Frequently Asked Questions

Product Information & Technical Details

What is Cymulate and what does it do?

Cymulate is a unified exposure management and security validation platform that enables organizations to continuously test, validate, and optimize their security controls against real-world threats. It provides automated breach and attack simulation (BAS), continuous automated red teaming (CART), exposure prioritization, and more, helping organizations proactively identify and remediate security gaps before attackers can exploit them. Learn more.

How does Cymulate assess for data exfiltration over blocked ports?

Cymulate's data exfiltration module tests security controls by simulating exfiltration attempts over various network channels, including blocked ports like Telnet (port 23). The platform initiates a 3-way handshake with a remote C2 server and sends data packets. It then validates successful exfiltration by comparing hashes of the original and received data, ensuring accuracy. This process helps organizations uncover hidden vulnerabilities in their firewall configurations. Read the full blog post.

What did Cymulate discover about Next-Gen Firewalls (NG-FW) and data exfiltration?

Cymulate found that many NG-FWs, by design, allow at least one packet to pass through a blocked port to identify the application protocol. This behavior can be exploited to exfiltrate small amounts of data, even when the port is officially blocked. The issue was reproduced across multiple leading NG-FW vendors, highlighting a structural flaw in how these firewalls handle initial packets. Source: Cymulate Blog

How does Cymulate validate that data exfiltration has occurred?

Cymulate validates data exfiltration by hashing the exfiltrated data and sending it over the agent-to-cloud communication channel to the C2 server. The server compares the hash with the received data to confirm successful and complete exfiltration, ensuring there is no room for error in detection. Learn more.

What practical steps can organizations take to prevent data exfiltration through NG-FWs?

Organizations should: 1) Limit both service (port) and application in NG-FW policies, 2) Restrict source and destination addresses, and 3) Implement network least privilege, allowing traffic only as needed. These steps reduce the risk of exfiltration while leveraging NG-FW capabilities. See full recommendations.

How does Cymulate help organizations uncover and remediate security control flaws?

Cymulate enables organizations to simulate real-world attacks, identify gaps in their security controls, and receive actionable remediation guidance. This process helps teams fix vulnerabilities before attackers can exploit them, reducing overall risk exposure. Learn more about Exposure Validation.

What is the value of security validation platforms like Cymulate?

Security validation platforms like Cymulate provide organizations with the ability to proactively test and validate their defenses, uncover hidden vulnerabilities, and ensure that security controls are functioning as intended. This reduces the risk of successful attacks and supports continuous improvement of the security posture. More info.

How does Cymulate's customer success team support users?

Cymulate's customer success team works closely with users to investigate unexpected findings, explain simulation results, and provide remediation guidance. This collaborative approach ensures that customers can quickly address vulnerabilities and optimize their security controls. See customer stories.

What is the significance of the 'grace packet' in NG-FW data exfiltration?

The 'grace packet' refers to the initial packet allowed by NG-FWs to identify the application protocol. Attackers can exploit this behavior to exfiltrate small data chunks, even when the port is blocked. Recognizing and mitigating this risk is crucial for robust firewall policies. Read more.

How does Cymulate's exposure validation module work?

Cymulate's exposure validation module allows users to build custom attack chains and simulate a wide range of threats, including data exfiltration, lateral movement, and privilege escalation. The platform provides actionable insights and remediation steps to close identified gaps. Learn more.

What are the main features of Cymulate's platform?

Cymulate offers continuous threat validation, attack path discovery, automated mitigation, detection engineering validation, complete kill chain coverage, and an extensive, daily-updated threat simulation library. These features help organizations stay ahead of emerging threats and optimize their defenses. See all features.

How does Cymulate support proactive security validation?

Cymulate enables organizations to proactively test their security controls by simulating real-world attack scenarios, identifying vulnerabilities, and providing remediation guidance. This approach helps reduce risk before an actual attack occurs. Learn more.

What is the role of the customer success team in Cymulate's platform?

The customer success team at Cymulate assists users in interpreting simulation results, investigating unexpected findings, and implementing remediation steps. Their expertise ensures that customers maximize the value of the platform and maintain high security standards. See customer stories.

How does Cymulate handle small data exfiltration attempts?

Cymulate's assessments revealed that small data packets, such as plain text or TXT files smaller than the MTU, can be exfiltrated through NG-FWs due to their protocol identification process. The platform helps organizations detect and remediate these subtle vulnerabilities. Read more.

