Threat Simulation Call to Action for 2018

As our SOAR research project is nearing completion, a reasonable question of “what other esoteric stuff deployed only by the top 1% we can research next?” “what other usable insight on new technologies we can provide?” :-)

We (Augusto and myself) decided to tackle a ***BIG*** problem: how to actually test organization’s security, entire security? We are going to look beyond pentesting, red teaming, application testing, maturity assessments [well, the last item is not really a test per se], etc to the meta-challenge of testing your overall security. Won’t it be fun!!!

We will describe what we have in mind on the blog(s) later (we need to gather our thoughts first), but as a part of this effort we want a closer look at so-called “Breach and Attack Simulation” (BAS) technologies. The vendors I’ve heard of in this space include Cymulate, SafeBreach, ThreatCare, and Verodin (listed alphabetically; Gartner documents may mention other vendors that compete with these). In fact, this part of the research may result in a separate paper, just on the usage of these technologies.

As we understand it, these tools promise to pretend to perform things similar to what the attackers will do (such as lateral movement, exfiltration, privilege abuse, perhaps exploitation, etc) in order to test how well your security controls (prevention, detection, response) work. Naturally, if you are not able to act on the findings, these tools will not do you any good, just like the pentests people [occasionally] ignore.


  • If you are vendor of threat, attack or breach simulation tools, please schedule a Vendor Briefing with Augusto and myself [and, no, you do NOT need to be a Gartner client for this!]
  • If you have used such tools and have a happy/sad story to tell about your experience, please share [if you are a Gartner client, this may be covered by Gartner client NDA].

P.S. Note that our Vendor Briefing lead times are becoming longer, so schedule a VB now … and get it for early February.

P.P.S. Yes, I read that report already, thanks for sending it.

This is a Security Bloggers Network syndicated blog post authored by Anton Chuvakin. Read the original post at: Anton Chuvakin