Security Validation: A Deep Dive with Cymulate Field CTO, David Kellerman

In an era when cyber threats come from every dark corner at an alarming rate, staying vigilant and ahead of the adversary is a must for every organization. Implementing security validation has become a necessity and lifeline for businesses that want to take control of their security posture.
By simulating real-world attacks, you can identify vulnerabilities and test, validate and continuously improve your security controls. No matter the size or maturity of your organization, security validation adds tremendous value.
Watch this brand-new podcast with Security Ledger featuring Field CTO, David Kellerman.
Paul Roberts (Editor, Security Ledger): Hey, everybody. Welcome back to a spotlight edition of the Security Ledger Podcast. I’m your host, Paul Roberts. I’m the editor in chief here at The Security Ledger, and I’m here in the studio with David Kellerman, who is a field CTO at the firm Cymulate.
If you haven’t heard of them, Cymulate was founded by a team of former Israeli Defense Forces officers and cybersecurity researchers. And it’s a leader in what is often termed security validation. Cymulate provides services like attack surface management, breach and attack simulation, and those allow customers to assess their cyber resilience by simulating attacks to pinpoint weaknesses and prioritize remediation efforts before a real breach occurs.
David is joining us to [00:01:00] talk about the growing need for security validation technology, the challenges that companies are facing in assessing the usefulness of the cybersecurity investments they’ve made or want to make. And also, of course, given the time of year, we’re going to talk about what is coming up in 2025 for organizations when it comes to cyber risks and threats. David, welcome to Security Ledger Podcast.
David Kellerman, Cymulate: Hey, Paul, great being here and thank you for having me here.
David Kellerman’s Journey and The Mission of Cymulate
Paul Roberts (Security Ledger): It’s a pleasure. So first of all, for folks who aren’t familiar with you just talk a little bit about your security journey.
David Kellerman, Cymulate: Yeah, absolutely. My journey starts at a, of course, in the Israeli military, like many Israeli cybersecurity professionals going through different vendors, system integrators, implementing a lot of solutions. And having a chance to work with many organizations worldwide through my career until I finally landed at Cymulate and made my way up from a security advisor to being right now at the role of [00:02:00] a field CTO reporting to our CTO and co-founder.
Cymulate’s mission is to empower security teams with the ability to validate and optimize their security controls and do that continuously. Where we actually started from is basically where a, our founders were working for an advisory firm. Part of the services they were providing there is like red teaming and a penetration testing services. And the founders working together thought, why won’t we automate that process? Why won’t we have a platform to do it continuously automatically, it will be scalable. It will be efficient. And they started with the very basic concept of sending emails and monitor which malicious emails that were sent from outside are being received inside. And that was the first simulation of Cymulate. From that moment on, we scaled from email to endpoint security to web gateway to data exfiltration.
So the main goal is to allow security professionals and security engineers to continuously simulate attacks in [00:03:00] their environment to validate their security controls to really ensure that the security controls they put in place are not only there, but they are there protecting them.
You have vulnerability scanners today on the market to scan for vulnerabilities. You have CSPM solutions to validate your cloud security posture to ensure the configuration for the cloud are as you expect, and according to the best practices, but without breach and attack simulation, you don’t have anything to validate your security controls. And all the solutions I mentioned before, they are great, they are required, but they are not helping with that area of validating that your security controls are really performing as you expect. And that’s exactly where Cymulate comes in.
The Core Technology of Cymulate
Paul Roberts (Security Ledger): If you had to characterize the core technology that Cymulate has, your sort of “superpower,” what would that be?
David Kellerman, Cymulate: I think it’s the ability to really provide the business, the organizations from the executives to the engineers, the full visibility of how [00:04:00] secure I am, where I’m most vulnerable. Think of some sort of like X-ray that goes through your entire body and tells you where you have different health issues. It’s similar to that in the concept that tries to target you through the entire attack kill chain and tells you, Hey, I tested that much attacks on the email gateway, on the egress channel. You’re doing well. On the exfiltration channel, you definitely need to invest more. So we allow the engineers in a very tactical level to understand what they need to configure better, but on the other hand, to the executives, we’re allowing also to be able to, I would say, quantify their security and understand how would they are monitoring progress over time. And we stopped speaking about security in, I would say, technical operational terms: “Okay, I deployed a security solution.” We started speaking how effective my security is. Which is much more valuable ’cause you don’t measure, I would say, [00:05:00] existence of security control. You measure the efficacy of the security control.
