Offensive Cybersecurity’s Role in Managing Canada’s Cybersecurity Risks: Lessons from the Netherlands
Tony Dong & Erik Henningsmoen, April 23, 2026
Learning from a Digital Leader: How Proactive Security Practices Strengthen National Resilience
Offensive Cybersecurity practices proactively identify and mitigate cybersecurity vulnerabilities before they can be exploited by bad actors. Given an increasingly hostile cybersecurity landscape, offensive cybersecurity practices are essential to keeping up with malicious actors and emerging threats. Using lessons from the Netherlands, ethical hacker Tony Dong and policy researcher Erik Henningsmoen explore what role offensive cybersecurity can play in managing Canada’s cybersecurity risks.
Canada faces a pivotal moment in managing its cybersecurity risks. Both the scope and sophistication of cyberattacks and the capabilities of cyber threat actors expand each year, while the costs of cybersecurity incidents increase for Canadian businesses. The intensifying cyberattacks endured by Canadian companies do not just amount to private losses: in aggregate, they degrade the Canadian economy, threaten national security, and diminish Canada’s economic competitiveness.
With a more hostile cybersecurity environment emerging globally, Canada can learn from other leading digital economies like the Netherlands in adopting offensive cybersecurity practices to enhance its cybersecurity posture.
Canada Faces an Increasingly Hostile Landscape in Cyberspace
The percentage of Canadian businesses that are affected by cybersecurity incidents dropped from 21% in 2019 to 16% in 2023, yet the most serious types of attacks, such as ransomware incidents, increased during that time. Canada’s largest companies were nearly twice as likely to experience a cybersecurity incident when compared to Canadian businesses overall.
The Canadian Centre for Cybersecurity’s 2025-26 National Cyber Threat Assessment observes that threat actors, including cybercriminal networks and hostile foreign governments, present a significant threat to Canada’s digital networks and sensitive data. Likewise, the Dutch government’s 2024 national cybersecurity assessment notes that “State and criminal actors account for the lion’s share of cyberattacks.” These cyber threat actors, often state-sponsored, are using increasingly sophisticated methods of attack and are adopting novel technologies such as artificial intelligence towards malicious ends.
What are Offensive Cybersecurity Practices?
Offensive cybersecurity practices, such as penetration testing, allow security teams to simulate cyberattacks in a controlled environment, enabling businesses to identify and address vulnerabilities in their systems before suffering a real cyberattack. These practices are essential to keeping up with the evolving tactics used by malicious actors in cyberspace. To supplement traditional penetration testing, red team exercises simulate more sophisticated and targeted attacks, often incorporating social engineering methods to test an organization’s readiness to handle real-life cyber incidents.
As an example, one memorable red team exercise Tony was involved in orchestrating in the Netherlands involved a simulated phishing attack crafted around a corporate Christmas party.
By timing the red team exercise to coincide with the holiday season, employees’ lowered vigilance was subtly exploited through a forged email, seemingly from a company receptionist, inviting them to click a spoofed Google Docs link to submit dietary requirements for the event. Lowered employee awareness in the run-up to the holidays and the convincing design of the phishing email led many to unwittingly provide invaluable insights into potential security gaps that could later be exploited by the red team.
This example emphasizes the importance of conducting red team exercises that closely mirror real-world threats. By regularly running these kinds of scenarios, organizations can continuously assess and improve their cybersecurity defenses, both in terms of technology and human behavior, ensuring they’re better equipped to handle emerging risks.
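The party-invitation lure described above has two tell-tale features a mail gateway or SOC analyst can check for: a sender address on a lookalike of the company's own domain, and a link whose host merely embeds a trusted name. The script below is an added illustration, not code from the article or its authors; the internal domain, the homoglyph map and both sample messages are constructed assumptions, and the heuristics are deliberately simple so the logic is visible.

```python
"""Heuristic checks for a holiday-party style phishing lure (added illustration).

Assumptions (not from the article): the organisation's mail domain is
example-corp.com, and the sample messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"                 # assumed internal mail domain
IMITATED_HOSTS = ("docs.google.com", "forms.gle")     # well-known hosts a lure may imitate
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Digits commonly swapped for look-alike letters in lookalike domains (constructed map)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed sample resembling the article's party-invitation lure
LURE = """\
From: "Reception Desk" <reception@examp1e-corp.com>
To: staff@example-corp.com
Subject: Christmas party - dietary requirements
Content-Type: text/plain; charset="utf-8"

Hi all, please submit your dietary requirements for the party here:
https://docs.google.com.party-rsvp-forms.net/forms/d/e/1FAIpQL
Thanks, Reception
"""

# Constructed benign message for comparison: internal sender, genuine form host
LEGIT = """\
From: "Reception Desk" <reception@example-corp.com>
To: staff@example-corp.com
Subject: Christmas party - dietary requirements
Content-Type: text/plain; charset="utf-8"

Form: https://docs.google.com/forms/d/e/1FAIpQL
"""


def is_lookalike(domain, target):
    """True when domain differs from target only by common homoglyph substitutions."""
    return domain != target and domain.translate(HOMOGLYPHS) == target.translate(HOMOGLYPHS)


def link_impersonates(host, trusted):
    """True for hosts such as docs.google.com.evil.net that embed a trusted name."""
    if host == trusted or host.endswith("." + trusted):
        return False          # the real host, or a genuine subdomain of it
    return trusted in host    # trusted name used as a label of an unrelated host


def message_text(msg):
    """Collect the text/plain body of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw, internal_domain=INTERNAL_DOMAIN):
    """Return human-readable findings for one raw RFC 5322 message; [] means nothing flagged."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    if sender_domain != internal_domain:
        if is_lookalike(sender_domain, internal_domain):
            findings.append(f"sender domain {sender_domain} is a lookalike of {internal_domain}")
        else:
            findings.append(f"sender {addr} ('{display_name}') is external to {internal_domain}")

    for url in URL_RE.findall(message_text(msg)):
        host = (urlparse(url).hostname or "").lower()
        for trusted in IMITATED_HOSTS:
            if link_impersonates(host, trusted):
                findings.append(f"link host {host} impersonates {trusted}")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

Run as a script it reports two findings for the lure (lookalike sender domain, impersonated Google Docs host) and none for the benign message. In production these checks would sit alongside SPF/DKIM/DMARC results and URL reputation rather than replace them; their value here is showing which concrete signals the holiday lure in the article would have produced.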
Offensive Cybersecurity Practices in the Netherlands
When comparing cybersecurity practices between Canadian and Dutch companies, there is a striking contrast in their approaches to offensive security measures, such as pentesting and red team exercises. As of 2023, only 56% of Canadian businesses report carrying out pentests on their networks. Dutch companies are far more proactive, with 88% adopting internal policies on the use of pentests. Globally, 83% of companies surveyed in Fortra Core Security’s 2024 pentesting report conduct pentests on an at least yearly basis.
The discrepancy between Canadian companies and their Dutch and global peers underscores a gap in cybersecurity rigor, as pentests are a critical tool for identifying vulnerabilities before they can be exploited by bad actors. According to a 2025 study by CDW, companies that pentest at least annually reduce both cyber infiltration incidents, as well as data breaches, when compared to companies who do not regularly carry out pentests.
The lower adoption rates of offensive cybersecurity techniques by Canadian companies may be a factor driving the rising average cost of cybersecurity incidents in Canada. According to IBM’s 2025 Cost of a Data Breach Report, Canadian companies’ average cost of a data breach amounts to CAD $6.98 million, up 10.4 percent since 2024, while globally, data breach incidents cost CAD $6.4 million in 2025 and are currently trending down.
Contracting Pentesting Services
The cost of contracting offensive cybersecurity services from vendors with specialized offensive capabilities varies with the services required and the complexity of the work. For example, a pentest can cost anywhere between $5,000 and $100,000, depending on scope. Common approaches to pentests include grey-box pentests, where the pentester has prior access to some internal system information and simulates an insider threat scenario, such as a compromised employee account; white-box pentests, where testers are provided with full access to internal system information, simulating a privileged account being breached; and black-box pentests, where the pentester starts with no prior access to internal system information, representing a malicious actor trying to illegitimately access a system for the first time.
All colours of pentests have their own inherent advantages and disadvantages, and differing price points, but they can be used in combination to stress-test system vulnerabilities. Like the holiday red team exercise outlined above, pentests can include red team or social engineering elements to increase overall realism. A target system’s IT and cybersecurity teams may or may not have warning that a pentest is taking place, so that not only the network is tested but also the organization’s response to the test. Cybersecurity firms offering pentest services work with clients to develop a clearly defined testing scope and rules of engagement, and should produce a report on the vulnerabilities detected at the conclusion of the pentest.
Creating Responsible Disclosure Programs
Another key component of offensive cybersecurity is the implementation of responsible disclosure programs, which actively invite ethical hackers to report discovered vulnerabilities, giving businesses early warning to address potential cyber risks. By establishing these programs, IT teams not only gain insights into hidden vulnerabilities in their networks but also build a collaborative relationship with the ethical hacking community.
Currently, Canada is the only G7 country without a formalized national responsible disclosure framework, indicating a significant policy opportunity to strengthen the country’s cybersecurity resilience. Without such a framework, ethical hackers responsibly disclosing discovered vulnerabilities may expose themselves to legal repercussions. It is also more challenging for individual companies to develop their own responsible disclosure programs without a national framework to structure them around. Since 2013, the Dutch government has maintained a responsible disclosure framework under its Coordinated Vulnerability Disclosure guidelines.
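Even without a national framework, an individual company can publish the entry point to its own disclosure program today. The file below is an added illustration, not something from the article or either author: it uses the fields defined in RFC 9116 for a `security.txt` file served at `/.well-known/security.txt`, and every URL and address is a placeholder on the reserved `example.com` domain.

```text
# /.well-known/security.txt  (fields per RFC 9116; all values are placeholders)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-01T00:00:00.000Z
Encryption: https://example.com/security/pgp-key.txt
Preferred-Languages: en, fr
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
Acknowledgments: https://example.com/security/hall-of-fame
```

The `Policy` link is where the safe-harbour language lives: it states what a researcher may test, how to report, and that good-faith reports will not be met with legal action, which is exactly the assurance the paragraph above notes Canadian researchers currently lack. RFC 9116 requires the `Expires` field and recommends a date less than a year out, so the file needs a renewal reminder like any other certificate or key.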
Conclusion
To meet the challenge of an increasingly hostile environment in cyberspace, Canadian companies can greatly benefit from adopting offensive cybersecurity practices, such as pentesting, red team exercises, and responsible disclosure programs as part of their cybersecurity practices. Improving the cybersecurity posture of companies helps Canada enhance national cyber resilience. Offensive approaches to cybersecurity have already been widely adopted in peer digital economies like the Netherlands with success and can help to improve cyber defences in Canada.
Tony Dong is an ethical hacker and founder of Buster Cybersecurity Ltd. Tony worked as a cybersecurity consultant in the Netherlands from 2022 to 2023. Erik Henningsmoen is a senior research and policy analyst with the Information and Communications Technology Council (ICTC), where he covers public policy, emerging technology, and workforce development issues related to Canada’s digital economy.