By Krishna Mali
On Tuesday evening, Shailendra Shyam Sahasrabudhe, Country Manager, India, UAE, and South East Asia at Cymulate, sat down with the TechGraph editorial team for a wide-ranging interview. We discussed Cymulate’s journey, the role of technology and cyber-security in businesses, and much more.
Read the complete interview:
TechGraph: Cymulate offers a comprehensive cybersecurity testing platform that allows organizations to assess their security posture continuously. How does Cymulate differentiate itself from other cybersecurity testing solutions on the market, and what unique value does it bring to businesses?
Shailendra Shyam Sahasrabudhe: The Cymulate modular platform provides a modular, scalable platform for businesses of all cybersecurity maturity levels to understand and manage their digital risk exposure. Unlike other solutions, Cymulate provides the ability to discover vulnerabilities and assess if they have a viable attack path from ground to cloud and back. It also validates that security controls detect and alert to activity, and proves that remediation has the desired outcome.
Additionally, customers can use the automated red teaming module to validate vulnerabilities across the full kill chain. They can also conduct what-if, targeted, and custom testing. Cymulate is the only vendor to provide internal and external Attack Surface Management (ASM), Breach and Attack Simulation (BAS), and Continuous Automated Red Teaming (CART) under one management console.
Notably, the company can further ingest other third-party data to provide additional context and improve incident response instructions. Cymulate has also recognized the need for security validation services provided by Managed Service Providers and has partnered with many organizations to deliver its offerings within their programs.
TechGraph: Cymulate’s platform emphasizes the concept of “continuous security validation.” Can you explain how this approach helps organizations proactively identify vulnerabilities and mitigate risks in real time? What are the benefits of ongoing security testing compared to periodic assessments?
Shailendra Shyam Sahasrabudhe: A company’s network is constantly changing as digital business requirements change, data access demands grow, and network configurations become more complex. Revenue loss risk, regulatory, compliance, and insurance pressures are all driving an in-depth look at cyber resilience and due diligence. Given the impact on business, cybersecurity has become a leadership and board-level discussion.
One where questions like, “How do you define and manage cyber resilience?” Or “How do you demonstrate security improvements?” Or “How do you demonstrate that the company’s complex systems are resilient to emergent threats?”, all must be answered in curated and straightforward ways. The benefit of Cymulate’s platform is that it is automated and can run consistently or on demand. Dashboards and reporting provide easy-to-understand resilience scores of individual security controls and an aggregated risk score that can be trended over time and against best practices.
Most security tools are designed to detect and alert to an exploit. Cymulate is different in that the technology safely mimics attacker actions and scans the network to find vulnerabilities and viable attack paths. Next, Cymulate provides over 120,000 test scenarios to test an attacker’s techniques and tactics to see if it can penetrate the network. In this process, it validates if the security controls are effectively detecting and alerting to activity.
Collectively this information and the remediation guidance provided can quickly be used to mitigate the exposure before an attacker has a chance to These scenarios can be run as frequently as needed. Annual or semi-annual assessments are simply not adequate for maintaining a low-risk profile at the pace of change in today’s digital environments. Cymulate automation also provides a previously unattainable solution for companies without in-house Red Teams and Blue Teams who lack the expertise to conduct in-depth assessments.
TechGraph: Cyber threats are constantly evolving, and organizations must stay ahead of the game to protect sensitive data. How does Cymulate ensure that its platform stays up-to-date with the latest threat intelligence and can effectively simulate real-world attack scenarios?
Shailendra Shyam Sahasrabudhe: Cymulate has a dedicated research team that has built over 120,000 test scenarios and 10,000 preconfigured attack campaigns. This is so that organizations of all sizes can validate whether their security controls are working effectively and are not exposed to threats. If a new threat surfaces, the research team will typically have a test run within 24 hours. They will continue to update these tests as more is understood about the attack and the various techniques it uses.
Additionally, with the inclusion of chainable execution techniques in the Advanced Scenarios module, Cymulate’s platform simplifies and enables security teams to build custom scenarios. This is to simulate a broad range of techniques used in specific attacks. Red Teams use this functionality to quickly build targeted, custom, and what-if testing.
TechGraph: Cymulate’s platform provides insights and reports that help organizations understand their security strengths and weaknesses. Can you elaborate on how these reports are generated and how they help businesses make informed decisions to enhance their overall cybersecurity strategy?
Shailendra Shyam Sahasrabudhe: The Cymulate dashboard provides an easy-to-understand assessment of each security control and an aggregate risk score. Security teams can drill down from the main page for detailed and actionable insights. Cymulate maps attacks across the full kill chain and identifies techniques and tactics according to MITRE ATT&CK and NIST frameworks.
