Is Offensive Security Keeping Up with the Latest Cyber Attacks?

Security is not a point-in-time exercise. It’s a cycle of testing, fixing, and starting over. Organisations that treat it as anything less quickly fall behind.

In the last decade, we’ve seen how offensive security practices such as penetration testing, combined with follow-up patching and mitigation strategies, have significantly strengthened defences. For instance, Active Directory hardening, EDR solutions, and endpoint security have evolved considerably thanks to insights from attack simulations.

Repeated internal testing followed by corrective actions will help reduce misconfigurations, close or reduce privilege gaps, and ultimately shrink the overall attack surface. A positive outcome of defensive maturity is that attackers often now have to spend more effort to execute a successful attack.

Modern Attackers Have an Easy Entry

Many significant attacks in 2025 didn’t rely on basic exploit methods alone to reach their end goal. Multiple techniques, including social engineering, MFA fatigue, misconfigured cloud services, token abuse, and trusted third-party access, were also used to enable lateral movement.

For instance, Salesforce suffered a breach related to the SalesLoft-Drift SaaS integration, now considered the largest SaaS supply chain breach in history. ShinyHunters/UNC6395 started by exploiting a vulnerability in an integration point between Drift and Salesforce. Once inside, the attackers were able to obtain OAuth access tokens and refresh tokens for hundreds of companies globally.

An attack against Marks & Spencer was one of a number of attacks on major UK retail outlets. It happened when malefactors used social engineering tactics and compromised third-party access to trick the retailer’s service desk staff into resetting their own user ID and password for the company’s internal systems.

As attackers evolve to incorporate varying techniques to reach their end goal, the security industry must continue to do the same.

Real Attackers Don’t Respect Security Silos

Whether mass exploitation or a targeted attack, the bad guys are often patient, taking their time to understand the victim’s environment before trying to break in. Stronger defences can delay or even thwart these attempts, and many of those defences exist because offensive security exposed where they were weakest: how attackers might get in, where controls could fail, and how small issues together can add up to major risks.

Because offensive security is an ecosystem rather than a single activity, network, cloud, identity, and email attack paths all intersect. If you only test one of these environments in isolation, you are missing how real attacks happen. A mature offensive security programme reflects this reality by using tooling and expertise to test attack paths that cross environments and span every stage of an attack.

As a result, an organisation’s offensive security suite should consist of a full-scale array of tools and services that help companies conduct proactive assessments of their defensive posture. That posture is tested using several methods, including penetration testing, Red Team engagements, and Adversary Simulation, to identify vulnerabilities, verify controls, and enhance an entity’s security posture.

We also now have tools and techniques to simulate AI-assisted attacks, targeted cloud abuse, and advanced phishing scenarios that conventional defences cannot stop. These capabilities extend and augment penetration testing and red teaming by helping teams test situations that were onerous or time-consuming to recreate a few years ago.

Change as the Main Goal of Testing

Offensive security is often misunderstood as purely a vulnerability-finding exercise. In practice, its value lies in context.

Penetration testing and adversary simulation provide real-world evidence of how vulnerabilities can impact a company’s overall resilience by showing whether segmentation can prevent an attacker from moving around the network, whether endpoint controls will slow them down, and whether or not the alerts will get to the right person at the right time. The insights from these tests can directly influence changes to network architectures, configurations for endpoints, and identity strategies.

Testing is only valuable as offensive security, though, if the results are turned into actionable recommendations that lead to actual change. Those fixes must, in turn, be retested to confirm they are effective. This feedback loop is what converts testing into a resilient process.

A Human-Machine Balance

Today’s adversaries use a combination of automation and human insight. Examples of this include using AI to create phishing content, automated scanning and reconnaissance techniques, as well as scripted methods to exploit vulnerabilities. All of these are coordinated and controlled by a person who can assess and adjust the course if one method fails.

This is why defenders must operate similarly.

Most modern attacks succeed because of human factors: a hasty decision, a missed configuration change, or a patch applied too late. Offensive security has strengthened technical controls to the point that people are now the simplest way into a business.

This means there needs to be a balance between automation and human intelligence. Automation can provide rapid scale and consistency, while human expertise provides intuitive reasoning, creative problem solving, and a level of critical thinking and judgment.

Effective offensive security programmes will always use automation to rapidly evaluate large volumes of data and identify potential vulnerabilities and areas of risk and will use human expertise to analyse and understand the results from these evaluations, examine the edge cases, and see through the eyes of a bad actor.

Closing the Loop

Offensive security doesn’t work on its own. It should be part of the defence-in-depth strategy together with security awareness and detection and response.

Threat intelligence sets priority. Knowing that a vulnerability has been identified is helpful, but learning that it is actively being exploited changes its priority. Training employees limits repeated exposure to common attack vectors, while automated response enables immediate action when required.

