| SecurityWeek’s Cyber Insights 2026 examines professional opinions on the anticipated evolution of greater than a dozen areas of cybersecurity curiosity over the following 12 months. We spoke to tons of of particular person consultants to achieve their professional opinions. Right here we discover offensive safety; the place it’s at the moment, and the place it’s going. |
Cyber pink teaming will change extra within the subsequent 24 months than it has previously ten years.
Malicious assaults are growing in frequency, sophistication and harm. Defenders want to search out and harden system weaknesses earlier than attackers can assault them. That requires pink groups to do extra, sooner.
Offensive safety
“Offensive safety is solely a department of safety that focuses on attacking methods to establish weak point so as to harden them/defend them higher,” says Matt Mullins, head hacker at Reveal Safety.
Eyal Benishti, CEO and founder at IRONSCALES calls it ‘proactive protection’.
“Offensive safety is about proactively simulating attacker habits to prioritize assault floor strengthening. It contains, however extends past, conventional penetration testing into pink teaming and bug bounty packages, offering steady, intelligence-led validation of how attackers really function. It combines human ingenuity, automation, and adversarial simulation to show weaknesses earlier than they’re exploited,” expands Julian Brownlow Davies, Senior VP of offensive safety & technique at Bugcrowd.
Pentesting and pink teaming are the 2 major parts of offensive safety. Their strategies of operation overlap, however they serve two separate functions. Pentesting seeks to search out and exploit bugs or weaknesses. Crimson teaming seeks to check a system’s capability to face up to an precise assault.
“Conventional pentesters have a tendency to supply snapshot views – nice for compliance however restricted in depth. Crimson groups function extra like actual adversaries: persistent, stealthy, and state of affairs based mostly. Organizations with larger safety maturity are shifting towards pink workforce operations as a result of they supply extra significant insights into gaps throughout folks, processes, and expertise,” says Benishti.
Each features are evolving and can additional evolve throughout 2026 and past. “Because the risk panorama evolves, so will offensive safety – shifting from remoted workouts to steady, built-in packages,” he continues. “The long run is extra preemptive: combining offensive insights with risk intelligence, AI, and automation to remain forward of attackers as an alternative of reacting to them.”
Whereas the function of the impartial pentester continues, it’s more and more merging into bug bounty looking. “The mannequin is shifting towards coordinated offensive operations run by means of managed or crowdsourced platforms. The gang gives attain and variety whereas the pink workforce gives technique and narrative realism,” explains Davies.
We are going to consider pink teaming since it’s usually – not all the time – carried out in-house.
Some organizations make use of exterior pink workforce specialist companies; others have their very own in-house workforce. “It will depend on the dimensions, threat profile, and maturity of the group. Enterprises with mature safety packages are investing in in-house pink groups for steady protection and institutional information,” suggests Benishti.
That stated, he provides, “exterior pink groups nonetheless play a significant function – particularly for unbiased assessments, specialised experience, and to keep away from inner blind spots. A hybrid mannequin is rising: in-house groups for ongoing ops, exterior companions for recent views.”
Pablo Zurro, senior product supervisor at Fortra, provides, “Each are legitimate and complement one another. An inner pink workforce will have the ability to run extra periodical workouts and take a look at the weakest factors of the corporate whereas exterior consultants will simulate exterior attackers higher and can have the ability to leverage their expertise and discovered classes in different prospects, which could be very helpful at the least every year.”
Offensive safety must also hunt down employees most definitely to be prone to social engineering. “It’s obligatory since people are in all probability the weakest factors of the defensive chain,” continues Zurro, including, “It’s not obligatory to be aggressive and damage folks’s emotions. Typically doing innocent phishing/vishing/smishing simulations is nice sufficient.”
Goncalo Magalhaes, head of safety at Immunefi, says, “Everyone seems to be prone to social engineering. Offensive safety isn’t about figuring out ‘smooth targets’ within the workforce; it’s about constructing a company-wide tradition the place everybody with entry to company methods adopts a safety mindset.”
