Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Fact vs Fiction: The Truth About Breach and Attack Simulation Tools

In 2017, a category called Breach and Attack Simulation (BAS) tools made its first appearance on the Gartner Hype Cycle for Threat-Facing Technologies, positioned as a technology on the rise.

In 2017, a category called Breach and Attack Simulation (BAS) tools made its first appearance on the Gartner Hype Cycle for Threat-Facing Technologies, positioned as a technology on the rise. Since then, these tools have been gaining momentum because they allow security teams “to have a consistent way to continuously test your controls, from prevention to detection (and even response)”, as described by Gartner. But as anyone who has been in the security industry for even just a few years knows, with momentum comes confusion around a technology’s capabilities, role in the security stack, and benefits. Here’s my take at dispelling some misconceptions and providing clarity to help you, as a security professional, derive the most value from these tools.

BAS is part of the evolution we’re seeing in detection capabilities. Fact. 

With the recognition that breaches are happening with increased volume and velocity, we’ve shifted from a focus on prevention to include detection, response, and automation. Examples of this evolution include the proliferation of tools like Endpoint Detection and Response (EDR), the popularity of the MITRE ATT&CK framework, and the emergence of Breach and Attack Simulation tools. By incorporating automation, BAS tools allow you to conduct more simulations faster, continuously test the efficacy of control points, and help make your security posture more consistent despite a dynamic threat landscape. 

BAS tools are next-generation vulnerability scanning and management solutions. Fiction.

BAS tools are a great way to augment your vulnerability management program, but they don’t replace vulnerability scanning or penetration testing solutions. These tools don’t look directly at an asset and try to find vulnerabilities in that asset. Instead, BAS tools take a more holistic, campaign-based view to measure overall security effectiveness. They continuously, automatically, and simultaneously run simulations of end-to-end attack scenarios. This allows you to more quickly find gaps in your network and systems that make you vulnerable to various tactics, techniques, and procedures (TTPs) threat actors employ throughout the lifecycle of an attack so that you can take immediate steps to close those gaps. 

Finally, we have a “silver bullet” technology solution with BAS. Fiction. 

Whenever a new technology category emerges, the “silver bullet syndrome” creeps in. But no one technology can solve all our cybersecurity challenges. The threat landscape is too complex and dynamic. The attack surface is always expanding and changing. And, in response, security technologies and strategies must continually evolve. BAS tools are an important step forward, augmenting manually conducted attack simulations, but they are only one component in your security stack, and you can’t “set it and forget it”. You still need humans to configure and customize attack simulations for your environment, identify priority use cases given your organization’s threat landscape, and interpret the results of the simulations. 

BAS tools are useful for Red Team/Blue Team and Purple Teaming exercises. Fact.

The practice of breach and attack simulation is what Red Team/Blue Team and Purple Teaming exercises are all about. Red Team/Blue Team models pit “attackers” against defenders in exercises that can take weeks or months to complete and learn from. Purple Teaming is more collaborative and iterative so that organizations can improve their security posture during the exercise to capture immediate and ongoing value. Whichever model you use, BAS tools help these exercises scale through automation, providing the ability to run more simulations faster than with manual methods. But Red and Purple Teams should exercise caution when using BAS tools, because they can provide a false sense of security if relied on exclusively. The simulations are prescriptive, out-of-the-box scenarios that don’t consider the nuance of each organization. You need to make intelligent choices about which simulations to run. This requires people with skills to enrich or change simulations based on intelligence about threats targeting your organization and industry, an understanding of the specific assets your organization needs to protect, and the expertise to make sure detection and prevention is working as intended.

BAS tools offer quantitative metrics relevant to management. Fact.

Organizations make significant investments to protect their assets. By 2022, IDC projects worldwide security spending will exceed $133 billion. But are these technologies and tools working as they should? BAS tools offer an efficient and consistent way to measure the effectiveness of existing security detection capabilities and operations. Findings from the simulations can help guide product investment and configuration decisions to close security gaps, but they can also be used to help bridge the cybersecurity knowledge gap with enterprise leaders. You can use the information to engage in discussions about risk management and answer questions from your board and senior executives, like: Can threat actors bypass our defenses and do so undetected? What is our applicable risk? What kind of impact can they have? This puts you in a position to influence near-term investment decisions, engage in long-term security planning, and report on improvement in security operations in business terms.  

BAS tools are an important addition to your arsenal of defenses. However, as with any security investment, you need to understand the strengths and limitations of the technology to derive the most value. BAS tools aid in maintaining a fundamental level of security assurance more quickly and cost effectively than traditional approaches. What’s more, when combined with the right expertise, they can also help you play a strategic role in the overall success of the business.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...