What is the importance of validating security controls regularly?

Regular validation of security controls ensures that configurations are effective and up-to-date, reducing the risk of undetected vulnerabilities. Cymulate's platform automates this process, providing continuous assurance of security posture. Learn more.

How does Cymulate's platform integrate with existing security tools?

Cymulate integrates with a wide range of security technologies, including network, cloud, endpoint, and SIEM solutions, to enhance and validate your security ecosystem. For a full list of integrations, visit our Partnerships and Integrations page.

What resources are available to learn more about Cymulate's platform?

You can access Cymulate's Resource Hub for whitepapers, product information, thought leadership, and more. Additional resources include the blog, newsroom, events, webinars, and a comprehensive glossary. Visit the Resource Hub.

Where can I find Cymulate's blog and newsroom?

Cymulate's blog covers the latest threats, research, and platform updates, while the newsroom features media mentions and press releases. Visit the blog and newsroom for more information.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting Cymulate's blog for the latest research and threat intelligence, and check the newsroom for company news and media coverage. Blog | Newsroom

Features & Capabilities

What are the key capabilities of Cymulate's platform?

Cymulate's key capabilities include continuous threat validation, attack path discovery, automated mitigation, detection engineering validation, complete kill chain coverage, and an extensive, daily-updated threat simulation library. These features help organizations stay ahead of emerging threats and optimize their defenses. See all features.

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of technology partners across network, cloud, endpoint, and SIEM domains, including Akamai Guardicore, AWS GuardDuty, CrowdStrike Falcon, and more. For a complete list, visit our Partnerships and Integrations page.

How often is Cymulate's threat simulation library updated?

Cymulate provides the most advanced library of attack simulations with daily updates, ensuring customers are protected against the latest threats. Learn more.

Is Cymulate easy to implement and use?

Yes, Cymulate is designed for ease of use and quick implementation. It operates in agentless mode, requires minimal resources, and can be deployed rapidly. Customers consistently praise its intuitive interface and actionable insights. See testimonials.

What kind of support does Cymulate offer to customers?

Cymulate provides comprehensive support, including email and chat support, a knowledge base, webinars, e-books, and an AI chatbot for instant answers. Customers can reach support at [email protected] or via chat support.

What security and compliance certifications does Cymulate have?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications. These attest to its robust security, privacy, and cloud compliance practices. See all certifications.

How does Cymulate ensure data security and privacy?

Cymulate is hosted in secure AWS data centers, uses TLS 1.2+ for data in transit, AES-256 for data at rest, and follows a strict Secure Development Lifecycle (SDLC). It is GDPR compliant and employs a dedicated privacy and security team. Learn more.

What educational resources does Cymulate provide?

Cymulate offers a Resource Hub, blog, glossary, webinars, e-books, and technical articles to help users stay informed about cybersecurity trends and best practices. Explore resources.

How does Cymulate help with compliance requirements?

Cymulate's platform and certifications (SOC2, ISO, CSA STAR) help organizations meet regulatory and compliance requirements by providing evidence of robust security controls and continuous validation. See compliance details.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, media, transportation, and manufacturing. Learn more about roles.

What business impact can customers expect from Cymulate?

Customers have reported an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, a 52% reduction in critical exposures, and a 30% improvement in threat prevention. See case studies.

What pain points does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volumes, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers. It provides continuous validation, exposure prioritization, and actionable insights. Learn more.

How does Cymulate help different security personas?

Cymulate tailors its solutions for CISOs (metrics and investment justification), SecOps (operational efficiency), red teams (automated offensive testing), and vulnerability management teams (exposure prioritization). See persona-specific solutions.

Can you provide a real-world example of Cymulate uncovering a security gap?

Yes. In a customer case, Cymulate's data exfiltration assessment revealed that data could be exfiltrated through a blocked Telnet port due to NG-FW design. The customer remediated the issue based on Cymulate's guidance, closing the gap before it could be exploited. Read the story.

How does Cymulate help with lateral movement and privilege escalation testing?

Cymulate's Attack Path Discovery automates offensive testing to identify and mitigate threats related to privilege escalation and lateral movement, helping organizations strengthen their defenses. Learn more.

Does Cymulate provide guidance for remediation after identifying vulnerabilities?

Yes, Cymulate provides easy-to-digest remediation guidance for any gaps or vulnerabilities identified during simulations, enabling teams to quickly address and close security gaps. Learn more.

