Frequently Asked Questions

Product Information & Security Control Validation

What is Cymulate and what does it do?

Cymulate is a leading exposure management and security validation platform that enables organizations to simulate real-world cyberattacks, test and validate security defenses, identify vulnerabilities, and optimize resilience. It provides actionable insights and integrates seamlessly with existing security infrastructure to help organizations continuously improve their cyber resilience. [Source]

How does Cymulate help organizations prepare for unauthorized intrusions?

Cymulate helps organizations prepare for unauthorized intrusions by simulating attacker behaviors (both external and internal) using Breach and Attack Simulation (BAS) and Security Control Validation (SCV) tools. This allows organizations to test their controls, identify gaps, and ensure their defenses are effective against real-world threats such as stolen credentials, phishing, vulnerability exploitation, and botnets. [Source]

What is Breach and Attack Simulation (BAS) and how does Cymulate use it?

Breach and Attack Simulation (BAS) is the process of operationalizing a wide range of threat-actor behaviors in a controlled environment to assess how effectively defensive systems respond. Cymulate uses BAS to test security controls, employee awareness, and incident response processes, providing organizations with visibility into their security posture and actionable recommendations for improvement. [Source]

What is Security Control Validation (SCV) and how does it differ from BAS?

Security Control Validation (SCV) builds on BAS by stringing together attacker behaviors into complex attack chains that challenge layered defenses, especially in production environments. While BAS focuses on individual behaviors, SCV tests how controls work together to block and report sophisticated attacks, ensuring comprehensive protection. [Source]

How does Cymulate address the top four intrusion paths identified in the Verizon DBIR?

Cymulate addresses the top four intrusion paths—stolen credentials, phishing, vulnerability exploitation, and botnets—by simulating these attack vectors, testing security controls, and providing actionable insights to remediate gaps. The platform enables organizations to validate endpoint security, SIEM effectiveness, vulnerability management, and email security controls against these threats. [Source]

How can Cymulate help test the effectiveness of my SIEM and SOC team?

Cymulate can simulate attacker behaviors within your network without prior notice to your SOC team, allowing you to test whether your SIEM is correctly configured and your SOC team is able to detect and respond to suspicious activities in real time. This ensures your detection and response capabilities are effective. [Source]

How does Cymulate test for phishing readiness?

Cymulate tests phishing readiness by simulating phishing attacks to evaluate both email security controls and employee awareness. The platform sends legitimate-looking emails to employees and tracks interactions, helping organizations identify users who may be susceptible to phishing and improve training. [Source]

How does Cymulate help prioritize vulnerabilities for remediation?

Cymulate uses Attack Based Vulnerability Management (ABVM) to combine vulnerability management data with offensive testing results. This approach identifies which vulnerabilities are actually exploitable in your environment, allowing you to focus remediation efforts on the most critical risks rather than relying solely on CVSS scores. [Source]

How does Cymulate validate defenses against botnet attacks?

Cymulate validates defenses against botnet attacks by simulating distributed brute-force and mass phishing attacks, testing the robustness of security controls and the ability of SIEM solutions to correlate and detect multi-vector attacks from numerous sources. [Source]

What are the benefits of using BAS and SCV solutions like Cymulate?

BAS and SCV solutions like Cymulate provide continuous assessment of security controls, improve visibility into security posture, identify gaps, and help organizations proactively address weaknesses before attackers can exploit them. They also support compliance efforts and enhance incident response readiness. [Source]

How does Cymulate support continuous security improvement?

Cymulate supports continuous security improvement by enabling organizations to run ongoing simulations, receive daily updates to its threat library, and access actionable remediation guidance. This ensures defenses remain effective against evolving threats and new attack techniques. [Source]

What is the primary purpose of Cymulate's Exposure Management Platform?

The primary purpose of Cymulate's Exposure Management Platform is to help organizations move from guessing to knowing and acting on security threats by hardening defenses, optimizing security controls, and providing actionable insights to improve overall security posture. [Source]

How does Cymulate help organizations test their endpoint security and VPN configurations?

Cymulate enables organizations to simulate attacks targeting endpoints and VPNs, ensuring that endpoint protection products and VPN configurations are effective in protecting devices, even when used on public Wi-Fi or by users with elevated privileges. [Source]

How does Cymulate help organizations test their vulnerability management processes?

Cymulate complements vulnerability management tools by simulating offensive attacks against identified vulnerabilities, helping organizations determine which vulnerabilities are actually exploitable and should be prioritized for remediation. [Source]

How does Cymulate help organizations test their email security controls?