Paul Roberts (Security Ledger): That’s a super important distinction because, as it stands, companies invest in cyber security solutions based on a set of features that are promoted to them. But that doesn’t necessarily mean they’re gonna implement those features or maximize them within their organization to actually get the full benefit of the product. So it’s a super important issue, but how do you measure the effectiveness of let’s say a web application firewall or EDR solution? From Cymulate’s standpoint, how does that work?
David Kellerman, Cymulate: Yeah, that’s a great question. Traditionally security assessments and audits are going and reviewing configurations, literally reading the configurations and tell you, “Hey, here, you didn’t check that box.” Cymulate takes a slightly different approach, which we call it the “Real Life Test.” There could be many things configured on the dashboard of a certain solution, but what we test is eventually [00:06:00] what happens in reality. And the way we do it is let’s take the WAF for instance. So in some of this WAF simulation, what we’re going to do is we’re going to target your website with potentially, with thousands of different payloads from an OWASP Top 10 list.
It could be SQL injection, could be cross site scripting, the command injection, even log4j payloads are there. So you can also validate how effective your WAF is against these ones. Now, our main goal in this simulation will be to send these payloads as an attacker would do and reflect to you back whether it triggered a response from your web application firewall or not.
Eventually, you will get at least aggregated by categories, but also with a drill down to the payload level that tells you, hey, cross site scripting, you prevented 70 percent; SQL injection, only 50 percent of the payloads trigger the block on your WAF. And that way you can start analyzing these results and understand where you need to improve.
So it could be on a category level, it could be [00:07:00] more on a payload level. There are many different optimization methods. But our main goal is eventually to help our clients and to help their organizations to understand what exactly they need to improve, not by reviewing configuration, but literally simulating effects within their environment.
Streamlining Exposure Management with Validation
Paul Roberts (Security Ledger): Cyber risk management is, it’s just a huge area of focus and investment for organizations.
There’s also the concept of exposure management, right? Which is more pointed — how are you most likely to be attacked?
How are the current conversations about those things? Because obviously, it’s a big focus of investment and interest and yet we still see a lot of successful attacks. So it suggests that companies are not doing as much as they should be doing or are not investing in a way that is as effective as it should be.
David Kellerman, Cymulate: Initially, the risk management approach is a very complicated task when speaking of cyber security. Especially that there are so many sources and so many assets and [00:08:00] so many security tools to work with that all of them generate for you a lot of exposures that you as a security practitioner or executive need to deal with.
It could be something coming from your cloud environment, from your vulnerability scanner, from your EDR. And what do I do? How do I manage all that risk? The good news are that on last year Gartner came out with a very good approach called CTEM, the Continuous Threat Exposure Management Program where they actually suggest organizations to follow a very structured flow of exposure management.
Now first of all, I would say that the first thing that I would say change there is the terminology. We’re not speaking anymore in vulnerabilities or misconfigurations. We put it all in the same basket called exposures. Once we put this all in the same basket called exposures, and we treat all these exposures according to the same measures, we can start comparing different, I would say, exposures from different languages.
What’s more critical, a CVE, a vulnerability on one of my servers, or an exposed S3 bucket on [00:09:00] the cloud? How can I compare them when they’re speaking completely different languages? CVEs have CVSS, the cloud exposure have different thing. And how we put it all together: prioritize, validate, and then mobilize our teams to really take action against all this?
And I think that this is exactly where Cymulate, and also speaking of 2025 and what’s upcoming next year from Cymulate’s side, is basically where Cymulate really kicks in that context of, first of all, being able to gather these exposures, but also add a very important phase, which is the validation.
