Improving Incident Response with BAS and CART Improving Incident Response with BAS and CART-mask

How BAS and CART Improve Incident Response and Recovery

Forewarned might be forearmed, but, even if it is impossible to ignore that the threat landscape is fast worsening in both complexity and frequency of cyberattacks, action is needed to do the forearming part. 

In other words, having incident response plans at hand to accelerate mitigation and recovery is now a must. Compliance regulators even include incident response-specific clauses, such as PCI DSS Requirements 10 (Implement Logging and Log Management) and 12 (Documentation and Risk Assessments) for example.

In this post, we look at incident response steps and at how BAS (Breach and Attack Simulation) and CART (Continuous Automated Red Teaming) can accelerate and enhance incident response readiness. 

Recommended Incident Response Readiness Preparation Steps 

Identify and Prioritize Critical Assets 

Identifying and prioritizing critical assets is the process that lists sensitive data and mission-critical applications that, if compromised, would cause significant damage to the organization.  

Designing Scenarios 

Design a realistic scenario that accurately reflects the potential cyber threats that an organization may face. 

Establish Procedures and Policies 

Planned procedures detail the role of operational and security staff, when and how to escalate the incident, internal and external communication protocols, and when to enlist help from third parties like consultants, legal, or PR.  

Establish an Incident Response Team 

Defining each incident response team member’s roles and responsibilities, and the scope of their role – i.e., full-time incident response or alongside a related role in IT operations or security – accelerates their response time in case of a breach.  

Educate All Stakeholders About the Incident Response Plan 

Alignment of all stakeholders – i.e., IT, software development, legal, HR, public relations, senior management, etc.  –  requires ensuring that they are informed of their individual roles in the response plan and of their expected interactions with other stakeholders. 

Get Advanced Buy-In From Senior Management 

When a response plan includes budgetary implications, such as hiring a consultant or external services, a pre-approved budget for contingency accelerates the response time. 


Validating incident response plans’ adequacy requires holding regular tabletops exercise drills with relevant stakeholders.
Postmortem analysis following tabletop exercise is crucial to identify the security gaps that let the adversary gain an initial foothold and escalate their attack, spot stakeholders lacking the proper training, and define preemptive remediation measures. 


The Role of BAS/CART in Incident Response  

The problem with tabletop exercises is that they are costly, time-consuming, and disrupt daily operations.
A cursory look at even just a single one of CISA’s cybersecurity scenarios seems to imply that a tabletop exercise requires interrupting regular operations for a few days. 

As such, like full-scale fire drills, they cannot be run often. Yet, the rapid pace of change in the threat landscape should be reflected in the regular update of response plans. 

This is where BAS and CART technologies can be invaluable. Thanks to their automated attack simulations, the technical validation of incident response planning can be run regularly without requiring additional resources or disrupting routine operations.

How BAS/CART Improves IR Processes 

The table below summarizes the main difference between  


  Classic IR preparation  BAS/CART Assisted Preparation 
TTEs  Pen and paper exercises requiring gathering stakeholders -interrupting daily routine – and running thought exercise-like TTEs 



Automated attack simulations of customizable scope, schedulable at will and running in a production environment, which enables testing stakeholders’ reactivity in real time. 
Reporting  Manual reporting relying on manually recorded processes and interactions  Automated reporting that include all interactions and action taken. 
Integrations  None  SIWM, SOAR, EDR, Email Gateways, Firewalls, WAFs, and DLP tools 
Analysis  Manual based on manually collected data  Automatically generated, including details of the attack simulations’ success, the TTPs used, the attack routes, and the impact on the organization’s security controls. 
Postmortem  Requires drafting mitigation guidance based on the expertise level of the people present and the quality of the manually generated report and analysis  Automatically generated mitigation guidance based on best practices by a team of experts 


Additional Benefits of Using BAS/CART to Drill Incident Response  

Tool Stack Optimization 

As BAS and CART technologies can integrate with the cybersecurity tool stack, it provides detailed information about the performance of each individual tool. Comparing the ratio of detected/stopped simulated attacks with the number of attacks launched gives a data-backed evaluation of each tool.  

This evaluation can then be used to rationalize and optimize the tool stack by eliminating overlapping capabilities and identifying missing ones. 

Attack Route Mapping 

The attack route mapping capabilities of advanced BAS/CART technologies pinpoint exactly where security gaps enable the attack to progress, focusing mitigation efforts on where they have a high impact. 

Easy to Scope 

BAS/CART attack simulations are easy to scope and can focus on particularly sensitive, high-value, or corresponding to industry sectors, department areas of activity, geolocation, specific APT, or other relevant segmentation factors as needed.

No Business Disruptions 

Unless running a full-scope IR exercise that involves downstream non-technical skills such as legal, PR, marketing etcetera 

No Extra Cost 

The main purpose of BAS/CART technologies is to validate security resilience. Running incident response exercises is just a welcome by-product accessible at no extra cost. 


Thanks to its non-disruptive, no-cost, and easy-to-run characteristics, incident response exercises can be repeated as needed to evaluate progress and trends in MTTRs.

Limits of BAS/CART for Running IR Exercises

The full value of BAS/CART tun IR exercises applies to the cybersecurity and IT department and to some of the operational functions, such as email for example, but only inasmuch as they are connected to the digital infrastructure.
To include the entire human factor, factoring in the reaction time and efficacy of non-tech stakeholders, still require running including some manual operations.

However, drilling the reactions of legal, marketing, finance, HR, and other stakeholders can then be limited to a yearly exercise covering different types of attacks, i.e., ransomware, DDOS, data theft, etc., and defining the role of each for each specific attack type.  

The benefits far outweigh the limits and have an immediate impact on a company’s resilience. 

Start A Free Trial