Cymulate tests email security controls by simulating phishing and malicious email campaigns, ensuring that security solutions block harmful links and attachments and that employees are trained to recognize and avoid phishing attempts. [Source]

How does Cymulate help organizations test their public asset exposure?

Cymulate offers external exposure mapping, which provides insights into the organization's attack surface from an external perspective, helping identify and remediate exposed assets before attackers can exploit them. [Source]

How does Cymulate help organizations test their layered security controls?

Cymulate validates both individual controls and their effectiveness in tandem, ensuring that layered defenses work together to block and report malicious behaviors, and that alerts are properly sent to the SOC for rapid response. [Source]

What is the value of the Verizon DBIR for security teams?

The Verizon Data Breach Investigation Report (DBIR) provides valuable insights into hacker behaviors and common intrusion paths, helping security teams prioritize areas for defense and evaluate the effectiveness of their controls using solutions like Cymulate. [Source]

How does Cymulate make advanced security testing fast and easy?

Cymulate Exposure Validation provides a user-friendly platform for building custom attack chains and running comprehensive security tests, making advanced security validation accessible and efficient for organizations of all sizes. [Source]

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate's platform offers continuous threat validation, exposure awareness, defensive posture optimization, attack path discovery, automated mitigation, comprehensive integration with SIEM/EDR, and dedicated cloud security validation. [Source]

What integrations does Cymulate support?

Cymulate integrates with leading security tools across endpoint security (e.g., CrowdStrike Falcon, SentinelOne), cloud security (e.g., AWS GuardDuty, Wiz), SIEM (e.g., Splunk), vulnerability management (e.g., Rapid7 InsightVM), and network security (e.g., Akamai Guardicore). For a full list, visit the Cymulate Partnerships and Integrations page.

How easy is Cymulate to implement and use?

Cymulate is known for its quick deployment and intuitive, user-friendly design. Customers can start running simulations almost immediately, and the platform operates in agentless mode, requiring no additional hardware or complex configuration. [Source]

What technical documentation is available for Cymulate?

Cymulate provides a range of technical resources, including a whitepaper on its Exposure Management Platform, data sheets on platform capabilities and custom attacks, and documentation on technology integrations and MITRE ATT&CK alignment. [Source]

What security and compliance certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1, demonstrating adherence to industry-leading security and privacy standards. [Source]

How does Cymulate ensure data security and privacy?

Cymulate hosts its services in secure AWS data centers with ISO 27001, PCI DSS, and SOC 2/3 compliance. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256), and the company follows a strict Secure Development Lifecycle (SDLC) with regular third-party penetration tests. [Source]

Is Cymulate GDPR compliant?

Yes, Cymulate is GDPR compliant, employing data protection by design, secure development practices, and a dedicated privacy and security team, including a Data Protection Officer (DPO) and Chief Information Security Officer (CISO). [Source]

What support options are available for Cymulate customers?

Cymulate offers email support, real-time chat support, and access to educational resources such as webinars, e-books, and a knowledge base to help customers optimize platform usage. [Source]

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, Security Operations (SecOps) teams, Vulnerability Management teams, Red Teams, and Detection Engineers in organizations across industries such as finance, healthcare, and technology. [Source]

What business impact can customers expect from Cymulate?

Customers typically achieve a 30% improvement in threat prevention, a 52% reduction in critical exposures, a 60% increase in operational efficiency, and an 81% reduction in cyber risk within four months. [Source]

What pain points does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers between security teams and stakeholders. [Source]

Are there case studies showing Cymulate's effectiveness?

Yes. For example, Hertz Israel reduced cyber risk by 81% in four months, Nemours Children's Health improved detection and response, and Nedbank focused on critical vulnerabilities using Cymulate. More case studies are available on the Cymulate Customers page.

How does Cymulate address the needs of different security personas?

For Red Teams, Cymulate offers production-safe attack simulations and custom offensive testing. For Detection Engineers, it helps close SIEM coverage gaps and validate detection rules. For Vulnerability Management teams, it consolidates exposure data for efficient prioritization. [Source]

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly dashboard and ease of implementation. Testimonials highlight the platform's simplicity and effectiveness for both technical and non-technical users. [Source]

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model, customized according to the chosen package, number of assets, and scenarios required. For a tailored quote, organizations can schedule a demo with Cymulate's team. [Source]

Competition & Comparison

How does Cymulate compare to AttackIQ?

Cymulate offers the industry's leading threat scenario library and AI-powered capabilities for streamlined workflows and accelerated security posture improvement. AttackIQ does not match Cymulate's innovation, threat coverage, or ease of use. [Source]

How does Cymulate compare to Mandiant Security Validation?

