For more than two decades, cybersecurity has been built on a reactive model: detect intrusions, patch vulnerabilities, respond to incidents, and repeat. That model is now under sustained pressure from a threat environment that is faster, more coordinated, and increasingly automated.
Two recent developments illustrate how quickly that model is breaking down. Earlier this month, the White House released its long-awaited cyber strategy that elevates proactive or offensive cybersecurity to the top of its priorities. At this year’s RSA Conference, Sandra Joyce, who leads Google’s Threat Intelligence Group, unveiled the company’s threat disruption unit, outlining plans to use legal authorities and technical capabilities to thwart cyber threat groups actively.
Together, these developments reflect a shift already under way — from purely defensive models toward efforts to disrupt adversaries before attacks reach their targets.
“What we’ve been doing for the past 20 years hasn’t been working,” Glenn Gerstell, former general counsel of the National Security Agency and now senior adviser at the Center for Strategic and International Studies, tells CSO. “We have been inherently playing catch-up on defense … and the gap is getting wider.”
That assessment is now shaping both government strategy and private-sector operations. The United States is explicitly trying to shape adversary behavior rather than absorb attacks, while major technology providers are investing in capabilities designed to disrupt threat actors before they reach their targets.
The shift is often described as “proactive cyber” or “active defense,” but the language obscures how constrained — and how operational — the change actually is.
The collapse of response time
The urgency behind that shift is grounded in how quickly modern attacks now unfold. The traditional sequence — initial access, lateral movement, data exfiltration — has collapsed into tightly coordinated, near-simultaneous activity across multiple actors.
“The median time between initial access and the handoff to the secondary threat group has dropped from eight hours in 2022 to just 22 seconds in 2025,” Joyce emphasized during an RSA keynote.
That compression reflects a broader structural change. Cyber operations are no longer linear campaigns but ecosystems, where access brokers, operators, and monetization specialists operate in parallel. Artificial intelligence is accelerating that model by automating key phases of exploitation and movement.
“Agentic approaches for exploit development will allow adversaries to outpace human-driven controls,” Joyce said.
John Hultquist, chief analyst at Google Threat Intelligence Group, says that once an intrusion is under way, defenders are already behind. “Active defense is looking for opportunities outside of the castle walls, before the actor shows up inside or starts hitting the castle walls.”
Gerstell describes the same imbalance more bluntly. “The bad guys … have the advantage,” he says.
What ‘proactive cyber’ means
Despite the more aggressive language, this shift toward private-sector involvement doesn’t envision vigilante-style payback by aggrieved organizations. It instead embraces a more systematic effort to interfere with adversaries earlier in the attack chain using authorities and capabilities that already exist.
“To be clear, this is not hacking back,” Joyce said. “This is the legal and ethical use of intelligence to protect our own platforms.”
In practice, that approach combines civil litigation, coordinated takedowns, public exposure of tools, and product hardening. The goal is to impose cost and friction across the ecosystem rather than to stop individual intrusions.
“Our goal is to shift the economics of the entire ecosystem, to make cyber threat operations so costly, so difficult, so risky, that it is no longer a viable path for any adversary,” Joyce said.
Hultquist underscores that this kind of disruption has real but limited effects. “We’re looking for operations that will have a longer-lasting effect on adversaries, or we can repeat at such a tempo that we can actually maintain the effect,” he says.
That dynamic is central to how proactive cyber is now being framed. Disruption is not a permanent solution; it is a way to degrade adversary capability and buy time.
Gerstell offers a practical boundary for where that activity becomes more controversial. “If you’re doing something only on your own network, it sounds defensive,” he says. “If you’re doing something on somebody else’s network, it sounds offensive.”
Why the private sector is central
The shift toward proactive cyber is rooted in who controls the terrain. “The private sector operates the very infrastructure that adversaries abuse,” Joyce said.
At the same time, the scale of cyber threats exceeds what the government can handle alone.