Organisations that use offensive security demonstrate maturity and improve their overall security posture by integrating these solutions into their broader security operations and shifting from being reactive to continuously improving.

So, Is Offensive Security Keeping Pace?

Yes, but again, not all by itself.

Offensive security has matured substantially. Threat actors are using more sophisticated and realistic tactics, tools have improved in capability, and the insights these solutions provide are more actionable than ever.

Properly implemented, it can keep pace with attackers as they hone their craft. There is no silver bullet, so the solutions that gain your trust will be those that can be incorporated into a disciplined process of testing, learning, and adapting.

Offensive security is most effective when used from the outset, as a catalyst that leads to better decision-making, more effective controls, and quicker responses.

The post Is Offensive Security Keeping Up with the Latest Cyber Attacks? appeared first on IT Security Guru.

Filigran uses AI agents to make CTEM practical for overstretched security teams

Filigran has unveiled XTM One, an AI-native orchestration layer designed to automate Continuous Threat Exposure Management (CTEM) workflows, as organisations struggle to keep pace with growing volumes of threat intelligence, vulnerabilities and attack data.

The launch reflects a broader challenge facing security teams. While many organisations have invested heavily in threat intelligence, attack surface management and security validation tools, turning that information into meaningful action remains difficult. Security teams are often left moving manually between platforms to understand which threats matter, whether they are exploitable, and what remediation steps should be prioritised.

CTEM has emerged as one of the industry’s preferred frameworks for addressing that problem. Rather than relying on periodic assessments, CTEM aims to create a continuous cycle of discovery, prioritisation, validation and remediation that adapts as threats evolve. Filigran has been positioning its OpenCTI and OpenAEV platforms as key components of that approach, arguing that organisations need to move beyond simply identifying vulnerabilities and focus on understanding which exposures present genuine business risk.

XTM One sits above those platforms as an orchestration layer, coordinating AI agents across the CTEM lifecycle. The company says this allows security teams to automate tasks such as intelligence enrichment, threat reporting, attack scenario generation and remediation planning without constantly switching between tools.

“The volume of CVEs, threat actors, and attack campaigns has reached a scale no human team can process manually,” said Julien Richard, co-founder of Filigran. “XTM One is not AI as a feature. It is AI as the operating system for threat management. Security teams deserve automation that works the way they work.”

The announcement highlights how security vendors are increasingly moving beyond AI assistants and copilots towards more autonomous agent-based systems. Rather than helping analysts complete individual tasks, agentic approaches seek to coordinate entire workflows across multiple products and data sources.

According to Filigran, early users of its broader XTM Platform have achieved up to 70% faster threat detection and response cycles and reduced preparation time for offensive security testing by up to 80%.

Industry analysts suggest this kind of automation may become increasingly necessary as organisations adopt CTEM programmes at scale.

“As the scale of threats outpaces human capacity to respond to alerts, security teams are hitting a wall when they need to optimize remediation to mitigate security risk. The shift toward an agentic AI orchestration layer is needed for CTEM to help security teams scale,” says Melinda Marks, Cybersecurity Practice Director at Omdia. “By leveraging an open-source foundation to automate utilizing needed context for threat intelligence and remediation, Filigran is enabling the speed, transparency, and evidence-based risk reduction required to scale defenses at the pace of the adversary.”

A key aspect of the launch is flexibility around AI deployment. Organisations can use Filigran’s models or bring their own large language models through BYOLLM support, while on-premises deployment options are intended to address data sovereignty requirements in regulated industries and government environments.

The company also believes AI could help address one of the long-standing barriers to threat intelligence adoption: usability.

“The biggest barrier to threat intelligence adoption has always been complexity,” said Jean-Philippe Salles, VP of Product Management at Filigran. “XTM One makes advanced threat management accessible to more teams through natural language interaction. Junior analysts can become productive faster, while experienced practitioners gain automation that removes repetitive work.”

The launch comes as investors increasingly view CTEM and threat exposure management as one of cybersecurity’s next major growth categories, particularly as organisations seek more evidence-based ways to prioritise cyber risk.

“Filigran is redefining how organisations operationalise threat intelligence at scale,” says Karine Peters, Managing Director at T.Capital. “Their AI-native approach to extended threat management, combined with one of the strongest open-source communities in cybersecurity, positions them to lead a category that legacy vendors have struggled to modernise. That conviction is why we invested.”

Whether agentic AI becomes the catalyst that finally makes CTEM achievable for security teams remains to be seen. What is clear is that as threat volumes continue to rise, organisations are increasingly looking for ways to automate the journey from intelligence gathering to validated defensive action, rather than simply collecting more data.

The post Filigran uses AI agents to make CTEM practical for overstretched security teams appeared first on IT Security Guru.
