Breach & Attack Simulation

Security is point-in-time. It’s not a matter of if you get hacked, but when. Why not simulate hacking yourself to get better at attack detection and response?

Mike P
Mike P

Table of Contents

Terms You Might Also Hear

  • Attack Simulation
  • Automated Red-Teaming
  • Breach Simulation
  • Continuous Security Validation
  • Security Posture Validation
  • Threat-Informed Defense

Problem Statement

  • For attackers, there is a high upside to a breach and a low chance of consequences.
  • Companies have a hard time detecting breaches and successful attacks.
  • The average time to detect and contain a data breach is 280 days. Attackers can take what they want from who they want when they want.

Market Solution

Enter Breach & Attack Simulation (BAS) platforms.

  • Compliance frameworks and risk assessment methodologies are subjective. Let technology tell you where your real risks are instead.
  • Continuous threat assessment and security control validation by way of simulated attacks. Test controls, test processes, and test people.
  • Map the efforts to an attacker playbook or MITRE ATT&CK framework, and you’ve got “Attacks as Code (AaC).”


This is not an exhaustive list. If I'm missing a company, let me know!


  • There will be an industry shift from “vulnerability management” to “exposure management.”
  • Focused patching will take on a new meaning. Vulnerabilities are not created equal. Solutions like this can help you better focus your patching efforts on what matters.
  • Security risks from mergers and acquisitions can get added context using this technology.
  • Monte Carlo "what-if" simulations can become a popular exercise among top executives. Have fun trying to come up with crazy scenarios to detect and defend against.
  • Strengthen the supply chain. Companies will use this kind of technology to find out which partners measure up and which ones do not.


  • Create a new business model. Red, blue, and purple team testing-as-a-Service businesses could launch from these platforms.
  • Simulate “famous” attack scenarios. Attempt to do a malicious code injection into your CI/CD pipeline a la SolarWinds. Deploy fake ransomware like the Colonial Pipeline ransomware event.
  • Put context around vendor management programs and third-party vendor security. Stop relying on subjective, point-in-time questionnaires. Start surfacing legitimate and real threats to your business and supply chain.
  • Supplement your threat modeling. It all comes back to context, risk, and likelihood of a given solution. Make sure the controls you’re implementing add value.
  • Improve security architecture patterns. This should go without saying, but learn from these systems. Identify patterns of weakness in your architecture patterns and remediate them going forward.

Key Insights

  • Don’t forget the human side. Technology continues to evolve, but this can't replace skilled pen testers (if any vendors tell you this, run the other direction!).
  • Use this technology to reduce your biggest threats and patch vulnerabilities that matter.
  • Hone in your security investments. Technology like this can help you buy the right things for your security program and company. Defense-in-Depth doesn't work if it's not focused.
  • Improve your audits. You can now go beyond paper-based questions and get to the heart of the matter of your security risks.
  • Frameworks aren’t enough. Frameworks help build out core capabilities, but they can’t tell you how secure you are from real threats. Automated testing makes frameworks tangible.

Pro Positions

What type/size/stage company should leverage these platforms?

  • Startups - especially for cloud-first startups, this kind of solution is great for you. If you need an ad-hoc or recurring scan or pentesting for SOC 2 or regulatory compliance, this is where to look. Do it (Just in Time) JIT style when your customers need it at this stage. The cloud makes using this kind of platform a no-brainer.
  • SMBs - This kind of tech is important and affordable for your customer-facing applications. Make this a habit as you build up your internal capabilities.
  • Larger Companies - This should be an essential part of your enterprise security strategy, if and only if, you are well-practiced at patching and incident response processes. Most large companies have too many risk acceptances and process exceptions to really mitigate their biggest risks, so a tool like this might not be as effective unless you change priorities and expectations on mitigating exposure over just patching.

What makes one of these platforms “good?”

  • Prioritization of identified threats.
  • Context around vulnerability data and exposure of weak points to the Internet.
  • Visualized attack paths so you can under the “how.”

Out of the Players listed, who are the top to consider?

  • If you’re a startup/SMB that is cloud-first, check out Detecitfy and XM Cyber.
  • If you’re a larger enterprise, Cymulate is the up-and-coming leader in this space and one you should strongly consider.


Thanks for reading this far!

This post is not meant to be a particular endorsement for any one player or company in this product category but is instead intended to be an industry-level primer.

If I missed something (or am just wrong), let me know!

This is not a paid post, and none of the companies listed above paid for placement. I just pick a few companies at random when I write. Also, at the time of writing this post, I have no active investments in any of the companies mentioned above.

If your company is looking to get more of a highlight, consider sponsoring the Security, Funded newsletter.