How does Cymulate help organizations move from reactive to proactive security?

Cymulate enables organizations to proactively validate their defenses, identify weaknesses before attackers do, and implement improvements based on actionable insights, shifting from reactive to proactive security management. See case study.

What measurable results have customers achieved with Cymulate?

Customers have achieved an 81% reduction in cyber risk, a 60% increase in team efficiency, a 52% reduction in critical exposures, and a 30% improvement in threat prevention within months of using Cymulate. See customer results.

How does Cymulate help communicate risk to stakeholders?

Cymulate provides clear, quantifiable metrics and evidence-based reports, enabling CISOs and security leaders to effectively communicate risk and justify security investments to stakeholders. Learn more.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and selected scenarios. For a custom quote, schedule a demo.

Is the Cymulate subscription fee refundable?

No, the Cymulate subscription fee is non-refundable and must be paid regardless of actual platform usage. For details, contact Cymulate's sales team. Contact sales.

Competition & Comparison

How does Cymulate compare to AttackIQ?

AttackIQ provides automated security validation but lacks Cymulate's innovation, threat coverage, and ease of use. Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows. See comparison.

How does Cymulate compare to Mandiant Security Validation?

Mandiant is an original BAS platform but has seen little innovation in recent years. Cymulate continually innovates with AI and automation, expanding into exposure management and maintaining grid leader status. See comparison.

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth in assessing and strengthening defenses. Cymulate covers the full kill chain and provides cloud control validation. See comparison.

How does Cymulate compare to Picus Security?

Picus is suitable for on-premise BAS needs but lacks the complete exposure validation platform Cymulate provides. Cymulate covers the full kill chain and includes cloud control validation. See comparison.

How does Cymulate compare to SafeBreach?

SafeBreach offers breach and attack simulation but lacks Cymulate's innovation, precision, and automation. Cymulate leads with AI-powered BAS, the largest attack library, and a full CTEM solution. See comparison.

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams but lacks Cymulate's focus on actionable remediation and automated mitigation. Cymulate provides a more complete exposure validation platform with daily threat updates and no-code workflows. See comparison.

Cymulate named a Customers' Choice in 2025 Gartner® Peer Insights™
Learn More
New Case Study: Credit Union Boosts Threat Prevention & Detection with Cymulate
Learn More
New Research: Cymulate Research Labs Discovers Token Validation Flaw
Learn More
An Inside Look at the Technology Behind Cymulate
Learn More
Book a Demo
Book a Demo

Exfiltration Over a Blocked Port on a Next-Gen Firewall

By: David Kellerman

Last Updated: December 8, 2025

More and more organizations are adopting proactive cybersecurity validation technologies to verify that their security measures are working as expected and reduce risk before an attack. Knowledge of the usefulness of these technologies is spreading, which is great.

What is less known, though, is how these technologies can uncover industry-wide structural flaws in services provided by vendors. And of course, provide remediation! Sometimes, these discoveries can even come from the customer success department.

As a customer success lead and security advisor at Cymulate, I was recently lucky enough to uncover such a flaw.  

Feeling Protected? Guess Again  

Cymulate offers the most comprehensive platform for threat validation. For example, the data exfiltration module tests controls against exfiltration over network channels, email, removable devices, and cloud services. Usually, our customers run simulated data exfiltration attacks with the platform, and if a gap is found, they remediate it according to our easy-to-digest guidance. But sometimes, it is not as straightforward. 

Recently, a customer ran a data exfiltration assessment over network protocols and the Cymulate platform alerted them that data was exfiltrated through Telnet (port 23). The customer checked with their Next-Gen Firewall (NG-FW) vendor who answered that there was no way data could be exfiltrated through that closed port. So, the customer reached out to me to investigate further with this email: 

Working as a customer success team lead here at Cymulate, I encounter this kind of situation a lot. A favorite part of my job is exploring, along with the customer, why a simulated attack succeeded and what they can do to prevent it from happening when faced with a real threat. This is the true value of a security validation platform—finding the gaps and vulnerabilities of your security stack and fixing them before an attacker takes advantage. 

How Does Cymulate Assess for Data Exfiltration? 

Before I continue with the story, it will help to have some background about how Cymulate’s exfiltration over alternative network protocol works. Let’s look at Telnet as an example. 

