
Organizations across every industry have experienced a significant escalation in cyberattacks, particularly those targeting critical infrastructure providers and cloud-based companies. Verizon's recently released 2025 Data Breach Investigations Report found an 18% increase in confirmed breaches and a 34% increase in the exploitation of vulnerabilities as an initial access step.
As attacks grow in volume and impact, many organizations rely on security tools and compliance standards as their first line of defense. Both are necessary components of mitigating cyber risk, but neither is a silver bullet. Effective security requires people, process and technology, and people have to be the key driver. Tools and checklists are only as powerful as the practitioners who implement them.
This raises the importance of investing in offensive operations training across all roles in the security function. Offensive operations are often treated as the exclusive domain of red teams and penetration testers. That narrow view limits their value. Ethical hacking, penetration testing and other offensive skills yield insights that benefit many roles on the security team, because they give practitioners a deeper understanding of how threat actors think and operate.
By prioritizing investment in this kind of immersive, hands-on training, CISOs can help employees develop skills and build more agile teams that are ready to adapt to evolving threats. Below is a look at how learning to hack benefits four non-offensive security roles.
New Practitioners: Understand the Threat Landscape
The cybersecurity workforce is evolving like no other industry. In recent years, efforts to offset global staffing shortages have brought millions of new practitioners into the field. That has helped with headcount, but skill development still lags. The SANS GIAC 2025 Cyber Workforce Research Report found that 52% of security leaders say the main challenge is not the number of available professionals but a lack of individuals with the right skills.
New practitioners, especially those coming from traditional IT roles or non-security backgrounds, benefit greatly from exposure to offensive training. Reading about attacker tactics, techniques and procedures (TTPs) in reports or courseware is worthwhile, but it does not compare to executing them in scenario-based simulations. By actively replicating common attack paths, such as exploiting a misconfigured web server or bypassing access controls, practitioners begin to see how threat actors take advantage of gaps in controls. The experience gives newcomers a more intuitive grasp of risk and teaches them to approach security problems from a tactical perspective.
Understanding attacker methodology also drives better prioritization. It becomes easier to identify which vulnerabilities are most likely to be exploited and which alerts indicate malicious activity. Exposure to attacker tooling, from open source frameworks to commercial payloads, gives practitioners a grounded view of what the real threat landscape looks like. That knowledge prepares them to contribute meaningfully to engineering, triage, remediation and a range of other efforts.
Incident Handlers: Stay Two Steps Ahead
The integration of generative AI into attacker TTPs lets even unsophisticated threat actors cause lasting damage from a single breach. Incident response therefore demands more speed, clarity and precision than ever; the margin for error is razor thin. Tools and automation help with detection, but practitioners still need to be positioned to operate efficiently in complex security environments. Incident handlers who understand how adversaries operate are better equipped to act deliberately rather than simply follow a playbook. Offensive training sharpens that instinct. Practicing privilege escalation, persistence techniques and lateral movement in simulated environments equips handlers to recognize an attacker's objectives and anticipate the next step, sometimes before an alert is even triggered.
Attackers often follow repeatable workflows. Having performed these techniques themselves, handlers become attuned to subtle indicators of compromise that detection tools can miss, such as abuse of misconfigured Active Directory permissions or token impersonation. Deeper knowledge of adversary behavior also supports faster root cause analysis and containment. Knowing threat actors' constraints and habits, response teams can hunt proactively, isolate affected systems more precisely, and remediate the underlying weaknesses rather than only the symptoms.
Forensic Analysts: Context for Digital Artifacts
Digital forensics relies on the ability to reconstruct events from logs, memory dumps, file systems and other artifacts. Forensic tools provide visibility, but their output often lacks clear meaning without context. Analysts who have studied and performed offensive techniques are more likely to recognize the operational patterns behind the technical data. That insight can mean the difference between a basic report and one that truly reflects the attacker's activity.
When analysts have built malicious payloads or evaded logging mechanisms in a training environment, they are better able to interpret the nuances of what a tool is flagging. That helps them recognize forged timestamps, tampered registry keys or abnormal process execution sequences, formulate stronger hypotheses, and track lateral movement more accurately.
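Two of the artifacts named above, forged timestamps and abnormal process execution sequences, are exactly the kind of evidence an analyst who has run the attacker's tools learns to spot. The following is an added example, not code from the article or from SANS, showing what those two checks look like when written down. It uses constructed sample data: three NTFS MFT-style records with $STANDARD_INFORMATION and $FILE_NAME creation times, and a short Sysmon-style process-creation log. The timestomping heuristics rest on two properties of NTFS: $FILE_NAME timestamps are written by the kernel and cannot be set through the normal SetFileTime API, and NTFS stores 100 ns resolution, so tools that accept a "MM/DD/YYYY HH:MM:SS" string leave a telltale whole-second value. The process check walks each interpreter's ancestry rather than only its direct parent, so a shell spawned indirectly from a document still surfaces. All file paths, process names and PIDs are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class MftRecord:
    """Creation timestamps for one MFT entry (constructed sample data)."""
    path: str
    si_created: datetime  # $STANDARD_INFORMATION: any process can set it via SetFileTime
    fn_created: datetime  # $FILE_NAME: written by the kernel on create/rename, not via the API


def is_timestomped(rec: MftRecord) -> bool:
    """Flag $SI creation times that ordinary file activity does not produce."""
    # $FN is stamped when the entry is created, so a $SI time *older* than $FN
    # means $SI was pushed backwards after the fact.
    if rec.si_created < rec.fn_created:
        return True
    # NTFS keeps 100 ns resolution. Tools that take "MM/DD/YYYY HH:MM:SS" write
    # whole seconds, leaving zero fractional digits in $SI while $FN keeps its
    # original sub-second value. Genuine files hit this roughly one in a million
    # times, so treat it as a lead to verify rather than proof.
    return rec.si_created.microsecond == 0 and rec.fn_created.microsecond != 0


@dataclass
class ProcEvent:
    """One process-creation event, Sysmon Event ID 1 style (constructed)."""
    ts: datetime
    pid: int
    ppid: int
    image: str


# Ancestors that have no business launching a command interpreter: Office
# applications (macro-enabled documents) and the IIS worker process (web shells).
SUSPECT_ANCESTORS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}


def ancestors(pid: int, by_pid: dict, depth: int = 5) -> list:
    """Return image names from pid up through its known ancestors, child first."""
    lineage = []
    while pid in by_pid and len(lineage) < depth:
        lineage.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return lineage


def suspicious_chains(events: list) -> list:
    """Return (chain, pid) for every interpreter with a suspect ancestor."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.image.lower() not in INTERPRETERS:
            continue
        lineage = ancestors(e.pid, by_pid)
        if any(img.lower() in SUSPECT_ANCESTORS for img in lineage[1:]):
            hits.append((" > ".join(reversed(lineage)), e.pid))
    return hits


# Constructed sample data. Paths, names and PIDs are invented for the example.
SAMPLE_MFT = [
    MftRecord(r"C:\Windows\System32\notepad.exe",
              datetime(2024, 3, 1, 9, 0, 0, 123456, UTC),
              datetime(2024, 3, 1, 9, 0, 0, 123456, UTC)),
    # Backdated to 2019 with a whole-second value: $SI < $FN and no fraction.
    MftRecord(r"C:\Windows\Temp\svch0st.exe",
              datetime(2019, 7, 4, 12, 0, 0, 0, UTC),
              datetime(2024, 5, 20, 3, 14, 15, 926535, UTC)),
    # Dropped document whose $SI was left alone: consistent with $FN.
    MftRecord(r"C:\Users\Public\report.docm",
              datetime(2024, 5, 20, 3, 13, 50, 500000, UTC),
              datetime(2024, 5, 20, 3, 13, 50, 500000, UTC)),
]

SAMPLE_PROCS = [
    ProcEvent(datetime(2024, 5, 20, 3, 13, 40, tzinfo=UTC), 4100, 1200, "explorer.exe"),
    ProcEvent(datetime(2024, 5, 20, 3, 13, 55, tzinfo=UTC), 5210, 4100, "WINWORD.EXE"),
    ProcEvent(datetime(2024, 5, 20, 3, 14, 2, tzinfo=UTC), 5388, 5210, "cmd.exe"),
    ProcEvent(datetime(2024, 5, 20, 3, 14, 9, tzinfo=UTC), 5402, 5388, "powershell.exe"),
    # A shell opened by the user from Explorer: not flagged by this rule.
    ProcEvent(datetime(2024, 5, 20, 3, 20, 0, tzinfo=UTC), 6000, 4100, "cmd.exe"),
]


def run():
    """Apply both checks to the sample data and return the findings."""
    stomped = [r.path for r in SAMPLE_MFT if is_timestomped(r)]
    return stomped, suspicious_chains(SAMPLE_PROCS)


if __name__ == "__main__":
    stomped, chains = run()
    print("timestomped:", stomped)
    for chain, pid in chains:
        print(f"suspicious chain pid={pid}: {chain}")
```

On the sample data the timestomping check flags only svch0st.exe, and the chain check reports both cmd.exe (PID 5388) and the PowerShell it launched (PID 5402), each traced back to WINWORD.EXE. The user's own cmd.exe under explorer.exe is left alone. In a real case the $SI/$FN comparison needs the $FILE_NAME attribute from a parsed MFT, and the ancestry walk needs logging that records parent PIDs, which is why analysts who have run timestomping tools and macro droppers themselves know which artifacts to ask for.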
Security Managers: Informing Strategy with Adversary Insight
Security managers are often tasked with aligning cyber defenses with organizational priorities and evolving business risk. Although they may not write detection rules or handle cases directly, their decisions have a lasting impact on risk posture and program maturity. Managers who take part in a suitable ethical hacking program gain strategic clarity that is otherwise hard to come by. They learn what a high-quality penetration test looks like, how real adversaries exploit systemic weaknesses, and where their teams may have blind spots.
That perspective helps managers avoid over-reliance on toolsets or compliance frameworks that provide a false sense of assurance. Understanding how adversaries chain together low-severity vulnerabilities, bypass weak configurations and exploit human behavior puts managers in a better position to ask the right questions of vendors and internal teams. It also lets them define more meaningful red team objectives, assess the return on testing efforts, and ensure those efforts focus on exploitable gaps rather than only policy violations.
Ready to sharpen your edge? Take SEC560: Enterprise Penetration Testing at one of two live training events, SANS San Antonio and SANS Offensive Operations East, and turn attacker insight into strategic advantage. Strengthen your team's capabilities on the front line, where they count most.
Note: This article was written and contributed by Principal Instructor Jon Gorenflo. For more information about his background and courses, please see here.