Frequently Asked Questions

Product Features & Capabilities

What is Cymulate's Immediate Threats Validation module and how does it work?

Cymulate's Immediate Threats Validation module provides continuous, automated assessments using real-time threat simulations. It proactively validates your defenses against newly emerging threats, ensuring your organization stays ahead of attackers without manual effort. This module leverages the latest threat intelligence to simulate attacks and test your security controls in real time. Learn more.

How does Cymulate help expand and automate IoC (Indicator of Compromise) updates?

Cymulate streamlines and automates the validation of immediate threats by continuously updating and testing IoCs against your security controls. This reduces the manual effort required to keep defenses current and ensures rapid response to new threats. The platform integrates with threat intelligence feeds and tools like VirusTotal, Shodan, and URLScan to enrich and expand your IoC lists for more effective detection and defense.

What is Exposure Validation in Cymulate?

Exposure Validation in Cymulate refers to automated, real-world attack simulations that test your organization's defenses against the latest threats. It helps identify exploitable vulnerabilities and provides actionable insights to improve your security posture. The process is fast, easy, and centralized, allowing users to build custom attack chains and validate their exposure efficiently. Learn more.

How does Cymulate leverage threat intelligence tools like VirusTotal, Shodan, and URLScan?

Cymulate integrates with leading threat intelligence tools such as VirusTotal, Shodan, and URLScan to enrich IoC lists and improve threat detection. These integrations allow users to discover hidden IoCs, locate malicious infrastructure, and automate the process of updating their defenses based on the latest threat data.

What is the benefit of using VirusTotal Enterprise with Cymulate?

Using VirusTotal Enterprise with Cymulate provides access to the full VirusTotal file database, enables unique queries, and allows the creation of hunting rulesets using YARA rules. This enhances your ability to hunt for malware campaigns and expand your IoC coverage for more effective threat simulations and defense validation.

How does Cymulate help close the gap between IoC detection and defense?

Cymulate helps close the gap between IoC detection and defense by enabling rapid validation of whether specific IoCs are detected by your existing SIEM/SOAR tools. If not, Cymulate provides actionable insights to add them manually or automate their inclusion, reducing the window of opportunity for attackers.

Can Cymulate help discover hidden IoCs in phishing campaigns?

Yes, Cymulate can help discover hidden IoCs in phishing campaigns by integrating with tools like VirusTotal to analyze metadata and uncover additional malicious files or domains not listed in public reports. This enables organizations to proactively defend against evolving threats.

How does Cymulate use YARA rules for threat hunting?

Cymulate leverages YARA rules, especially when integrated with VirusTotal Enterprise, to create custom hunting rulesets. These rules help identify malware campaigns and automate the detection of new threats based on file characteristics and metadata.

What is the role of Shodan and URLScan in Cymulate's threat intelligence process?

Shodan and URLScan are used within Cymulate's threat intelligence process to locate malicious infrastructure and expand IoC lists. Shodan scans the internet for exposed services and infrastructure, while URLScan analyzes URLs for malicious behavior, both contributing to a more comprehensive threat detection strategy.

How does Cymulate automate the validation of immediate threats?

Cymulate automates the validation of immediate threats by continuously running real-time threat simulations and updating IoC lists based on the latest intelligence. This ensures that your defenses are always tested against the most current attack techniques, reducing manual workload and improving response times.

What are the key capabilities of Cymulate's platform?

Cymulate's platform offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily. These features help organizations improve security posture, operational efficiency, and threat resilience. Learn more.

How does Cymulate's Exposure Validation help with lateral movement detection?

Cymulate's Exposure Validation includes automated testing for lateral movement, helping organizations identify and mitigate risks associated with attackers moving within their network. This feature is essential for detecting advanced threats and preventing internal spread after an initial compromise. Learn more.

What is the advantage of automating IoC enrichment with Cymulate?

Automating IoC enrichment with Cymulate ensures that your threat intelligence feed is always up to date, reduces manual workload, and enables faster detection and response to new threats. This proactive approach helps organizations stay ahead of attackers and minimize risk exposure.

How does Cymulate support custom attack chain creation?

Cymulate's Exposure Validation platform allows users to build custom attack chains easily within a centralized interface. This flexibility enables organizations to simulate specific attack scenarios relevant to their environment and test their defenses against targeted threats. Learn more.

What is the role of SIEM and SOAR integrations in Cymulate?

Cymulate integrates with SIEM and SOAR tools to automate the detection and response to new threats. These integrations ensure that IoC updates and threat intelligence are reflected in your defensive infrastructure as quickly as possible, minimizing the time attackers have to exploit gaps.

How does Cymulate help organizations stay ahead of emerging threats?

Cymulate helps organizations stay ahead of emerging threats by continuously updating its threat simulation library, integrating with real-time threat intelligence sources, and automating the validation of defenses. This ensures that organizations can quickly adapt to new attack techniques and maintain a strong security posture.

What are some practical examples of IoC enrichment using Cymulate?

Practical examples include using VirusTotal to analyze hashes and domains from phishing campaigns, leveraging Shodan to identify malicious infrastructure, and using URLScan to find additional C2 servers. These techniques help organizations expand their IoC lists and improve threat detection coverage.

How does Cymulate's platform support continuous threat exposure management (CTEM)?

Cymulate's platform enables continuous threat exposure management by integrating validation, prioritization, and mobilization across teams. It provides a unified view of exposure risks and automates the process of identifying, validating, and remediating vulnerabilities. Learn more.

What is the Cymulate Resource Hub and how can it help me?

The Cymulate Resource Hub is a central location for insights, thought leadership, and product information. It includes whitepapers, blogs, webinars, and more to help you stay informed about the latest cybersecurity trends and best practices. Visit the Resource Hub.

Where can I find more information about Cymulate's Immediate Threats Validation?

You can find detailed information about Cymulate's Immediate Threats Validation module in the solution brief available at this link.

Integrations & Technical Requirements

What security technologies does Cymulate integrate with?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore (network security), AWS GuardDuty (cloud security), BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit our Partnerships and Integrations page.

Does Cymulate support integration with SIEM and SOAR platforms?

Yes, Cymulate supports integration with SIEM and SOAR platforms, enabling automated validation of threat detection and streamlined incident response workflows. This ensures that threat intelligence and IoC updates are quickly reflected in your security operations.

How easy is it to implement Cymulate and start using it?

Cymulate is designed for quick and easy implementation. It operates in agentless mode, requiring no additional hardware or complex configurations. Customers can start running simulations almost immediately after deployment, with comprehensive support and educational resources available. Schedule a demo to learn more.

What educational resources does Cymulate provide?

Cymulate offers a variety of educational resources, including a Resource Hub, blog, webinars, e-books, and a glossary of cybersecurity terms. These resources help users stay informed about the latest threats, best practices, and platform capabilities. Explore resources.

How does Cymulate ensure product security and compliance?

Cymulate holds several industry-leading certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. The platform uses encryption for data in transit and at rest, secure AWS-hosted data centers, a secure development lifecycle, and ongoing employee security training. Learn more about security at Cymulate.

What compliance certifications does Cymulate have?

Cymulate is certified for SOC2 Type II, ISO 27001:2013 (Information Security Management), ISO 27701 (Privacy Information Management), ISO 27017 (Cloud Services Security Controls), and CSA STAR Level 1. These certifications demonstrate Cymulate's commitment to robust security and compliance standards. See details.

Is Cymulate GDPR compliant?

Yes, Cymulate is GDPR compliant. The platform incorporates data protection by design and has a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO).

What security features are built into Cymulate's platform?

Cymulate's platform includes mandatory 2-Factor Authentication (2FA), Role-Based Access Controls (RBAC), IP address restrictions, and TLS encryption for its Help Center, ensuring robust protection for user data and platform access.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected for testing and validation. For a personalized quote, schedule a demo with the Cymulate team.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. The platform delivers measurable improvements in threat resilience, operational efficiency, and security strategy alignment. Learn more.

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery. It provides automation, unified visibility, and actionable insights to overcome these issues.

Are there case studies demonstrating Cymulate's effectiveness?

Yes, Cymulate has numerous case studies showing measurable outcomes, such as Hertz Israel reducing cyber risk by 81% in four months and a sustainable energy company scaling penetration testing efficiently. See all case studies.

How does Cymulate improve operational efficiency for security teams?

Cymulate automates threat validation, exposure prioritization, and vulnerability management, leading to a 60% increase in team efficiency and saving up to 60 hours per month in testing new threats. This allows security teams to focus on strategic initiatives rather than manual tasks.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive interface and ease of use. Testimonials highlight the platform's user-friendly dashboard, quick implementation, and accessible support. For example, Raphael Ferreira, Cybersecurity Manager, noted, "Cymulate is easy to implement and use—all you need to do is click a few buttons, and you receive a lot of practical insights." Read more testimonials.

How does Cymulate support different security personas?

Cymulate tailors its solutions to the needs of CISOs, SecOps teams, red teams, and vulnerability management teams. Each persona benefits from features like quantifiable metrics, automated processes, advanced offensive testing, and efficient vulnerability prioritization. Learn more.

What are the measurable outcomes of using Cymulate?

Organizations using Cymulate have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. These metrics demonstrate the platform's effectiveness in improving security posture and operational performance.

How does Cymulate compare to traditional penetration testing?

Cymulate offers automated, continuous threat validation that is 40 times faster than manual penetration testing. It provides real-time insights, reduces costs, and enables ongoing assessment of security controls, unlike traditional point-in-time pen tests.

What makes Cymulate different from other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 threat validation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive, daily-updated threat library. It delivers measurable results and is recognized as a market leader by industry analysts. See comparisons.

Where can I find Cymulate's latest news, research, and events?

Stay updated with Cymulate's latest news, research, and events through the blog, newsroom, and events & webinars page.


How to Expand IoCs for Immediate Threat Simulations

By: Elad Beber

Last Updated: April 20, 2025


Why Expanding IoCs Enhances Threat Detection

As new immediate cyber threats emerge at an accelerating pace, it is always a good idea to add new threat hunting skills and techniques to your toolbox.

Typically, the trigger to create a new threat simulation campaign is the more or less strident public reporting of the appearance of a new threat. Cyber-attackers are just as quick to capitalize on these new attacks, finding ways to procure the attack technology and weaponize it before defensive arrays have been updated.

This is an ongoing race, and staying ahead of potential attackers can be made easier by enriching your internal threat intelligence feed with tools such as VirusTotal and others, drawing on their IOC banks.

Before getting into the nitty-gritty detail of how to use any of those tools, let's put things into a defensive context, which presupposes an effective SIEM and SOAR array.

Closing the Gap Between IOC Detection and Defense

SIEM and SOAR tools are regularly updated by their vendors to reflect the emergence of new threats and IOCs, but there is a time gap between the time IOCs are available, the time the vendors update their database, and the time these updates are reflected within the defensive infrastructure. These time gaps are a golden opportunity for attackers to strike.

To rapidly check whether a specific IOC is detected by the existing defensive array or needs to be added manually, anyone can open VirusTotal, paste the IOC, and check whether the tools in your SIEM/SOAR array are detecting it. If not, it might be a good idea to add it manually.

But to really expand on enriching your Threat Intelligence feed, you might want to emulate Cymulate's R&D team and consider Virus Total Enterprise.

Yet, as Virus Total Enterprise is quite costly, it might help to get a better idea of what you might gain from it if you adopt it. Alternatively, you can use the other freemium tools mentioned in this blog post.

This guide aims at giving you a better idea of some of its capabilities and of tricks that could help you maximize its use.

Leveraging VirusTotal to Improve Threat Intelligence

Among other capabilities, VirusTotal Enterprise premium access opens the gates to VirusTotal's full file database, allows you to perform unique queries within it, and lets you create hunting rulesets that use YARA rules to hunt for malware campaigns.


As the purpose of this post is to give an idea of the richness of VirusTotal’s database and of how to maximize its use, we will focus on locating IOCs generated by a specific threat actor, more specifically, following a mention of that threat actor in a publication.

Discovering Hidden IoCs in Lazarus Phishing Campaigns

To keep it simple, we will look at the expanded IOC list that can be unearthed based on a random recent blog post referring to a recent phishing campaign launched by the threat actor “Lazarus”.

This blog post helpfully provides the raw IOCs from that Lazarus attack. VirusTotal Enterprise includes a nifty auto-formatting feature: simply copy-pasting the raw IOCs from the blog into the VirusTotal search bar yields a detailed list of all the pasted Lazarus IOCs.

The copied IOCs are:

Hashes

e87b575b2ddfb9d4d692e3b8627e3921
a27a9324d282d920e495832933d486ee
3f326da2affb0f7f2a4c5c95ffc660cc
490c885dc7ba0f32c07ddfe02a04bbb9
712a8e4d3ce36d72ff74b785aaf18cb0
a27a9324d282d920e495832933d486ee
f2a0e9034d67f8200993c4fa8e4f5d15

Domains

markettrendingcenter.com
lm-career.com
advantims.com

This yields the results displayed below, listed as either files or domains.

First, let’s consider interesting commonalities between the word documents mentioned in the blog post as part of the phishing campaign.

The post draws attention to the fact that both are authored by a user named "Mickey". We can confirm this by reviewing the samples with hashes "a27a9324d282d920e495832933d486ee" and "3f326da2affb0f7f2a4c5c95ffc660cc".

VirusTotal returns the following data:


You can see that reviewing these hashes with VirusTotal provided additional information. We now know that the last author of these files is named “Challenger” and that both files were created on the same date. This information enables us to dig down further by querying additional files matching this metadata! All we have to do is click the “Mickey” field and VirusTotal will create the query for us.


Yuck, 7k results! It appears that lazily just clicking that field returns all files within VirusTotal that contain the sequence “Mickey” within their content or metadata. That is unmanageable and, therefore, not useful. But we can easily solve that!

Let’s refine the query by looking exclusively at metadata and further restrict the search by limiting it to document files containing both “Mickey” and “Challenger”.


That worked! Only 4 files! When reviewing the file list, we see that we have uncovered 2 additional files that, though they are part of the malicious Lazarus campaign, were not listed in the blog post.


Using VirusTotal to Uncover Malicious URLs

Another technique we can use is combining Shodan, VirusTotal, and URLScan to locate malicious URLs. For this example, we will follow APT27's tracks, using this Trend Micro article about the Iron Tiger APT update. The article contains a particularly interesting observation:

If we query all the scanned URLs in VirusTotal that contain this URI sequence, we can potentially find new IoCs; if not, we can create a rule that tracks this kind of event using the YARA module integrated into VirusTotal. That second option will be explored in detail in a future post, but for now we will go to VirusTotal's "advanced" search tab and click the URL tab.


There, we insert the /api/v2/ajax string sequence in the “URL Contains” field and click search.

And we find 10 URLs, including one that is not referenced within the blog post!

This is an actual C2 that belongs to APT27 and should be added to your own IoC list.

Using Shodan to Locate Malicious Infrastructure

Now, let's see how we can leverage shodan.io to expand on these findings. Shodan is an online service that scans the internet and indexes its findings in an ever-expanding database of the data returned by those scans. Even better, unless you are planning to perform API queries on the raw scan data, most of the premium features are free.

This data can be filtered by the responses returned from services on the scanned servers, SSL certificates, ASN names, IP blocks, and so on. As we will see, it proves very useful for extracting additional IoCs and fingerprinting malicious infrastructure for future hunting.

For this example, I decided to use Shodan to query the confirmed malicious IPs I extracted from the blog. Let’s look at the response that is returned.

Here we can see that a February 9th scan performed on the C2 on TCP port 443 returned a 500 Internal Server Error response with zero content. This is actually quite common for HyperBro (APT27 malware) C2s: a 500 HTTP error normally comes with body content, so an empty body is a distinctive trait, which can be confirmed by looking at additional HyperBro C2 servers.

As you can see, I marked a number sequence in a red square. This is actually the hash returned from the scan body and it can be queried against shodan.io to find more servers returning this hash from their responses – let's click the hash.

This yields additional HyperBro C2 servers that can be added to your IoC list!

Using URLScan to Locate Malicious Infrastructure

Finally, another service that can be used to find additional infrastructure is URLScan.IO.

URLScan is a web sandbox: it scans URLs and returns their behavior in a detailed report. We can run the same query we ran in VirusTotal against URLScan by clicking the search tab and typing page.url:"/api/v2/ajax" to return all the scans that contained this URI:

We found 19 results, which can be filtered against your current IoC list to see whether any new C2 can be added to it.
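As an added example (not code from this post or from Cymulate), the following Python script reproduces two of the manual steps above locally: the paste-and-auto-format step used on the Lazarus IoC list, and the "filter the results against your current IoC list" step used on the URL search results. The hashes and domains in the sample are copied from the post's own list; the URLs, the watchlist and all function names are constructed for this example.

```python
import re
from typing import Dict, List, Set

# Indicator patterns for the IoC kinds the post pivots on.
_HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Dot-separated labels ending in an alphabetic TLD. Filenames such as
# "report.docx" would also match; add a TLD allow-list if your reports contain them.
_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(text: str) -> str:
    """Undo common defanging (hxxp://, [.], (.), {.}) so the patterns match."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.I)
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)


def extract_iocs(raw: str) -> Dict[str, Set[str]]:
    """Classify every indicator in a pasted blob; sets drop duplicate entries."""
    text = refang(raw)
    urls = set(_URL_RE.findall(text))
    # Blank out URLs before host matching so their hostnames are not counted twice.
    rest = _URL_RE.sub(" ", text)
    return {
        "hashes": {h.lower() for h in _HASH_RE.findall(text)},
        "urls": urls,
        "ips": set(_IPV4_RE.findall(rest)),
        "domains": {d.lower() for d in _DOMAIN_RE.findall(rest)},
    }


def pending_iocs(found: Dict[str, Set[str]], known: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Indicators present in the report but missing from the local watchlist."""
    return {kind: values - known.get(kind, set()) for kind, values in found.items()}


def urls_with_uri(urls, fragment: str) -> List[str]:
    """Local equivalent of VirusTotal's 'URL contains' / URLScan's page.url search."""
    return sorted(u for u in urls if fragment in u)


# Constructed sample: hashes/domains from the post's list (one hash appears twice
# there, as in the original), URLs invented for this example on a reserved TLD.
SAMPLE_REPORT = """
Hashes
a27a9324d282d920e495832933d486ee
3f326da2affb0f7f2a4c5c95ffc660cc
a27a9324d282d920e495832933d486ee
Domains
markettrendingcenter[.]com
lm-career[.]com
advantims[.]com
URLs
hxxp://c2-example[.]test/api/v2/ajax
hxxps://other-example[.]test/login
"""

# Constructed watchlist standing in for what the SIEM/SOAR already knows.
KNOWN_WATCHLIST = {"hashes": {"a27a9324d282d920e495832933d486ee"}, "domains": {"advantims.com"}}

if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    for kind, values in pending_iocs(found, KNOWN_WATCHLIST).items():
        print(f"{kind}: {sorted(values)}")
    print("C2-pattern URLs:", urls_with_uri(found["urls"], "/api/v2/ajax"))
```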

Automating IoC Updates for Faster Threat Response

This concludes my first Threat Intelligence guide. I hope it provides you with quick and easy ways to expand your own IoC list, and I will write more tips in the near future.

If you're looking to further streamline and automate the validation of immediate threats, Cymulate’s Immediate Threats Validation module offers continuous, automated assessments using real-time threat simulations. By proactively validating your defenses against newly emerging threats, Cymulate ensures you're always ahead of attackers—without the manual effort!
