A breach-and-attack simulation (BAS) is a proactive cybersecurity technique organizations use to evaluate the effectiveness of their security infrastructure. It involves simulating various cyber attacks and breaches to assess how well their defenses can detect, prevent, and respond to threats.

BASs support attack surface management (ASM) in that they mimic the tactics, techniques, and procedures (TTPs) and attack vectors real threat actors may use against targets to identify protection and prevention strategies.

Read More about a Breach-and-Attack Simulation

Regularly conducting BASs lets organizations identify and address security gaps before attackers can exploit them, ultimately strengthening their overall cybersecurity posture.

What Are the Steps in a Breach-and-Attack Simulation?

BASs typically involve the following steps:

  1. Planning and preparation: Security professionals analyze an organization’s infrastructure, systems, and applications to identify potential vulnerabilities and weaknesses. They also gather threat intelligence and research recent attack trends to design realistic attack scenarios.
  2. Simulation creation: Based on their findings from the planning phase, security teams create cyber attack simulations using specialized BAS tools or platforms. These simulations mimic real-world threat actors’ TTPs, including phishing, malware infection, lateral movement, and data exfiltration.
  3. Attack execution: After creating simulations, they get executed against an organization’s network, systems, and applications. This step involves launching the simulations and observing how they interact with the target’s security infrastructure.
  4. Detection and response evaluation: As the simulations unfold, security teams monitor an organization’s security tools and processes to evaluate how well they detect and respond to the attacks. This step includes assessing the effectiveness of intrusion detection systems (IDSs), endpoint protection solutions, security information and event management (SIEM) platforms, and incident response procedures.
  5. Analysis and reporting: After completing the simulations, security teams analyze the results to identify strengths and weaknesses in an organization’s security posture. They generate reports detailing their findings, including insights into detected vulnerabilities, successful attack vectors, and areas for improvement.
  6. Remediation and improvement: Based on the findings from the analysis phase, security teams develop remediation strategies to address the vulnerabilities identified. This step may involve patching software, updating security configurations, enhancing security controls, providing additional staff training, and refining incident response procedures.
  7. Process repetition: A BAS is not a one-time activity but an ongoing process. Organizations should regularly conduct simulations to continuously evaluate and improve their security posture in the face of evolving threats and environmental changes.

How Does a Breach-and-Attack Simulation Differ from Attack Surface Management?

BAS and ASM are distinct but complementary approaches to cybersecurity testing and risk management.


BAS focuses on actively simulating cyber attacks and breaches to evaluate the effectiveness of an organization’s security defenses. It aims to identify vulnerabilities and weaknesses in a security infrastructure by mimicking the TTPs real-world threat actors employ.

ASM, meanwhile, focuses on identifying and managing a company’s attack surface. ASM tools typically provide visibility into its digital footprint, including assets, applications, services, and potential vulnerabilities.


BAS involves actively launching cyber attack simulations against an organization’s systems and networks to assess security controls and incident response capabilities. It typically includes predefined attack scenarios and simulations designed to mimic real-world threats.

On the other hand, ASM involves continuously monitoring and analyzing a company’s attack surface to identify potential risks and vulnerabilities. It involves asset discovery, vulnerability assessment, and threat intelligence gathering to understand the scope and exposure of the attack surface.


BAS evaluates the effectiveness of security controls and incident response procedures by simulating cyber attacks across the entire kill chain—from initial infiltration to data exfiltration. It provides insights into an organization’s readiness to defend against and mitigate real-world threats.

ASM, meanwhile, focuses on understanding and managing a company’s attack surface by identifying and prioritizing potential risks and vulnerabilities. It provides visibility into the entity’s digital footprint and helps prioritize security efforts to reduce exposure to cyber threats.


BAS is typically conducted periodically or on an ad hoc basis to assess an organization’s security posture and validate the effectiveness of its security controls. Depending on the company’s risk profile and compliance requirements, it may be performed quarterly, semi-annually, or annually.

ASM, on the other hand, involves ongoing monitoring and management of an organization’s attack surface. It provides real-time visibility into changes in its attack surface, including new assets, applications, and vulnerabilities, allowing the company to adapt its security posture accordingly.

Breach-and-Attack Simulation versus Attack Surface Management

By regularly conducting BASs, organizations can identify and address security gaps before threat actors exploit them, ultimately strengthening their overall cybersecurity posture.

Key Takeaways