What happens when you remove timeboxes, rigid scope, and checklist-driven testing from offensive security? In this episode of Ahead of the Breach, we sit down with Andy Grant to explore what it looks like to build an intuition-driven offensive security program, one designed to let skilled engineers follow the signal instead of the schedule.
Drawing from more than a decade in consulting and product security, Andy shares how traditional two-week pentests often cut off discovery just as understanding begins to form. His solution: hire exceptional hackers, give them space to explore, and focus on the most impactful risks rather than superficial coverage metrics.
Moving Beyond the Pentest Mindset
At the core of Andy’s philosophy is a simple shift: stop thinking like an auditor and start thinking like a real adversary. Attackers don’t chase coverage percentages or count cross-site scripting findings; they pursue objectives. They look for footholds, pivot points, and the shortest path to meaningful impact.
An intuition-driven program mirrors that behavior. Engineers are encouraged to explore rabbit holes, threat model from an attacker’s perspective, and decide where their time is best spent. Scope is intentionally flexible, and time restrictions are minimized to allow genuine discovery.
Open Scope, Real Accountability
Freedom doesn’t mean chaos. Guardrails exist in the form of regular check-ins, peer reviews, and structured documentation. Engineers are expected to articulate why they’re pursuing a particular path, what risk they believe exists, and whether the effort aligns with meaningful impact for the business.
Even when critical vulnerabilities aren’t found, the work still delivers value. Deep technical exploration improves organizational understanding of how systems truly behave, not just how documentation says they behave.
Tooling, Automation, and AI as Force Multipliers
The program blends manual expertise with automation and custom tooling. Engineers build their own methodologies, ranging from in-house fuzzing environments and cloud attack surface analysis to code review tooling, rather than following a prescribed checklist.
AI plays a growing role as well. It’s used to accelerate proof-of-concept development, identify code hot spots, analyze patch behavior, and simulate black-box adversarial thinking. But the human remains firmly in the loop: guardrails are critical to catch false positives, hallucinations, and misplaced confidence before they shape a finding.
Rethinking Metrics and Measuring What Matters
One of the more provocative elements of Andy’s approach is his rejection of purely quantitative security metrics. Counting critical findings or tickets can create perverse incentives that distort behavior. Instead, success is measured through impact, depth of understanding, and the quality of security conversations happening across the organization.
High-value findings, executive briefings, and increased trust from engineering teams become the real indicators that the program is working.
Building This Without a Massive Budget
Not every organization can field a full offensive research team. Andy suggests starting smaller: treat it like a research rotation. Give one or two engineers dedicated time to pursue a self-defined investigation, then share the results broadly. Over time, the demonstrated value can help build executive support for expanding the model.
The Mindset Shift That Changes Everything
Perhaps the biggest takeaway from this conversation is that intuition-driven security requires a different kind of practitioner. The best performers in this model thrive in ambiguity, ask better questions than they’re given, and see security research as exploration rather than task completion.
In a world of accelerating release cycles and AI-assisted attackers, the organizations that empower that mindset will stay ahead.