Frequently Asked Questions

Product Overview & Technology

What is the Cymulate AI Copilot and Dynamic Attack Planner?

The Cymulate AI Copilot and Dynamic Attack Planner are advanced features within the Cymulate platform that leverage large language models (LLMs) and automation to help security teams simulate real-world cyberattacks. The Dynamic Attack Planner was initially developed to improve internal efficiency for Cymulate's research team and is now available to customers, enabling them to easily create, customize, and execute complex attack scenarios for security validation and training.

How does the Cymulate AI Copilot use AI and LLMs to build attack simulations?

The Cymulate AI Copilot uses large language models (LLMs) to analyze user prompts or articles, extract relevant attack use cases, and match them to thousands of atomic breach and attack simulations in Cymulate's database. It then chains these simulations together using a graph database and LLM ranking to create logical, realistic attack scenarios that mirror real-world adversary behavior. This process automates what was previously a manual, time-consuming task for security teams.

What are "atomic breach and attack simulations" in Cymulate?

Atomic breach and attack simulations are individual, automated security tests that mimic specific attacker tactics or techniques. In Cymulate, these can be executed independently or chained together to form complex, multi-step attack scenarios that reflect real-world threats such as advanced persistent threats (APTs) or ransomware campaigns.

How does the Dynamic Attack Planner assemble attack chains?

The Dynamic Attack Planner uses a combination of LLMs, a graph database, and a process called "enrichment" to map user requests to relevant attack actions. It identifies the logical sequence of steps an attacker would take (e.g., credential dumping before lateral movement) and finds the shortest path between required actions, assembling them into a coherent, executable attack chain for security validation.

What is the "enrichment" process in Cymulate's AI Copilot?

Enrichment is a process where each attack simulation (execution) is annotated with additional metadata describing the actual action performed. This enables more accurate matching between user requests and available simulations, improving the relevance and effectiveness of automated attack scenario generation.

How does Cymulate's AI Copilot improve efficiency for security teams?

By automating the analysis, extraction, and assembly of attack scenarios, Cymulate's AI Copilot significantly reduces the manual effort required from security teams. The research team previously spent 80% of their time on these tasks; with the AI Copilot, much of this work is automated, allowing teams to focus on higher-value activities like response and remediation.

What is the role of the Cymulate research team in attack simulation content?

The Cymulate research team is responsible for creating, updating, and maintaining the library of attack simulations and advanced scenario templates. They ensure that the platform reflects the latest attacker tactics, techniques, and procedures, so customers can test their defenses against current threats.

How does the AI Copilot handle user prompts for attack simulation?

When a user submits a prompt (such as a text description or article), the AI Copilot disassembles it into individual attack use cases, finds suitable executions for each, and chains them together using a story-based approach and graph database logic. The result is a tailored, executable attack scenario that matches the user's intent.

What is the current availability of the Cymulate AI Copilot?

The Cymulate AI Copilot is currently in beta, with general availability planned within 30 days of the last update (May 8, 2025). Interested users can request a demo to see the technology in action.

How does Cymulate ensure attack simulations reflect real-world threats?

Cymulate's research team continuously updates the attack simulation library with the latest methods, techniques, and tactics used by threat actors. This ensures that simulations are relevant and effective for testing defenses against current and emerging threats.

What is the benefit of chaining executions in attack simulations?

Chaining executions allows Cymulate to simulate complex, multi-stage attacks that more accurately reflect how real attackers operate. This provides a more thorough test of an organization's security controls and helps identify gaps that single, isolated simulations might miss.

How does the AI Copilot help with blue team training and SOC optimization?

The AI Copilot enables blue teams and SOC analysts to easily generate and run attack scenarios for training, detection tuning, and validation of security controls. This helps teams stay prepared for real-world threats and optimize their detection and response capabilities.

What is the "story" concept in Cymulate's attack scenario assembly?

The "story" concept refers to the logical flow of attack steps, where each use case is connected in a sequence that mirrors real attacker behavior. The AI Copilot uses LLMs to create these stories, ensuring that each step in the attack chain is contextually relevant and necessary for the scenario.

How does Cymulate's AI Copilot rank and filter attack scenarios?

After generating possible attack chains, the AI Copilot uses LLMs to rank each scenario based on how well it matches the user's original prompt. Scenarios that do not align with the intended use case are filtered out, ensuring high relevance and accuracy in the final output.

What is the main advantage of using LLMs in attack simulation planning?

LLMs enable Cymulate to interpret natural language prompts, extract relevant security actions, and intelligently assemble attack scenarios that would otherwise require significant manual effort and expertise. This makes advanced security validation accessible to a wider range of users.

How can I request a demo of the Cymulate AI Copilot?

You can request a personalized demo of the Cymulate AI Copilot and Dynamic Attack Planner by visiting the Cymulate demo page.

Where can I find more technical details about the Cymulate AI Copilot?

For an in-depth look at the technology behind the Cymulate AI Copilot, you can read the blog post "The Technology Behind the Cymulate AI Copilot" on the Cymulate website.

How does Cymulate support custom attack scenario creation?

Cymulate's AI Copilot allows users to input custom prompts or articles describing specific attack behaviors. The platform then automatically generates tailored attack scenarios, enabling organizations to test their defenses against threats relevant to their environment.

What is the future roadmap for the Cymulate AI Copilot?

Cymulate has indicated that the AI Copilot is just getting started, with ongoing development and new features planned for future releases. Users are encouraged to stay tuned for updates and enhancements.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

How does Cymulate use AI and automation in exposure management?

Cymulate leverages AI to simplify threat exposure validation by running intelligent breach and attack simulations that map to threats and detection rules. Automation ensures continuous testing, integrates with existing workflows, and provides automated control updates and remediation guidance, reducing manual effort and improving resilience. Watch the AI-Powered Exposure Validation for Complete Cybersecurity Control video.

What integrations does Cymulate support?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit our Partnerships and Integrations page.

What compliance and security certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. Learn more about security at Cymulate.

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configuration. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface. Support and educational resources are available to help users get started quickly.

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its ease of use, intuitive dashboard, and actionable insights. Testimonials highlight the platform's user-friendly design, accessible support, and immediate value in identifying security gaps and mitigation options. Read customer stories.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. Learn more about roles.

What problems does Cymulate solve for security teams?

Cymulate addresses challenges such as fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges. The platform provides unified, automated, and actionable solutions for these pain points.

How does Cymulate help organizations prioritize exposures and vulnerabilities?

Cymulate validates the exploitability of exposures and ranks them based on prevention and detection capabilities, business context, and threat intelligence. This helps organizations focus remediation efforts on the most critical vulnerabilities.

What measurable outcomes have customers achieved with Cymulate?

Customers have reported up to an 81% reduction in cyber risk (Hertz Israel, four months), a 52% reduction in critical exposures, a 60% increase in team efficiency, and a 20-point improvement in threat prevention. See case studies.

Are there case studies showing Cymulate's impact?

Yes. For example, Hertz Israel reduced cyber risk by 81% in four months, and a sustainable energy company scaled penetration testing cost-effectively. More case studies are available on the Cymulate customers page.

How does Cymulate support different security personas?

Cymulate tailors its solutions for CISOs (metrics and risk communication), SecOps (automation and efficiency), red teams (automated offensive testing), and vulnerability management teams (in-house validation and prioritization). Each persona benefits from features designed for their specific needs.

How does Cymulate help with cloud security validation?

Cymulate integrates with cloud security tools like AWS GuardDuty, Check Point CloudGuard, and Wiz to validate cloud and hybrid environments, automate compliance testing, and address new attack surfaces introduced by cloud adoption.

How does Cymulate help organizations recover after a breach?

Cymulate enhances post-breach visibility and detection capabilities, replacing manual processes with automated validation to ensure faster recovery and improved protection. See the Nedbank case study.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, schedule a demo with the Cymulate team.

Competition & Differentiation

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 validation, AI-powered optimization, complete kill chain coverage, ease of use, and a large, frequently updated threat library. It delivers measurable outcomes such as reduced exposures and increased efficiency. See Cymulate vs. competitors.

What are Cymulate's advantages for different user segments?

CISOs benefit from quantifiable metrics and risk communication, SecOps teams gain automation and efficiency, red teams access automated offensive testing, and vulnerability management teams get in-house validation and prioritization. Cymulate tailors its platform to each persona's needs.

Resources & Support

Where can I find Cymulate's Resource Hub?

The Resource Hub contains insights, thought leadership, and product information. Access it at https://cymulate.com/resources/.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting the Cymulate blog for the latest threats and research, and the Newsroom for media mentions and press releases.

Where can I find events and webinars hosted by Cymulate?

Information about live events and webinars is available on the Events & Webinars page.

Where can I find a blog post about preventing lateral movement attacks?

Cymulate has a blog post titled 'Stopping Attackers in Their Tracks' that discusses lateral movement attacks and prevention strategies. Read it on the Cymulate blog.


The Technology (and Story) Behind the Cymulate AI Copilot and Dynamic Attack Planner 

By: Sasha Gohman

Last Updated: May 8, 2025


The Cymulate Research Team is tasked with providing attack simulations on demand for more than 600 customers. In doing so, we noticed a pattern: Most requests revolve around articles customers find about APTs, malware, or ransomware behaviors, and they come to Cymulate for help to simulate these attacks. 

Our researchers spent 20% of their time creating new content based on these customer requests. However, a significant 80% of their time was consumed by analyzing the articles, extracting crucial information, and building advanced scenario templates that align with the requests. 

Given the rapid advancements in Large Language Model (LLM) technology, we saw a precious opportunity to leverage this technology for our use case. The journey was complex, and the process itself was challenging. However, with strong motivation and dedication, we believe anything is possible.

From Internal Efficiency to Industry-first Dynamic Attack Planner 

The dynamic attack planner in the Cymulate AI Copilot began as an internal initiative for our research team, initially aimed at saving time. Due to its remarkable results, we decided to make it public. The attack planner simplifies life for blue teams and security professionals by providing unprecedented ease in simulating attacks. It offers a significant advantage to our customers, enhancing their use of our product and Breach and Attack Simulation (BAS) capabilities in their daily routines. Whether it’s training blue teams for potential attack scenarios, optimizing SOC detection abilities, interpreting lengthy articles into actionable attack sequences, or testing the efficacy of their security controls, this tool makes it all possible with a high degree of efficiency. 

Background on Cymulate Breach and Attack Simulation Advanced Scenarios 

First, we need to introduce Cymulate and its capabilities. Cymulate Breach and Attack Simulation offers Advanced Scenarios. These automated assessment templates are designed to simulate complex and sophisticated cyberattacks, such as advanced persistent threats (APTs), with real-life attack chains that mirror the exact tactics and techniques used by attackers. These scenarios allow for highly customizable assessments, enabling users to tailor simulations to their specific needs to test how their security controls will respond.

Cymulate Advanced Scenarios has two main capabilities:  

  1. Simulating atomic breach and attack simulations (let's call them executions), and  
  2. Chaining one attack simulation to another using a concept where the output of one execution becomes the input for the second (let's call them Chained Executions). 

The content, executions and templates are provided by our dedicated Cymulate research team, which constantly updates our attack simulations with the latest methods, techniques and tactics used by threat actors. 

How It Works 

Let's dive into how the AI Attack Planner works – from data prep to assembling the chained executions into customer-ready security assessments.

Data Preparation: The first step in using AI is to get your data ready. Our execution database consists of thousands of attack methods, each with its own input and output arguments. Initially, we save the executions and their metadata (name, description, running code) into a database and run a process called "Enrichment." This process adds another layer of metadata representing the actual action being performed by the execution. For example, the "Nmap: Ping Sweep Scan" execution is translated into four different enrichment action types: 

  • A scan is performed to identify active devices by sending pings to a range of IP addresses 
  • Active hosts are detected by pinging a range of IP addresses to see who responds 
  • Pings are sent to multiple IP addresses to find out which devices are online 
  • The system checks which IP addresses reply to pings to identify active hosts 

Embedding: In the next stage, we run a process called embedding, which uses the "ADA 2" encoder to create a vectorized form of the name, description and action enrichment. This embedding process is later used by our cosine similarity-based algorithm to match specific actions or use cases to a list of potential executions that provide this kind of behavior. 

For example, "scan network for a host" translates to ten different executions that scan the current network for hosts. This method is common and used by many vendors for text similarity search tasks. During our research, we found that most user prompts/requests focus on an action rather than a specific product (e.g., "dump credentials" rather than "use Mimikatz to dump credentials"). This process significantly improved our search capabilities and our matching of use cases to executions, enhancing our results.
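The effect of enrichment on action-based matching, as an added example that is not Cymulate's code: a bag-of-words term-count vector stands in for the "ADA 2" encoder so the block runs offline, and the second catalogue entry, the stopword list and the query are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed catalogue: execution name -> enrichment action sentences.
# The ping-sweep sentences are the ones quoted in the post; the second
# entry is hypothetical.
CATALOGUE = {
    "Nmap: Ping Sweep Scan": [
        "A scan is performed to identify active devices by sending pings to a range of IP addresses",
        "Active hosts are detected by pinging a range of IP addresses to see who responds",
        "Pings are sent to multiple IP addresses to find out which devices are online",
        "The system checks which IP addresses reply to pings to identify active hosts",
    ],
    "Archive Collected Files": [
        "Files in a directory are compressed into a single archive",
    ],
}

# Constructed action-style request that names no product.
QUERY = "find out which devices are online"

STOPWORDS = {"a", "an", "the", "is", "are", "to", "of", "by",
             "in", "into", "out", "who", "which"}


def embed(text):
    """Stand-in for the encoder: term counts over non-stopword tokens."""
    words = re.findall(r"[a-z]+", text.lower())
    return Counter(w for w in words if w not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity of two sparse term-count vectors."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def score(query, name, use_enrichment=True):
    """Best similarity between the query and any text stored for an execution."""
    texts = [name] + (CATALOGUE[name] if use_enrichment else [])
    q = embed(query)
    return max(cosine(q, embed(t)) for t in texts)


def rank(query, use_enrichment=True):
    """Executions sorted by descending similarity to the query."""
    scored = [(score(query, n, use_enrichment), n) for n in CATALOGUE]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    print("with enrichment:   ", rank(QUERY))
    print("without enrichment:", rank(QUERY, use_enrichment=False))
```

With names alone the request matches nothing, because it shares no terms with "Nmap: Ping Sweep Scan"; the enrichment sentences are what make the execution findable by its action.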

AI Ranking: After developing an accurate search engine, we recognized room for improvement and decided to use AI. With a use case ("use Nmap to scan the network") and ten execution options, we use an LLM to rank each execution based on how well its behavior fits the use case.  

This approach yielded amazing results and was a crucial breakthrough in this project. 

Chaining Executions: Now we start the interesting part: Creating a set of chained executions representing an attack scenario built from a combination of the identified use cases. Essentially, we mimic the logical sequence of actions a normal attacker would perform. For example, to execute lateral movement, one would need credentials/tokens/tickets. If a user's prompt is "create an attack simulation that performs lateral movement using WMI," we assume the need for a basic execution of "lateral movement using WMI" and chain it with prerequisites like credential dumping (to obtain user credentials) and finding a host with an open WMI port. 

To solve this problem, we created a concept called stories. From the previous section, you might remember we had single use cases ready. Now, we use them in story form, using an LLM to create a set of mini stories with logical connections. For example, with the prompt "create an attack simulation that performs lateral movement using WMI," we would have a story representing "credential dumping followed by lateral movement using WMI." It adds credential dumping as a prerequisite since lateral movement requires credentials.

We upload all our execution data to a graph database, define the initial credential dumping execution as the start node and the lateral movement execution as the end node, and then ask the graph to find the "shortest path" between them. Finally, we use an LLM again to rank how precisely the chained scenario matches its original use case, filtering out attack chains that completely mismatch the user's original prompt. This approach also allows our AI to be more or less creative, which is a neat feature.
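The chaining step as an added sketch, not Cymulate's implementation: an in-memory graph replaces the graph database, an edge is assumed to exist when one execution's output type is another's input, and all execution names and argument types are hypothetical. It goes one step beyond the post by also checking which inputs the shortest path leaves unsatisfied, since a path only guarantees that each hop shares one argument.

```python
from collections import deque

# Constructed catalogue: names and argument types are hypothetical.
EXECUTIONS = {
    "Dump Credentials": {"in": set(), "out": {"credential"}},
    "Ping Sweep Scan": {"in": set(), "out": {"live_host"}},
    "Find Open WMI Port": {"in": {"live_host"}, "out": {"wmi_host"}},
    "Lateral Movement via WMI": {"in": {"credential", "wmi_host"},
                                 "out": {"session"}},
    "Collect Files": {"in": {"session"}, "out": {"file_list"}},
}


def build_graph(executions):
    """Edge a -> b when some output of a is an input of b."""
    return {
        a: [b for b, sb in executions.items()
            if a != b and sa["out"] & sb["in"]]
        for a, sa in executions.items()
    }


def shortest_chain(graph, start, end):
    """Breadth-first search; returns the shortest chain or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == end:
            return path
        for nxt in graph[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def plan(executions, story):
    """Join consecutive use cases of a story with shortest paths."""
    graph = build_graph(executions)
    chain = [story[0]]
    for start, end in zip(story, story[1:]):
        hop = shortest_chain(graph, start, end)
        if hop is None:
            return None  # no output-to-input route between these use cases
        chain += hop[1:]
    return chain


def unmet_inputs(executions, chain):
    """Inputs that no earlier step in the chain produces, keyed by step."""
    available, missing = set(), {}
    for step in chain:
        gap = executions[step]["in"] - available
        if gap:
            missing[step] = gap
        available |= executions[step]["out"]
    return missing


if __name__ == "__main__":
    chain = plan(EXECUTIONS, ["Dump Credentials", "Collect Files"])
    print(chain)
    print(unmet_inputs(EXECUTIONS, chain))
```

The planner fills in the lateral movement step between the two requested use cases, and the check reports that the WMI host argument still needs its own prerequisite branch, which is the second prerequisite the post names.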

Assembling Advanced Scenario Templates: The final step is to assemble advanced scenario templates consisting of atomic breach and attack simulations and chained simulations that match the user's request. 

TL;DR: When a user inputs a text/article/specific request for an attack, the attack planner's LLM disassembles it into single attack-related use cases. For each use case, we find one or two suitable executions. We then use a concept called stories to create a logical flow between single use cases and use a graph database to find the shortest path between one use case and another.

Just Getting Started

This is only the beginning. Stay tuned to learn more about our future plans and exciting developments that are on the horizon. 

The Cymulate AI Copilot is now in beta, with general availability set for the next 30 days. To see the power of the most advanced security and exposure management platform and its new AI-powered assists, request a demo.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.