When it comes to breach and attack simulation (BAS) tools, the cybersecurity marketplace is booming. Driven by the increasing complexity of cyber threats, tools like AttackIQ and Mandiant Security Validation are dominating conversations. But as a CTO, I often caution organizations to resist the temptation of being persuaded by flashy marketing or cutting-edge features. Instead, the focus should be on one question: "Which BAS solution best serves our organizational needs?" 

Opening remarks 

Identifying your organization's primary drivers 

The key to selecting the right BAS solution lies in a deep understanding of your organization's unique drivers. While most BAS tools perform within a relatively tight margin — typically within +/- 5 percent of each other in terms of features and technical capability — contextual needs are what truly dictate the best fit. Factors like financial constraints, operational priorities, board-level mandates or resistance to onboarding new vendors can significantly skew the decision-making process. Failing to align the solution with these drivers can lead to suboptimal outcomes, wasting both time and resources. By identifying and prioritizing your organization's specific requirements from the outset, you can ensure that your chosen BAS solution not only addresses your technical needs but also aligns seamlessly with your broader strategic goals. 

Contextualizing technical metrics with non-technical weights 

The organization's drivers serve as the lens through which the features and functionality of a BAS tool are interpreted and evaluated. These drivers, such as energy efficiency goals, compliance requirements or operational scalability, inherently shape the tool's perceived value. Applying contextual weighting to the evaluation process is crucial. This ensures that the most critical features align with your organization's priorities rather than being overshadowed by less relevant capabilities. Furthermore, the dynamic nature of BAS solutions means that new features or updates may be released within 12 to 24 months after purchase. By embedding flexibility in your evaluation criteria and recognizing future adaptability as a key factor, you can better ensure that your investment remains relevant and continues to deliver value over time. 

Developing a holistic evaluation approach 

As a CTO, I have often witnessed scenarios where the best solution for an organization was not the one that scored highest in a technical evaluation. While technical efficacy is undeniably important, it is only one piece of the larger puzzle. Numerous other factors need to be considered to ensure the chosen solution aligns with both immediate and long-term organizational goals. Through this blog, my hope is to illuminate some of the critical questions decision-makers should be asking when evaluating different tools. 

Factors such as organizational readiness, existing workflows, flexibility and even cultural fit often play a pivotal role in determining the success of an implementation. It's also worth noting that no solution exists in a vacuum—vendors regularly release updates and new features. Dismissing a solution solely due to the absence of one or two functionalities can quickly become outdated thinking, especially when innovation is continually happening in the space. 

Beyond the selection itself, the real challenge lies in the implementation and integration of the solution into your operations. This step often determines whether the product can deliver its intended value. By adopting a holistic evaluation approach, businesses can avoid myopic decisions and instead focus on what drives meaningful progress for their specific circumstances. 

The market landscape 

Market evolution 

BAS tools trace their origins to traditional cybersecurity exercises, where offensive red teams simulated attacks against defensive blue teams to uncover vulnerabilities. These manual exercises laid the foundation for BAS, emphasizing the need to improve organizational security through realistic attack-defense scenarios. The underlying goal was clear: proactively identify weaknesses before malicious actors could exploit them. Over time, cybersecurity professionals recognized that periodic assessments were inadequate to keep pace with the rapidly evolving threat landscape, sparking the need for continuous, efficient testing. 

The red team/blue team model was effective, but it was also resource-intensive and time-consuming. By the mid-2010s, the cybersecurity industry began transitioning toward automation to address these challenges. This shift marked a pivotal moment in security validation practices, enabling companies to test their defenses continuously with minimal human involvement. Automation allowed organizations to conduct breach simulations around the clock, freeing security teams to focus on remediating vulnerabilities rather than executing labor-intensive tests. This era marked the emergence of specialized BAS platforms, designed to seamlessly handle both red and blue team functions while providing actionable insights and detailed reports on security vulnerabilities. 

While the category was officially recognized in 2017, several pioneering companies had already entered the space by 2015. These early tools laid the foundation for what would become a vital component of modern cybersecurity strategies, starting with security control validation and evolving into comprehensive security optimization solutions. 

In the early days of BAS, there were essentially three core solutions that defined the landscape: 

SafeBreach

Founded in September 2014 by CEO Guy Bejerano and CTO Itzik Kotler in Tel Aviv, SafeBreach quickly established itself as a pioneer in the emerging category of breach and attack simulation (BAS). Before founding the company, Bejerano served as a chief information security officer, while Kotler brought his experience as a hacker in the Israel Defense Forces' technology unit, adding practical cybersecurity expertise to their venture. 

In July 2015, the company raised $4 million in seed funding from an investor group led by angel investor Shlomo Kramer and Sequoia Capital, showcasing strong early confidence in the BAS concept. 

SafeBreach's primary product is a continuous security validation platform that runs breach simulations on a client's network to proactively detect and fix security vulnerabilities. The platform simulates various hacker methods such as brute force attacks, exploits and malware. Using their proprietary "Hacker's Playbook," a comprehensive library of breach tactics, SafeBreach creates tailored scenarios based on the client's specific environment. These simulations test whether existing security defenses are robust enough to provide adequate protection. This approach marked a significant shift from traditional, periodic penetration testing to continuous, automated security validation. 

Verodin 

Founded in 2014 in McLean, Virginia, Verodin quickly emerged as a leader in the breach and attack simulation (BAS) space. Established by cybersecurity veterans with decades of experience, the company set out to help organizations eliminate assumptions and prove cybersecurity effectiveness through evidence-based data. Verodin referred to its BAS solution as the Security Instrumentation Platform (SIP), designed to help enterprises evaluate the effectiveness of their security controls, optimize and streamline security tools, detect environmental changes, and assess cybersecurity risks. 