If we go to the log4j vulnerability, so many organizations rushed to patch different production servers, different production applications. Why? Because it was very noisy. It was very critical vulnerability and it was important. However, it’s not best practice to rush and patch your production servers that fast and without proper validation, without proper testing. What if I [00:10:00] told you that before doing that, you could implement a very simple WAF rule to basically have your WAF protect you against potential exploitation of that. And then you could also validate that and see that, hey, log4j builds are not passing through my WAF anymore. And maybe it would allow you to take some time, do your tests, go ahead and patch that.
Now that’s a single example, but think of it in scale. You have so many vulnerabilities. How many of them could be virtually patched by compensating security controls? How many of the priorities you have could potentially be changed knowing that there is a security control compensating over that.
So once you have the validation capability to really test your security controls with the associated techniques of that exposure, it could completely change the priority and the way you look at these exposures. And that’s something that we really see to do that question about the [00:11:00] exposures and how it evolves these days.
Paul Roberts (Security Ledger): Obviously in cybersecurity, what drives a lot of investment, and a lot of research and innovation are what the bad guys are doing, threats and attacks. As you look at the threat landscape what changes have you seen that make this focus on efficacy much more important?
David Kellerman, Cymulate: Yeah. So I think that it ties back to the fact that measuring your security by implementation or by deployment is not valid anymore. I would say there is like one. I remember when I’ve been a system integrator deploying an endpoint security solutions. I remember the CISO was asking me as an integrator.
“Hey, David, how many machines are covered?” And that was like his biggest concern. He never asked me, “Hey, David, how effective my endpoint security is?” Never. I think that there are many things that evolve on the attacker [00:12:00] side but the main weakness I would say of the security teams is that it is the false assumption that having security controls means your security is under control. It doesn’t mean your security is under control, and that’s a very key thing.
Now, to the attackers, doing cyber security, generating and creating cyber security threats has never been easier. We’re today in the era of AI. Every script kiddie can now generate a very sophisticated thing, can literally deploy that. And besides that, the threats also evolved to new environments like cloud environments, Kubernetes environments, and new technology stack that the security teams really struggle to keep up with.
It just, it’s anyway hard to find experienced and professional security personnel. So now as the technology evolves, the security teams need to keep up faster with new threats in new environments. That is challenging. And that again, takes us to the need to be sure that [00:13:00] what you put in place really protects you and not just there because it has to be.
Powering Attack Simulations with Real-Time Threat Intelligence
Paul Roberts (Security Ledger): One of your, one of Cymulate’s key capabilities, like you said, is this attack simulation capability, the ability to show how your clients be able to simulate an attack by a malicious actor. I’m really interested in that.
Obviously, you need a lot of threat data on how attacks play out in order to fuel those simulations. How does that work behind the scenes? What does Cymulate use to inform or structure these simulations? Where do you get your attack data from?
David Kellerman, Cymulate: So first of all, that’s a great question. And honestly, it’s a pretty common question because our clients want to know how can we ensure that if we work with you, we’re always have the latest threats and we can really be sure that we are up to date with our simulations.
So first of all, behind the scenes time that they hire us a dedicated [00:14:00] research team that all its goal is research is find out what’s the latest thing that happening behind the scene. These researchers are former red teamers. They are malware analysts. They’re threat intel analysts that all their, like day job is literally a go and browse through all the relevant dark places where they need to find out the interesting stuff. Now there is a combination, of course, we will, we need to scale. So there is a combination of manual seeking for the next new interesting stuff that is somehow a hidden in some dark place. But we also work, of course, with automated and big scale threat sources. Besides that, I would say that we’re also fully aligned with all the relevant agencies that are publishing threats.
Yeah, there is the ongoing hunting for threats, but we also fully aligned and allow our clients to immediately validate things, for instance, published by CISA, by the cyber security agency of [00:15:00] the United States. So when they publish a new threat alert, hey, there is a new threat targeting organizations. Here are the IOCs. Here are the TTPs. Cymulate will within 24 hours respond to this CISA alert and upload a relevant threat for our clients to validate it. So the actual effort here is a combined effort from having a streamline of known threat intel plus manual research by our researchers and malware analysts, and of course, following relevant agencies in the geographies that we worked with to really comply with the national standard and the latest threats that interest them.
