Sorting The Myths And Facts In Breach And Attack Simulation (BAS)

A relatively new IT security technology, breach, and attack simulation (BAS) debuted at the Gartner Hype Cycle for Threat-Facing Technologies in 2017. It was touted as a “technology on the rise” back then. Fast forward to a couple of years, and BAS has proven that it is indeed one of the security technologies to watch out for. BAS tools at present enable security teams to consistently and continuously test security controls.

It covers many aspects of security, from prevention to the detection stage and even threat response. You can find a breach and attack simulation service provider that takes advantage of the technology, optimizing security effectiveness without the hassles. BAS tools are being offered as automated SaaS solutions that simplify the process of validating and managing security posture.

It’s important to remember, however, that BAS is not a be-all-end-all solution. While many can attest to its effectiveness and efficiency, its capabilities can’t be overstated. Many may be confused with its functions and purpose, so it helps to lay out the facts and strike down the myths.

Myths Facts BAS Header Image


Fact: BAS Is Not About Making Automated Exploitation Easier But Is About Simulating An Entire Attack Scenario

Breach and Attack is an advanced testing security tech that is arguably better than the likes of Metasploit, Core Impact, and CANVAS. The latter three tools are employed by penetration testers to avoid the need to rewrite exploits for specific conditions identified during the tests.

They work well, but not as good as the automation-enhanced performance of BAS, which automates many steps in the attack chain These steps include lateral movement, command and control, the accessing of resources, and exfiltration. As observed in most security systems, if there are no exploitation actions, most security testing systems don’t do the tests.

That’s why BAS does not only focus on exploitation actions. In simulating a lateral movement scenario, if the attacker employs deception breadcrumbs, these will be ignored by the test. As such, no checking is done to see if the breadcrumbs are extracted and used during an attack. BAS addresses this weakness by making sure that the entire attack chain is simulated.

Myth: BAS Guarantees Full Protection

Breach and Attack Simulation provides next generation detection capabilities, but it is far from perfect. It does not guarantee the complete eradication of threats just like every other security technology cannot do the same. Advanced security tech like Endpoint Detection and Response (EDR) and the MITRE ATT&CK framework don’t claim to capture and halt all forms of attacks.

What makes BAS great is its integration of automation to make simulations faster, more efficient, and uninterrupted. It allows continuous tests on the efficacy of control points. It is a significant leap in threat detection as it is one of the solutions that shift the focus from prevention to detection, automation, and response.

BAS tools are designed to keep up with the increasing volume and frequency of breaches. They are highly suited for the dynamic threat landscape. However, BAS does not cover everything. It would be unreasonable to expect it to block coordinated attacks, especially those that include social engineering.

BAS is not some “silver bullet” solution against cyber-attacks. The threat landscape at present is far too wide and complicated to be covered by a single security tech competently. The reality that no single technology can eliminate all cyber threats remains. BAS is just one component in a large system.

Fact: BAS Tools Are Applicable In Red Team/Blue Team And Purple Teaming Exercises

Red Team/Blue Team models are designed to match attackers with defenders to examine if the defenses put in place are able to hold up. The process can take several weeks to a few months. Purple Teaming, on the other hand, is the collaborative and repetitive process of improving security posture. It allows organizations to observe important details during the exercise so the appropriate rectification, changes, or optimizations can be made while doing the exercise.

Whichever approach is used (Red Team/Blue Team or Purple Teaming), it is possible to employ BAS tools so more simulations can be run at a faster pace. It also aids in the accurate scaling of simulations.

However, it’s advisable to be prudent in accepting the outcomes of Red Team/Blue Team simulations, because they don’t take into account specific organizational nuances. They may end up creating a false sense of security.

Using BAS tools requires experience and a good sense of assessing threats in an organization. It will be necessary to have slight variations or tweaks when running simulations to properly target specific assets that need to be protected. Also, users need to be competent enough to ascertain that the detection and prevention mechanisms are operating as intended.

Myth: BAS Tools Can Replace An Organization’s Vulnerability Management Program

Breach and Attack Simulation tools are excellent in scanning vulnerabilities and evaluating management solutions. However, they are not designed to replace scanning and penetration testing systems. BAS tools augment vulnerability management programs, but they don’t scrutinize specific assets to uncover the security infirmities therein.

They follow a more comprehensive and holistic approach in examining the overall effectiveness of the security system of an organization. They perform automatic, simultaneous, and continuous simulations of end-to-end attack scenarios to promptly spot network and system gaps that can aggravate vulnerabilities

Fact: BAS Tools Generate Quantitative Metrics That Are Useful To Management

Breach and Attack simulation tools provide a consistent and efficient way for measuring the effectiveness of prevailing security detection measures. They can quantify estimates for the risks detected, which can be helpful in guiding product investments and decisions in configuring security protocols and assignments.

Additionally, BAS tools can help close the cybersecurity knowledge gap among enterprise leaders. They can help enterprise leaders or managers in responding to security questions from senior executives and the board. Questions pertaining to applicable risk, actor bypassing, and the extent of impact, for example, are easier to answer with the help of BAS tools. .

Myth: BAS Incorporates Automation, So Using It Is A “Set And Forget” Affair

BAS is not designed to be a “set and forget” setup, even though it incorporates automation. It requires the constant involvement of people to customize and configure the simulations. Human inputs are required to identify priority use cases and interpret the results of the simulated attacks.


Breach and Attack Simulation tools can deliver significant cybersecurity augmentation. Using these tools, however, requires a thorough understanding of the capabilities and limitations of BAS. Users can’t tap on the benefits of this advanced security testing technology without getting properly acquainted with its functions and applications.

BAS provides the best results when used with the guidance of an experienced cybersecurity expert who knows the right configurations, adjustments, and customizations to implement when doing the simulations.

If you are interested in even more technology-related articles and information from us here at Bit Rebels, then we have a lot to choose from.

Myths Facts BAS Article Image