With the rising sophistication and scale of AI-enhanced social engineering, this a part of offensive safety will develop into more and more pressing and vital.
The first function of pink teaming is to find how effectively the system can face up to assaults. This implies pink groups want real-time visibility throughout their whole ecosystem which suggests each asset, pathway, and third-party connection that helps mission methods. “That features not solely {hardware} and endpoints but in addition purposes, workloads, and APIs that always function silent backdoors into crucial methods,” says Christian Terlecki, director of federal at Armis.
However the pace and scale of AI-assisted malicious assaults implies that future pink teaming should develop into automated and steady somewhat than periodic.
One other present evolution is into fixing somewhat than merely discovering weaknesses. “Hardly ever do pink groups ‘personal’ remediation,” says Mullins.
“Historically, offensive [red] groups establish points; defensive [blue] groups repair them. However that wall is crumbling,” suggests Benishti. “Extra organizations now count on pink groups to collaborate with blue groups to prioritize fixes, retest patches, and information remediation. Whereas offensive safety received’t absolutely ‘personal’ the repair, it more and more performs a hand in ensuring points are resolved – not simply reported.”.
However collaboration by itself doesn’t remedy the standard downside: pink groups can generate large vulnerability lists that overwhelm engineering groups. “Discovering vulnerabilities is desk stakes. Fixing them routinely – that’s the way forward for pink teaming,” suggests Alex Polyakov, co-founder and CTO at Adversa AI.
“AI is starting to bridge the hole between figuring out and fixing points. What was once separate steps can now occur in the identical workflow. AI methods can discover vulnerabilities, recommend protected fixes, and validate them,” agrees Wout Debaenst, AI pentest lead at Aikido Safety.
The function of AI in the way forward for offensive safety
Offensive safety suffers from the identical conundrum afflicting most areas of cybersecurity: there’s a rising want for extra output at a sooner tempo whereas companies battle with an ongoing and worsening abilities scarcity, and tighter budgets to make use of the few accessible.
Synthetic intelligence is the goose anticipated to supply the golden resolution: extra, sooner, higher, 24/7 automation – with fewer people required.
Would that life have been that easy!
Benefits of AI
Jason Soroko, senior fellow at Sectigo, sees 4 major benefits supplied by AI. First, “AI gives pace and effectivity by processing and analyzing massive datasets a lot sooner than people, rapidly figuring out potential vulnerabilities.” Second, “It enhances superior risk detection, as machine studying fashions can acknowledge complicated patterns and novel assault vectors that conventional strategies would possibly miss.”
Third, “AI methods allow steady monitoring by working 24/7, offering fixed vigilance in opposition to rising threats.” And fourth, he provides, “Useful resource optimization is achieved by automating routine duties, permitting human consultants to give attention to extra complicated points that require human instinct and experience.”
Few folks see AI changing pink groups within the quick time period – however most settle for they’ll help the pink groups. “We’ll see agentic AI purposes operating pink workforce engagements, however the extra refined and novel assaults will in all probability come from well-funded AI assisted groups that may (largely) all the time be able to beating the machines,” says Zurro.
“I don’t see a alternative within the mid-term, however extra a human/machine symbiosis that may increase the bar to the next degree,” he provides.
Polyakov is all in. “AI is exceptionally good at this work. Crimson teaming requires creativity, pattern-breaking pondering, and the power to attempt 1000’s of unconventional assault paths. People get drained. AI doesn’t. People suppose linearly. AI explores in parallel.”
He provides, “Paradoxically, the identical ‘hallucination’ that creates issues in regular LLM utilization turns into a characteristic in offensive safety – it fuels novel assault concepts and sudden exploit chains when harnessed appropriately by consultants. In pink teaming, AI’s hallucinations aren’t bugs – they’re superpowers.”
