Breach and Attack Simulation – BAS Products Compared
10 years ago, when Gartner defined SIEM (Security Information and Event Management) it was trending in the cybersecurity landscape, and every organization was looking for one. More players started coming in with different set of architecture and deployment based on organizations size and requirements. Even now there are new companies coming up with a new SIEM product. However, we know who are the leaders in the SIEM industry with experience and analyst reports like Gartner’s Magic quadrant. In the last 4 years the same trend is happening to SOAR (Security Orchestration Automation and Response) industry. Every major cyber security players either built one or acquired a SOAR product. Now in the last 2 years another buzzing term is trending which is BAS (Breach and Attack Simulation). BAS helps to automate cyber security attack simulation and help the purple/blue team to automate continuous security validation.
BAS tools will help teams to quickly validate the environment after a new security attack or exploit going around or network/patch update in their environment. These tools automates and reduces the work load of the purple and red teams. With so many BAS tools in the market I have done some research to find out what they offer, the platforms where you can deploy them and run, the pricing model and some of the key features. I hope this summary helps individuals or organizations in their process of deciding and implementing a BAS tool.
Vendor | Description | Supported Installation Platforms | Features | Pricing model |
![]() Infection Monkey | Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. | Windows, Debian, and Docker. | Test your infrastructure running on Google Cloud, AWS, Azure, or premises. Automatic Attack Simulation. Continuous & Safe Assessments. Actionable Recommendations. | Open source |
![]() | CALDERA is a cyber security framework designed to easily run autonomous breach-and-simulation exercises. It can also be used to run manual red-team engagements or automated incident response. | Any Linux or MacOS | It is built on the MITRE ATT&CK™ framework and is an active research project at MITRE. | Open Source |
![]() | securiCAD is a foreseeti product, developed to perform virtual attack simulations on models of IT architectures. | Not listed | Create a model, simulate an attack and get the risk report. | Enterprise-ready solution and got a community edition with limited features |
![]() | AttackIQ builds on the MITRE ATT&CK framework of adversary tactics, techniques, and procedures (TTPs) and emulates those TTPs to exercise security controls in the same way an adversary does, in production. | Supports both SaaS and on-premises deployments and full application programming interface (API) workflows. | AttackIQ SOP is powered by both dedicated content team and customers submissions. Security analysts can easily modify python-based scenarios to create custom tests for proprietary requirements, uploading any scripts in python, bash, or PowerShell for the platform. Gives detailed analysis of protection failures and actionable insights into rapid remediation. | Starting price is $5,000 per Test Point Engine. |
![]() | SCYTHE is an adversary emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. SCYTHE allows organizations to continuously assess their risk posture and exposure. | Offered as a SaaS model or on-premises. | Multiple command and control channels. Mapped to MITRE ATT&CK & ATOMIC Red team integration. Leverage Cyber Threat Intelligence. Automate adversary behaviors and TTPS. Customize with python modules. Virtual File System. | Not listed |
![]() | XM Cyber’s Breach and Attack Simulation (BAS) connects the dots from breach point to critical asset if there exists any potential attack path. Next, it creates a prioritized remediation plan to help you quickly eliminate steps hackers would take inside your environment. | On-premise or in the cloud | Risk based Vulnerability Management. Compliance Support. Red Teaming. Auto Penetration Testing. Vulnerability Scanning. Vulnerability Prioritization. Patch Management Continuous Assessment Prioritized Remediation | $95,000 |
![]() | Cymulate’s breach and attack simulation platform is used by security teams to determine their security gaps within seconds and remediate them. | SaaS | Simulate Attacks based on MITRE model. Evaluate Controls like NIST to Identify Gaps. Remediate with Actionable Insights . | From $40,000 to $500,000. |
![]() | Picus developed Agile SecOps methodology in order to help enterprises beat threats systematically and overcome the most common challenges they face everyday. | Picus exists as a virtual appliance or as software to run on physical or virtual Linux platforms. | Deploys in hours and begins returning results just minutes later. No technology dependencies. Works in complex production environments. Identifies weaknesses in real time Includes modules for HTTP, HTTPS, endpoints and email Dashboards and alarms. Prioritizes security needs. | $10,000 |
![]() | SafeBreach Platform automatically executes thousands of breach methods from an extensive playbook of research and real-world investigative data and prioritizes remediation activities based on business risk. Patented simulation technology. | On-premises or private cloud deployments | Simulate 15K attack techniques. Visualize results across the kill chain, attack sophistication, phase, asset, leak rate and more. Remediate by integrating with automation and ticketing solutions. Automatically verify remediation with continuous validation. | Pricing is based on the number of simulators deployed. It costs $50,000 per year for 10 of them |
CyberBattleSim | This is an experimental research platform from Microsoft. The simulation environment is parameterized by a fixed network topology and a set of vulnerabilities that agents can utilize to move laterally in the network. | Linux or WSL | Offers OpenAI Gym interface to its simulation. Perform local and remote attacks. | Open source |