There’s a recurring theme throughout the latest episode of CYBR.HAK.CAST: defenders keep trying to solve attacker problems with compliance paperwork. That disconnect is exactly what Tim Medin wants security teams to stop doing.
Joining hosts Michael Farnum and Phillip Wylie ahead of his appearance at CYBR.HAK.CON later this month, Medin laid out a blunt reality: despite years of tooling improvements, many organizations are still missing the fundamentals attackers exploit every day.
In his view, part of the problem is that defenders often don’t understand how offensive operators actually think.
“We hear this stuff all the time,” Medin said. “You’ve got to cut through the BS to some degree.”
That philosophy forms the foundation of his upcoming conference talk, “Offense for Defense,” which focuses on helping blue teams adopt practical offensive techniques to better understand real-world attack paths. Instead of blindly following security recommendations, Medin argues that defenders need to understand why attackers target certain weaknesses and how adversaries chain together access, privilege escalation, and lateral movement.
The conversation zeroed in heavily on assumed breach penetration testing — a methodology that has become increasingly important as organizations improve perimeter defenses.
Years ago, penetration testers could often rely on unpatched systems, weak password hashes, or exposed services to gain initial access quickly. That’s no longer consistently true. Modern attackers are more likely to enter environments through phishing, stolen credentials, rogue insiders, or compromised endpoints. So penetration testing evolved accordingly.
Instead of pretending attackers always start outside the network, assumed breach testing begins with the premise that the adversary already has some level of access.
That change matters because it exposes architectural weaknesses that traditional perimeter-focused testing often misses.
“You’re not going to make architectural changes during an incident,” Medin said. “Find these things yourself and fix them yourself before the bad guys do.”
The hosts expanded on that point by discussing how defenders can use offensive tools like BloodHound and PingCastle to map Active Directory relationships, identify privilege escalation paths, and uncover hidden trust issues before attackers exploit them. The goal isn’t to turn every sysadmin into a red team operator. It’s to help defenders think critically about attacker behavior instead of treating security as a collection of disconnected controls.
The episode also highlighted a deeper cultural issue inside some organizations: fear.
Medin described situations where companies intentionally limit penetration testing scope because leadership doesn’t want certain vulnerabilities formally documented. Farnum added that some executives only take issues seriously once a third-party assessment validates problems internal teams have already identified for years.
That creates a dangerous dynamic where politics and optics start outweighing actual risk reduction.
In the end, Medin said, attackers don’t care about your compliance status. They care about whether they can move.
Defenders who understand offensive thinking stand a much better chance of stopping them.