AI’s Impact on Cybersecurity
Paul Roberts (Security Ledger): So you mentioned AI and machine learning, obviously a huge kind of transformative technology. I’m interested in your thoughts on how that is affecting the threat landscape, and also how Cymulate does its job both from the attack simulation standpoint, but also just how it empowers your platform. And are there other technologies, I don’t know, internet of things or other things [00:16:00] that you see really changing the threat and risk landscape, not only in 2025, but, looking out a few years,
David Kellerman, Cymulate: So I think that just as I mentioned, the first impact of AI I would say the most immediate suspect as an impact on the AI of the AI and the cybersecurity domain would be the fact that now everyone can be hacker and very easily. Really, it’s ridiculous how easy it is.
Paul Roberts (Security Ledger): No coding necessary!
David Kellerman, Cymulate: Not at all. And even if it’s necessary, it’s anyone can code now. Yeah. Hey, or what you need to do is just to validate that it really does what you want to, but you didn’t really write one line of code. So absolutely.
So that’s the immediate thing. And I would say that the same AI engine in the hands of an expert is much more powerful than in the hands of a script kiddie. I mean, I see how professionals use AI. It can scale up things that the professional would take one week, one year to do it, can scale it up and shorten timeframes tremendously. So first [00:17:00] thing is that it’s crazy how it can have organizations and threat actors to generate threats continuously. Things that took them long time before happens within a couple of minutes now.
So I think there’s one critical thing. Second critical thing when looking at AI is basically that organizations adopt AI and introduce a lot of risks associated with the AI. If in the past we were concerned about how do we protect our web application or how do we protect our database? Now we’re also concerned how do we protect our AI engine?
How we ensure that our AI engine will not expose sensitive data it shouldn’t. How do we ensure our AI engine will not get a command to delete the entire database it has behind the entire model and why follow our data. So these are just a couple of examples and there are so many more, but there is definitely a challenge in actually protecting them.
And that segues me to the fact to where [00:18:00] Cymulate comes in. And usually Cymulate comes in where a security control comes in. We’re in a pretty early stages of seeing security controls to protect AI environments, AI chatbots, AI models in general. We start seeing more and more startups develop to literally protect this thing called AI.
We see now AI firewall which aims to protect the AI from accepting illegal requests or from sharing illegal content that it should not share, some sort of DLP on the other side. And the more we will see security controls and threats associated with that, Cymulate will also, of course, simulate attacks associated with that, just as we do with all the different other security controls. Maybe last note into how Cymulate leverage that. And I think it’s a super cool. Cymulate, of course we really jumped on that way of leveraging AI. We today leverage AI for multiple things, first of all. And I think this I will go with the most interesting one because there are many [00:19:00] implementations, but the most interesting one is that today we have security teams want to validate themselves, their security controls against a particular new threat.
Today you need a team of researchers to analyze that threat, understand what TTPs are there, implement it in the Cymulate platform, and then launch that. Instead of doing all this process, what you can do now is to take this threat, it could be a URL, it could be free text of what threat you want to validate, you put it into Cymulate’s AI attack planner, and the AI attack planner of Cymulate will automatically generate for you that attack for simulation.
So I think that could take a couple of hours. You can now just give us a URL. We will read through, analyze that, generate an assessment for you, ready to use, you can now go ahead and simulate that within seconds, so that’s just one thing, but just to show how big that thing could be when it’s done properly and in experience a professional hand.
Ensuring Security Investments Deliver Results
Paul Roberts (Security Ledger): One of the things that Cymulate really does is [00:20:00] to assess the effectiveness of, security investments, technologies that you may have purchased, or maybe considering purchasing. Do you see your company’s technology playing a role in that?
David Kellerman, Cymulate: Yeah, absolutely. The initial use case of Cymulate is, of course, to do the security control validation. But once you’re already a Cymulate consumer or a Cymulate user you work with that. So every time a, our clients need to evaluate a new technology before getting it in.
And it goes back to what was assessed in the past. If you want to deploy a new EDR, for instance, or a new DLP. In the past, what your organizations would evaluate is is it, does it work? Is it easy to manage? But they never evaluated the efficacy of that. How can I be sure that EDR is the best in detection, best in prevention?
It was not, it was usually not part of the scope. And yeah we definitely participate in a lot of assessment processes where companies consider to acquire another solution or to move on with that solution or do some due diligence just to [00:21:00] ensure that they are with the best and it fits to their needs.
So, Cymulate plays a role there by help validating and answering that. Taking it to slightly more a broad view is also where organizations, for instance, acquire another company as a position in target position, and they want to do some assessment.
How good the security is there, how effective the security controls are there, or even just third-party supplier assessment. They want to assess their supplier that supplier has best practices and implemented and they’re protected against ransomware.
They’re protected against many techniques. So that’s another place.
Paul Roberts (Security Ledger): You look at the Change Healthcare hack in the United States, United Healthcare bought Change Healthcare, and then boom, this huge and,
David Kellerman, Cymulate: which is, by the way, a reference I use often a bit because I looked into that threat pretty deep. And after looking into that I found on YouTube a very short part from the hearing in the Senate, [00:22:00] I think Andrew Witty, I think he was the CEO of the group. And he was saying that, uh, Change Healthcare was recently acquired and they are still investigating why a security control, which is MFA in that case, was not applied to a particular server. And I use this as a reference. I tell it to the audience when I present it: You understand what happens here? A CEO sits in the Senate, explains why security control was not in place. This is the gist of Cymulate: that you don’t sit there and explain why you didn’t have a security control because you validated and you knew that.
Maximizing Security Tools: Beyond Default Configurations
Paul Roberts (Security Ledger): Bad guys keep changing up what they’re doing. They’re very innovation focused and the industry tries to respond to that. But practically for companies, that’s just constant pressure to invest in new technology. New solutions. In your experience, most of the companies that Cymulate works with, do they have the tools that they need to adequately secure their IT infrastructure and their intellectual property? Have they already made the [00:23:00] investments, it’s just about maximizing them? Or are there gaps?
David Kellerman, Cymulate: The vast majority of the organization have exactly what they need. Of course there are some organizations that don’t but it really depends on the maturity level of that organization. But if I would take the average match average mature organization, yes, the answer is that 99% of them have whatever they need.
The challenge that sometimes they have more than what they need. And sometimes too much security is too complex to manage. And then you generate a lot of I would say blind spots because of a lot overlapping. So to the initial question. Yeah. I think that most organizations have what we need.
They need, I think that still breaches occur because these tools are either not optimized the proper way or because of different blind spots that we’re not aware of, or they were assuming that this thing is covered by another control, but in fact, it was not covered by that control. I always say in [00:24:00] a common question of being asked, Hey, David, you work with so many organizations and you assess. They all are good. I see organizations with the same CrowdStrike, with the same Defender, with the same Trend Micro, SentinelOne, Palo Alto. I mentioned them all just so no one gets offended that they didn’t get mentioned.
But the point is that all of these solutions are great.
I see organizations that great, amazing results with blocking threats with all these solutions. And I see organizations with exactly the same solutions, getting terrible results in local threats. So it’s not about a solution. The solutions on the enterprise level, they’re all good. It’s more about how do you work with them? Why do you optimize? And maybe as one statement like to the audience that might listen to that, don’t rely on the default configurations. I think that these vendors will tell you this as well. We provide you with different configurations. These are another best practices. Go ahead and optimize them. And that’s a common mistake that organizations tend to work with default policies [00:25:00] in certain areas. And the default is not the best. And the vendors will also back that statement.
Security Drift: How Minor Changes Lead to Major Risks
Paul Roberts (Security Ledger): Security drift is a term that gets thrown around a lot, and I wanted to see if you could, for our audience, explain this concept of security drift. What is it and why should they be worried about it?
David Kellerman, Cymulate: I would like maybe to demonstrate a concept of security drift, but with a real story we had with one of our clients. That’s a big finance organization. They deal with both insurance and investment. And they are our client for a couple of years. And one of the assessments they do, they’re continuously trying to validate their web gateway. Uh, and whether their web gateway is blocking download of malicious files from the internet.