“There’s no world in which the government can do all the things,” Cynthia Kaiser, former FBI cyber deputy director and now SVP at Halcyon, tells CSO. “When I was at the FBI, there was no world in which you could do all the things.”
That has led to a push for deeper operational integration between government and industry, combining private-sector visibility and speed with public-sector authority.
Adam Maruyama, a former CTO, DoD and NSA analyst, and counterterrorism expert, says the shift toward more proactive action is necessary but lacks clear rules. Acting earlier in the attack chain, he notes, raises questions about how those operations should be conducted across jurisdictions and how they should be coordinated with allies.
“Once you start acting outside your own network, you’re immediately dealing with questions of jurisdiction and coordination,” Maruyama tells CSO. “Those aren’t fully worked out.”
Without that clarity, more assertive disruption efforts risk creating friction even among partners, particularly when infrastructure sits outside US control.
National Cyber Director Sean Cairncross framed the goal as correcting an imbalance. “The risk calculus on our adversary side in this space doesn’t seem to be calibrated correctly,” he said at the McCrary Institute Cyber Summit in March.
But Cairncross drew a clear boundary around private-sector action. “I am not talking about private sector industry or companies engaging in a cyber offensive campaign,” he said. “That’s not what we’re talking about.”
The fault lines: How far is too far?
Agreement on the need to act earlier does not extend to agreement on how far those actions should go.
Kaiser sees a practical path in focusing on criminal actors, where legal authorities are clearer, and escalation risks are lower. “I think the least risky way in which industry can help on this front is with criminal actors,” she says, pointing to infrastructure takedowns and recovery of stolen funds.
She also argues that legal frameworks may need to evolve. “The primary thing I’d like to see is re-looking at the laws as they exist now and seeing if there are ways in which industry can help more with taking down infrastructure and clawing back stolen funds,” she says.
Others are more cautious. Maruyama points to the complexity of globally distributed infrastructure. “What if their infrastructure is hosted not in North Korea, but in France … or a semi-allied country like Malaysia?” he asks.
Hultquist reinforces that caution from an operational standpoint, but stresses that disruption only matters if it is effective against the actors it targets. That is one reason Joyce said in her keynote that, whatever tactic Google uses against adversaries, it intends for them to “stay burned.” As Hultquist puts it, “We are committed to operations that have lasting effects.”
Who can do this
Even if those tensions are resolved, the ability to carry out proactive disruption is concentrated among a small number of actors.
“This is something that Google can do [and that] Microsoft has done and can do,” Gerstell says. “A medium-sized company probably can’t.”
The requirements include not just technical capability but legal authority, operational scale, and control over infrastructure. Large platform providers can act within environments they own and can absorb the risks associated with disruption. Most enterprises cannot.
Even among organizations that could act, willingness varies. “Some of them could do it, but don’t want to,” Gerstell says.
What should CISOs do?
For enterprise security leaders, the shift toward proactive cyber does not expand their mandate to take on offensive or disruption roles. Instead, reinforcing core cybersecurity fundamentals remains the priority.
“The basic blocking and tackling is still critical,” Gerstell says.
Kaiser frames the enterprise role as participation rather than initiative. “What more can we all do?” she asks, particularly in supporting takedowns and recovery efforts where industry can act “more quickly and nimbly than the government can.”
That participation requires operational readiness: the ability to share telemetry quickly, preserve evidence, and respond in real time when providers or law enforcement act against adversary infrastructure.
For CISOs, that means upstream disruption does not reduce the need for internal resilience. Even as governments and large cybersecurity providers increase pressure on attackers, enterprises should expect continued activity — often from the same actors operating in slightly different ways.
At the same time, the legal limits remain clear. Acting outside an organization’s own environment introduces risks that most enterprises are not equipped to manage. The practical role for CISOs is not to become more aggressive, but to operate effectively in a system where others increasingly handle disruption.