Frequently Asked Questions

Company Story & Background

How did Cymulate get started?

Cymulate was founded in 2016 by Avihai Ben-Yossef and Eyal Wachsman, who were later joined by Eyal Gruner. The idea originated from their experiences in penetration testing, where they noticed the repetitive and limited nature of manual security assessments. They aimed to automate these processes, making security validation more accessible and continuous for organizations of all sizes.

What inspired the creation of Cymulate?

The founders were motivated by the inefficiencies and limitations of traditional pen testing, which was repetitive and could not provide continuous, comprehensive coverage. They wanted to create an automated solution that would allow organizations to conduct in-house, ongoing security assessments and move beyond point-in-time evaluations.

Who are the founders of Cymulate?

Cymulate was founded by Avihai Ben-Yossef (CTO), Eyal Wachsman (CEO), and Eyal Gruner. All three have deep backgrounds in cybersecurity, with experience in penetration testing, cyber research, and founding other security companies.

How did Cymulate evolve from pen testing to exposure management?

Cymulate began by automating elements of pen testing, focusing initially on email security. As the platform matured, it expanded to automate more pen testing features and eventually embraced full-context exposure management, integrating with a wide range of security platforms to provide a holistic view of vulnerabilities and exposures.

What challenges did Cymulate aim to solve in its early days?

Cymulate set out to overcome the limitations of manual pen testing, such as limited scope, human error, and the inability to provide continuous security validation. The founders wanted to automate these processes to give organizations real-time, comprehensive visibility into their security posture.

How did Cymulate's customer base change as the company grew?

Initially, Cymulate worked with large enterprises, but as the platform's automation capabilities expanded, it became valuable for mid-sized businesses as well. The company scaled to serve organizations of all sizes, helping them achieve real-time security validation across their digital environments.

What is Cymulate's approach to product development and innovation?

Cymulate rigorously tests every new feature and solution before market release, ensuring high quality and reliability. The company continuously innovates by expanding coverage and integrating with new domains to meet emerging customer needs.

How does Cymulate's leadership background influence the company?

The founders' deep experience in cybersecurity, including pen testing, cyber research, and previous startups, has shaped Cymulate's focus on automation, innovation, and practical solutions for real-world security challenges.

What is the significance of automation in Cymulate's platform?

Automation is central to Cymulate's value proposition. It enables organizations to move beyond manual, point-in-time assessments and achieve continuous, dynamic security validation, reducing human error and resource constraints.

How does Cymulate help organizations prioritize exposures?

Cymulate's platform integrates exposure data from various security solutions and validates which exposures are actually exploitable. This full-context approach allows organizations to prioritize remediation efforts based on real risk, saving time and resources.

What makes Cymulate's exposure management unique?

Cymulate provides a comprehensive view of both exposure discovery and validation by integrating with a wide range of security platforms, CSPM solutions, and attack path management tools. This holistic approach offers context that other exposure management solutions may lack.

How does Cymulate support continuous improvement for customers?

Cymulate continuously adds new domains and features to its platform, enabling customers to identify and prioritize exposures across their entire environment. The company is committed to evolving with the threat landscape and customer needs.

What is Cymulate's vision for the future?

Cymulate aims to continue empowering organizations with advanced tools for exposure management, expanding coverage, and providing actionable insights to stay ahead of evolving threats. The company is focused on putting more capabilities in the hands of security teams.

How does Cymulate ensure product quality?

Cymulate employs rigorous testing for every new feature and solution before market release, leveraging a team of experienced designers, developers, and product testers to maintain high standards.

What role did email security play in Cymulate's early success?

Email security was a major focus in Cymulate's early days. Demonstrating the ability to identify and stop malicious emails helped land the company's first customers, even before a user interface was developed.

How does Cymulate integrate with other security platforms?

Cymulate integrates with a wide range of security platforms, CSPM solutions, and attack path management tools, enabling a holistic view of vulnerabilities and exposures across the entire network.

What is the importance of context in exposure management?

Context is crucial for prioritizing remediation. Cymulate's platform provides full context by validating which exposures are actually exploitable in a specific environment, allowing organizations to focus on the most urgent threats.

How does Cymulate plan to expand its platform capabilities?

Cymulate is committed to adding more domains and integrations to its platform, ensuring customers can identify and prioritize exposures regardless of where they exist in their environment.

What is Cymulate's commitment to customer empowerment?

Cymulate is dedicated to putting more tools and capabilities in the hands of security teams, enabling them to control and improve their security posture as the threat landscape evolves.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, ease of use, and an extensive threat library with over 100,000 attack actions updated daily.

