Attack yourself first: the logic behind offensive security

The recent surge in cyberattacks on major UK retailers such as the Co-op and Marks & Spencer has brought home the harsh reality of today’s threat landscape. These breaches haven’t just exposed sensitive data—they’ve caused millions in lost revenue, long-term operational disruption, and reputational damage. For cybercriminals, attacks of this scale serve as proof of the damage they can inflict—and a blueprint for future campaigns.

Cyber threats are no longer rare occurrences. They are relentless, increasingly automated, and difficult to detect. Attackers are exploiting misconfigurations, weak credentials, and unseen trust relationships to move laterally and escalate access—rendering traditional defenses like firewalls and periodic scans no longer sufficient.

Thanks to advances in AI, launching a sophisticated cyberattack now costs next to nothing. Today’s adversaries—from nation-state actors to cybercrime groups—are deploying AI-powered agents capable of disrupting not only individual organizations, but entire sectors. The UK retail incidents may have made headlines, but similar techniques are being used across industries—quietly eroding systems over time.

If there’s one takeaway from these breaches, it’s that they are a wake-up call—an opportunity to separate what’s assumed to be secure from what’s proven to be. Marks & Spencer’s decision to accelerate their tech transformation is the right move, but only if it’s grounded in security that’s continuously validated, not just promised.

Why passive defense is no longer enough

Traditional cybersecurity measures—like firewalls, antivirus software, and compliance checklists—were built for a slower, more predictable threat landscape. They aim to block known threats and tick regulatory boxes, often relying on periodic assessments and static defenses.

But today’s threat actors move faster than these systems can react. They use automation and AI to adapt, persist, and exploit weaknesses in real time. In a world where threats evolve daily, a reactive approach simply can’t keep pace. Organizations need strategies that assume compromise, move proactively, and adapt with the same agility as the attackers they face.

A radically faster threat landscape

We’re in a new reality. With generative AI, developing weaponized exploits no longer requires deep technical expertise—just the right prompt. What once took weeks of work by highly skilled attackers can now be achieved in minutes by anyone with access to the right tools. This levelling of the playing field has dramatically accelerated the pace of cyberattacks.

The moment a vulnerability (CVE) becomes public, attackers begin exploiting it almost instantly. There’s no longer a buffer for defenders to respond. The asymmetric advantage we thought we had—people, process, tools—is eroding because the adversary has something more powerful: tempo. The result is a cyber environment defined by speed, where hesitation or outdated defenses can be costly.

Offence is the best defense

As cyber threats evolve in both speed and sophistication, traditional security measures—while still necessary—are no longer enough on their own. Tools and audits tend to focus on ticking regulatory boxes rather than addressing the weaknesses most likely to be exploited in real-world attacks.

To stay ahead, organizations need to go beyond passive defense and adopt a more adversarial perspective. Offensive security does just that—actively probing systems for weaknesses using techniques such as penetration testing, red teaming, and social engineering simulations. These controlled exercises expose gaps that conventional tools often overlook, giving teams the chance to fix them before malicious actors do.

This shift in approach is becoming crucial. As attackers grow faster and more opportunistic, defenders must become equally agile. Offensive security replaces assumptions with evidence—offering a clear, action-oriented view of where security holds firm and where urgent improvements are needed.

What UK businesses must do now

Many organizations are responding to rising cyber threats by increasing patching cycles and ramping up alert monitoring. But volume alone doesn’t equal security. The real challenge is not visibility, but prioritization. Rather than trying to fix everything at once, security teams must understand where cyber criminals are most likely to strike—and act accordingly.

This is where adversarial testing plays a vital role. Simulating the techniques used by real attackers helps uncover the vulnerabilities that matter most. It moves businesses away from reactive models and towards a more strategic, evidence-based approach to defense.

For UK companies—especially in exposed sectors like retail—key steps include:

• Implementing continuous security testing to keep pace with constant change
• Reviewing and updating incident response strategies to reflect evolving threats
• Investing in threat intelligence and red-teaming to sharpen detection and resilience

Speed isn’t the enemy—assuming you're secure is. Modernizing in a post-breach window can make you stronger, but only if every new system, integration, or control is tested like an attacker would.

Too many organizations skip this step. They make the mistake of equating 'new' with 'secure' and implement changes without knowing what risks they’re introducing. We’re not in the age of zero-days anymore.

We’re in the age of zero hours. The organizations that stay secure won’t be those that react the loudest—but those that challenge assumptions and prove their defenses work, day in and day out.

The role of leadership

Cybersecurity can no longer be treated as a siloed IT concern — it’s a critical business issue that belongs on the board agenda. From operational continuity to customer trust, cyber resilience underpins every facet of modern enterprise. That’s why leadership alignment is essential. Security decisions must be cross-functional, embedded into digital transformation efforts and tied directly to business risk and reputation.

Security-by-design isn’t a checkbox—it’s a mindset. And the only way to know you’re getting it right is to validate like the adversary. That’s how you build real resilience, restore trust, and come back stronger.

From assumptions to assurance

In a threat landscape defined by speed and unpredictability, being proactive isn’t optional — it’s essential. UK retailers and businesses across sectors must move beyond reactive measures and start thinking like attackers. The organizations that will lead in security aren’t those with the most tools, but those with the discipline to test, question, and validate every assumption — before it’s too late.

We've featured the best encryption software.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro