Private Offensive Cyber Operations (?!)
12–15–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, December 15, 2025, and as we close out the year, we’ve got a news story that’s going to flip the script a bit for this show. Today, we’ll be talking about offensive cyber activity, rather than defense.
Private Offensive Cyber Operations (?!)
Last week, Bloomberg had a piece detailing a move from the Trump administration to “to turn to private businesses to help mount offensive cyberattacks against foreign adversaries.”
The reporting notes:
“The White House plans to make public its intention to enlist private companies in more aggressive efforts to go after criminal and state-sponsored hackers in a new national cyber strategy, a draft of which has been viewed by industry officials and experts. The strategy is expected to be released by the Office of the National Cyber Director in the coming weeks.”
While we almost always talk about cyber defense on this show, it’s worth flipping the script a little bit here to explore what this might mean.
Bloomberg notes this proposal “would open lucrative new business opportunities to firms that have traditionally contracted with the government on defensive strategies rather than offensive measures” - so there’s obviously some financial incentive there.
But, offensive cyber operations are a very different beast. We’ve got challenges with attribution, of course, but also with the scope and scale of that offense. Are we just trying to wreck servers? Delete things? Or are we launching our own ransom operations where we also steal things?
There are still far more questions than answers, but I can remember being on a panel more than a decade ago where I got a question about hacking back. My response then was that if you’re good enough to hack back, then you’re in the wrong business. But that doesn’t mean I want private offensive attacks to actually be a business.
We’re looking at this in a very difficult time, because I also saw a formal research paper this week comparing AI agents to humans in offensive tasks. Guess what? The AI outperformed 90% of the human participants.
Given our previous conversations about AI hacking - that it mostly will lower the bar and accelerate the rate of attacks, rather than offering truly novel capabilities - we’d be likely to see that play out in this new offensive regime, as well.
And, what - do we think that nation states or other cyber adversaries won’t hack back?
This all seems like playing with fire, when we are seeing private US companies in the Defense Industrial Base struggle with CMMC compliance, and also seeing healthcare providers lobbying for less-strict cybersecurity requirements under HIPAA.
As usual, I’d encourage you to continue to focus on fortifying your own defenses for now. Things may heat up and get a little wild out there, but control what you can control, plan for the risks you can foresee, and continue to make progress on the things that matter to your and your businesses.
Fundraising
From a fundraising perspective, we saw $6.3B in newly committed capital, almost all of which was led by TPG Credit, who raised $6.2b for its third fund. Congrats to the team over there.
We also saw some good IPO traffic on the US public markets last week, indicating that we may be ready to see more in 2026 - providing some much-needed liquidity for some of these investments.
A reminder as we come to the close of the year that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://arxiv.org/abs/2512.09882
https://defensescoop.com/2025/11/10/cmmc-compliance-dod-enforcement-defense-industry-readiness-gaps/