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit the Partnerships and Integrations page.

How easy is Cymulate to implement and use?

Cymulate is designed for quick, agentless deployment with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and the platform is praised for its intuitive, user-friendly interface.

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards.

How does Cymulate ensure data security?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), hosts data in secure AWS data centers, and follows a strict Secure Development Lifecycle (SDLC) with continuous vulnerability scanning and third-party penetration testing.

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams in organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing.

What problems does Cymulate solve for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies in vulnerability management, and post-breach recovery challenges.

Are there case studies showing Cymulate's impact?

Yes. For example, Hertz Israel reduced cyber risk by 81% in four months, and a sustainable energy company scaled penetration testing cost-effectively. More case studies are available on the Cymulate Customers page.

How does Cymulate help with cloud security validation?

Cymulate integrates with cloud security solutions like AWS GuardDuty, Check Point CloudGuard, and Wiz to validate cloud security controls and ensure compliance in hybrid and cloud environments.

What are the measurable benefits of using Cymulate?

Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months of using Cymulate.

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a quote, schedule a demo.

Competition & Comparison

How does Cymulate differ from other exposure management solutions?

Cymulate stands out by offering a unified platform that combines Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It provides continuous, real-time validation, AI-powered optimization, and the most advanced attack simulation library, with tailored solutions for different security roles.

What advantages does Cymulate offer for different user segments?

CISOs benefit from quantifiable metrics and insights, SecOps teams gain operational efficiency, red teams access automated offensive testing, and vulnerability management teams can automate validation and prioritization.

Customer Experience & Support

What do customers say about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and ease of implementation. Testimonials highlight the platform's accessibility for users of all skill levels and the quality of support provided.

What support resources does Cymulate provide?

Cymulate offers email and chat support, a knowledge base with technical articles and videos, webinars, e-books, and an AI chatbot for quick answers and best practices.

Resources & Learning

Where can I find Cymulate's blog and newsroom?

You can read about the latest threats, research, and company news on the Cymulate blog and newsroom.

Does Cymulate provide a resource hub for learning?

Yes, Cymulate's Resource Hub offers insights, thought leadership, product information, whitepapers, and more.

Where can I find Cymulate's glossary of cybersecurity terms?

Cymulate provides a glossary of cybersecurity terms, acronyms, and jargon at this page.

How can I stay updated with Cymulate's latest news and research?

Stay informed by visiting the company blog and newsroom for the latest threats, research, and media mentions.

From Beginnings to Breakthroughs: The Cymulate Story

By: Avihai Ben-Yossef

Last Updated: June 25, 2025

Cymulate was founded in 2016, but the idea behind it dates back much further than that. When we first began seriously discussing the possibility of starting a company, my co-founder Eyal Wachsman and I were working for Avnet Cyber & Information Security. I was a penetration tester at the time, conducting security assessments for a wide range of customers. While pen testing is important, it quickly became apparent that the job was repetitive and mostly involved running the same types of security assessments that businesses have been conducting for decades. It made me remember something I was taught on day one of computer science: if you’re doing the same thing over and over without getting results, you’re probably doing it wrong.

Eyal was the vice president of sales and business development at the time, and together we began considering whether there was a better way to accomplish the same goal. We started wondering whether we could create a product that would be able to automate these repetitive activities in a way that would make them more accessible to day-to-day users, which would allow organizations to conduct in-house security assessments on a continuous basis. That would be a major step forward for security validation—and we wanted to be first.

Is There an App for That?

Having both come from the world of pen testing, Eyal and I understood the limitations and inefficiencies of traditional methods. One of the biggest problems with pen testing is that the humans conducting the assessment can only do so much. It isn’t feasible for a small security team to conduct ongoing pen tests all day every day—and even if they could, they would inevitably miss things. That’s not a knock against security teams—even the most talented professionals aren’t perfect. “Human error” isn’t something you can wish away. It’s an unavoidable challenge that needs to be accounted for.

Cymulate was founded with one basic drive: to overcome that challenge by automating the process of pen testing. Traditional, manual pen testing needs to be carefully scoped according to how much human testers can feasibly accomplish. That means a given pen test might only cover a small number of systems, providing a limited view of the vulnerabilities that might be affecting the organization. We wanted our solution to be truly scopeless. And that could only be accomplished via automation. After all, by relying on machines, we could move beyond traditional human limitations. An automated pen testing solution would be able to conduct tests across the entire network much more efficiently than even the largest security teams.

