Key Takeaways
- Skilled red teamers are scarce, and hiring more of them isn’t a real fix. The gap between demand and supply keeps growing every year.
- Your attack surface changes daily. A pentest from last quarter tells you almost nothing about the risk sitting in production today.
- Mapping every test to MITRE ATT&CK by hand takes real time and real expertise, which is exactly what most teams don’t have enough of.
- Autonomous red teaming and adversary emulation let you test continuously instead of once a year, without needing a bigger team.
- Testing alone isn’t the finish line. Someone still has to close the exposure a red team finds, fast, before an attacker gets there first.
A mid size fintech company ran its annual pentest in January. The report was solid. Every finding got fixed within a month. Then in October, an attacker walked through a cloud misconfiguration that didn’t even exist when the test happened. Nobody lied on that report. The environment had simply moved on without it.
That’s the honest answer to why is offensive testing hard to scale. It’s not that red teams are bad at their jobs. It’s that the format they work in was built for a slower world, and scaling it up has turned into one of the hardest problems in security.
A pentest is a snapshot. Attackers work every day.
Same fintech company, same year — mapped against when a real breach happened.
Even the July test missed it — the misconfiguration attackers used in October didn’t exist yet when either test ran.
New services get probed within hours of appearing — the October gap never opens.
Why Human Red Teams Can’t Keep Up
Good offensive security work takes years to learn. You need people who understand how real attackers think, not just how to run a scanner. That kind of talent is rare, and it’s getting rarer relative to demand.
The Talent Squeeze Is Real
Hiring more red teamers isn’t the fix
2025 ISC2 Cybersecurity Workforce Study · 16,000+ security professionals surveyed
Understaffed
say their org doesn’t have the resources to staff its team properly
Exhausted
feel worn out just trying to keep up with new threats and tools
Already breached
had a real incident that traced back to a skills gap
Nearly 9 in 10 teams have already paid for this gap. Adding headcount doesn’t close it — the specialty is too scarce to hire out of.
The 2025 ISC2 Cybersecurity Workforce Study surveyed more than 16,000 security professionals worldwide, and the picture it paints is rough:
- A third of respondents said their organization doesn’t have the resources to staff its team properly.
- Almost half said they feel exhausted just trying to keep up with new threats and tools.
- Nearly nine out of ten had already dealt with a real security incident that traced back to a skills gap.
Red teaming sits at the sharp end of that shortage. It’s a specialty within a specialty, and specialties like that don’t scale by posting a job listing.
What It Actually Takes to Red Team Well
To run offensive testing at a professional level, you need people who know:
- How adversaries actually move through a network, not just how a checklist says they should
- Cloud environments, identity systems, and application logic well enough to chain small issues into a real breach
- How to write up findings that get taken seriously by both engineers and executives
There simply aren’t enough of these people to go around, and the ones who exist cost a lot and book up fast. Hiring your way out of this problem doesn’t work. Even well-funded teams end up waiting months for a slot on an external red team’s calendar, then waiting again for the next one.
Your Attack Surface Grows Faster Than Any Test Cycle
Say you do land that red team engagement. It runs for two weeks. The report lands a month later. By the time your team starts fixing findings, how much has actually changed underneath them?
What Changes Between Two Tests
Quite a bit, usually. A single quarter can bring:
- New services deployed without a security review
- Cloud configs that drift away from their original, tested state
- Employees onboarded and offboarded, each one changing your identity footprint
- Third-party integrations added without anyone flagging them to security
The Cloud Security Alliance points out that new technology like AI tools, cloud services, and connected devices keeps expanding what attackers can target, making it harder for testers to even map every entry point, let alone test it.
A once-a-year pentest was never designed to keep pace with an environment that changes every single day. It gives you a snapshot, and snapshots go stale fast. That’s the core reason offensive testing is hard to scale. The testing model is periodic. The risk it’s measuring is not.
Why MITRE ATT&CK Doesn’t Solve the Speed Problem on Its Own
Most mature red teams anchor their work to MITRE ATT&CK, a framework that catalogs the tactics and techniques real attackers use, from initial access to data theft. It’s genuinely useful. It gives everyone a shared language and a way to measure coverage instead of guessing.
But mapping an engagement to ATT&CK is still manual work. Someone has to:
- Decide which techniques matter most for your environment
- Build or configure the emulation for each one
- Run it, then check whether your defenses actually caught it
Do that thoroughly across dozens of techniques and multiple attack paths, and you’ve eaten a huge chunk of a skilled tester’s time before they’ve even started chaining anything together. Adversary emulation, which recreates the specific behavior of real threat groups relevant to your industry, is only as fast as the people configuring it.
What Actually Scales: Autonomous Red Teaming
This is where autonomous red teaming changes the math. Instead of a two-week engagement twice a year, autonomous agents can run adversary emulation continuously, testing new attack paths every time your infrastructure changes, not just when a calendar reminder fires.
How Continuous Testing Works in Practice
Think about what that means day to day. A new cloud service gets spun up on a Tuesday afternoon. Under the old model, nobody tests it until the next scheduled engagement, which could be months away. With autonomous red teaming running quietly in the background, that service gets probed against relevant MITRE ATT&CK techniques within hours of appearing, and the results roll straight into your existing coverage picture instead of sitting in a separate, disconnected report somewhere.
Where Human Testers Still Matter
Autonomous tools don’t make human expertise obsolete. Skilled testers are still the ones who:
- Decide what to test and why it matters to the business
- Interpret business logic risk that a scanner can’t reason about
- Chain findings together in creative ways automation alone might miss
What changes is the volume of routine, repeatable testing that no longer has to sit on a waiting list. Human judgment gets pointed at the hard problems instead of getting spent on repetitive coverage checks.
From finding to fix, without the six-week wait
Watches continuously
Cloud, SaaS, and workload infrastructure monitored for drift and misconfiguration.
Reaches the right owner
Routed automatically via Asset Insight ownership mapping.
Gets a deadline
Tracked with a clear, accountable timeline.
Closed with context
Fixed properly, instead of getting lost in a backlog.
Every exposure is scored by how far an attacker could reach from it, so your team knows exactly what’s at stake before deciding how fast to move.
FAQs
What is the difference between red teaming and adversary emulation?
Can autonomous red teaming fully replace human penetration testers?
How often should offensive security testing happen?
Why does MITRE ATT&CK matter for offensive testing?
The Bottom Line
Offensive testing is hard to scale because it was built around scarce human time, and human time hasn’t gotten any less scarce. The fix isn’t working your red team harder. It’s giving them tools that handle the repeatable parts continuously, so their time goes toward the attack paths that actually need a human brain, while the rest of your infrastructure gets watched and hardened every single day, not just once a year.