Organizations across industries are experiencing significant escalations in cyberattacks, particularly targeting critical infrastructure providers and cloud-based enterprises. Verizon’s recently released 2025 Data Breach Investigations Report found an 18% YoY increase in confirmed breaches, with the exploitation of vulnerabilities as an initial access step growing by 34%.
As attacks rise in volume and impact, many organizations turn to security tools and compliance standards as their first line of defense. While both are important and necessary components to mitigating cyber risk, they alone are not a silver bullet solution. Effective security requires people, process, and technology, but people must serve as the primary drivers. Your tools and checklists are only as strong as the practitioners implementing them at scale.
This heightens the importance of investing in offensive operations training across every role in the security function. Too often, offensive operations are considered the singular domain of red teams and penetration testers. That narrow view limits their value. Ethical hacking, penetration testing, and other offensive skills provide critical insights that benefit numerous roles on a security team. They equip practitioners with a deeper understanding of how threat actors think and operate, foundational knowledge that directly strengthens an organization’s collective security posture.
CISOs who prioritize investments in this form of immersive, high-impact training can upskill their workforce and create more agile teams prepared to adapt in the face of evolving threats. For an inside look, here’s how learning how to hack benefits four non-offensive security roles.
New Practitioners: Grasping the Threat Landscape
The cybersecurity workforce is evolving like no other industry’s. Efforts to offset global staffing shortages have ushered millions of new practitioners into the field in recent years. While this has helped to increase headcount, skill development is still lagging. Our SANS GIAC 2025 Cyber Workforce Research Report found that 52% of security leaders indicate their primary challenge is not the number of available professionals, but the lack of individuals with the right skills.
New practitioners, especially those from conventional IT roles and non-security backgrounds, benefit immensely from exposure to offensive training. Reading about attacker tactics, techniques, and procedures (TTPs) in reports or courseware is valuable, but it doesn’t compare to executing them in a scenario-based simulation. By actively replicating common attack paths like exploiting a misconfigured web server or bypassing access controls, practitioners begin to understand how threat actors capitalize on control gaps. This experience cultivates a more intuitive grasp of risk, teaching newcomers to approach security problems from a tactical perspective.
Understanding attacker methodology also encourages better prioritization. It becomes easier to identify which vulnerabilities are most likely to be exploited and which alerts truly indicate malicious activity. Exposure to attacker tooling, from open-source frameworks to commercial payloads, gives practitioners a more grounded view of what the real-world threat landscape looks like. This knowledge accelerates their readiness to contribute meaningfully to detection engineering, triage, remediation, and various other efforts.
Incident Handlers: Staying Two Steps Ahead
The integration of generative AI into TTPs has made the common threat actor increasingly capable of causing irremediable harm with a single breach. This means incident response demands speed, clarity, and precision now more than ever—the margin for error is razor thin. While tools and automation assist in detection, practitioners must be positioned to maximize operational efficiency in complex security environments. In turn, incident handlers who understand how adversaries operate are better equipped to move beyond simple playbooks and respond with intent. Offensive training sharpens this instinct. Practicing privilege escalation, persistence techniques, or lateral movement in simulated environments equips handlers to recognize attacker objectives and anticipate next steps, even before alerts are triggered.
Attackers often follow repeatable workflows. Once you’ve performed these techniques yourself—such as abusing misconfigured Active Directory permissions or exploiting token impersonation—you become more attuned to subtle indicators of compromise that detection tools may overlook. Moreover, a deeper knowledge of adversary behavior supports faster root cause analysis and containment. Knowing the constraints and habits of threat actors allows response teams to hunt proactively, isolate affected systems more accurately, and recommend remediations that address root weaknesses.
Forensic Analysts: Contextualizing Digital Artifacts
Digital forensics depends on the ability to reconstruct events using logs, memory dumps, file systems, and other artifacts. While forensic tools provide visibility, their outputs often lack clear meaning without practical context. Analysts who have studied and executed offensive techniques are more likely to recognize the operational patterns behind technical data. That insight could mean the difference between a basic report and one that truly reflects attacker activity.
When an analyst has created malicious payloads or evaded logging mechanisms in a training environment, they can better decipher the nuances of what a tool is flagging. This aids in recognizing forged timestamps, tampered registry keys, or anomalous process execution sequences. Analysts are then able to formulate stronger hypotheses and trace lateral movement with greater precision.
Security Managers: Validating Strategy with Adversary Insight
Security managers are often tasked with aligning cyber defenses to organizational priorities and evolving business risks. While they may not be writing detection rules or responding to incidents directly, their decisions have a lasting impact on risk posture and program maturity. Managers who have participated in the right ethical hacking programs gain strategic clarity that is difficult to acquire otherwise. They know what high-quality penetration testing looks like, how real adversaries exploit systemic weaknesses, and where their teams may have blind spots.
That perspective helps managers avoid overreliance on toolsets or compliance frameworks that provide a false sense of assurance. When you understand how adversaries chain together low-severity vulnerabilities, bypass weak configurations, or exploit human behavior, you are better positioned to ask the right questions of vendors and internal teams. It also allows you to define more meaningful red team objectives, assess ROI from testing efforts, and ensure remediation efforts focus on exploitable gaps, not just policy violations.
Ready to sharpen your edge? Join me at two upcoming live training events, SANS San Antonio and SANS Offensive Operations East, for our SEC560: Enterprise Penetration Testing course and turn attacker insights into strategic advantage. Elevate your team’s capability where it counts—on the front lines.
Note: This article was expertly written and contributed by Jon Gorenflo, SANS Principal Instructor. Learn more about his background and courses here.