Press TechRound interviews Secure.com CEO on the future of AI security
Read

Why Is Offensive Testing So Hard to Scale?

Red teams can't keep up with growing attack surfaces. See why offensive testing is hard to scale, and how autonomous red teaming can help.

Key Takeaways

  • Skilled red teamers are scarce, and hiring more of them isn’t a real fix. The gap between demand and supply keeps growing every year.
  • Your attack surface changes daily. A pentest from last quarter tells you almost nothing about the risk sitting in production today.
  • Mapping every test to MITRE ATT&CK by hand takes real time and real expertise, which is exactly what most teams don’t have enough of.
  • Autonomous red teaming and adversary emulation let you test continuously instead of once a year, without needing a bigger team.
  • Testing alone isn’t the finish line. Someone still has to close the exposure a red team finds, fast, before an attacker gets there first.

A mid size fintech company ran its annual pentest in January. The report was solid. Every finding got fixed within a month. Then in October, an attacker walked through a cloud misconfiguration that didn’t even exist when the test happened. Nobody lied on that report. The environment had simply moved on without it.

That’s the honest answer to why is offensive testing hard to scale. It’s not that red teams are bad at their jobs. It’s that the format they work in was built for a slower world, and scaling it up has turned into one of the hardest problems in security.

Coverage gap

A pentest is a snapshot. Attackers work every day.

Same fintech company, same year — mapped against when a real breach happened.

Tested Breach Untested window
Traditional pentest 2 engagements / year
JanMarMayJulSepOctDec

Even the July test missed it — the misconfiguration attackers used in October didn’t exist yet when either test ran.

Autonomous red teaming Always on
JanMarMayJulSepOctDec

New services get probed within hours of appearing — the October gap never opens.

Why Human Red Teams Can’t Keep Up

Good offensive security work takes years to learn. You need people who understand how real attackers think, not just how to run a scanner. That kind of talent is rare, and it’s getting rarer relative to demand.

The Talent Squeeze Is Real

Talent squeeze

Hiring more red teamers isn’t the fix

2025 ISC2 Cybersecurity Workforce Study · 16,000+ security professionals surveyed

33%

Understaffed

say their org doesn’t have the resources to staff its team properly

48%

Exhausted

feel worn out just trying to keep up with new threats and tools

89%

Already breached

had a real incident that traced back to a skills gap

Nearly 9 in 10 teams have already paid for this gap. Adding headcount doesn’t close it — the specialty is too scarce to hire out of.

The 2025 ISC2 Cybersecurity Workforce Study surveyed more than 16,000 security professionals worldwide, and the picture it paints is rough:

  • A third of respondents said their organization doesn’t have the resources to staff its team properly.
  • Almost half said they feel exhausted just trying to keep up with new threats and tools.
  • Nearly nine out of ten had already dealt with a real security incident that traced back to a skills gap.

Red teaming sits at the sharp end of that shortage. It’s a specialty within a specialty, and specialties like that don’t scale by posting a job listing.

What It Actually Takes to Red Team Well

To run offensive testing at a professional level, you need people who know:

  • How adversaries actually move through a network, not just how a checklist says they should
  • Cloud environments, identity systems, and application logic well enough to chain small issues into a real breach
  • How to write up findings that get taken seriously by both engineers and executives

There simply aren’t enough of these people to go around, and the ones who exist cost a lot and book up fast. Hiring your way out of this problem doesn’t work. Even well-funded teams end up waiting months for a slot on an external red team’s calendar, then waiting again for the next one.

Your Attack Surface Grows Faster Than Any Test Cycle

Say you do land that red team engagement. It runs for two weeks. The report lands a month later. By the time your team starts fixing findings, how much has actually changed underneath them?

What Changes Between Two Tests

Quite a bit, usually. A single quarter can bring:

  • New services deployed without a security review
  • Cloud configs that drift away from their original, tested state
  • Employees onboarded and offboarded, each one changing your identity footprint
  • Third-party integrations added without anyone flagging them to security

The Cloud Security Alliance points out that new technology like AI tools, cloud services, and connected devices keeps expanding what attackers can target, making it harder for testers to even map every entry point, let alone test it.

