Glossary · Security testing

What is Breach and Attack Simulation?

Also known as: BAS, Continuous Security Validation, Automated Adversary Emulation

Breach and Attack Simulation (BAS) is the practice of safely emulating real adversary techniques to validate whether security controls detect and stop them. BAS is continuous and automated, typically maps each test to MITRE ATT&CK, and produces evidence of which defenses actually work rather than which merely exist.

Key takeaways

  • BAS safely emulates real attacker techniques to test whether controls actually detect and block them.
  • It is continuous and automated, unlike point-in-time penetration testing.
  • Tests are typically mapped to MITRE ATT&CK, giving a shared language for offense and defense.
  • BAS produces evidence that controls work, closing the gap between a control existing and a control being effective.

What is Breach and Attack Simulation?

Breach and Attack Simulation runs safe, controlled emulations of the techniques real adversaries use, then measures how the organization's defenses respond. The goal is not to find a single vulnerability but to validate the whole detection-and-response chain: did the endpoint tool catch the technique, did logging capture it, did an alert fire, was it blocked?

This addresses a common blind spot. Most programs can show a control exists; BAS shows whether it works. It is the validation layer on top of security posture and is the core idea behind CATAAM bundling offensive testing with compliance.

How BAS works and its relationship to MITRE ATT&CK

BAS organizes its tests around the MITRE ATT&CK framework, executing emulations for specific tactics and techniques such as credential access, defense evasion, or lateral movement. Because every test maps to a known technique, results translate directly into measurable detection coverage across the ATT&CK matrix.

A typical cycle plays out as: select techniques to emulate, run them safely in the environment, observe whether prevention and detection controls responded, and report coverage gaps. Because it is automated, the cycle can run continuously, so a control that silently breaks after a configuration change is caught quickly.

  • Emulates specific MITRE ATT&CK tactics and techniques
  • Runs safely and continuously, without real damage
  • Measures prevention, detection, and alerting separately
  • Highlights coverage gaps as actionable findings

BAS, penetration testing, and compliance evidence

BAS does not replace penetration testing. Pen testing is a deep, creative, point-in-time human assessment; BAS is broad, repeatable, automated validation that runs between pen tests to keep coverage from drifting.

For compliance, BAS turns control effectiveness into continuous evidence. Frameworks such as SOC 2 care that controls operate effectively over time, and BAS results feed continuous control monitoring to demonstrate exactly that.

Frequently asked questions

Is BAS safe to run in production?
BAS is designed to emulate techniques safely without causing real harm, which is why it can run continuously in live environments. It exercises detection and response logic rather than executing genuinely destructive payloads.
How is BAS different from penetration testing?
Penetration testing is a deep, point-in-time assessment driven by human creativity. BAS is broad, automated, and continuous, validating known techniques repeatedly. They are complementary: pen tests find novel issues, BAS keeps coverage consistent between them.
Why map BAS tests to MITRE ATT&CK?
Mapping to MITRE ATT&CK gives a shared, standardized language for techniques. It lets teams measure detection coverage across the same matrix attackers and defenders both reference, and compare results consistently over time.

Authoritative sources

← Back to the glossary