Frequently Asked Questions

MITRE ATT&CK v18 Alignment & Exposure Validation

How does Cymulate Exposure Validation align with MITRE ATT&CK v18?

Cymulate Exposure Validation is fully aligned with MITRE ATT&CK v18, incorporating the latest techniques and sub-techniques introduced by MITRE. The platform has expanded its attack scenario library and reporting capabilities to reflect these updates, enabling organizations to validate their defenses against the most current adversarial behaviors and measure their threat readiness using the widely adopted MITRE ATT&CK framework.

What new attack scenarios are included in Cymulate Exposure Validation for MITRE ATT&CK v18?

Cymulate Exposure Validation now includes eight new attack scenarios and updates to three others, covering nine of the twelve new techniques in MITRE ATT&CK v18. These scenarios simulate real-world adversarial behaviors such as Kubernetes mass command execution, Python startup hooks backdoors, delay execution, browser fingerprint masquerading, selective exclusion ransomware, local storage discovery, backup software discovery, and ODBC SQL database queries.

Which MITRE ATT&CK v18 techniques are not supported by Cymulate, and why?

Of the 12 new techniques in MITRE ATT&CK v18, Cymulate does not automate validation for three: T1677 (Poisoned Pipeline Execution), T1681 (Search Threat Vendor Data), and T1204.005 (User Execution: Malicious Library). These are excluded due to environmental or ethical constraints, such as the need for offensive simulation on build servers or techniques that are external to the organization and cannot be reproduced or detected internally.

How can security teams use the new MITRE ATT&CK v18 scenarios in Cymulate?

Security teams can run the new MITRE ATT&CK v18 scenarios via the Cymulate “attack scenario workbench” as individual assessments or include them in new or existing assessment templates. This enables teams to validate coverage against the latest adversarial tactics, identify and close security control gaps, and strengthen detection and response capabilities.

What is the benefit of continuously validating against new MITRE ATT&CK techniques?

Continuous validation against new MITRE ATT&CK techniques helps organizations proactively address evolving threats, identify gaps in their defenses, and build resilience. It also allows teams to measure validated prevention and detection using the MITRE ATT&CK heatmap, ensuring comprehensive threat coverage.

What future enhancements are planned for Cymulate’s detection validation engine?

Cymulate is planning to revamp its detection validation engine to align with MITRE’s updated detection taxonomy, innovate in detection engineering to map detections to analytics and response mechanisms, and expand correlation capabilities between simulation results and SOC detection analytics. These enhancements will help customers transition from validation to continuous detection engineering.

How can I experience Cymulate Exposure Validation firsthand?

Current Cymulate users can explore the new MITRE ATT&CK v18 scenarios by running simulations and reviewing results. For guidance on optimizing defenses or troubleshooting, users can work with their Customer Success Manager. Prospective customers can schedule a demo to see how Cymulate validates threat resilience against MITRE ATT&CK.

What is the MITRE ATT&CK heatmap in Cymulate?

The MITRE ATT&CK heatmap in Cymulate provides a visual representation of validated detection and prevention coverage across the MITRE ATT&CK framework. It helps organizations quickly identify strengths and gaps in their security controls.

How does Cymulate help measure threat readiness against MITRE ATT&CK?

Cymulate enables organizations to measure their threat readiness by running attack simulations mapped to MITRE ATT&CK techniques and sub-techniques. The results are visualized in the heatmap, allowing teams to assess their detection and prevention capabilities against the latest adversarial behaviors.

Where can I find more technical details about Cymulate Exposure Validation?

Technical details about Cymulate Exposure Validation, including data sheets and guides, are available on the Exposure Validation Data Sheet and the Cymulate Resource Hub.

What customer feedback is available about Cymulate Exposure Validation?

Customers have praised Cymulate Exposure Validation for making advanced security testing fast and easy. For example, Mike Humbert, Cybersecurity Engineer at Darling Ingredients Inc., stated, “When it comes to building custom attack chains, it's all right in front of you in one place.”

How does Cymulate Exposure Validation help with cloud security validation?

Cymulate Exposure Validation includes updated attack scenarios for cloud platforms such as Azure, AWS, and GCP. These scenarios simulate adversaries modifying network security group rules or firewall settings to test detection and prevention capabilities in cloud environments.

What is the attack scenario workbench in Cymulate?

The attack scenario workbench in Cymulate allows users to run individual attack scenarios or include them in assessment templates. This feature provides flexibility for security teams to test specific techniques or broader attack chains as needed.

How does Cymulate support detection engineering and analytics?

Cymulate is innovating in detection engineering by mapping detections to analytics and response mechanisms. The platform’s roadmap includes expanding correlation capabilities between simulation results and SOC detection analytics, enabling deeper understanding of detection effectiveness.

How often is Cymulate’s attack scenario library updated?

Cymulate’s attack scenario library is updated regularly to reflect the latest adversarial techniques and threat intelligence, ensuring customers can validate their defenses against emerging threats.

What resources are available to help me get started with Cymulate Exposure Validation?

Cymulate provides a range of resources including data sheets, technical guides, webinars, and customer support to help users get started and optimize their use of Exposure Validation. Visit the Resource Hub for more information.

How does Cymulate Exposure Validation help organizations build resilience?

By continuously validating defenses against the latest MITRE ATT&CK techniques, Cymulate helps organizations identify and close security gaps, strengthen detection and response, and build overall threat resilience.

Can I customize attack chains in Cymulate Exposure Validation?

Yes, Cymulate Exposure Validation allows users to build custom attack chains, making advanced security testing accessible and flexible for different organizational needs.

How does Cymulate Exposure Validation support compliance initiatives?

By aligning with MITRE ATT&CK and providing comprehensive validation and reporting, Cymulate Exposure Validation supports compliance initiatives by demonstrating coverage of adversarial techniques and the effectiveness of security controls.

Features & Capabilities

What are the key capabilities of Cymulate’s platform?

Cymulate’s platform offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

What are the main benefits of using Cymulate?

Key benefits include up to a 52% reduction in critical exposures, a 20-point improvement in threat prevention, a 60% increase in team efficiency, 40X faster threat validation, cost savings through tool consolidation, and an 81% reduction in cyber risk within four months.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page.

What technical documentation is available for Cymulate?

Cymulate provides guides, whitepapers, solution briefs, and data sheets covering topics like vulnerability management, detection engineering, exposure validation, automated mitigation, and more. Access these resources at the Resource Hub.

How easy is Cymulate to implement and use?

Cymulate is designed for rapid, agentless deployment with minimal setup. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface.

What security and compliance certifications does Cymulate have?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating compliance with industry-leading security and privacy standards.

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC) with regular vulnerability scanning and third-party penetration testing.

What is Cymulate’s pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization’s requirements, including chosen package, number of assets, and scenarios. For a detailed quote, schedule a demo.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery.

Are there case studies showing Cymulate’s impact?

Yes, for example, Hertz Israel reduced cyber risk by 81% in four months using Cymulate. Other case studies include improved SecOps for a credit union, enhanced cloud security for Nemours Children’s Health, and cost-effective penetration testing for a sustainable energy company.

How does Cymulate’s value differ by user persona?

CISOs benefit from quantifiable metrics and risk prioritization; SecOps teams gain operational efficiency and faster validation; red teams access automated offensive testing; vulnerability management teams improve validation and prioritization.

What business impact can customers expect from Cymulate?

Customers can expect improved security posture, operational efficiency, faster threat validation, cost savings, enhanced threat resilience, and better decision-making with actionable insights and quantifiable metrics.

How does Cymulate compare to other security validation platforms?

Cymulate stands out for its unified platform, continuous innovation, AI-powered optimization, extensive threat library, and measurable results. It is recognized for ease of use and comprehensive coverage compared to competitors like AttackIQ, Mandiant Security Validation, Pentera, Picus Security, SafeBreach, and Scythe.

What feedback have customers given about Cymulate’s ease of use?

Customers consistently praise Cymulate for its intuitive interface, ease of implementation, and actionable insights. Testimonials highlight its user-friendly dashboard and immediate value in identifying and mitigating security gaps.

How does Cymulate help with vulnerability management?

Cymulate automates in-house validation between penetration tests, prioritizes vulnerabilities based on exploitability, and provides actionable insights for remediation, improving operational efficiency for vulnerability management teams.

How does Cymulate support collaboration across security teams?

The platform enables collaboration between SecOps, Red Teams, and Vulnerability Management teams by providing a unified view of exposures, validated data, and actionable insights, ensuring a coordinated approach to security challenges.


Cymulate Aligns Platform to MITRE ATT&CK v18

By: Amanda Kegley

Last Updated: December 17, 2025

Cymulate continues to stay ahead of the curve by aligning our platform with the latest developments in the MITRE ATT&CK® framework. With the release of MITRE ATT&CK® v18, we’ve expanded our attack scenario library and reporting capabilities to reflect the newest techniques and sub-techniques introduced by MITRE.

This update to Cymulate Exposure Validation ensures our customers can maintain comprehensive threat coverage, validate their defenses and fine-tune security controls against the latest adversarial behaviors, all while measuring their threat readiness against one of the most widely adopted frameworks.

Key highlights 

As part of the product updates and alignment to MITRE ATT&CK, Cymulate Exposure Validation now includes: 

  • An expanded attack scenario library with the new techniques and sub-techniques in MITRE ATT&CK v18 
  • Visibility into v18-specific adversarial behaviors and how customers can easily run relevant attacks to validate their security posture and maintain threat resilience 
  • An updated heatmap of validated detection and prevention

What’s new from Cymulate Exposure Validation? 

MITRE ATT&CK version 18 introduces 12 new techniques that reflect evolving adversary behaviors across enterprise and cloud environments. Cymulate has expanded its attack simulation library with eight new attack scenarios and updates to three others that align to nine of the 12 new techniques. 

The new Cymulate attack scenarios cover the following new MITRE ATT&CK techniques:

| Technique ID | Technique Name | New Attack Scenario Name | Description |
|---|---|---|---|
| T1059.013 (Execution) | Command and Scripting Interpreter: Container CLI/API | Kubernetes - Mass Get Command Execution | Simulates an adversary executing multiple get and list commands to gather information on all resources within a namespace in containerized environments. |
| T1546.018 (Persistence) | Event Triggered Execution: Python Startup Hooks | Python Startup Hooks Backdoor | Tests the ability to detect an attacker exploiting Python’s startup hooks to create a backdoor by writing a .pth file in the directory. |
| T1678 (Defense Evasion) | Delay Execution | Dump SAM Registry Hives with Delay | Simulates an attacker employing a delay technique based on ping commands to avoid detection, specifically dumping the local SYSTEM and SAM registry keys from a system. |
| T1036.012 (Defense Evasion) | Masquerading: Browser Fingerprint | Downloader: Curl Browser Fingerprint Masquerading | Simulates an attacker attempting to blend in with legitimate traffic by using a legitimate browser User-Agent to download a single file from a specified URL to a predetermined location using curl. |
| T1679 (Defense Evasion) | Selective Exclusion | Selective Exclusion Ransomware Simulation | Simulates an attacker using malicious payloads to intentionally evade detection by creating a folder with various dummy files and encrypting them while excluding certain file types such as .dll and .exe. |
| T1680 (Discovery) | Local Storage Discovery | Local Storage Discovery | Simulates attackers enumerating local drives, disks and/or volumes and their attributes, such as total or free space and volume serial number. |
| T1518.002 (Discovery) | Software Discovery: Backup Software Discovery | Backup Software Discovery | Simulates malware or adversaries scanning Windows systems to identify backup solutions like Veeam or Acronis, gathering intelligence for potential data destruction, encryption or recovery prevention attacks. |
| T1213.006 (Collection) | Data from Information Repositories: Databases | ODBC SQL database query | Connect to the target SQL database via ODBC using given credentials and run a custom SQL query. |
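For the Python Startup Hooks row (T1546.018), a defender can check which .pth files on a host carry executable lines. The audit below is an added example, not Cymulate code or part of the original page; the suspicious-token list, the function names and the sample files are assumptions constructed for illustration.

```python
"""Audit .pth startup hooks for executable lines (added example)."""
import re
import site
import sysconfig
import tempfile
from pathlib import Path

# site.py executes a .pth line only when it starts with "import" followed by
# a space or tab; other non-comment lines are added to sys.path as directories.
EXEC_LINE = re.compile(r"^import[ \t]")

# Assumption: tokens that are unusual in the short hooks packaging tools install.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|subprocess|socket|urllib|base64|os\.system|__import__)\b"
)


def startup_dirs():
    """Directories whose .pth files the site module processes at startup."""
    dirs = set(site.getsitepackages()) if hasattr(site, "getsitepackages") else set()
    dirs.add(site.getusersitepackages())
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(str(Path(d)) for d in dirs)


def audit_pth(path):
    """Return one finding per executable line in a single .pth file."""
    findings = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if not EXEC_LINE.match(line):
            continue
        risky = bool(SUSPICIOUS.search(line)) or len(line) > 200
        findings.append({
            "file": str(path),
            "line": lineno,
            "severity": "high" if risky else "review",
            "code": line.strip()[:120],
        })
    return findings


def audit_dirs(dirs):
    """Audit every *.pth file directly inside the given directories."""
    findings = []
    for d in map(Path, dirs):
        if d.is_dir():
            for pth in sorted(d.glob("*.pth")):
                findings.extend(audit_pth(pth))
    return findings


def demo():
    """Audit constructed sample files written to a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "paths.pth").write_text("/opt/app/lib\n# plain path entry\n")
        (d / "editable.pth").write_text("import _finder; _finder.install()\n")
        # Harmless stand-in for an injected hook: the payload decodes to "pass".
        (d / "zz_hook.pth").write_text(
            "import base64; exec(base64.b64decode('cGFzcw=='))\n")
        return audit_dirs([d])


if __name__ == "__main__":
    for f in audit_dirs(startup_dirs()) + demo():
        print(f"{f['severity']:6} {f['file']}:{f['line']}  {f['code']}")
```

Findings marked "review" are common on healthy hosts, so baseline them per image and alert on new or changed entries.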

Three existing attack scenarios have been updated to simulate T1562.013 Impair Defenses: Disable or Modify Network Device Firewall with scenarios specific to cloud platforms. 

| Technique ID | Technique Name | Updated Attack Scenario Name | Description |
|---|---|---|---|
| T1562.013 (Defense Evasion) | Impair Defenses: Disable or Modify Network Device Firewall | Azure - Add Rule to Azure Network Security Group | Simulates an attacker modifying Azure network security group rules to expand access, enabling unauthorized entry, data breaches or lateral movement. Monitoring and controlling NSG changes is vital for prevention. |
| T1562.013 (Defense Evasion) | Impair Defenses: Disable or Modify Network Device Firewall | AWS - Security Group Updated to Allow Ingress for Any IP to Any Port | Simulates creation of an AWS Security Group allowing all IPs full access, exposing resources to internet threats, enabling potential unauthorized access, data breaches and exploitation of cloud vulnerabilities. |
| T1562.013 (Defense Evasion) | Impair Defenses: Disable or Modify Network Device Firewall | GCP - Firewall Rule Set To Ingress From Any IP And Specific Ports | Simulates an attacker creating a GCP firewall rule allowing global ingress traffic, exposing services to unauthorized access, exploitation and data breaches by bypassing restrictions on remote desktop or database access. |
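Detection logic for the AWS scenario above can be run over CloudTrail records of security-group changes. This is an added example, not Cymulate code or part of the original page; it covers only the AWS case, and the sample records are constructed and trimmed, with the nested "items" layout assumed from CloudTrail's AuthorizeSecurityGroupIngress records.

```python
"""Flag CloudTrail records that open security-group ingress to any address."""
import ipaddress

# Constructed records, trimmed to the fields this check reads.
SAMPLE_EVENTS = [
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-a"},
     "requestParameters": {"groupId": "sg-0aaa", "ipPermissions": {"items": [
         {"ipProtocol": "-1", "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
          "ipv6Ranges": {}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-b"},
     "requestParameters": {"groupId": "sg-0bbb", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}, "ipv6Ranges": {}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-c"},
     "requestParameters": {"groupId": "sg-0ccc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 3389, "toPort": 3389, "ipRanges": {},
          "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}}]}}},
    {"eventName": "DescribeSecurityGroups", "requestParameters": {}},
]


def covers_all_addresses(cidr):
    """True for 0.0.0.0/0, ::/0 and equivalent spellings of a zero-length prefix."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except (ValueError, TypeError):
        return False


def items(container):
    """Assumed layout: lists arrive as {"items": [...]}, empty ones as {}."""
    return (container or {}).get("items", [])


def open_ingress_findings(events):
    """Return one finding per permission that admits every source address."""
    findings = []
    for ev in events:
        if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
            continue
        params = ev.get("requestParameters") or {}
        for perm in items(params.get("ipPermissions")):
            cidrs = [r.get("cidrIp") for r in items(perm.get("ipRanges"))]
            cidrs += [r.get("cidrIpv6") for r in items(perm.get("ipv6Ranges"))]
            exposed = [c for c in cidrs if covers_all_addresses(c)]
            if not exposed:
                continue
            any_port = perm.get("ipProtocol") == "-1" or (
                perm.get("fromPort") == 0 and perm.get("toPort") == 65535)
            ports = "any" if any_port else f"{perm.get('fromPort')}-{perm.get('toPort')}"
            findings.append({
                "group": params.get("groupId"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "cidrs": exposed,
                "ports": ports,
                "severity": "critical" if any_port else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in open_ingress_findings(SAMPLE_EVENTS):
        print(finding)
```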

These new attack scenarios in Cymulate Exposure Validation are available via the “attack scenario workbench” to run as individual assessments or included in new or existing assessment templates.  

Why these MITRE ATT&CK v18 updates matter for security teams 

Running the newly released scenarios from MITRE ATT&CK v18 ensures organizations remain proactive in addressing evolving threats. These scenarios enable security teams to: 

  • Validate coverage against the latest adversarial tactics 
  • Identify and close security control gaps across endpoints, identities and cloud workloads 
  • Strengthen detection and response capabilities based on real-world attack simulations 

By continuously validating against new techniques, Cymulate helps organizations identify gaps and build resilience—while measuring validated prevention and detection in the MITRE ATT&CK heatmap. 

Unsupported MITRE ATT&CK v18 techniques

Of the 12 new techniques in v18, Cymulate does not automate validation for three of them due to environmental or ethical constraints.

  

| Technique ID | Technique Name | Reason for Unsupported Simulation |
|---|---|---|
| T1677 (Execution) | Poisoned Pipeline Execution | Requires simulation of offensive behavior specifically on application build servers. |
| T1681 (Reconnaissance) | Search Threat Vendor Data | A Reconnaissance technique that occurs before Initial Access; it is external to the organization and cannot be reproduced, prevented or detected. |
| T1204.005 (Execution) | User Execution: Malicious Library | Not recommended, as it will most likely be flagged as malicious and removed, and be unable to run again. |

What’s next in the Cymulate platform? 

Cymulate is planning future enhancements to align further with MITRE’s major change to detections. Our roadmap includes:

  • Revamping the detection validation engine to align with MITRE’s updated detection taxonomy 
  • Innovating in detection engineering to map detections to analytics and response mechanisms 
  • Expanding correlation capabilities between simulation results and SOC detection analytics 

These innovations will empower customers to transition from validation to continuous detection engineering, providing a deeper understanding of detection effectiveness and resilience. 
 

Experience Cymulate Exposure Validation firsthand  

We encourage Cymulate users to explore the new MITRE ATT&CK v18 scenarios today. Run the new simulations, review your results and work with your Customer Success Manager for guidance on optimizing your defenses or troubleshooting any issues. 
 
If you are not a customer, schedule a demo to see how you can validate your threat resilience against MITRE ATT&CK with Cymulate Exposure Validation. 

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.