Security Testing Glossary

BAS - Breach and Attack Simulation

Breach and Attack Simulation (BAS) is a technology that continuously and automatically simulates cyberattacks to identify security vulnerabilities in real time, without the need for manual penetration testers. BAS platforms test detection (does the SIEM detect the attack?), prevention (does the firewall block it?), and response (does the SOC respond correctly?) based on MITRE ATT&CK® techniques.

Breach and Attack Simulation (BAS) bridges the gap between one-time penetration tests and ongoing security validation. While a penetration test provides a snapshot ("on Day X, the system was this secure"), BAS runs continuously and immediately detects any drift in the security configuration.

BAS vs. Penetration Testing vs. Red Team

Comparison of Approaches:

Penetration Test:
  Frequency: 1–2 times per year
  Scope:     Defined scope, targeted
  Method:    Manual expertise + tools
  Output:    Detailed report
  Strength:  Deep, complex attack chains
  Weakness:  Snapshot, expensive, infrequent

Red Team Exercise:
  Frequency: 1× per year (or less often)
  Scope:     Open-ended objective (APT simulation)
  Method:    Advanced Persistent Threat emulation
  Output:    Executive summary + technical report
  Strength:  Realistic APT simulation, dwell-time test
  Weakness:  Labor-intensive, expensive, infrequent

BAS (Breach and Attack Simulation):
  Frequency: Continuous (daily/weekly)
  Scope:     All MITRE ATT&CK techniques (systematic)
  Method:    Automated simulation
  Output:    Dashboard, score, trend
  Strength:  Continuous validation, coverage measurement
  Weakness:  Lacks the creativity and context of a human pentester
             No 0-day discovery
             Cannot cover every complex scenario

Recommendation: Combine BAS + Pentest + Red Team
  BAS:       Continuous baseline + regression testing
  Pentest:   In-depth analysis of specific systems
  Red Team:  Realistic APT simulation and defense validation

BAS Architecture and Functionality

BAS Platform Components:

1. Attack Library:
   → Database of attack techniques (MITRE ATT&CK-based)
   → Continuously updated with new TTPs
   → Categorized: Initial Access, Execution, Persistence,
     Privilege Escalation, Defense Evasion, Credential Access,
     Discovery, Lateral Movement, Collection, Exfiltration, C2

2. Agents / Simulators:
   → Lightweight agents on endpoints and network devices
   → Execute attack techniques "harmlessly" (no actual damage!)
   → Example: Simulate "DNS beaconing" without a real C2 connection

3. Simulation Engine:
   → Coordinates attack simulations
   → Combines techniques into complete attack chains
   → Purple Team Mode: Shows which techniques are detected

4. Analytics & Reporting:
   → MITRE ATT&CK Navigator heatmap: Visualize coverage
   → Score: "X% of techniques are detected/blocked"
   → Trending: Improvement/deterioration over time
   → SIEM comparison: Expected alert vs. alert actually triggered?

Techniques BAS tests:
  □ Malware simulation: Deliver payload to endpoint (without actual infection)
  □ Lateral movement: Simulate PsExec, WMI, pass-the-hash
  □ Data exfiltration: Exfiltrate data via DNS/HTTP/HTTPS
  □ C2 communication: Beacon to simulated C2 server
  □ Privilege Escalation: Test known vulnerabilities for escalation
  □ Defense Evasion: Test AMSI bypass, EDR circumvention (harmless!)
  □ Email Phishing: Deliver payload via email to sandbox

Leading BAS Platforms

Commercial:

Cymulate:
  → Broad MITRE ATT&CK coverage
  → Email gateway testing (phishing simulation + malware)
  → Web application testing (OWASP Top 10)
  → Cloud security testing (AWS, Azure)
  → Price: Enterprise, custom pricing

AttackIQ:
  → "Purple Teaming" focus
  → Deep MITRE ATT&CK integration
  → FireDrill: Automated breach simulation
  → Academy: Free ATT&CK training

SafeBreach:
  → "Hacker's Playbook" approach
  → 30,000+ simulation scenarios
  → Insider threat simulations
  → Cloud-native BAS

Picus Security:
  → "Peer Comparison": How do I stack up against the industry?
  → Mitigation Library: Specific fix recommendations
  → Use Case: SIEM Detection Validation

Pentera:
  → Automated Penetration Testing (not just simulation)
  → Real exploit code (in a controlled environment)
  → RPA (Robotic Pen Testing) – automated full-chain exploits
  → Difference from other BAS: real exploitation, not just simulation

Open Source:

Atomic Red Team (MITRE ATT&CK Lab):
  → GitHub: github.com/redcanaryco/atomic-red-team
  → Free: PowerShell/Bash tests for individual ATT&CK techniques
  → No dashboard, but good for detection engineering

Caldera (MITRE):
  → Automated adversary emulation framework
  → Plugin system: Sandcat Agent, Commander Plugin
  → For security teams with technical experience

BAS in Practice

Typical BAS use case:

Use Case 1: SIEM Detection Validation
  Problem: We have 500 SIEM rules. Which ones actually work?
  BAS solution:
    → BAS executes the technique (e.g., T1003.001 LSASS Dump)
    → Expected: Alert in SIEM
    → Comparison: Alert triggered? (Gap analysis)
    → Result: "Of 50 techniques tested: 32 detected, 18 gaps"
    → Action: Create detection rules for the 18 gaps

Use Case 2: EDR/AV Tuning
  Problem: Does our EDR block current malware?
  BAS Solution:
    → Malware payload simulation on endpoint
    → Expected: EDR blocks/quarantines
    → Comparison: Blocked? If not: Adjust EDR policy
    → Deployment: After every EDR update cycle

Use Case 3: Firewall Rule Check
  Problem: Which exfiltration channels are open?
  BAS Solution:
    → Simulates data exfiltration via DNS, HTTP, ICMP, SMB, FTP
    → Firewalls should block
    → Report: "DNS exfiltration: blocked; ICMP exfiltration: NOT blocked → Fix!"

BAS Integration into Security Processes:
  □ Weekly BAS scan → Dashboard review in the SOC
  □ After every major system update → Regression test
  □ Monthly report to management: Security score trend
  □ Before penetration testing: BAS for pre-validation
  □ After pentest findings: BAS confirms whether the fix is correct

KPIs from BAS:
  Prevention Score:  % of techniques blocked
  Detection Score:   % of techniques detected
  MTTD (Mean Time To Detect): How quickly is a simulation detected?
  Coverage Score:    % of the MITRE ATT&CK Matrix covered
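The analytics step ("expected alert vs. alert actually triggered"), the SIEM Detection Validation use case, and the KPI definitions above all come down to the same bookkeeping: correlate each simulated technique with the alerts the SIEM actually raised, then derive the scores. The script below is an added example, not code from this glossary or from any of the vendor platforms listed; it works on a constructed BAS run and a constructed SIEM alert export, correlates them by technique ID, host and a 30-minute time window (the correlation rule is this example's own assumption), and produces the prevention score, detection score, MTTD, the gap list, a regression check between two runs, and an ATT&CK Navigator layer for the coverage heatmap (field names follow the public layer format; the version strings are assumptions).

```python
"""Gap analysis for one BAS run: correlate simulated ATT&CK techniques with SIEM
alerts, compute the detection / prevention / MTTD KPIs, flag gaps and regressions,
and emit an ATT&CK Navigator layer. Added example with constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass
class Simulation:
    technique: str      # ATT&CK technique ID the platform simulated, e.g. T1003.001
    host: str           # endpoint the agent ran on
    started: datetime   # simulation start (UTC)
    blocked: bool       # True if a prevention control (EDR/firewall) stopped it


# Constructed sample run: six techniques across three hosts (not real results)
SIMULATIONS = [
    Simulation("T1003.001", "ws01", datetime(2024, 5, 6, 9, 0, 0), False),
    Simulation("T1021.002", "ws01", datetime(2024, 5, 6, 9, 5, 0), False),
    Simulation("T1048.003", "srv02", datetime(2024, 5, 6, 9, 10, 0), True),
    Simulation("T1071.004", "srv02", datetime(2024, 5, 6, 9, 15, 0), False),
    Simulation("T1562.001", "ws01", datetime(2024, 5, 6, 9, 20, 0), True),
    Simulation("T1566.001", "mail01", datetime(2024, 5, 6, 9, 25, 0), False),
]

# Constructed SIEM alert export, one alert per line: timestamp|rule name|host|technique.
# The last line is an unrelated alert on another host and must not count as a hit.
SIEM_ALERTS = """\
2024-05-06T09:00:42Z|Credential dumping via LSASS access|ws01|T1003.001
2024-05-06T09:11:06Z|Outbound FTP blocked by perimeter firewall|srv02|T1048.003
2024-05-06T09:30:00Z|Anomalous DNS query volume|srv02|T1071.004
2024-05-06T09:20:12Z|Security tool tampering detected|ws01|T1562.001
2024-05-06T08:30:00Z|Credential dumping via LSASS access|ws99|T1003.001
"""


def parse_alerts(text):
    """Parse the pipe-delimited export into (timestamp, rule, host, technique) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule, host, technique = line.split("|")
        alerts.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), rule, host, technique))
    return alerts


def correlate(sims, alerts, window=timedelta(minutes=30)):
    """Expected alert vs. alert actually raised: map each simulated technique to the
    delay (seconds) of the first matching alert on the same host inside the window,
    or None when the SIEM stayed silent (a detection gap)."""
    delays = {}
    for s in sims:
        hits = [a[0] - s.started for a in alerts
                if a[3] == s.technique and a[2] == s.host
                and s.started <= a[0] <= s.started + window]
        delays[s.technique] = min(hits).total_seconds() if hits else None
    return delays


def scorecard(sims, delays):
    """Prevention score, detection score, MTTD and the gap list for one run."""
    detected = [t for t, d in delays.items() if d is not None]
    mttd = sum(delays[t] for t in detected) / len(detected) if detected else None
    return {
        "prevention_score": round(100 * sum(s.blocked for s in sims) / len(sims), 1),
        "detection_score": round(100 * len(detected) / len(sims), 1),
        "mttd_seconds": mttd,
        "gaps": sorted(t for t, d in delays.items() if d is None),
    }


def regressions(previous, current):
    """Drift check between two runs: techniques the SIEM saw last time but not now."""
    return sorted(t for t, d in previous.items()
                  if d is not None and current.get(t) is None)


def navigator_layer(sims, delays, name="BAS run"):
    """Build an ATT&CK Navigator layer scoring each technique 0 = gap, 1 = detected,
    2 = blocked. Field names follow the public layer file format; the version strings
    are assumptions and may need adjusting for the Navigator build in use."""
    techniques = []
    for s in sims:
        d = delays[s.technique]
        score = 2 if s.blocked else (1 if d is not None else 0)
        comment = "blocked" if s.blocked else (
            "detected after %ds" % d if d is not None else "GAP: no alert")
        techniques.append({"techniqueID": s.technique, "score": score, "comment": comment})
    return {
        "name": name, "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9"},
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "techniques": techniques,
    }


if __name__ == "__main__":
    delays = correlate(SIMULATIONS, parse_alerts(SIEM_ALERTS))
    print(json.dumps(scorecard(SIMULATIONS, delays), indent=2))
    # Simulated follow-up run in which the LSASS rule went silent
    print("regressions:", regressions(delays, {**delays, "T1003.001": None}))
    print(json.dumps(navigator_layer(SIMULATIONS, delays), indent=2))
```

On the constructed data the run scores 66.7% detection and 33.3% prevention with an MTTD of 255 seconds, and T1021.002 and T1566.001 come out as gaps that need detection rules. The host and time-window match matters: the stray LSASS alert on ws99 is ignored, so an unrelated alert elsewhere in the estate cannot mask a gap on the host that was actually tested. The regression check is what turns a weekly run into the drift detection described above: a technique that was detected last week and is silent this week is a configuration change worth chasing, not a success.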