Executive reports highlight high-risk security deficiencies and quantify risk based on a standards-based risk-scoring methodology. This shows the scores across each cybersecurity domain so that SecOps teams can understand defense in depth and the impact of compensating controls.
Automation of the security assurance process enables organizations to establish an enterprise-wide security baseline and continuously maximize their security posture, assure improved effectiveness, and prevent security drift.
TechGraph: Cymulate emphasizes the importance of enabling non-technical users to conduct security assessments. Could you explain how the platform caters to different levels of technical expertise within an organization, making it accessible and beneficial for a wide range of stakeholders?
Shailendra Shyam Sahasrabudhe: The Cymulate platform provides an intuitive interface with instructions that guide a less experienced user through setup. The company also provides professional services support to jump-start a company’s exposure management program.
The platform is also modular so that customers can start simple and activate more functionality as their comfort level grows. Additionally, advanced users will enjoy running full kill chain campaigns as well as using the BAS advanced scenarios capabilities where they can fully customize the environment for their Red Team needs.
TechGraph: Cymulate claims to provide a holistic approach to cybersecurity testing by simulating multiple attack vectors, including email phishing, ransomware, and endpoint compromise. How does this comprehensive testing methodology contribute to a more robust security framework, and how does it help organizations prioritize their security investments?
Shailendra Shyam Sahasrabudhe: Cymulate tests individual controls across the full kill chain. The company supports vulnerability validation, what-if, targeted, and custom testing. Given the comprehensive nature of testing, a company can understand if security controls are working effectively and if they need to be tuned or replaced.
By also showing the efficacy of compensating controls, a business can justify the immediate need or rationalize a delayed investment based on the results. This technology is also commonly used to compare new products so that teams can see which tool provides the highest efficacy for their environments and needs.
TechGraph: Cybersecurity is highly regulated, with compliance requirements varying across industries and regions. How does Cymulate’s platform address these compliance challenges, and what features does it offer to help organizations meet industry standards and regulatory obligations?
Shailendra Shyam Sahasrabudhe: With the ongoing regulatory shift from periodic audits toward cyber-resilience, cybersecurity compliance management can benefit from continuous validation and comprehensive reporting. Attack surface management paired with continuous attack simulations and immediate threat validation facilitates compliance with updated regulatory and industry standards.
Cymulate reports show the efficacy of preventative measures taken to improve security posture and demonstrate continuous efforts at detecting and remediating security gaps. Automated documentation facilitates communication with compliance officers, auditors, and other stakeholders. Continuous improvement in security not only facilitates compliance but also enhances and proves cybersecurity resilience.
TechGraph: Cymulate emphasizes the importance of providing a user-friendly and intuitive cybersecurity testing platform. Could you describe the user experience and interface of the Cymulate platform, and how it facilitates efficient security testing and risk mitigation?
Shailendra Shyam Sahasrabudhe: Far too often we work with a smaller staff than we want and a wide array of skill sets. Cymulate has taken this into consideration and designed its UI to appeal to all cyber-maturity levels. For less experienced practitioners, the solution should provide value out of the box and increase cybersecurity offense and defense skills through day-to-day use. For higher-level cyber-maturity professionals, the solution is more open and customizable and designed to liberate the team from time-consuming tasks.
Cymulate provides an easy-to-use interface for purple teaming and red teaming leveraging Breach & Attack Simulation (BAS) and Continuous Automated Red Teaming (CART) requiring zero coding or advanced cybersecurity training before use. A detailed report provides easy-to-follow technical remediation and executive-level reporting under the MITRE ATT&CK framework. A high-level cyber-mature professional armed with adversarial skills can take advantage of Cymulate’s Advanced Purple Teaming Framework to craft and automate sophisticated scenarios.
TechGraph: Looking ahead, what are Cymulate’s future plans and developments? Are there any new features or enhancements in the pipeline that users and potential customers can look forward to in the coming months or years?
Shailendra Shyam Sahasrabudhe: The company’s growth strategy involves building and strengthening product capabilities, brand awareness, and partner channels. In addition to direct sales, Cymulate engages with Value Added Resellers (VARs), MSSPs, and Systems Integrators to drive customer acquisition. Cymulate’s platform produces outcomes that are indispensable to channel partners’ identification of opportunities and service effectiveness.
Continuous threat exposure management (CTEM) – originally presented by Gartner – is a cyclical process designed to continuously review, remediate, and control threat exposure throughout the organization. The Cymulate platform is designed to help customers implement and improve a CTEM program with its Discover, Validate, Prioritize, and Optimize approach. This approach aligns with the CTEM program. As CTEM evolves, Cymulate will continue to add enhancements to provide our customers with the functionality needed to meet the demands of this program. We will also continue to provide updated test scenarios for emerging threats so that our customers can manage their risk and respond to new digital network demands.