Embracing automation also allowed us to give our customers a way to move past point-in-time assessments and gain a more holistic, real-time view of their security posture. That was a big deal—the threat landscape was starting to evolve at an increasingly rapid pace, environments and attack surfaces were constantly evolving, and point-in-time assessments were becoming less and less useful. If we could enable organizations to conduct their own automated assessments, they would be able to evaluate their security posture on a continuous, dynamic basis and stay ahead of threats as they emerged. Instead of hoping a security assessment from six months ago was still accurate, they would always have access to up-to-date information.

Early Success and Finding the Right Market

Of course, the process of starting a business isn’t always smooth. Eyal and I were first-time business leaders—we didn’t always know what we were doing! Fortunately, we met our third partner, Eyal Gruner. Gruner had already co-founded two security companies (Cynet and Versafe), which made him the perfect person to help us through the process. Like me and Eyal, he began his career at an early age. When he was just 15 years old, Gruner hacked the ATM of a local bank and proudly walked inside to inform management about the weaknesses in their security. It’s safe to say that all three of us have cybersecurity in our blood.

Like most startups, the early days were chaotic—everyone was doing a little bit of everything. Fortunately, our idea was a modular one. We knew we could start by automating different elements of pen testing, rather than feeling like we had to do everything at once. We knew email security was a major problem for organizations at the time, so that was something we prioritized from the earliest days of the business. In fact, that’s what landed us our first customers: we could literally walk into a meeting and show a potential customer the sort of malicious emails getting through their security filters and walk them through exactly how we could stop it. We didn’t even have a user interface yet—but the ability to show customers firsthand what we could do was a major selling point.

In those early days, we generally worked with large enterprises. But the more we grew, and the more pen testing features we were able to automate, the more we realized that smaller enterprises were facing the same issues. Before long, we were scaling down to work with more mid-sized businesses because we could see that the value props to them were largely the same. By automating the pen testing and security validation process, we were helping businesses of all sizes accomplish something that was previously outside the realm of possibility for them: real-time security validation across every part of their digital environment. We could help them evaluate their security posture better and more efficiently than ever before—and we could do it on a continuous basis.

Embracing Exposure Management and Beyond

As the industry has evolved, so has our business. The freewheeling days of Cymulate’s startup period are gone—and as fun as they were, that’s probably a good thing! It was great to be able to experiment with different approaches and solutions, but today Cymulate has a much more concrete idea of what we want to accomplish and how we want to do it. As we’ve grown, we’ve improved our ability to specialize, and we’re proud to have some of the best designers, developers, and product testers in the business. We rigorously test every new feature and solution well before it hits the market—and our customers know that when we put our stamp of approval on a product, we mean it.

That has also allowed us to safely branch out when we see an opportunity to explore what we predict our customers will need next, and that’s why we’re focusing our efforts on the emerging need for full-context exposure management. We’ve been in the security posture arena for almost eight years now, and it’s a crowded market. Different companies have solutions that cover specific areas of security posture management and automated pen testing, but Cymulate is uniquely able to provide a truly comprehensive view of both exposure discovery and validation. Because Cymulate’s platform integrates with a wide range of security platforms, cloud security posture management (CSPM) platforms, attack path management platforms, and other security solutions, we can provide a holistic view of vulnerabilities across the entire network in a way other providers simply cannot.

And from this broad vantage point, we have a pretty strong opinion on remediation: The worst threats – the ones you need to prioritize – are the ones that can get past your defenses. The ones that are specifically exploitable to your security infrastructure and environments. This made the decision to embrace exposure management an easy one. Cymulate’s attack simulation solution can bring in data points from all of the individual solutions and platforms in use—and because Cymulate includes security validation, it allows organizations to understand which exposures are exploitable and which are not. This is crucial context other exposure management solutions in the market simply don’t provide. By empowering customers to effectively prioritize their exposures with full context, they can save crucial time and resources while improving prevention, detection, and response. And we’re not stopping there—as Cymulate continues to evolve, we’ll be adding even more domains to our coverage, helping customers identify and prioritize their exposures no matter where they live.

Putting More Tools in the Hands of Our Customers

When we were just getting started back in 2016 and 2017, we knew we were onto something big but could never have predicted how quickly Cymulate would grow. We’re proud of what we’ve accomplished, and even more bullish about what’s ahead. Cymulate today offers cyber teams an unprecedented level of control over their security posture. And as the threat landscape gets more complex and we move deeper into the exposure management space, we’ll continue putting more capabilities than ever in the hands of today’s organizations.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.