This occasional paper explores how commercial offensive cyber tools, while having legitimate applications in areas like corporate security and law enforcement, are also vulnerable to misuse, posing serious risks to national and international security. It focuses on the dynamics that enable the proliferation of offensive cyber capabilities, particularly identifying state permissive behaviours (SPBs) and non-state proliferating factors (NPFs) that contribute to this spread. The paper provides an in-depth analysis of how regulatory frameworks, corporate governance, legal standards, diplomatic engagement, and integration into security ecosystems all play a role in facilitating or curbing the proliferation of these capabilities. By investigating SPBs in relation to the international market for offensive cyber tools, it aims to inform ongoing policy debates about how to mitigate these risks through national and international interventions. The work draws on data from desk-based research and consultative workshops with industry stakeholders and focuses on outlining actionable insights to address offensive cyber proliferation responsibly. A companion paper from Chatham House sets out policy options: https://coilink.org/20.500.12592/10ipg25.