During this type of data exfiltration assessment, Cymulate connects to a remote C2 server over port 23 (Telnet port), initiating a 3-way handshake. Upon the handshake completion, the session is established, and data is sent as packets over it.  

At the same time, the agent hashes the exfiltrated data and sends it over the agent-to-cloud communication channel to the C2 server. The C2 server receives the hash and the exfiltrated data and compares them to ensure that the original data has been successfully and completely exfiltrated. Hash validation does not leave room for mistakes – identical hashes are proof of data exfiltration.   

Getting Around the Blocked Telnet Port 

As we needed more data to further our investigation, we asked the customer to share their NG-FW dropped logs with us.  To verify that the network traffic indeed occurred as we thought, we captured packets using Wireshark and clearly saw the traffic: 

We looked again at the email the customer sent us after calling his NG-FW vendor and these words caught our attention: “Post 3-way handshake…” The NG-FW permitted the 3-way handshake and allowed us to establish a connection to the C2 server. After the handshake, the NG-FW detected that our traffic was not Telnet protocol, but just a TCP socket of port 23, so the connection was reset. 

Yet, looking at the packet captures obtained from the NG-FW vendor to analyze successfully exfiltrated data sessions, we were amazed – the NG-FW allowed them to be exfiltrated! 

But why? 

And here comes the interesting part – without exception, all successfully exfiltrated data packets were in small formats (such as plain string or TXT files), smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size.  

When asked about this finding, the NG-FW vendor acknowledged that “to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass.”  

This potential exfiltration path appeared to be by design and specific to the NG-FW workflow. Surprised by this unexpected flaw-by-design, we tested it with many leading NG-FW vendors and successfully reproduced the exfiltration techniques with all of them.  

The transition from Firewall to NG-FW introduced a new approach and a new level of security. It allows inspection into the traffic instead of focusing exclusively on the transport layer. However, allowing some packets to pass to identify which application is used and whether it violated the policy or not, opened a breach. For an attacker, this “grace packet” is good enough to exfiltrate a small chunk of data or even communicate with a C&C server for additional instructions.   

Practical Steps to Keep Your Next-Gen Firewall from Allowing Exfiltration 

Here are some steps you can take to reduce the risk of data exfiltration and still benefit from the advanced NG-FW technology. When setting your NG-FW policy: 

1. Limit both service (port) and application.  

2. Limit source and destinations.  

3. Implement network least privilege, allowing traffic between two points over a specified port exclusively based on “need to access” logic. 

Cymulate Can Help 

Security controls are vital to ensure your organization is safe from an attack but validating that those controls are set up and working as they should is just as important. Sometimes validation can even lead to exposing a fault within the control itself and remediation will immediately reduce your risk of exposure.

image
David Kellerman
David Kellerman is the Field CTO at Cymulate, and a senior technical customer-facing professional in the field of information and cyber security. David leads customers to success and high-security standards.
More about Author
Table of Contents
Feeling Protected? Guess Again   How Does Cymulate Assess for Data Exfiltration?  Getting Around the Blocked Telnet Port  Practical Steps to Keep Your Next-Gen Firewall from Allowing Exfiltration  Cymulate Can Help 
Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.
Learn More

Featured Resources

View More Resources
Security Spent a Decade Finding More. It Should Have Been Proving More. 
blog

Security Spent a Decade Finding More. It Should Have Been Proving More. 

Here's an uncomfortable truth most security leaders already suspect but rarely say out loud: Your organization has invested millions in security tools, and

Read More
Handala Hack: From Regional Disruption to Digital Destruction — Why Security Validation Matters Now 
blog

Handala Hack: From Regional Disruption to Digital Destruction — Why Security Validation Matters Now 

After years of battling ransomware and financially motivated threats, security teams must now increase their focus to defend against digital destruction. Iranian-backed Handala Hack highlighted the growing threat with its claimed attacks against a U.S.-based medical equipment maker, with reports of widespread deletion of data

Read More
CVE-2026-26117: Hijacking Azure Arc on Windows for Local Privilege Escalation & Cloud Identity Takeover 
blog

CVE-2026-26117: Hijacking Azure Arc on Windows for Local Privilege Escalation & Cloud Identity Takeover 

CVE-2026-26117 lets attackers hijack Azure Arc on Windows, escalate to SYSTEM, and seize the machine’s cloud identity.

Read More

GET A PERSONALIZED DEMO

Ready to see Cymulate in action?

Book a Demo