Thirty-two percent of security teams see automated, AI-fueled attacks as the single greatest driver reshaping their offensive security strategies. That’s according to new research from market research firm Omdia and commissioned by Cobalt.
While AI-driven automated attacks are certainly changing the threats organizations face, they’re not the only substantial security challenge they face. The vast majority are defending blindly: Only one in four organizations reports complete real-time visibility into all its data and assets. The other three-quarters are running offensive security programs against a partial map.
That structural gap has many defenders on their heels. Attackers are using AI to find and exploit gaps faster than traditional pen testing cycles can close them. The Omdia, Cobalt-commissioned survey, which included 400 North American IT and cybersecurity professionals, found that 53% say their current offensive security approach produces reports that are obsolete by the time they're delivered, and 48% say existing methods are too infrequent to keep pace with technological change.
More on AI's impact on cybersecurity:
George V. Hulme
Bill Brenner
"The research results give us a good reality check on where people currently are in planning their offensive security strategies within their overall security programs," said Melinda Marks, practice director, cybersecurity at Omdia. "We're seeing an evolution to keep up with two AI-related trends: supporting usage of AI that increases the attack surface due to more productivity and scale, and attackers who are leveraging AI."
AI use certainly is driving broader adoption of cloud services, SaaS platforms, and AI productivity tools, which expand the attack surface faster than most security teams can map. Attackers, meanwhile, have access to the same AI capabilities to automate reconnaissance and accelerate exploitation. Security teams are caught between the two trends.
Traditional offensive security tactics can't keep up
Traditional offensive security wasn’t designed for this speed and scale of attack. Pen testing and bug bounty programs have historically operated as testing mechanisms layered on top of other controls: a way to surface what policies, scanners, and application security tools missed. That exercise remains valuable, but it was built around periodic testing cycles rather than continuous validation. "Security teams typically apply offensive security testing as a way to address any gaps in their other security tools and processes to catch and fix issues before an attacker can find and exploit weaknesses. Offensive security testing can catch anything that was missed," Marks said.
The data shows where organizations are looking to close that gap. Forty-two percent of respondents identified autonomous AI security agents and agentic penetration testing as the technologies most likely to drive the evolution of offensive security programs. A further 24% cited cloud-native attack surface management. Those two categories reflect a recognition that coverage and continuity are the primary program deficiencies, not depth of testing.
Yet the movement toward AI-driven autonomy is proceeding with caution. Only 7% of organizations currently deploy AI agents with full autonomy. The overwhelming majority keep humans in the loop in some form: 34% require human approval for every AI action, 33% treat AI output as advisory, and 27% allow AI to operate autonomously while retaining human oversight. Marks sees that caution as rational, given where the technology is today.
"When organizations are looking to use AI, there is always a concern about whether humans will be replaced," she said. "There are a number of offensive security vendors emerging, leaning more on AI than humans, but the study showed that people still value human cybersecurity skills, oversight, and the creativity and critical thinking needed to defeat attackers."
Fifty percent of respondents said they need humans in the loop but are investing in technology to strengthen their programs. Another 44% said human expertise is central to offensive operations and program success. Only 6% said they aspire to remove humans entirely from the loop.
That’s 94% of organizations wanting to keep humans firmly “in the loop.” Despite aggressive AI adoption across the security industry, fewer than one in fifteen organizations are structurally moving toward autonomous offensive security without meaningful human oversight. The more common expectation is role evolution, not replacement: 60% of respondents said analysts will shift from executing offensive security tasks to supervising autonomous workflows, and 59% expect analysts to focus more on proactive threat hunting and strategic defense. The implication is that AI expands what human practitioners can cover: it doesn't eliminate the need for their judgment.
Organizations are increasing their offensive security spending
The pressure is translating directly into budget commitments. Eighty-eight percent of respondents plan to increase spending on offensive security technologies over the next 12 months, with 23% planning a significant increase. That spending pattern reflects urgency, but urgency alone doesn't determine outcomes.
What matters most is how that budget is applied and how offensive security findings get used. The research shows that integration is improving in 60% of organizations that feed offensive security results directly into SOC detection engineering and rule-tuning processes, and in 56% that route them into centralized risk-based exposure management platforms. That's a meaningful shift from programs that historically generated reports consumed primarily for compliance documentation.
Still, 42% of respondents said findings are used exclusively for compliance reporting and audit evidence. That segment continues to operate a program designed for regulators rather than attackers, a structural mismatch that AI-driven threats will continue to punish. "If attackers are using AI, AI on the defender side is the only way to stay ahead of attackers who are using AI to scale," Marks said.
The data reflect an industry in transition, with a majority investment in modernization, a majority recognition of the AI threat, and a recognition that the human element remains essential, yet execution lags the stated direction. Continuous visibility, agentic testing, and tighter integration between offensive findings and defensive operations are the program features that close the gap. Most organizations say they're moving there. The question is their pace.
