Penetration testing is evolving through two groundbreaking shifts: Attack Surface Management and Continuous Penetration Testing. Now, imagine a world where penetration testers operate continuously rather than during isolated periods—a world where the offensive team runs its own version of a Security Operations Center (SOC). But in this SOC, the alerts don’t signal potential breaches; they highlight new opportunities for penetration testing.
These approaches move beyond static checklists and annual assessments, enabling dynamic, real-time engagements. To support these advancements, I’ll share actionable methods organizations can adopt to boost their cyber resilience through offensive services like penetration testing. We’ll also delve into Offensive Security Operation Centers (Offensive SOCs), where Security Information and Event Management (SIEM) systems generate alerts—or opportunities—for penetration testers to act on.
Part 1: The Shortcomings of Traditional Pen Testing
Penetration testing is often used to determine if a business can be hacked or not, but its limitations are evident. Organizations struggle to define the scope of pen tests, often excluding unknown shadow IT and legacy systems that hackers are likely to exploit. Additionally, pen tests are typically conducted once a year, leaving gaps in security posture. The reactive nature of traditional testing doesn’t align with the agile, continuous innovation of modern businesses.
A Fundamental Problem – Scope
One of the core issues with penetration testing is scope. Attackers don’t care about the scope defined in a pen test, but penetration testers need to factor it in. Real attackers exploit what they find, whether it’s an overlooked DNS server or a forgotten user account. This mismatch between traditional pen testing and real-world threats underscores the need for a more dynamic approach to penetration testing, typically by continuously understanding the digital attack surface.
The Proposed Solution – Digital Footprint Reports
To address these gaps, I proposed starting with a Digital Footprint Overview many years ago. Instead of convincing my customers to buy a penetration test, I encouraged them to first consider a “no scope” overview. What could penetration testers find by just scanning and searching?
A digital footprint serves as a way for penetration testers to conduct reconnaissance, scanning, and attack surface discovery in advance of a possible penetration test. This approach allows testers to aim far and wide to identify assets, shadow IT, and general security hygiene across the environment. Reconnaissance is an integral part of penetration testing, but unfortunately an art long forgotten by many penetration testing companies today.
This process involves mapping all external-facing assets, including social media accounts, leaked credentials, shadow IT, third-party providers, open network services/ports, and much more. By gaining visibility into what attackers might find, organizations can identify high-risk areas early. This early visibility builds trust between security teams and stakeholders, creating a foundation for more effective collaboration.
Once a digital footprint has been established—and preferably only then—should one start to talk about defining the scope of a penetration test. Perhaps even more important than what to include is determining what not to include.
While Attack Surface Management platforms can provide digital footprints today, I implore penetration testers and companies not to rely solely on automation. Instead, complement automation with human intelligence. I often apply the Pareto Principle to this approach: automation can handle 20% of the effort and uncover 80% of the attack surface. However, that last 20%—where the truly valuable systems reside—requires the remaining 80% of the effort, driven by deep, manual testing.
Part 2: Offensive SOC – Taking Attack Surface Management and Continuous Penetration Testing to New Heights
The next evolution in penetration testing moves from annual engagements to a continuous, year-round effort. Penetration testers must focus on how emerging attack techniques and Cyber Threat Intelligence (CTI) impact the existing attack surface over time, not just once a year. They must understand that a target which is not exploitable today could become exploitable tomorrow, as vendors announce vulnerabilities or Common Vulnerabilities and Exposures (CVEs) are added to the Known Exploited Vulnerabilities (KEV) catalog.
Penetration testing must answer critical security questions:
- Is an organization vulnerable to newly disclosed exploits because of missing patches?
- Has a recent credential leak exposed accounts in the environment?
- Have new assets, services, or misconfigurations emerged?
At the same time, security teams must maintain ongoing discovery of new assets, changes, and opportunities for exploitation. This dynamic, real-time model ensures that organizations remain resilient against evolving threats.
Beyond Traditional Reconnaissance: Continuous Attack Surface Management
Effective reconnaissance is crucial for successful penetration testing. This is where Attack Surface Management (ASM) evolves the one-time digital footprint exercise into a continuous cycle of reconnaissance, discovery, and monitoring. Organizations must track how their attack surface changes continuously, as new domains, services, or vulnerabilities emerge. Continuous ASM helps detect and mitigate risks in real time, ensuring that attackers have fewer opportunities to exploit gaps in security.
Many perceive this continuous reconnaissance as mere "scanning," but it's far more than that. I'm often asked, "How often do you scan?" The answer might surprise you. It's not just about scanning.
Offensive SOC: Turning Continuous ASM Into Actionable Insights
Continuous attack surface management relies on dozens of sensors, each operating on different schedules or triggers. Some are event-based, while others continuously gather real-time data, such as information from certificate transparency logs.
Now, imagine your ASM solution continuously recording changes—from events, scans, security tools, and more—and feeding that intel to a SIEM system. The SIEM generates alerts on these changes, deltas, and developments in the attack surface, as well as the latest trends in the CTI space. This forms the foundation of a Security Operations Center—but this time, an offensive one: an Offensive SOC.
Continuous Penetration Testing complements ASM by verifying and exploiting changes as they happen. I’ve coined this concept the 'Offensive SOC,' distinct from its defensive counterpart.
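To make the sensor-to-SIEM pipeline described above concrete, here is an added example (not the author's tooling, nor any product's code) of the delta logic an Offensive SOC would run between two attack-surface snapshots. All hosts, the certificate-transparency names, the leaked addresses, the org domains and the CVE id are constructed placeholders; the snapshot shape (host to open ports and known CVEs) is an assumption chosen for the example. It answers the three questions from Part 2 (new KEV entries against exposed assets, credential exposure, new assets or services) and emits one JSON event per finding, the shape most SIEM ingesters accept, ordered so the testers' queue starts with the most urgent opportunity.

```python
"""Attack-surface delta engine: turn ASM snapshots plus CTI feeds into
SIEM-style alerts for a continuous pentest queue (constructed example)."""
import json
from dataclasses import dataclass, asdict

# Snapshot format (assumed): host -> {"ports": {port: service}, "cves": [ids]}
PREV_SNAPSHOT = {
    "www.example.com": {"ports": {443: "nginx/1.24"}, "cves": []},
    "vpn.example.com": {"ports": {443: "vpn-appliance"}, "cves": ["CVE-0000-0000"]},
}
NEW_SNAPSHOT = {
    "www.example.com": {"ports": {443: "nginx/1.24", 8080: "jenkins"}, "cves": []},
    "vpn.example.com": {"ports": {443: "vpn-appliance"}, "cves": ["CVE-0000-0000"]},
    "dev-old.example.com": {"ports": {22: "openssh", 3306: "mysql"}, "cves": []},
}
# Certificate-transparency sensor output (constructed): SANs logged since last run
CT_NEW_SANS = ["staging-api.example.com", "www.example.com"]
# CTI feed (constructed): ids newly added to an exploited-in-the-wild catalog.
# "CVE-0000-0000" is a placeholder, not a real CVE.
KEV_ADDITIONS = {"CVE-0000-0000"}
# Credential-exposure sensor (constructed): addresses seen in a fresh leak
LEAKED_EMAILS = ["alice@example.com", "nobody@other.example"]
ORG_DOMAINS = {"example.com"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    asset: str
    detail: str


def new_assets(prev, cur):
    """Hosts present in the new snapshot but absent from the previous one."""
    return sorted(set(cur) - set(prev))


def new_services(prev, cur):
    """(host, port, service) newly exposed on hosts we already knew about;
    brand-new hosts are covered by new_assets() and skipped here."""
    found = []
    for host, rec in cur.items():
        if host not in prev:
            continue
        before = prev[host]["ports"]
        found.extend((host, port, svc) for port, svc in rec["ports"].items()
                     if port not in before)
    return sorted(found)


def kev_hits(cur, kev_additions):
    """Exposed hosts whose known CVEs just moved onto the exploited list."""
    return sorted((host, cve) for host, rec in cur.items()
                  for cve in rec["cves"] if cve in kev_additions)


def ct_only_names(cur, ct_sans):
    """Names seen in CT logs that the inventory does not know (possible shadow IT)."""
    return sorted(set(ct_sans) - set(cur))


def exposed_accounts(leaked, org_domains):
    """Leaked addresses that belong to one of the organisation's domains."""
    return sorted(e for e in leaked if e.rsplit("@", 1)[-1].lower() in org_domains)


def build_alerts(prev, cur, ct_sans, kev_additions, leaked, org_domains):
    """Correlate every sensor delta into alerts, most urgent first."""
    alerts = []
    for host, cve in kev_hits(cur, kev_additions):
        alerts.append(Alert("kev-on-exposed-asset", "critical", host,
                            f"{cve} now listed as exploited in the wild"))
    for email in exposed_accounts(leaked, org_domains):
        alerts.append(Alert("credential-exposure", "high", email,
                            "account appears in a fresh credential leak"))
    for host in new_assets(prev, cur):
        alerts.append(Alert("new-asset", "high", host,
                            "host not present in previous snapshot"))
    for name in ct_only_names(cur, ct_sans):
        alerts.append(Alert("ct-unknown-name", "medium", name,
                            "certificate issued for a name missing from inventory"))
    for host, port, svc in new_services(prev, cur):
        alerts.append(Alert("new-service", "medium", host,
                            f"port {port} ({svc}) newly exposed"))
    return sorted(alerts, key=lambda a: (SEVERITY_RANK[a.severity], a.asset))


def to_siem_events(alerts):
    """One JSON object per line, tagged with the producing sensor family."""
    return [json.dumps({"source": "asm-delta", **asdict(a)}) for a in alerts]


if __name__ == "__main__":
    for line in to_siem_events(build_alerts(PREV_SNAPSHOT, NEW_SNAPSHOT, CT_NEW_SANS,
                                            KEV_ADDITIONS, LEAKED_EMAILS, ORG_DOMAINS)):
        print(line)
```

In a real deployment each input would come from its own sensor on its own schedule (a CT log tailer is near real-time, a port sweep is periodic, a KEV feed is polled), and the alert becomes a ticket in the testers' queue rather than a printed line. The ordering is the point: a newly exploited CVE on an exposed appliance is what the offensive team should look at first, ahead of a new port on a known host.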
Looking ahead, the ultimate goal is a unified approach—a Purple Team SOC—where offensive and defensive efforts seamlessly work together.
Part 3: What About Red Team Exercises to the Rescue?
Red Team exercises often come to mind as a possible solution for continuous security validation. However, they come with several challenges. Below, I highlight some of these challenges and explain how the Offensive SOC addresses them.
Stealth vs. Transparency
One of the most notable differences between Red Team Exercises and an Offensive SOC is their approach to stealth. Red Team Exercises prioritize stealth to mimic real-world attackers, often aiming to evade detection and challenge the Blue Team’s ability to identify and respond to threats. In contrast, an Offensive SOC does not emphasize stealth. Instead, it operates transparently, collaborating closely with the Blue Team to deliver continuous alerts and insights, often through APIs or integrated tools, to facilitate immediate remediation.
Physical and People In-Scope
Red Team Exercises often extend beyond digital attacks to include physical penetration testing and direct engagement with individuals (e.g., social engineering). Offensive SOCs, however, typically focus on digital attack surfaces, continuously probing for vulnerabilities over time. While an Offensive SOC may not involve physical or personal targeting, it compensates with persistent, real-time vulnerability detection and mitigation.
Social engineering may yield a positive result; however, I'd rather assume it works—assume breach—and focus on the actual testing and continuous improvements.
Goals and Prioritization
The ultimate goal of a Red Team Exercise is to achieve a specific breach, such as compromising a high-value asset. They simulate the actions of a motivated attacker to assess the organization’s ability to detect and respond to targeted attacks. In contrast, an Offensive SOC emphasizes mean time to prevent vulnerabilities, striving for rapid identification, reporting, and remediation of issues before they can be exploited. This approach fosters a continuous improvement cycle, aligning with change management processes that adapt to evolving threats, new CVEs, and updated attack techniques.
Scope and Duration
Both approaches start with a wide scope, identifying broad attack surfaces. However, Red Team Exercises typically narrow their focus to high-value targets as the engagement progresses. They are time-bound, often lasting a few weeks to several months. Offensive SOCs, being continuous in nature, maintain a wide scope over time, ensuring ongoing coverage and adaptability. They operate indefinitely, acting as an enduring offensive layer in the organization’s security posture.
Integration with the Blue Team
A key differentiator is how these approaches interact with the Blue Team. Red Team Exercises often operate independently, with limited or no direct collaboration during the engagement. Instead, their goal is to evaluate the Blue Team’s effectiveness post-engagement through debriefings and after-action reports. Offensive SOCs actively collaborate with the Blue Team, providing real-time data and actionable insights to improve defensive measures. Conversely,
Part 4: Convergence of Red and Blue
The fundamental difference between an Offensive SOC and a traditional Blue Team SOC lies in the role of the SIEM. In an Offensive SOC, the SIEM generates alerts for actionable penetration testing opportunities, addressing the agile nature of development and operations. In contrast, a Blue Team SOC focuses on detecting and responding to active attacks.
I believe we’ll see a convergence of these two SOCs into a single, unified 'Super SOC'—one that integrates both offensive and defensive capabilities. This future Purple Team SOC would handle everything: security auditing, penetration testing, alerting, and response, operating as a fully capable and highly efficient security powerhouse.
Let me guess—you didn’t have 'Super SOC' on your Infosec Bingo Card this year, did you?
Offensive SOCs and the Future of Security
In summary, an Offensive SOC delivers continuous, transparent, and collaborative security assessments, prioritizing rapid detection and remediation. Red Team Exercises simulate targeted adversarial attacks to evaluate and improve an organization’s detection and response capabilities. Together, these approaches can complement one another, providing both strategic and tactical insights to strengthen an organization’s overall security posture.
Let the Red Team focus on what they do best and allow Penetration Testing to evolve into its necessary future: Offensive Security Operations Centers.
Want to dive deeper into how an Offensive SOC transforms penetration testing? Watch my webcast Offensive Security Operations with Attack Surface Management and Continuous Pen Testing on demand, where I explore these concepts and methodologies. Don’t miss this opportunity to see how continuous testing can strengthen your security posture.
Let’s continue the conversation—how do you see the Offensive SOC reshaping traditional penetration testing? Share your thoughts with me on LinkedIn!