the next five years, basically a game-changing offensive security balance and the budgets will also continue to shift," in favor of more offense, he adds.
With defensive security, organizations might buy detection software, then have to analyze volumes of service tickets to find out if it's a blip or a real incident. "But you are only able to do the retrospective [analysis] at the end of the year in terms of what the ROI is with defensive security," Sehgal explains. But with something like pen testing as a service, "the ROI in offensive security is almost immediate, provided you are also remediating," Sehgal says.
Seemant Sehgal founded BreachLock with two things: 18+ years of experience in the cybersecurity industry and the goal to create a solution that would make cyberspace safer. As the former head of cybersecurity at ING Bank with a multi-million-dollar cybersecurity budget, he dealt with the pain of traditional pen-testing approaches that fell short of what modern businesses need for a strong security posture. A go-getter by nature, Seemant was motivated to solve these pain points for people walking in the same shoes, and he went on to create a full-stack penetration testing solution.