They have a great enterprise level web gateway, does amazing job throughout the years. And then one day, they run this assessment for trying to download files weekly, and then one week suddenly they saw that from 0% of penetration, they got to 100% of [00:26:00] penetration. Pretty odd. They were quite worried. Of course, the first suspect was Cymulate. “Hey, you report wrong information.” But then we went into some analysis together. First, we managed to prove that the files are actually being downloaded. And then the team that works with us approached their administrators from the Web Gateway to ask for some clarifications.
Okay. They presented our results and they did some internal investigation. What they found out is that a couple of days before there was a project going on to implement a new application, a new publicly facing application, and that application for its operation, required free access to S3 buckets to storage of Azure, which is one of the sources that we use to download the files.
So during this implementation of that client’s application, they literally created a rule to bypass anything comes from S3 buckets from AWS, which is a trusted source in general, but it doesn’t [00:27:00] mean that the people who use that will put trusted files in it. And during this simulation, we actually found out that a project not related to security at all managed the system administrator to change the rule that introduced a huge risk to the business.
And this is one example of a drift because the environments we live in are dynamic environments. These are live environments, policies change, things change all the time, and drift monitoring is exactly the case where you had a something, a security configuration, you was in a security place and it suddenly becomes exposed. That’s drift detection. And that’s one example, but you can, of course, reflect that on any security control on any type of configuration, etc.
Paul Roberts (Security Ledger): And how many stories have we read about exposed, AWS, S3 storage buckets where, you know, when you dig into the story, it’s Oh yeah, it was, it hadn’t been exposed, but then, this happened and it was exposed and they didn’t realize it. And then, hopefully a security researcher found it, but often not a [00:28:00] security researcher, a bad guy.
David Kellerman, Cymulate: I’ve done so many projects, so I even know, how often that happens that we need to download something, we need to access some server, and then we say, okay, let’s just open it. Let’s just give full control. Let’s make it work. Then we lock it down. But then no one locks it down.
Paul Roberts (Security Ledger): Forgot. Sorry.
David Kellerman, Cymulate: Exactly.
In 2025, Cymulate drives risk management forward
Paul Roberts (Security Ledger): Final question is what’s coming up in 2025 from Cymulate, what should we be looking for?
David Kellerman, Cymulate: I think the world and also the breach and attack simulation goes towards a more holistic approach of exposure management. We now understand that the misconfigured security control and a vulnerability and a misconfigured cloud asset, there are all one of many exposures that we have, and organizations have so many exposures coming from so many sources, and they need, first of all, one place to see them and one language to speak all across the board to be able to see everything in a single pane of glass, but also create common language to actually prioritize and understand what’s important for me. And again, as the example I [00:29:00] gave before, what’s more critical, to patch my server or to lock down my S3 bucket on the cloud? It’s not comparable when you use the different terms of high severity there and CVSS score 5 here. What’s higher, high or five? It’s not the same. Now Cymulate goes towards that area where Cymulate aims to help organizations to prioritize their exposures by collecting them, generating from the various sources, generating a common language of exposure with a common risk that allows you then to create better prioritization and uniform prioritization all across the board.
The secret sauce of Cymulate in that case, I would say, is the ability to validate, to also correlate the different exposures with the compensating controls and tell you, like the example with the log4j: Hey, that particular log4j, it is exposed. You have a vulnerability on that server, but your WAF prevents [00:30:00] that Log4j payloads, so you have a compensating controls that can buy you some time and give you some grace before you rush to patch your server and that way, maybe you can find out that you have something more critical to take care of, because there you don’t have a compensating control. In 2025, we expect to go more towards exposure management and validation approach, and what we’re looking for.
Paul Roberts (Security Ledger): David Kellerman, Field CTO at Cymulate. Thank you so much for being a guest on the Security Ledger Podcast. We’ll have you back, and thanks so much for coming in and talking to us about Cymulate.
David Kellerman, Cymulate: Thank you!
Narrator: If you like what you heard, subscribe to The Security Ledger podcast. Visit Security Ledger Dot Com Slash subscribe or use your favorite podcast app, including Spotify, Apple Podcasts and more!