Verodin developed strong partnerships with leading vendors such as AlienVault, ArcSight, Blue Coat, Carbon Black, CrowdStrike, Elastic, FireEye, McAfee, Palo Alto Networks, Splunk, Symantec and many others. The company also attracted notable investment from firms like Bessemer Venture Partners, Blackstone, Capital One Growth Ventures, Cisco Investments and Citi Ventures. 

Verodin's impact on the BAS market was solidified in 2019 when FireEye acquired the company for $250 million, marking FireEye's largest acquisition in five years. This milestone highlighted Verodin's significance in advancing cybersecurity innovation. The solution was eventually rebranded as Mandiant Security Validation and is now owned by Google. 

AttackIQ 

AttackIQ is one of the earliest pioneers in the breach and attack simulation (BAS) market and has since grown into an industry leader. The company developed a platform that emulates adversary tactics, techniques and procedures aligned with the MITRE ATT&CK framework. This platform provides clear, data-driven insights into security program performance, along with actionable mitigation guidance. 

What set AttackIQ apart in the early days of the BAS market was its emphasis on security optimization rather than simply identifying vulnerabilities. BAS initially focused on running attacks and augmenting red teams. Over time, it evolved to include security control validation, with the ultimate goal of maximizing the effectiveness of an organization's entire cybersecurity program. This evolution showcases how early tools like those from AttackIQ helped redefine the approach to security validation and optimization in the industry. 

Current state

In recent years, the BAS market has grown exponentially, with forecasts predicting a compound annual growth rate (CAGR) of 33.4% from 2022 to 2029, potentially reaching nearly $35 billion by 2029. This rapid expansion underscores the rising importance of BAS tools as essential components of modern cybersecurity strategies, especially as threats become both more numerous and sophisticated. Contemporary BAS solutions now provide continuous, automated validation of security controls using up-to-date threat intelligence. They go beyond traditional vulnerability assessments by testing how well prevention and detection mechanisms respond to realistic attack scenarios. This evolution marks a paradigm shift in cybersecurity. 

Mandiant Security Validation

Mandiant Security Validation (MSV) has emerged as one of the top two security validation platforms in our assessment at WWT, thanks to its unmatched ability to deliver comprehensive and actionable security control testing. By leveraging Google-backed threat intelligence, MSV empowers organizations to validate their defenses against real-world adversary tactics with exceptional precision. 

Built on a five-step, intelligence-led validation methodology, MSV provides security teams with practical insights to improve their defenses. This methodology includes prioritizing threats using relevant intelligence, assessing current security posture, identifying and closing gaps, optimizing security portfolios, and continuously monitoring for environmental changes. These steps ensure a structured, effective approach to enhancing security capabilities. 

The platform's standout capability lies in its access to Mandiant's frontline threat intelligence, derived from extensive, real-world incident response engagements. This intelligence allows MSV to test security controls against the latest adversary tactics, techniques, and procedures (TTPs), in alignment with industry standards like MITRE ATT&CK and NIST. 

What sets MSV apart is its advanced features, such as Protected Theater, which safely tests destructive endpoint scenarios, and the Cloud Validation Module (CVM), which enables thorough email-based testing across on-premises and cloud environments. This goes far beyond traditional breach and attack simulation, offering a holistic view of how security controls hold up against diverse attack vectors. 

Mandiant Security Validation's innovative approach, cutting-edge threat intelligence, and comprehensive testing make it a leading choice for organizations seeking to strengthen their security posture — and one of our top recommendations at WWT. 

AttackIQ 

AttackIQ is a leader in the BAS market, providing advanced security validation through its innovative security optimization platform. Founded in 2013 and based in San Diego, California, the company is led by security experts with deep experience in consulting, penetration testing and threat research. AttackIQ's mission is to move beyond guesswork in security testing, offering continuous, cost-effective scenario creation to hold security teams and vendors accountable. 

The company's flagship product, the PREACT™ Security Optimization Platform, specializes in security control validation by simulating adversary tactics, techniques and procedures using the MITRE ATT&CK® framework. This platform enables organizations to test their defenses against realistic attack scenarios, delivering insights into their security posture. It is an agent-based solution that supports on-premises and cloud deployments across Windows, Linux and macOS environments. Its intuitive dashboard provides clear visualizations and easy-to-understand reporting on attack readiness. 

AttackIQ transforms traditional manual security testing into an automated, scalable process. By continuously testing an organization's security controls, the platform provides real-time data on performance and readiness in an ever-changing threat landscape. This comprehensive approach allows organizations to emulate multi-stage adversary campaigns and systematically test against known tactics, ensuring they remain prepared against evolving threats. 

Other contenders 

Cymulate and XM Cyber are notable players in the BAS space, each offering unique capabilities. Cymulate stands out with its user-friendly platform, providing security posture assessments, attack simulations and real-time reporting. Leveraging the MITRE ATT&CK framework, it enables organizations to identify and prioritize security gaps effectively. XM Cyber focuses on attack path management and risk prioritization, helping security teams address critical vulnerabilities with the highest impact. Its platform simulates advanced threats, visualizes attack paths and continuously validates security postures. Both platforms provide valuable tools for enhancing organizational security, catering to different needs within the BAS market.

You've read this far, but don't stop now. In part two, we tackle common challenges in functionality and implementation of BAS solutions.