Considerations
“We nonetheless want human consultants to conduct complicated and complex operations, as gen-AI is kind of silly at these duties, and can in all probability stay the identical within the close to future,” warns Ilia Kolochenko, CEO at Immuniweb, and accomplice in cybersecurity at Platt Regulation LLP. “Whereas some distributors pompously promote ‘automated penetration testing’ or declare that their AI has changed human consultants, it’s technically inaccurate and incorrect, to place it mildly.”
He additionally raises regulatory issues. “In legislation, the notion of a penetration take a look at stays fairly steady: involvement of impartial and certified human consultants.” He warns that offering regulators with a report generated by an AI instrument may result in penalties.
“One of many primary issues is the potential for AI methods to generate false positives or miss sure vulnerabilities that require human instinct and contextual understanding,” says Amit Zimerman, co-founder and CPO at Oasis Safety .”Moreover, AI methods have to be correctly educated, which will be resource-intensive, and should not all the time account for the nuances of each distinctive atmosphere or assault vector.”
Paradoxically, higher educated pink teaming AI additionally turns into a possible risk if dangerous actors pay money for the AI. “That is notably crucial in cybersecurity, the place instruments meant to guard might be repurposed for malicious assaults. It’s essential that organizations undertake strict governance and moral pointers when deploying AI in these contexts,” he warns.
Soroko provides the dependency threat. “Over-reliance on AI may diminish human experience and instinct inside cybersecurity groups.”
The usage of agentic AI will improve, designed to boost the efficiency of the pink workforce. However agentic AI introduces a brand new assault floor that may be exploited by attackers.
For pentesting
AI guarantees a fast enhance to the pentesting facet of offensive safety. It has the potential to search out vulnerabilities in code with out the need to know the enterprise context across the code. It additionally has the potential – sooner or later, we’re not there but – to repair the vulnerabilities within the code. However this implies it’s equally priceless to any attacker capable of see the code.
“Nonetheless, gen-AI nonetheless lacks the contextual reasoning required to uncover unknown vulnerabilities or design bespoke assault paths. In consequence, human pentesters will proceed to be irreplaceable within the 12 months forward,” feedback Simon Phillips, CTO of engineering at CybaVerse.
AI can also be getting used in-house to generate new code by means of vibe-coding. “This new period of constructing software program by means of AI is taking off at the moment, but it surely’s additionally a serious safety concern as loads of the code is being created poorly by novice immediate engineers,” he continues.
The rising requirement for speedy checks on in-house code earlier than it reaches manufacturing could combine into the continual operate of the pink workforce within the coming years, leaving exterior pentesting to bug hunters and periodic pentest engagements to fulfill compliance functions.
Meantime, “AI-driven SAST instruments will redefine code safety, detecting logic and architectural flaws that conventional scanners overlook. These instruments are quickly turning into indispensable for pentesters and DevSecOps groups, automating code assessment and vulnerability discovery,” feedback Gianpietro Cutolo, employees risk analysis engineer at Netskope.
However he provides, “The offensive potential is equally vital, demonstrated by the truth that an AI agent now holds the highest rank on HackerOne within the US, signaling a future the place each defenders and attackers leverage the identical clever tooling to outpace one another.”
Aikido’s Debaenst factors to analysis: “Ninety-seven % of organizations plan to undertake AI for pentesting, and 9 out of ten consider it should ultimately take over many of the discipline,” he says. “The shift is already underway.”
The way forward for AI and pink teaming
“In 2026, AI will play a supporting function, serving to pink groups work sooner and canopy extra floor. Nonetheless, it received’t substitute human researchers. As an alternative, we’ll see pink teamers utilizing AI like a power multiplier that automates the fundamentals to allow them to give attention to superior ways and deeper testing,” says Emmanouil Gavriil, VP of labs at Hack The Field.
On the similar time, he provides, “Crimson teamers in 2026 will must be extra adaptable than ever. Conventional exploitation abilities are now not sufficient. The assault floor now contains cloud methods, IoT units, and AI-powered instruments, every requiring totally different abilities. The job is now not about mastering one area, however studying to navigate many, and doing it constantly.”