Cymulate continually innovates with AI and automation, expanding into exposure management as a grid leader, while Mandiant's platform has seen minimal innovation in recent years. [Source]

How does Cymulate compare to Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth in defense assessment and exposure awareness. Cymulate optimizes defense, scales offensive testing, and increases exposure awareness. [Source]

How does Cymulate compare to Picus Security?

Picus is suitable for on-premise BAS needs but lacks Cymulate's comprehensive exposure validation platform, which covers the full kill chain and includes cloud control validation. [Source]

How does Cymulate compare to SafeBreach?

Cymulate outpaces SafeBreach with unmatched innovation, precision, and automation, offering the industry's largest attack library, a full CTEM solution, and comprehensive exposure validation. [Source]

How does Cymulate compare to Scythe?

Scythe is suitable for advanced red teams but lacks Cymulate's ease of use, daily threat updates, and comprehensive control validation. Cymulate provides actionable remediation and automated mitigation. [Source]

How does Cymulate compare to NetSPI?

NetSPI is a PTaaS vendor, while Cymulate offers a platform for continuous, independent assessment and defense strengthening. Cymulate is recognized as a leader in exposure validation by Gartner and G2. [Source]

Company & Vision

What is Cymulate's vision and mission?

Cymulate's vision is to lead the way in how companies implement cybersecurity strategies, making the world a safer place. Its mission is to empower organizations worldwide against threats and make advanced cybersecurity as simple as sending an email. [Source]

How large is Cymulate and what is its global reach?

Cymulate was founded in 2016 and has a global presence with offices in eight locations, customers in 50 countries, and over 1,000 customers worldwide. [Source]

Introducing Cymulate Vero AI for Agentic Cyber Defense Engineering
Learn More
New: 2026 Gartner® Market Guide for Adversarial Exposure Validation
Learn More
New Research: Exploiting Configuration Trust in AI Coding Tools
Learn More
New Case Study: How a Financial Authority Validates Cyber Resilience
Learn More

What Verizon’s DBIR Tells us About Unauthorized Intrusion Readiness

By: Cymulate

Last Updated: September 15, 2025

cymulate blog article

This blog post is part one of a multi-part blog series analyzing the Verizon Data Breach Investigation Report (DBIR) for 2022. 

Verizon's yearly DBIR provides many valuable insights into the behavior of hackers and how breaches unfold. As cyber practitioners, we should read the report closely and identify the potential areas we should emphasize to keep hackers out of our network and our data. 

This year's DBIR highlights the top four intrusion paths hackers use to get to the crown jewels – the most critical assets of an organization (be they servers, applications, or people).  

  • Stolen credentials 
  • Phishing 
  • Exploiting a vulnerability 
  • Botnet 

Then, on page 26, Verizon highlights the top vector and varieties for System Intrusion. 

Reading these lists from defenders' perspective, we should ask ourselves, "Are our current security controls adequate?" That is to say, do we have the right controls in place? Are they configured correctly to do their job? Are they placed in the correct locations? Is it possible to circumvent them? 

Those are hard questions to answer. Even if your entire security team spends days analyzing the current systems, it would be difficult to know for certain that these questions are completely answered.  

Behind these questions lie more: How do you test for phishing? How do you test that your public assets are locked down? How do you test your EDR solution? 

Then, of course, you will also ask, "How do I test these controls on an ongoing basis to ensure that our controls are at – and remain at – peak operational efficiency?"  

The challenge is that, since answering these questions is difficult, many security teams operate in the dark with no visibility - hoping for the best without really preparing for the worst. 

The Solution: Security Control Validation using Breach and Attack Simulation (BAS) tools 

The concept behind Breach and Attack Simulation and Security Control Validation are to simulate attackers' behavior – both from outside and from within your network. If you can behave like the hackers, you can test your controls and see the gaps you may have. 

There are multiple ways to do this, with different toolsets and solutions geared toward different experience levels and offensive testing skills. We (Cymulate) offer such a solution, but there are others as well. 

The concept behind security control validation is to check each of your controls, individually and in tandem (layers), to ensure they behave in the way you expect. That is – they block the malicious behavior and report it to your SOC, which can react rapidly. Cymulate also provides a solution for this testing methodology. 

In short, BAS is the operationalization of an extended array of threat-actor behaviors in a controlled situation to gauge how effectively defensive systems will act. At the same time, Security Control Validation (SCV) solutions take this idea to the next level and string together behaviors into more complex attacks specifically designed to challenge layered defenses in the same way an attacker would – especially in production environments. Both must be done as accurately as possible and as safely as possible at the same time. 

What About Verizon’s Top Intrusion Paths? 

Back to the four key intrusion paths detailed in Verizon's DBIR, how do you deal with each of them? 