A once-a-year pentest was never designed to keep pace with an environment that changes every single day. It gives you a snapshot, and snapshots go stale fast. That’s the core reason offensive testing is hard to scale. The testing model is periodic. The risk it’s measuring is not.

Why MITRE ATT&CK Doesn’t Solve the Speed Problem on Its Own

Most mature red teams anchor their work to MITRE ATT&CK, a framework that catalogs the tactics and techniques real attackers use, from initial access to data theft. It’s genuinely useful. It gives everyone a shared language and a way to measure coverage instead of guessing.

But mapping an engagement to ATT&CK is still manual work. Someone has to:

  • Decide which techniques matter most for your environment
  • Build or configure the emulation for each one
  • Run it, then check whether your defenses actually caught it

Do that thoroughly across dozens of techniques and multiple attack paths, and you’ve eaten a huge chunk of a skilled tester’s time before they’ve even started chaining anything together. Adversary emulation, which recreates the specific behavior of real threat groups relevant to your industry, is only as fast as the people configuring it.

What Actually Scales: Autonomous Red Teaming

This is where autonomous red teaming changes the math. Instead of a two-week engagement twice a year, autonomous agents can run adversary emulation continuously, testing new attack paths every time your infrastructure changes, not just when a calendar reminder fires.

How Continuous Testing Works in Practice

Think about what that means day to day. A new cloud service gets spun up on a Tuesday afternoon. Under the old model, nobody tests it until the next scheduled engagement, which could be months away. With autonomous red teaming running quietly in the background, that service gets probed against relevant MITRE ATT&CK techniques within hours of appearing, and the results roll straight into your existing coverage picture instead of sitting in a separate, disconnected report somewhere.

Where Human Testers Still Matter

Autonomous tools don’t make human expertise obsolete. Skilled testers are still the ones who:

  • Decide what to test and why it matters to the business
  • Interpret business logic risk that a scanner can’t reason about
  • Chain findings together in creative ways automation alone might miss

What changes is the volume of routine, repeatable testing that no longer has to sit on a waiting list. Human judgment gets pointed at the hard problems instead of getting spent on repetitive coverage checks.

Secure.com · Infrastructure Security Teammate

From finding to fix, without the six-week wait

01 · DETECT

Watches continuously

Cloud, SaaS, and workload infrastructure monitored for drift and misconfiguration.

02 · ROUTE

Reaches the right owner

Routed automatically via Asset Insight ownership mapping.

03 · TRACK

Gets a deadline

Tracked with a clear, accountable timeline.

04 · REMEDIATE

Closed with context

Fixed properly, instead of getting lost in a backlog.

Attack Path Analysis — blast radius per exposure
Entry point
Lateral hop
Crown jewel

Every exposure is scored by how far an attacker could reach from it, so your team knows exactly what’s at stake before deciding how fast to move.

See the Infrastructure Security Teammate

FAQs

What is the difference between red teaming and adversary emulation?
Red teaming is the broader practice of simulating a real attack against your organization to test people, process, and technology together. Adversary emulation is a specific technique within red teaming that recreates the exact tactics of a known threat actor, usually mapped to MITRE ATT&CK, so you can measure whether your defenses catch that particular style of attack.
Can autonomous red teaming fully replace human penetration testers?
Not entirely, at least not yet. Autonomous tools are excellent at running repeatable, high-volume testing continuously across a large environment. Human testers are still better at business logic flaws, creative attack chaining, and judgment calls that don’t fit a predefined playbook. The strongest programs use both together.
How often should offensive security testing happen?
Annual or quarterly pentests are still common, but they leave large gaps given how fast most environments change. Many security teams are shifting toward continuous testing models, where automated adversary emulation runs regularly and human-led red team engagements happen a few times a year to go deeper on high-value targets.
Why does MITRE ATT&CK matter for offensive testing?
It gives your team a shared, standardized way to describe attacker behavior and measure test coverage. Without it, two different testers might describe the same attack completely differently, making it hard to compare results over time or prove to leadership that your defenses are actually improving.

The Bottom Line

Offensive testing is hard to scale because it was built around scarce human time, and human time hasn’t gotten any less scarce. The fix isn’t working your red team harder. It’s giving them tools that handle the repeatable parts continuously, so their time goes toward the attack paths that actually need a human brain, while the rest of your infrastructure gets watched and hardened every single day, not just once a year.