Automated Pen Testing vs Breach and Attack Simulation

With the growth in complexity of business environments and the dynamic nature of the threat landscape security teams are turning to automated security testing in order for their testing to be more frequent, thorough, and simpler to perform. But automation is not a synonym for simplicity. When the autopilot was introduced in modern airplanes pilots weren’t exempt from getting trained on the functions the autopilot controlled. The same for pen-testing. Automated pen testing is best used in the hands of expert pen-testers whereas breach and attack simulation (BAS) makes security testing accessible to security analysts from a wider range of skill levels. BAS makes security testing simpler.

But is simpler less? To answer this question let’s look at the approaches taken by automated pen-testing and BAS. At a high level, they can both tell you what needs fixing, but the way they get about it is very different as is the frequency and scope of the results.

Scope of Automated Penetration Testing

In automated pen-testing, a scope for the test is set and objectives are agreed upon. The result of the effort is a binary answer - did the tester achieve the objective? The value provided by the pen tester is in understanding how the objective was achieved and providing remediation recommendations. Automated pen testing helps answer the question "can an attacker get in, and how?”

Automated pen testing is basically automating the repetitive actions of pen testers, enabling them to do more in less time. These tools provide a high degree of customization for skilled pen testers to adapt their efforts to the scope and objective of the test. Using automated pen-testing tools the tester will be able to identify some of the gaps in some security controls and describe which techniques were used in order to evade other controls. The pen tester may also describe how lateral movement was achieved in order to advance towards the objective. The mitigation recommendations provided will be related to the scope of the test.

Scope of Breach and Attack Simulation

The approach of BAS is different in that it tests each individual security control AND the full kill chain, as frequently as required. It answers the question "how well do our controls and policies detect and stop attackers?" Leading BAS platforms approach security testing in three ways.

1. Test the efficacy of individual security controls such as endpoint, web gateway, email gateway, DLP, and web application firewall. It provides a score and list of mitigation tips that security operations are able to implement.
2. Test the security posture of an organization against a broad list of known and new immediate threats.
3. Visualize all possible lateral movement, employing techniques similar to those of a pentester, but not limited in scope.

BAS is automated by definition and it’s accessible to a broad skill level of operators because it relies on the expertise of the analysts and developers of the platform and not the expertise of the end-user of the platform. The simplicity does not come at the expense of fidelity, in fact, BAS provides a report based on a broad set of tests that accurately represents reality, they are not limited to the context of a scoped pen-test.

Security teams must continuously adapt defenses to protect the dynamic business environment and the innovative threat landscape. And herein lies another fundamental difference between BAS and automated pen-testing. Breach and attack simulation can be performed as frequently as you desire.

Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to test, measure and optimize the effectiveness of your security controls any time, all the time. With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it—making security continuous, fast, and part of everyday activities.