I think offensive vs defensive is a very easy choice. We want to prevent our systems from being compromised, but don't have any business provoking attacks by breaking into systems. Invest in defense.