Architecting An Offensive Security Blueprint: 2023 Insights From the Ponemon Institute

In today’s unsteady economic climate, prioritizing security investments can be challenging for security teams, C-Suites, and Boards alike. When every dollar counts, making pragmatic choices that ensure security solutions address observed and anticipated cybersecurity risks is of the utmost importance. Cybersecurity isn’t an isolated problem, so gleaning insights from peers’ offensive security strategies can provide innovative ideas that lead to proactive improvements in your own organization.

We decided to take flight with this notion and enlisted the expertise of the esteemed Ponemon Institute for our latest report, 2023 The State of Offensive Security. To design the blueprint for this research, Ponemon surveyed nearly 700 IT and security practitioners in small, medium, and large enterprises who actively leverage offensive security practices. Looking at some of the most elite, mature security programs, we sought to uncover types of offensive security services used, drivers behind implementation, important criteria for hiring third-party vendors, and the most pressing threats mitigated by offensive security techniques. The results present a strong case for offensive security services with 64% of respondents stating that their organizations have benefited from offensive security testing and achieved security and governance goals.

If you find yourself having a case of offensive security FOMO (fear of missing out), look no further. The 2023 State of Offensive Security report offers a deep dive into the motivations behind enterprises’ approaches to offensive security – why they use it and the types of attacks they are most concerned about. Get an insider’s view into how mature security organizations leverage different types of offensive security testing on applications, cloud environments, IoT devices, and internal and external networks. And mature organizations don’t just wait for adversaries to knock on the door – they emulate them, and pressure test the existing security controls with Red Teaming. In fact, 51% of respondents stated that testing different data breach scenarios was important to their Red Team engagements, with 47% of respondents reporting that Red Teaming is highly effective in improving security preparedness. The report not only reveals the current state of offensive security for mature organizations, but also where they plan to invest their resources in the future, such as 56% of respondents that plan to increase investment in Red Teaming in the next one to two years. In essence the report serves as a snapshot into offensive security solutions that provide tangible, valuable ROI to determine future investments.

FIGURE 1 - Most important red team exercises.

The survey results emphasized that there is no shortage of reasons why enterprises are increasingly turning to offensive security testing for a proactive security outlook. As the attack surface only continues to expand across cloud environments, applications, third-party software supply chains, and IoT devices, corporate drivers like compliance regulations, mergers and acquisitions, and executive oversight add further complexities to the threat landscape that security teams are facing.

FIGURE 2 - Why organizations invest in offensive security testing.

Adversaries have access to more attack paths than ever before, and mature organizations are taking an all-hands-on-deck approach to defend forward with offensive security to combat threats. With the variety of cyber threats currently plaguing organizations, as seen in the research results below, investing in and enforcing a proactive approach to perilous issues like ransomware is a top-of-mind issue for offensive security adopters.

FIGURE 3 - The types of cyber threats driving offensive security investments.

In 2023 and beyond, cybersecurity is used for far more than protecting ones and zeroes racing through networks. Our research reflects the breadth and depth of offensive security and how it enables enterprises to achieve important security goals beyond a basic technical defense posture. Objectives like brand reputation protection, reasonable cyber insurance premiums, and validation of defense controls and technologies can all be met with implementation of offensive security testing solutions as shown by surveyed organizations.

FIGURE 4 - Goals achieved by using offensive security testing.

Regardless of the state of your security program, this study offers a sensible and actionable opportunity to see how your current security strategies align with those of elite, mature organizations. We hope your organization gains fresh insights into the problems that offensive security can solve or reduce, how competitors and industry counterparts are winning the race against time, and where offensive security investments should be made to combat evolving cyber threats.

Download the full report here.

Tom Eston

About the author, Tom Eston

VP of Consulting and Cosmos at Bishop Fox

Tom Eston is the VP of Consulting and Cosmos at Bishop Fox. Tom's work over his 15 years in cybersecurity has focused on application, network, and red team penetration testing as well as security and privacy advocacy. He has led multiple projects in the cybersecurity community, improved industry-standard testing methodologies, and is an experienced manager and leader. He is also the founder and co-host of the podcast The Shared Security Show, and a frequent speaker at user groups and international cybersecurity conferences including Black Hat, DEF CON, DerbyCon, SANS, InfoSec World, OWASP AppSec, and ShmooCon.