Subho Halder, co-founder and CEO at Appknox, says, “By 2026, AI will automate many facets of offensive safety testing, operating simulations, probing for vulnerabilities, and flagging potential dangers at unprecedented pace. Single-agent AI methods, able to reasoning, studying, and self-correcting, will execute refined, repeatable exams throughout massive codebases and environments.”
Immunefi’s Magalhaes summarizes the best way ahead. “AI is rising as an extremely highly effective instrument, each for automating duties and amplifying what small groups can accomplish. In safety, which means fewer folks could also be wanted to ship sure companies. On the offensive facet, we’re beginning to see early indicators of AI brokers that transfer sooner than human researchers and draw from broader information bases.”
So, sure, he continues, “AI brokers will remodel offensive safety and risk looking; automation is a game-changer, however provided that it’s used along side people. The best utilization is for agentic methods to deal with steady automated testing whereas people present strategic oversight and catch the blind spots that even superior AI misses.”
The long run for offensive safety
A lot of pink teaming is being streamlined. That is obligatory merely by means of the expansion and pace of assaults and the dimensions and complexity of the property that have to be defended.
“The offensive safety panorama is about to vary extra within the subsequent 24 months than within the final 10 years. In 2026, we’ll see the primary actual convergence: automated offensive testing that understands context, state, and enterprise logic, not simply endpoints. Suppose DAST that behaves like a artistic attacker – chaining vulnerabilities, exploiting misconfigurations, and validating affect the best way a human red-teamer would,” says Alankrit Chona, CTO and co-founder at Simbian.
“Offensive and defensive safety will start to merge, creating an ecosystem the place AI-driven instruments probe methods constantly, uncovering weaknesses and hardening them in the identical cycle,” suggests Travis Volk, VP world expertise options and GTM Service at Radware.
“The boundary between pink teaming, penetration testing, and steady assurance will blur. The subsequent part is pre-emptive safety, a everlasting state of validation,” says Bugcrowd’s Julian Brownlow Davies.
“Crimson, blue and coverage groups working in isolation is now not tenable; the gaps between them create blind spots that attackers readily exploit,” provides Merlin Gillespie, operations director at Cybanetix. “The concept pink teaming, blue teaming and coverage writing can dwell in their very own discrete ivory towers is proving painfully outdated.”
A lot of the long run for pink teaming will depend on how AI continues to evolve. It holds large promise however nonetheless suffers from points. The most important benefits will come from the usage of agentic AI – however there’s a battle of priorities right here. A major operate of agentic is the power to function autonomously with out human intervention.
Typically of agentic use, the ultimate however logical step of impartial autonomous remediation is blocked. Persons are not able to relinquish final management. However will this final perpetually? AI has largely given attackers the benefit. They transfer sooner as a result of a mistake isn’t damaging. Defenders transfer extra slowly as a result of a mistake might be catastrophic to the enterprise.
“There’s nonetheless an imbalance as attackers function with fewer constraints whereas defenders are tangled in knowledge silos and compliance overheads,” feedback Michael Adjei, director of methods engineering at Illumio.
So, with threats growing sooner than defenders can react and remediate, will there come a time when enterprise is pressured to undertake agentic AI autonomous remediation from inside a single automated pink/blue workforce? That’s, in any case, the Shangri-La of AI cybersecurity – a very self-healing system.
It’s ironic that whereas AI is ready to see and analyze what is going on within the current, we stay utterly at midnight over the place future AI could also be taking us.
Associated: Zero to Hero – A “Measured” Strategy to Constructing a World-Class Offensive Safety Program
Associated: FireCompass Raises $20 Million for Offensive Safety Platform
Associated: Crimson Teaming AI: The Construct Vs Purchase Debate
Associated: How Do You Know If You’re Prepared for a Crimson Crew Partnership?
