Breach & Attack Simulation

Prove Your Controls Work — Not Just That They Exist

Continuous BAS that simulates AWS IAM privilege escalation, S3 exfiltration, CloudTrail evasion, and network lateral movement. Every finding mapped to MITRE ATT&CK and linked to your compliance controls as verifiable evidence.

Simulation Categories: 6
MITRE Techniques: 200+
vs Annual Pen Test Cost: 90% less
Compliance Frameworks: 6

Simulation Coverage Across the Full Attack Lifecycle

Six scenario packs covering the most impactful cloud attack patterns — each tested against your live environment, not a staging sandbox.

IAM

AWS IAM Privilege Escalation

CATAAM simulates the most common AWS IAM privilege escalation paths documented by security researchers. Each scenario tests whether your IAM policies, SCPs, and permission boundaries actually block escalation — not just whether policies exist.

  • iam:CreatePolicyVersion — inject a new admin policy version and set it as default
  • iam:AttachRolePolicy — attach AdministratorAccess to an existing role
  • iam:PassRole to Lambda — pass a privileged role to a function, then invoke it to run code with that role's credentials
  • sts:AssumeRole chain — cross-account escalation via an overly permissive trust policy
  • EC2 instance profile abuse — extract role credentials from the instance metadata service
T1548.005 – Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access
T1078.004 – Valid Accounts: Cloud Accounts
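The control test behind this pack can be reproduced offline. What follows is an added example, not CATAAM's code: a minimal evaluator that applies the AWS rule that an explicit Deny anywhere wins, requires the action to be allowed by an identity policy AND the permissions boundary AND the SCPs, and reports which of the escalation paths above remain open for a principal. Condition blocks, resource ARNs and resource-based or session policies are deliberately ignored, so "open" means "not blocked by these documents", not proof of exploitability. The policy documents, the ESCALATION_PATHS table and the role described in the comments are constructed for the example.

```python
"""Offline check for the IAM escalation paths listed above (added example).

Applies the core of AWS policy evaluation to local JSON policy documents:
an explicit Deny wins; otherwise an action must be allowed by an identity
policy, by the permissions boundary (if attached) and by every SCP.
"""
import fnmatch

# Escalation primitives named on the page and the actions each one needs.
# The PassRole path also needs the Lambda calls that turn the role into code execution.
ESCALATION_PATHS = {
    "CreatePolicyVersion": ["iam:CreatePolicyVersion"],
    "AttachRolePolicy": ["iam:AttachRolePolicy"],
    "PassRole to Lambda": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
    "AssumeRole chain": ["sts:AssumeRole"],
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(stmt, action):
    """Does this statement's Action/NotAction cover `action`?
    IAM matching is case-insensitive and supports '*' and '?' wildcards."""
    act = action.lower()
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(act, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate(policy, action):
    """Verdict of one policy document for one action: 'Deny', 'Allow' or 'Implicit'."""
    verdict = "Implicit"
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def is_allowed(action, identity_policies, scps=(), boundary=None):
    """Combine verdicts the way AWS does for a same-account principal:
    any explicit Deny blocks; otherwise identity policies, the boundary
    (when attached) and every SCP must each allow the action."""
    identity = [evaluate(p, action) for p in identity_policies]
    scp = [evaluate(p, action) for p in scps]
    bound = evaluate(boundary, action) if boundary is not None else "Allow"
    if "Deny" in identity or "Deny" in scp or bound == "Deny":
        return False
    return "Allow" in identity and bound == "Allow" and all(v == "Allow" for v in scp)


def open_escalation_paths(identity_policies, scps=(), boundary=None):
    """Names of the paths for which every required action is reachable."""
    return [name for name, actions in ESCALATION_PATHS.items()
            if all(is_allowed(a, identity_policies, scps, boundary) for a in actions)]


# Constructed sample (not a real account): a developer role with broad Lambda
# rights, an SCP that denies policy mutation, and a permissions boundary that
# withholds sts:AssumeRole. Nothing here blocks the PassRole-to-Lambda path.
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["lambda:*", "iam:PassRole", "iam:CreatePolicyVersion",
                              "iam:AttachRolePolicy", "sts:AssumeRole"]}],
}
DENY_IAM_MUTATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:CreatePolicyVersion", "iam:AttachRolePolicy"],
         "Resource": "*"},
    ],
}
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "sts:AssumeRole", "Resource": "*"}],
}

if __name__ == "__main__":
    open_paths = open_escalation_paths([DEV_POLICY], [DENY_IAM_MUTATION_SCP], BOUNDARY)
    for name in ESCALATION_PATHS:
        if name in open_paths:
            print(f"FAIL IAM: {name} - ESCALATION PATH")
        else:
            print(f"PASS IAM: {name} blocked")
```

Against the sample, only "PassRole to Lambda" is reported open: the SCP denies the two policy-mutation actions and the boundary never grants sts:AssumeRole. A live, still read-only probe would call iam:SimulatePrincipalPolicy for the same action list; the offline version is handy for testing an SCP or boundary change before it is applied.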
S3

S3 Data Exfiltration & ACL Bypass

Tests whether your S3 buckets are actually protected — not just tagged as private. CATAAM validates block public access settings, bucket policies, and ACLs against real exfiltration scenarios documented in cloud breach reports.

  • Public bucket ACL detection and read access test
  • Bucket policy misconfiguration — cross-account access
  • Pre-signed URL abuse via leaked credentials
  • S3 Block Public Access override test
  • Replication to attacker-controlled bucket
T1530 – Data from Cloud Storage
T1537 – Transfer Data to Cloud Account
CT

CloudTrail Evasion & Detection

Attackers disable CloudTrail early to prevent detection. CATAAM tests whether your monitoring would detect and alert on logging disruption attempts — and whether existing gaps would let an attacker operate undetected.

  • CloudTrail logging disabled — event capture test
  • Log file validation disabled — tampering detection
  • Event selector manipulation — API call filtering evasion
  • Delivery to S3 stopped — logging gap simulation
  • Multi-region trail completeness check
T1562.008 – Impair Defenses: Disable or Modify Cloud Logs
T1070 – Indicator Removal
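To make "would your monitoring detect it" concrete, here is an added example (not CATAAM's detection logic) that scans CloudTrail records for the disruption patterns listed above: StopLogging and DeleteTrail, UpdateTrail calls that turn off log file validation, drop multi-region coverage or redirect delivery, and PutEventSelectors calls that filter out management or write events. The field names follow CloudTrail's record format; the account ID, ARNs, trail name and timestamps are constructed.

```python
"""Detection logic for CloudTrail tampering (T1562.008) over sample events.

Added example. Consumes records in the shape CloudTrail writes them
(eventSource, eventName, requestParameters, userIdentity, errorCode).
In production the records would arrive from the trail's S3 delivery,
EventBridge or CloudWatch Logs; here they are constructed inline.
"""

SOURCE = "cloudtrail.amazonaws.com"


def classify(record):
    """Return (severity, reason) for a tampering event, or None if benign.
    A denied attempt is still reported: it is an indicator of an attacker
    probing for the logging gap."""
    if record.get("eventSource") != SOURCE:
        return None
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    trail = params.get("name") or params.get("trailName")
    denied = " (call was denied)" if record.get("errorCode") else ""
    if name in ("StopLogging", "DeleteTrail"):
        return ("HIGH", f"{name} on {trail}{denied}")
    if name == "UpdateTrail":
        reasons = []
        if params.get("enableLogFileValidation") is False:
            reasons.append("log file validation disabled")
        if params.get("isMultiRegionTrail") is False:
            reasons.append("trail reduced to a single region")
        if "s3BucketName" in params:
            reasons.append(f"delivery bucket changed to {params['s3BucketName']}")
        if reasons:
            return ("HIGH", f"UpdateTrail on {trail}: " + "; ".join(reasons) + denied)
    if name == "PutEventSelectors":
        for sel in params.get("eventSelectors") or []:
            if sel.get("includeManagementEvents") is False or sel.get("readWriteType") == "ReadOnly":
                return ("HIGH", f"PutEventSelectors on {trail}: management or write events filtered out{denied}")
    return None


def scan(records):
    """One tuple per alert: (eventTime, actor ARN, severity, reason)."""
    alerts = []
    for rec in records:
        hit = classify(rec)
        if hit:
            actor = (rec.get("userIdentity") or {}).get("arn")
            alerts.append((rec.get("eventTime"), actor, hit[0], hit[1]))
    return alerts


ACCOUNT = "111122223333"  # constructed
CI_ROLE = f"arn:aws:iam::{ACCOUNT}:role/ci-deploy"
AUDITOR = f"arn:aws:iam::{ACCOUNT}:user/auditor"

SAMPLE_RECORDS = [  # constructed records, not real account data
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": SOURCE, "eventName": "DescribeTrails",
     "userIdentity": {"arn": AUDITOR}, "requestParameters": {}},
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": SOURCE, "eventName": "StopLogging",
     "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"name": f"arn:aws:cloudtrail:us-east-1:{ACCOUNT}:trail/org-trail"}},
    {"eventTime": "2024-05-01T10:02:40Z", "eventSource": SOURCE, "eventName": "UpdateTrail",
     "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"name": "org-trail", "enableLogFileValidation": False}},
    {"eventTime": "2024-05-01T10:03:05Z", "eventSource": SOURCE, "eventName": "PutEventSelectors",
     "userIdentity": {"arn": CI_ROLE},
     "requestParameters": {"trailName": "org-trail",
                           "eventSelectors": [{"readWriteType": "ReadOnly",
                                               "includeManagementEvents": True}]}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": SOURCE, "eventName": "UpdateTrail",
     "userIdentity": {"arn": AUDITOR},
     "requestParameters": {"name": "org-trail", "snsTopicName": "trail-notify"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": AUDITOR}, "requestParameters": {}},
]

if __name__ == "__main__":
    for when, who, severity, reason in scan(SAMPLE_RECORDS):
        print(f"{when} {severity} {who}: {reason}")
```

Three of the six sample records are flagged, all from the ci-deploy role within a minute of each other; the benign UpdateTrail that only changes the SNS topic and the S3 GetObject are ignored. The same grouping by actor and time window is what turns individual alerts into a "logging disruption attempt" finding.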
Network

Network Exposure & Lateral Movement

Network misconfigurations are among the most common initial access vectors in cloud breaches. CATAAM maps your Security Groups, VPC peering relationships, and instance metadata service configuration to identify exposure and lateral movement opportunities before attackers find them.

  • SSH brute-force resistance (password auth exposure)
  • EC2 metadata service v1 vs v2 enforcement
  • Security group overpermission — 0.0.0.0/0 ingress
  • VPC peering lateral movement path mapping
  • RDS public endpoint exposure detection
T1021 – Remote Services
T1110 – Brute Force
T1599 – Network Boundary Bridging
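Two of the checks above, world-open security group ingress and IMDSv2 enforcement, reduce to evaluating API describe output. The following added example (not CATAAM's scanner) does that over dicts shaped like the SecurityGroups and Instances entries returned by EC2 DescribeSecurityGroups and DescribeInstances, which is the structure boto3 returns. The group IDs, instance IDs and rules are constructed so the script runs offline; the SENSITIVE_PORTS table is the example's own choice.

```python
"""Flag world-open security group ingress and IMDSv1-capable instances.

Added example. Inputs mirror the EC2 DescribeSecurityGroups / DescribeInstances
response shape; the sample data below is constructed.
"""

# Services the network pack singles out, plus common database ports (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 6379: "Redis"}


def _world_reachable(rule):
    """True if the rule's source covers every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == "::/0" for r in rule.get("Ipv6Ranges", []))
    return v4 or v6


def _covers_port(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":                 # "all traffic" rule
        return True
    if proto not in ("tcp", "udp"):   # icmp and friends carry no port
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def sg_findings(group):
    """(GroupId, description) for every sensitive service exposed to the world."""
    findings = []
    for rule in group.get("IpPermissions", []):
        if not _world_reachable(rule):
            continue
        if rule.get("IpProtocol") == "-1":
            findings.append((group["GroupId"], "all protocols and ports open to the world"))
            continue
        for port, service in SENSITIVE_PORTS.items():
            if _covers_port(rule, port):
                findings.append((group["GroupId"],
                                 f"{service} ({port}/{rule['IpProtocol']}) open to the world"))
    return findings


def imds_findings(instance):
    """Flag instances that still answer IMDSv1: an SSRF in any application on
    the box can then read the instance-profile credentials without a token."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []
    if opts.get("HttpTokens") != "required":
        return [(instance["InstanceId"], "IMDSv1 reachable (HttpTokens is not 'required')")]
    return []


def scan(groups, instances):
    findings = []
    for group in groups:
        findings.extend(sg_findings(group))
    for inst in instances:
        findings.extend(imds_findings(inst))
    return findings


SAMPLE_GROUPS = [  # constructed
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        # A wide port range over IPv6 only; easy to miss when filtering on 0.0.0.0/0
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 6000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]
SAMPLE_INSTANCES = [  # constructed
    {"InstanceId": "i-0aaa1111", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb2222", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]

if __name__ == "__main__":
    for resource, description in scan(SAMPLE_GROUPS, SAMPLE_INSTANCES):
        print(f"FAIL {resource}: {description}")
```

Note that the IPv6 range in sg-0bbb exposes RDP, MySQL and PostgreSQL even though no rule mentions 0.0.0.0/0, and that HTTPS on 443 is world-open by design and therefore not reported; a real pack would take the allowed-public list from the environment's own baseline.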
Crypto

Encryption & Cipher Weakness

Weak encryption is an invisible vulnerability — systems appear healthy until an attacker captures and decrypts traffic. CATAAM tests cipher strength across all external endpoints and validates encryption-at-rest across cloud storage resources.

  • TLS version detection — SSLv3, TLS 1.0, TLS 1.1 exposure
  • Weak cipher suite enumeration (RC4, DES, 3DES)
  • Certificate validity and expiry monitoring
  • KMS key rotation status check
  • EBS and RDS encryption-at-rest validation
T1557 – Adversary-in-the-Middle
T1552 – Unsecured Credentials
Email

Email Security & Phishing Resilience

Email-based attacks remain one of the most common initial access vectors in enterprise breaches. CATAAM validates your SPF, DMARC, and DKIM configuration so that attackers cannot spoof your exact domain, and monitors lookalike registrations, which authentication records alone cannot stop.

  • SPF record validation and strictness check
  • DMARC policy enforcement (none / quarantine / reject)
  • DKIM selector presence and key strength
  • BIMI record detection
  • Domain lookalike registration monitoring
T1566 – Phishing
T1598 – Phishing for Information
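The SPF strictness and DMARC enforcement checks above come down to parsing two TXT records. The following added example (not CATAAM's checker) grades constructed SPF and DMARC records: it flags a missing or permissive "all" term, the RFC 7208 ten-lookup limit, the deprecated ptr mechanism, p=none or p=quarantine, partial pct coverage and missing aggregate reporting. The sample domains and records are constructed; a live run would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS library such as dnspython. DKIM is left out because selectors cannot be enumerated from DNS alone.

```python
"""Grade SPF and DMARC records for spoofing resistance (added example).

Records are passed in as strings; grades are PASS, WARN or FAIL with the
reasons listed. Sample records below are constructed, not live lookups.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 s4.6.4 caps them at 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)", re.I)


def grade_spf(record):
    """Return (grade, issues) for an SPF TXT record, FAIL if absent."""
    if not record or not record.lower().startswith("v=spf1"):
        return ("FAIL", ["no SPF record published"])
    terms = record.split()[1:]
    issues, hard = [], False
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term in (None, "all", "+all", "?all"):
        hard = True
        issues.append("no restrictive 'all' term: unlisted senders pass or are neutral")
    elif all_term == "~all":
        issues.append("'~all' softfail: receivers may still deliver spoofed mail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        hard = True
        issues.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().startswith("ptr") for t in terms):
        issues.append("ptr mechanism is deprecated and slow")
    if hard:
        return ("FAIL", issues)
    return ("WARN", issues) if issues else ("PASS", [])


def grade_dmarc(record):
    """Return (grade, issues) for a _dmarc TXT record, FAIL if absent."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ("FAIL", ["no DMARC record published"])
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    issues, hard = [], False
    policy = tags.get("p", "").lower()
    if policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        hard = True
        issues.append(f"p={policy or 'missing'}: spoofed mail is still delivered")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "sp" in tags and tags["sp"].lower() != "reject":
        issues.append(f"sp={tags['sp']}: subdomains get a weaker policy")
    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports are not collected")
    if hard:
        return ("FAIL", issues)
    return ("WARN", issues) if issues else ("PASS", [])


def assess(domain, spf_record, dmarc_record):
    """Combined verdict: the weaker of the two grades, with every issue listed."""
    order = {"PASS": 0, "WARN": 1, "FAIL": 2}
    spf_grade, spf_issues = grade_spf(spf_record)
    dmarc_grade, dmarc_issues = grade_dmarc(dmarc_record)
    return {"domain": domain, "grade": max(spf_grade, dmarc_grade, key=order.get),
            "spf": spf_grade, "dmarc": dmarc_grade, "issues": spf_issues + dmarc_issues}


SAMPLES = {  # constructed records (domain -> (SPF, DMARC))
    "example.com": ("v=spf1 include:_spf.google.com -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "example.net": ("v=spf1 include:spf.protection.outlook.com ~all",
                    "v=DMARC1; p=none; rua=mailto:dmarc@example.net"),
    "example.org": ("v=spf1 a mx ptr +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        result = assess(domain, spf, dmarc)
        print(f"{result['grade']} {domain} (SPF {result['spf']}, DMARC {result['dmarc']})")
        for issue in result["issues"]:
            print(f"  - {issue}")
```

The grading is deliberately strict: a softfail SPF with p=none DMARC is graded FAIL because p=none only reports spoofing, it does not stop it, and a domain with p=reject but pct=50 is a WARN because half of failing mail is still delivered.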

Continuous Simulation, Not Annual Snapshots

BAS runs continuously — catching control regressions from configuration changes the moment they happen, not 12 months later during a pen test.

01

Select simulation scenarios

Choose from pre-built scenario packs (AWS IAM, S3, network) or run the full suite. Scenarios are safe — they test control effectiveness without causing damage or data loss.

02

Run against your live environment

BAS executes in your environment using the same techniques real attackers use. No agents needed — cloud API-based simulations with read-only escalation probes.

03

Review MITRE ATT&CK findings

Each finding displays the technique ID, tactic, severity, CVE reference where applicable, and a specific remediation step. Prioritized by attacker impact, not CVSS score.

04

Link to compliance controls

BAS results auto-populate compliance evidence for SOC 2, ISO 27001, PCI-DSS, and HIPAA. Pass results prove control effectiveness; findings generate remediation tickets in Jira.

BAS vs. Traditional Penetration Testing

Feature               | BAS (CATAAM)              | Manual Pen Test
----------------------|---------------------------|--------------------------
Frequency             | Continuous (365 days)     | Annual or quarterly
Speed to results      | Minutes                   | Weeks
Evidence format       | Timestamped API results   | Static PDF report
Compliance linkage    | Auto-mapped to controls   | Manual mapping required
MITRE ATT&CK coverage | Continuously updated      | Point-in-time scope
Remediation tracking  | In-platform with Jira     | Separate workflow
Cost model            | Per credit, pay-as-you-go | $15K–$50K per engagement

BAS and penetration testing are complementary — not competing. CATAAM BAS handles continuous coverage; a skilled penetration tester handles creative exploitation.

Real-Time Simulation Results

CATAAM runs BAS simulations continuously against your environment. Results are timestamped, MITRE-mapped, and immediately available in your compliance dashboard — not buried in a PDF three weeks after an engagement ends.

  • IAM escalation paths tested every scan cycle
  • Configuration drift caught within minutes of a change
  • Compliance evidence auto-linked on PASS results
  • Jira tickets auto-created on new FAIL findings

# CATAAM BAS — live simulation output
PASS IAM: iam:CreatePolicyVersion blocked ✓
PASS IAM: iam:AttachRolePolicy blocked ✓
FAIL IAM: iam:PassRole to Lambda — ESCALATION PATH ✗
→ T1548.005 | Jira: SEC-4421
PASS S3: Block Public Access enforced ✓
WARN S3: Cross-account replication enabled ⚠
PASS CloudTrail: multi-region enabled ✓
PASS EC2: IMDSv2 enforced ✓
Findings: 1 FAIL, 1 WARN, 5 PASS
SOC 2 evidence: 8 controls updated →

Breach & Attack Simulation — Frequently Asked Questions

What is Breach and Attack Simulation (BAS) and how does it differ from a penetration test?
Breach and Attack Simulation (BAS) continuously and safely executes real-world attack scenarios against your environment. Unlike a penetration test — which is a one-time manual engagement conducted by human testers — BAS runs continuously, produces machine-readable results, and integrates directly with your compliance workflows. A penetration test is valuable for deep, creative exploitation; BAS is better for continuous validation of specific controls, compliance evidence generation, and catching regressions after configuration changes.
Are CATAAM's BAS simulations safe to run in production?
Yes. CATAAM's BAS scenarios are designed to test control effectiveness without causing damage, data loss, or service disruption. IAM escalation simulations use read-only API calls to probe permission boundaries — they do not actually create new admin users or modify resources. S3 tests validate access controls by attempting read operations that should be blocked — they do not exfiltrate data. Network tests probe service exposure without exploiting vulnerabilities. Every simulation is non-destructive by design.
How does BAS evidence satisfy compliance requirements like SOC 2 and PCI-DSS?
BAS produces timestamped, structured results that prove controls are effective — not just documented. SOC 2 CC6 and CC7 require demonstrating that logical access and system operations controls work; BAS provides verifiable evidence that IAM escalation is blocked, CloudTrail monitoring is active, and network controls prevent unauthorized access. PCI-DSS Requirement 11 mandates vulnerability scanning and penetration testing; continuous BAS results give auditors supporting evidence between those assessments, and they complement rather than replace the qualified penetration test and approved-scanning-vendor scans the requirement calls for. Every result is stored in CATAAM and linked to the relevant control.
What MITRE ATT&CK techniques does CATAAM's BAS cover?
CATAAM's BAS covers techniques across the Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, and Exfiltration tactics — focused on cloud environments. Key techniques include T1548 (Abuse Elevation Control Mechanism), T1078 (Valid Accounts), T1562 (Impair Defenses), T1070 (Indicator Removal), T1530 (Data from Cloud Storage), T1537 (Transfer Data to Cloud Account), T1021 (Remote Services), T1110 (Brute Force), T1599 (Network Boundary Bridging), T1557 (Adversary-in-the-Middle), T1552 (Unsecured Credentials), T1566 (Phishing), and T1598 (Phishing for Information). The technique library is updated as new cloud attack patterns are published.
Can BAS findings trigger automated remediation or Jira tickets?
Yes. CATAAM's Jira integration automatically creates remediation tickets from BAS findings that exceed your configured severity threshold. Each ticket includes the MITRE ATT&CK technique ID, the specific finding, the affected resource ARN, and the recommended remediation step. Tickets are tracked in CATAAM alongside the compliance control they affect — so remediation progress is reflected in your compliance dashboard automatically.

Ready to Test Whether Your Controls Actually Work?

14-day free trial. No credit card. First BAS scan results in minutes.