1. Stolen credentials

Here are two areas you should look at: 

A. How do I avoid credentials from being stolen, to begin with?  

Credentials can be stolen from various locations, but they're often stolen from users' own machines. A developer, for example, will likely have various important credentials stored on their machine to do their work. The same with an Accounting Specialist who would have access to multiple business-confidential systems. 

 The developer or accountant may be working from a public wi-fi right now, where a hacker (benignly) or attacker (maliciously) is attempting to get into their computer. Or maybe, that employee’s son or daughter decides to play a new game on their company laptop without their parent’s consent. 

Here, it’s important to ensure the endpoint products and VPN you’ve installed will protect the computer on the public wi-fi, as well as ensure whatever the child tries to install is not malicious.  

B. How do I know if stolen credentials are misused?  

This is where your SIEM tool and SOC team come into the picture. Imagine an attacker with credentials trying to navigate their way around your environment, reach their goal and exfiltrate the data. There are many controls you have put in place, and hopefully, they are all sending their logs to your SIEM, which generates events. 

Also, hopefully, your SOC team is monitoring the events the SIEM is generating, so any suspicious behavior is identified and handled. 

But, how do you know if this is actually the case? That’s where BAS and SCV come into the picture – by simulating attackers’ behavior in your network without warning your SOC team, you can check whether your SOC team is really on top of everything. In addition, some Security Posture Management solutions (like Cymulate) offer external exposure mapping, which will give you similar insights from the outside in. 

2. Phishing

how do you know none of your employees and contractors will click on an email sent by an attacker? One of the primary attackers’ paths into your network is sending innocent-looking emails to your company employees – many times with real company information taken from LinkedIn or from data troves on the dark net - with the hope that one of them will click on a malicious link or download an infected attachment. 

BAS and SCV come into the picture here at two levels: 

a. Testing your email security control to ensure malicious links and attachments are being blocked whenever possible (such as when they contain identifiable malicious attachments or links). 

b. Testing your colleagues to ensure they won’t interact with a phishing email – by sending them legitimate-looking emails and seeing who clicks. 

3. Exploiting a vulnerability

Once a patch is issued by a vendor, hackers are quick to implement an exploit. They do it so quickly that it's often ready long before you're even aware of the patch. So, what do you do? You use a vulnerability management tool to continuously scan your environment for vulnerabilities. The result? There are thousands of vulnerabilities you now need to patch. But how do you prioritize? Is the CVSS score enough?

Top BAS/SCV solutions include what's called "Attack Based Vulnerability Management", or ABVM for short. ABVM looks at the vulnerability management data and complements it with data based on offensive testing of your compensating controls for the various vulnerabilities. It then generates a report showing you which of the vulnerabilities are actually exploitable in your environment, so you can focus on patching those. 

4. Botnet

This is simply a method of scaling the hacker's work. So essentially, it's a way to do more of the first three paths mentioned above by brute-forcing passwords, sending massive amounts of emails from various IPs, etc. Botnets and similar attacks are blindingly fast, as they do not require human input once they begin running and, therefore, can execute at the same speed as the systems they are infecting can run the botnet code itself.

This is where ensuring your controls are robust is even more critical. Brute-forcing a password from a single IP is hard because most systems will block it easily, but when it’s spread over thousands of IPs, it’s much harder to block. The faster your systems can detect and respond to a botnet-type attack, the less chance the attacker has to gain information and perform additional attacks. 

Your SIEM would hopefully be able to connect the dots on this one and figure out that one actor is coming from many different directions. However, even that premise needs to be tested – is the SIEM correctly tuned? Even this, an advanced BAS/SCV solution can confirm that the SIEM is operating effectively and ensure it continues to adapt to new attack techniques over time. 

Key Takeawats 

Verizon DBIR is valuable in understanding where we should all be looking, and both Breach and Attack Simulation (BAS) and Security Control Validation (SCV) solutions are highly beneficial in evaluating how well we are protected and what our current Security Posture really is. Breach and Attack Simulation provides better security posture management; you can test your security controls, your people's awareness of hacking attempts, and your internal incident response processes. 

In our next part of this mini-series, we will look at what the DBIR says about the path hackers take once they have a small footprint in the network. 

To see what Breach and Attack Simulation (BAS) and Security Control Validation (SCV) can do in your environment, book a demo today.

Cymulate Exposure Validation makes advanced security testing fast and easy. When it comes to building custom attack chains, it's all right in front of you in one place.
Mike Humbert, Cybersecurity Engineer
DARLING INGREDIENTS INC.
Learn More
GET A PERSONALIZED DEMO

Ready to see Cymulate in action?