Cyber Offense: where the rubber meets the road

Part 3 of a five part series on the cybersecurity industry.

The Offensive Cyber Market: Who Builds the Attacks, Who Buys Them and Why It Is Bigger Than You Think

A founder I met at Cybertech Tel Aviv this year described his product to me in one sentence. "We sell red team engagements as a SaaS subscription, so the buyer never has to call a consultant again." I asked him what category Gartner puts that in. He laughed and said, "different one every quarter." That is the offensive market in 2026.

Offensive cybersecurity is the part of the industry most outsiders misunderstand. It is not malicious hacking sold as a product. It is the discipline of thinking like an attacker on behalf of a defender: running simulated attacks, hunting for zero day vulnerabilities, emulating the playbook of a specific ransomware group and selling the lessons back to the organization being tested (Cyber Security Associates).

The market is smaller than the defensive side, but the deals are bigger, the margins are better and the buyer is usually more sophisticated. It also includes the most regulated and controversial corner of the entire cybersecurity industry, lawful intercept and commercial surveillance, which is worth understanding even if you would never invest in it.

Offense as defense

The single most important trend in this market is that offensive capabilities are increasingly being packaged as defensive outcomes. A breach and attack simulation platform is, under the hood, an offensive toolkit. It is sold to a Chief Information Security Officer ("CISO") as a way to validate that the defensive stack actually works. The interesting investments sit on that boundary.

What follows are the ten main offensive categories, in roughly increasing order of regulatory exposure.

Penetration Testing Services and Platforms

Penetration testing, or "pen testing," is an authorized, scoped attack against a defined target. A web app, a network segment, a mobile app. The goal is to surface as many exploitable vulnerabilities as possible within a fixed timeline (Cyber Security Associates). It is delivered as a professional service or, increasingly, as Pen Test as a Service ("PTaaS"), a platform that lets enterprises run scoped tests on demand.

Almost every company that needs System and Organization Controls 2 ("SOC 2"), the Payment Card Industry Data Security Standard ("PCI DSS"), the Health Insurance Portability and Accountability Act ("HIPAA") or any customer requested attestation is a buyer. Product security teams also buy it for a deep look at a specific release before shipping. Cobalt, HackerOne, Bugcrowd and the Big 4 consultancies all play here. Israeli vendors include Pentera for autonomous pen testing and Sygnia (acquired by Temasek) for high end offensive services (Tracxn).

Red Teaming and Adversary Emulation

Red teaming is the bigger, scenario based version of pen testing. Ethical hackers emulate the Tactics, Techniques and Procedures ("TTPs") of real world threat actors (a specific ransomware group, a nation state actor) and run the engagement against an organization's people, processes and technology (IBM). Unlike pen tests, red team engagements are objective driven ("exfiltrate the crown jewel database") and often play out against a defending blue team that does not know an engagement is in flight.

The buyers are mature security organizations. Large banks, defense contractors, hyperscalers, governments. The kind of organization that has already passed the basics and wants to see how its detection and response actually performs under pressure. Bishop Fox, IBM X-Force Red, Mandiant and a long list of boutiques deliver these engagements. Israeli boutiques include Sygnia, Security Joes and Cytactic, plus offensive consulting from Check Point and CyberProof.

Breach and Attack Simulation and Adversarial Exposure Validation

This is where offense meets defense in software form. Breach and Attack Simulation ("BAS") platforms continuously and safely simulate attacker techniques against your live environment to validate whether your controls actually block and detect them. BAS focuses on isolated technique checks. The newer Adversarial Exposure Validation ("AEV") category, defined by Gartner in 2024, validates full multi stage adversary campaigns, including the Security Operations Center ("SOC") response chain (SCYTHE).

CISOs and detection engineering teams at organizations that have already invested heavily in defensive tooling are the buyers. They want to prove the stack actually works against real world TTPs. SafeBreach, Cymulate, AttackIQ, Picus Security, XM Cyber, SCYTHE and Pentera are the key vendors (AmbiSure). This is one of Israel's strongest offensive subsegments. SafeBreach, Cymulate, XM Cyber (acquired by Schwarz Group) and Pentera are all Israeli founded.
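The distinction above between BAS (each technique checked on its own) and AEV (a full chain validated end to end) is easier to see in code. The following harness is an added illustration, not code from the original article or from any of the vendors named; the technique labels are MITRE ATT&CK identifiers, and the block/detect telemetry is constructed sample data standing in for what an EDR or SIEM would report after a safe simulation run. The point it makes is that a stack can score well on isolated checks and still let a multi stage campaign reach its objective.

```python
"""Control validation harness contrasting BAS-style and AEV-style scoring (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry: what a hypothetical defensive stack reported for
# each simulated technique. Real BAS tooling would populate this from EDR/SIEM data.
SAMPLE_TELEMETRY: Dict[str, Dict[str, bool]] = {
    "T1566.001": {"blocked": False, "detected": True},   # phishing attachment delivered, alert raised
    "T1059.001": {"blocked": False, "detected": True},   # PowerShell execution observed, not stopped
    "T1003.001": {"blocked": True,  "detected": True},   # LSASS credential access prevented
    "T1021.002": {"blocked": False, "detected": False},  # SMB lateral movement went unnoticed
    "T1048":     {"blocked": False, "detected": True},   # exfiltration over alternative protocol alerted
}

BLOCKED, DETECTED, MISSED = "blocked", "detected", "missed"


def classify(result: Dict[str, bool]) -> str:
    """Collapse raw block/detect flags into one outcome label."""
    if result.get("blocked"):
        return BLOCKED      # prevention worked
    if result.get("detected"):
        return DETECTED     # control saw it but let it through
    return MISSED           # neither prevented nor alerted: a coverage gap


def bas_report(technique_ids: List[str], telemetry: Dict[str, Dict[str, bool]]) -> Dict[str, str]:
    """BAS-style evaluation: every technique is judged in isolation."""
    # A technique with no telemetry at all is a miss, never a skip.
    return {tid: classify(telemetry.get(tid, {})) for tid in technique_ids}


def coverage(report: Dict[str, str]) -> float:
    """Fraction of techniques that were at least detected."""
    if not report:
        return 0.0
    ok = sum(1 for outcome in report.values() if outcome in (BLOCKED, DETECTED))
    return ok / len(report)


@dataclass
class CampaignResult:
    reached_objective: bool       # True if no stage was blocked
    stopped_at: Optional[str]     # technique id of the stage that was blocked, if any
    missed_stages: List[str]      # stages that raised no alert at all
    alerts_raised: List[str]      # stages that alerted but did not stop the chain


def aev_campaign(stages: List[str], telemetry: Dict[str, Dict[str, bool]]) -> CampaignResult:
    """AEV-style evaluation: stages are chained; a block at any stage halts the campaign."""
    missed: List[str] = []
    alerts: List[str] = []
    for tid in stages:
        outcome = classify(telemetry.get(tid, {}))
        if outcome == BLOCKED:
            return CampaignResult(False, tid, missed, alerts)
        if outcome == DETECTED:
            alerts.append(tid)
        else:
            missed.append(tid)
    return CampaignResult(True, None, missed, alerts)


if __name__ == "__main__":
    report = bas_report(list(SAMPLE_TELEMETRY), SAMPLE_TELEMETRY)
    print("BAS report:", report, f"coverage={coverage(report):.0%}")
    # Campaign that walks through the blocked credential dumping stage.
    print("AEV via LSASS:", aev_campaign(
        ["T1566.001", "T1059.001", "T1003.001", "T1021.002", "T1048"], SAMPLE_TELEMETRY))
    # Campaign that routes around the one control that blocks.
    print("AEV via SMB only:", aev_campaign(
        ["T1566.001", "T1059.001", "T1021.002", "T1048"], SAMPLE_TELEMETRY))
```

Run stand-alone, the BAS report shows four of five techniques detected or blocked, which reads as 80% coverage. The first campaign is stopped at the credential dumping stage, but the second, which avoids that stage and relies on the undetected SMB lateral movement, reaches its exfiltration objective despite three alerts firing along the way. That is the gap between "each control fires" and "the SOC response chain actually stops the adversary" that AEV is meant to expose.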

Vulnerability Research and Exploit Development

This is the discipline of finding new, often zero day, vulnerabilities in software and hardware, and in some cases developing reliable exploits for them. The outputs flow into bug bounty programs, defensive products, government capabilities or, in the gray and black markets, to brokers.

On the legitimate side, large vendors like Microsoft, Google and Apple run bounty programs. Platforms like HackerOne, Bugcrowd, Intigriti and the Zero Day Initiative ("ZDI") aggregate researcher findings. Governments and law enforcement agencies also buy vetted exploit research from firms like Crowdfense and Zerodium. This is also the ethically heaviest part of the industry. The same vulnerability that gets sold to Microsoft for $250,000 might fetch ten times that from a non Western government broker. Israeli participants include the offensive research labs of Check Point Research and SentinelLabs, plus boutique shops like Toka.

Offensive Security Frameworks and C2 Tooling

This is the actual software that red teamers and pen testers use to compromise systems, maintain persistence and move laterally inside a network. The category includes commercial Command and Control ("C2") platforms like Cobalt Strike, open source frameworks like Metasploit, Sliver, Caldera and Mythic, and a broader ecosystem of password crackers (Hashcat), credential dumpers and lateral movement tools like BloodHound (GitHub: 0xor0ne).

Licensed pen testing firms, internal red teams at large enterprises, government cyber units and security training providers are the legitimate buyers. Commercial vendors gate sales carefully because the same tools, in the wrong hands, are exactly what ransomware operators use. Israeli firms that build offensive frameworks or red team tooling include Cobwebs Technologies, now part of Penlink, and Wintego Systems. Both sit closer to lawful intercept territory.

Phishing Simulation and Social Engineering Platforms

These are platforms purpose built to launch realistic phishing, smishing, vishing and now deepfake based social engineering campaigns against an organization's own employees, with measurable reporting and tied in training.

HR, IT security and awareness teams everywhere are buyers. The line between this and the defensive Security Awareness category has almost disappeared. KnowBe4, Hoxhunt and others sell both the attack simulation and the training that follows. Israeli vendors include CybeReady and Lucy Security, the latter of which has significant Israeli operations.

Offensive OSINT and Reconnaissance

This is the tooling and tradecraft for Open Source Intelligence ("OSINT") gathering. Mapping a target's external attack surface, employees, supply chain, leaked credentials and exposed services before a single packet is sent. The buyers are red teams, threat intel teams, fraud investigators, law enforcement, corporate investigations groups, journalists and competitive intelligence functions.

Maltego, Shodan, SpiderFoot and Recorded Future are widely used. Israeli vendors include Cobwebs Technologies, Webz.io, which sells dark web and deep web data, and Rayzone Group, which builds intelligence platforms for governments.

AI Red Teaming and Adversarial Machine Learning

This is a fast emerging discipline focused on attacking AI systems themselves. Prompt injection, jailbreaks, training data poisoning, model extraction and adversarial inputs that cause models to behave unsafely. As enterprises deploy Large Language Models ("LLMs") into production, attackers now have a new surface to probe (EC Council University).

The buyers are foundation model labs (OpenAI, Anthropic, Google DeepMind), enterprises deploying Generative AI ("GenAI") in regulated workflows and government AI safety bodies. Vendors include HiddenLayer, Protect AI, Lakera and a growing roster of services boutiques. Israel has become a leader in this niche. Aim Security, Pillar Security, Lasso Security, Prompt Security and Apex Security all focus on attacking and protecting LLM applications.

Lawful Intercept, Government Hacking and Forensic Acquisition

This is the most regulated and most controversial corner of the offensive market. It includes Lawful Intercept ("LI") platforms used by telecoms to comply with wiretap orders, mobile forensic tools that extract data from seized devices (Cellebrite, Magnet Forensics, Grayshift) and so called commercial spyware used for targeted surveillance. NSO Group's Pegasus is the best known example, though it is far from the only one.

Law enforcement, intelligence agencies, militaries and customs authorities are the only legitimate buyers, and only in jurisdictions where their use is legal. The category attracts intense scrutiny from human rights groups and is subject to growing export controls. The U.S. Commerce Department has blacklisted several vendors in the last three years. Israel is the global epicenter of this segment, for better and worse. NSO Group, Cellebrite (NASDAQ listed), Paragon Solutions, Candiru, Quadream (now wound down) and Cognyte, formerly Verint's cyber unit, all originated here.

For investors, this is the part of the market where reputation and regulation matter as much as the technology. A single human rights report can wipe out a multi hundred million dollar valuation. Almost every major U.S. institutional investor has formally avoided the sub sector since the 2021 Pegasus disclosures.

Bug Bounty and Crowdsourced Security

This is the category that incentivizes independent researchers worldwide to find and responsibly disclose vulnerabilities in exchange for cash rewards. The model has gone fully mainstream. Even the U.S. Department of Defense runs "Hack the Pentagon."

The buyers are tech companies at scale, governments, financial institutions and an increasing number of mid market firms. HackerOne, Bugcrowd, Intigriti and YesWeHack are the leading platforms. Israeli participants in adjacent crowdsourced and disclosure workflows include HackenProof, which is Ukrainian Israeli, and Sasa Software.

Our view: two investment theses

The offensive market has two natural investment theses, and they could not be more different.

The first is the productization thesis. Anything that turns a service engagement into a recurring software contract is structurally attractive. BAS and AEV are the most obvious examples, and the public market multiples on the leaders reflect that. Continuous automated pen testing platforms, including the new wave of agentic offensive tools, are the most likely candidates to repeat the pattern over the next 24 months. The Israeli BAS roster (SafeBreach, Cymulate, XM Cyber, Pentera) is the strongest cluster of vendors in the world at this game.

The second is the regulated market thesis, and it is the harder one. Lawful intercept and commercial surveillance generate real revenue and real cash flow, but the regulatory risk is genuinely binary, and the reputational risk for a Limited Partner ("LP") is non trivial. Most generalist investors steer clear, which is precisely why the sub sector keeps producing standalone exits at unusual multiples.

The category that does not yet have its winners is AI red teaming. It is too early to call. But the structural argument, that every enterprise deploying GenAI will need continuous adversarial testing, is strong enough that the leaders here will look obvious in retrospect.

Final Thoughts

Offense is the smaller side of the cyber industry but it is the more interesting one for investors who can read it. The productization thesis is where the institutional capital can comfortably play. The regulated edge is where the asymmetric returns live, and where the asymmetric reputational risk lives too. Israel sits on both sides of that line in unusually concentrated form. An investor who wants exposure to offensive cyber has to decide, post 2021, which side of that line they are willing to underwrite.

Next

Cyber Security Defense