
Deep Dive into Gartner’s Breach and Attack Simulation Use Cases

In emerging markets, it is normal to have a lot of confusion around what’s what. Experts, vendors, and analysts only make it worse by trying to drive the discussion, ending up muddying the waters. As a result, end users struggle to evaluate whether or not they need this new technology and why.

For the still-maturing Breach and Attack Simulation (BAS) market, the obvious answer to the ‘why’ question would be gaining clarity on the complex security solutions stack and validating its efficacy. The basket of emerging technologies Gartner now includes under the generic BAS terminology covers a range of specific use cases and business challenges that previously lacked coverage.

BAS Use Cases and Basket of Technologies

As there are different types of attack simulations designed to achieve diverse purposes, a variety of terms describing purpose-specific technologies are already in use. The more common ones are Continuous Security Validation (CSV), automated pen-testing, Continuous Automated Red Teaming (CART), attack path mapping, and, of course, the original BAS.

Gartner has put together a list of common use cases for potential BAS users to clear the waters.

Primary BAS use cases:

  • Security posture and readiness assessment

To effectively prevent attempted attacks from succeeding, the first step is to assess a system’s resilience by answering the following questions:

    • How can an adversary get to my crown jewels?
    • How can they get an initial foothold and propagate within the network?
    • How far can they get? Which data can they get a hold of?

End-to-end simulated attack campaigns allow defenders to map attack routes. However, they are not designed to test each security control thoroughly.

  • Security control validation and efficacy

To ensure maximum resilience against all attacks, known, unknown, and unknown-unknown, the soundness of the structural resilience needs to be evaluated at both the global and the granular level by answering the following questions:

    • Are my security controls performing to the maximum?
    • Which attacks do they miss?
    • What do I need to do to optimize the current configuration of my security controls?

Continuously running simulated attack scenarios based on assumed breaches allows defenders to run hundreds or thousands of scenarios against each and every security control. However, these attack scenarios are typically not chained – Cymulate is leading the end-to-end chained attack scenarios technology – and do not cover outside-in steps as they are based on assumed breaches.

  • Complementing penetration testing

Periodic penetration tests are often compulsory for compliance purposes, but they structurally fail to provide comprehensive security evaluation. Evaluating the actual scope of penetration testing requires answering the following questions:

    • Was the last pen-testing exercise extensive?
    • Did the latest deployment affect the systems’ cyber resilience?
    • Are we vulnerable to the latest emerging attacks?

The stated goal of penetration testing is to find a way into the targeted system, and the scope of the attack is defined ahead of time. As such, the tests penetration testers run to evaluate the attack permeability of the networks, assets, platforms, applications, or hardware covered by their mandate do not include testing resilience to evasive, stealthy attacks, nor the efficacy of the existing detection and response infrastructure. Moreover, the financial and resource cost of penetration testing has resulted in the common practice of using last year’s report as a baseline and targeting already identified vulnerabilities and loopholes.

As, by definition, penetration tests are pinpoint exercises, they do not cover subsequent modifications of the infrastructure due to new deployments, nor new attack techniques or recently uncovered vulnerabilities, so their validity is limited in time and needs to be complemented by up-to-date validation techniques.

As simulated attack technologies allow running thousands of scenarios automatically, saving the hundreds of hours they would take if carried out manually, they are an affordable and efficient alternative to increasing the frequency of penetration testing.


Secondary BAS use cases:

  • Risk-based vulnerability management

With vulnerability exploitation overtaking phishing as the initial compromise source, timely patching of vulnerabilities is becoming more and more crucial. To amplify the impact of vulnerability patching efforts, the main question to answer is:

    • Which vulnerabilities shall I focus on first?

Simulated attacks differentiate between ‘vulnerable’ and ‘exploitable’. Some critical vulnerabilities may not urgently require a patch simply because they are not accessible, while a vulnerability with a low CVSS score may be the one that actually paves the road for attackers to progress their attack further.

BAS checks the effectiveness of security controls in hampering attackers’ progress and zeroes in on vulnerabilities that pose an immediate danger and need to be patched first, thus focusing the patching prioritization efforts on the in-context weak points.
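The difference between ‘vulnerable’ and ‘exploitable’ can be shown as a reachability check over simulation results. The following is an added example, not code from the article or from any BAS product; the hosts, network routes, placeholder vulnerability ids, and "blocked" flags are constructed sample data.

```python
from collections import deque

# Constructed sample data: which node can open connections to which.
REACH = {"internet": ["web01"], "web01": ["app01"], "app01": ["db01"],
         "hr-laptop": ["legacy01"]}  # legacy01 has no route from the internet
# (placeholder id, host, CVSS base score, exploit blocked by a control in simulation?)
VULNS = [
    ("VULN-A", "legacy01", 9.8, False),
    ("VULN-B", "web01", 5.3, False),
    ("VULN-C", "app01", 4.3, False),
    ("VULN-D", "db01", 7.5, False),
    ("VULN-E", "web01", 8.1, True),
]

def compromisable(entry="internet"):
    """Hosts an attacker starting at `entry` can take over, hop by hop."""
    open_hosts = {host for _, host, _, blocked in VULNS if not blocked}
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in REACH.get(node, []):
            if nxt in open_hosts and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {entry}

def leads_to(host, target, owned):
    """True if `target` can be reached from `host` through owned hosts only."""
    stack, seen = [host], set()
    while stack:
        node = stack.pop()
        if node == target:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(n for n in REACH.get(node, []) if n in owned)
    return False

def prioritize(target="db01"):
    """Exploitable vulnerabilities on a route to `target` first, then by CVSS."""
    owned = compromisable()
    def key(vuln):
        _, host, cvss, blocked = vuln
        on_path = not blocked and host in owned and leads_to(host, target, owned)
        return (not on_path, -cvss)
    return [vuln[0] for vuln in sorted(VULNS, key=key)]

if __name__ == "__main__":
    print(prioritize())
```

In this sample the CVSS 4.3 finding on app01 ranks above the CVSS 9.8 finding on the unreachable legacy01, because only the former sits on a route to the crown-jewel host.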

  • Support for red and purple team activities

Organizations that incorporate adversarial skills as part of their security organization can leverage breach and attack simulation to automate, scale, and customize their assessments, and reduce time to mitigation by having red and blue teams working together.

  • Support for mergers and acquisitions

Cybersecurity due diligence is becoming the norm in an M&A process and aims at answering the following question:

    • What would be the impact on my digital footprint and overall exposure if we were to acquire this company?

Running the full extent of BAS technologies on the prospective partner’s infrastructure not only provides an affordable, near-instantaneous evaluation of their security posture, it can also be instrumental in evaluating the scope of resources required to securely implement a post-M&A integration strategy.

  • Third-party assessments

With over 80% of organizations vulnerable to software supply-chain attacks, the importance of assessing the risks associated with third parties even gave rise to a specific MITRE Supply Chain Security System of Trust Framework dedicated to supply-chain security. There are ways to leverage some BAS technologies to evaluate the in-context risks associated with prospective or active third-party suppliers, for example by comparing the results of attack simulations with the third party connected and without that connection.

  • Measurement of security operations processes

Evaluating the effectiveness of in-place security processes is key to refining them and ensuring continuous efficacy, and requires answers to the following questions:

    • How do I know what goes undetected?
    • Does the SIEM alert me on what is really important?
    • Does my incident response team (or my managed SOC provider) engage quickly?
    • How can I improve my SOAR playbooks?

Simulated attacks answer all these questions, and the granular information they provide is decisive for continuously overseeing the effectiveness of those processes.
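One way to turn simulation runs into these measurements is to correlate the run log with the alerts the SIEM raised. The following is an added example, not code from the article or from any BAS or SIEM product; the scenario ids, hosts, timestamps, and the 15-minute correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

# Constructed simulation run log: (scenario id, host, time executed)
SIMULATIONS = [
    ("SIM-001", "ws-114", ts("2024-01-10 09:00:00")),
    ("SIM-002", "ws-114", ts("2024-01-10 09:30:00")),
    ("SIM-003", "srv-db2", ts("2024-01-10 10:00:00")),
    ("SIM-004", "srv-db2", ts("2024-01-10 10:45:00")),
]
# Constructed SIEM alerts: (host, time raised)
ALERTS = [
    ("ws-114", ts("2024-01-10 08:58:10")),   # before any run: unrelated noise
    ("ws-114", ts("2024-01-10 09:02:30")),   # 150 s after SIM-001
    ("srv-db2", ts("2024-01-10 10:09:00")),  # 540 s after SIM-003
    ("srv-db2", ts("2024-01-10 11:40:00")),  # 55 min after SIM-004: too late
]

def measure(window=timedelta(minutes=15)):
    """Match each scenario to the first unused alert on its host inside `window`."""
    unused = sorted(ALERTS, key=lambda alert: alert[1])
    detected, missed = {}, []
    for sim_id, host, started in sorted(SIMULATIONS, key=lambda sim: sim[2]):
        hit = next((a for a in unused
                    if a[0] == host and started <= a[1] <= started + window), None)
        if hit is None:
            missed.append(sim_id)          # this scenario went undetected
        else:
            unused.remove(hit)             # one alert explains one scenario only
            detected[sim_id] = (hit[1] - started).total_seconds()
    return {
        "missed": missed,
        "detection_rate": len(detected) / len(SIMULATIONS),
        "median_seconds_to_alert": median(detected.values()) if detected else None,
        "seconds_to_alert": detected,
    }

if __name__ == "__main__":
    print(measure())
```

The `missed` list answers what goes undetected, and the time-to-alert figures give a baseline for tracking how quickly the SOC is notified from one run to the next.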


Learn how Cymulate’s Security Posture Validation Platform is the only one that comprehensively covers the basket of BAS technologies to address all Gartner-identified use cases from a single pane of glass.
