Top 11 Breach and Attack Simulation (BAS) Vendors for 2022

Breach and attack simulation (BAS) is a relatively new IT security technology that can automatically spot vulnerabilities in an organization’s cyber defenses, akin to continuous, automated penetration testing. BAS offers more than just pen testing and red team insights, going further in recommending and prioritizing fixes to maximize security resources and minimize cyber risk.

Just a few years into BAS’s entry into the cybersecurity marketplace, vendors range from startups to fast-growing mid-sized companies. Some consolidation has already taken place, but more is sure to come and the race to obtain a sustainable market share is far from over. As the industry develops, several vendors refer to advanced BAS solutions as security validation. Artificial intelligence and machine learning are an increasingly important part of this market, as automated cybersecurity tools need to be able to adjust as new threats emerge.

Here are 11 of the top movers in the BAS market. For an adjacent market, please see our top vulnerability management solutions.

Top 11 Breach & Attack Simulation Solutions

  1. AttackIQ
  2. CyCognito
  3. Cymulate
  4. DXC Technology
  5. Mandiant
  6. FireMon
  7. Picus Security
  8. Qualys
  9. Rapid7
  10. SafeBreach
  11. XM Cyber

1. AttackIQ

AttackIQ calls San Diego, California, home and started as an automated validation platform in 2013. Its platform, previously known as FireDrill, enables organizations to test and measure their security posture across environments. Informed by the MITRE ATT&CK matrix and its wealth of cyber adversary behavior, clients can run advanced scenarios targeting critical assets and continuously improve their defensive posture. AttackIQ’s Anatomic Engine is a differentiator, as it can test machine learning and AI-based cybersecurity components. With the capacity to run multi-stage emulations, test network controls, and analyze breach responses, AttackIQ remains a top contender among BAS solutions.

See our in-depth analysis of AttackIQ’s BAS platform

2. CyCognito

CyCognito is committed to exposing shadow risk and bringing advanced threats into view. One of the youngest BAS vendors, the vendor started operations in 2017 and resides in Palo Alto, California. Named a Gartner Cool Vendor for Cyber and IT Risk Management in 2020, CyCognito identifies attacker-exposed assets to enhance visibility into the attack and protect surfaces. According to the vendor, clients identify up to 300% more assets than they knew existed on their network. Through the CyCognito platform, organizations can define risk categories, automate offensive cybersecurity operations, and prepare for any subsequent advanced attack.

See our in-depth analysis of CyCognito’s BAS platform

3. Cymulate

Cymulate is the first of two Israeli vendors on our top BAS solutions list. Founded in 2016, the Rishon LeZion-based vendor specializes in breach and attack simulation and security posture verification. By employing the MITRE ATT&CK framework and mimicking an array of advanced hacker strategies, the Cymulate platform assesses network segments, detects vulnerabilities, and optimizes remediation. To confront the dynamic threat landscape, Cymulate offers continuous security validation that provides consistent guidance for action. Deploying Cymulate with near-unlimited attack simulations can be completed within minutes via a single lightweight agent.

See our in-depth analysis of Cymulate’s BAS platform

4. DXC Technology

DXC Technology has over 40 years of infosec experience, most of which as HPE’s Enterprise Services. In 2017, HPE spun off the segment and merged with Computer Sciences Corporation to establish DXC. The DXC BAS offerings are a part of their Cyber Defense product line, which crafts tailored security solutions for the digital enterprise and prioritizes the evolving threat landscape. Services include tools for managing incident response, breaches, threats, and vulnerabilities, threat intelligence feeds, OT and IoT security, and cyber maturity reviews. The most comprehensive and enterprise-ready BAS solution is the DXC Security Platform, which includes DXC’s IT management platform, ServiceNow. DXC security platform also provides automated security services, advanced vulnerability management, and a managed SIEM.

5. Mandiant

Verodin was an upstart BAS vendor out of Washington, D.C., as of our last update. This time around, the same platform is now under a notable cybersecurity vendor, Mandiant – which itself will soon be acquired by Google.

Initially founded in 2014, Verodin was acquired by Mandiant in May 2019 for $250M and integrated into the vendor’s Mandiant Security Validation platform. With integrated threat intelligence, automated environmental drift detection, and support for optimizing existing cybersecurity tools like SIEM, Mandiant eases a client’s monitoring job to focus on taking action. Mandiant notes clients can save big financially in the form of controlled vulnerabilities and speed response time to advance TTPs by almost 600%.

See our in-depth write up on predecessor Verodin

6. FireMon

FireMon is a Dallas-based vendor for cybersecurity, compliance, and risk mitigation started in 2004. FireMon’s BAS solution is Risk Analyzer, covering advanced vulnerability management, risk analysis, and threat modeling software. With the capacity to categorize risks, simulate attacks, and craft policy-based remediation, Risk Analyzer offers a broad BAS solution. FireMon’s attack path graphics and analysis are good for administrators who desire greater visibility.

7. Picus Security

Picus Security is a continuous security validation vendor located in San Francisco and founded in 2013. Recognized in 2019 as a Gartner Cool Vendor, the Picus Security Control Validation (SCV) platform scans for vulnerabilities and offers guidance on germane configuration of security controls. By integrating into an existing SIEM, the Picus SCV helps identify logging and alert gaps where additional action is required to optimize your SIEM. With MITRE ATT&CK and kill chain visibility, administrators deploying SCV can take the necessary steps to prevent the next advanced attack. While still a new industry, Picus currently holds the top Gartner Peer Insights rating at an average of 4.8/5 stars with 33 reviews.

See our in-depth analysis of Picus Security

8. Qualys

Qualys is a leading provider of cloud security and compliance solutions–and the oldest vendor to make our list, founded in 1999 in San Francisco. Their most popular product and top BAS solution is the Vulnerability Management, Detection, and Response (VMDR) platform. From analyzing vulnerabilities with six sigma accuracy to identifying known and unknown network assets, the Qualys VMDR is a single app solution that’s fully cloud-based. In line with its cloud hosting, the vendor offers a set of included features and several add-ons for organizations requiring more. Add-on features include mobile device support, cloud security assessments, and container runtime security.

9. Rapid7

Rapid7 kicked off operations in 2000 and, fifteen years later, released the Insight platform, bringing together vulnerability research, exploit knowledge, attacker behavior, and real-time reporting for network administrators. Rapid7’s BAS solution is InsightVM and comes with an easy-to-use dashboard where clients can manage everything from risk prioritization and automated containment to integrated threat intelligence feeds. With features devoted to remediation and attack surface monitoring, Rapid7’s InsightVM goal is to make cyber risk management seamless.

While not the top-ranked on Gartner Peer Insights, Rapid7 by far has the most reviews at 309, with a solid score of 4.5/5 stars.

10. SafeBreach

SafeBreach holds multiple patents and awards for their BAS technology. Founded in 2014, the California-based vendor is a pioneer in breach simulation. The BAS platform can detect infiltration, lateral movement, and data exfiltration by offering cloud, network, and endpoint simulators. With an ever-changing threat landscape, SafeBreach continuously validates tools and the organization’s overall security posture. When flagged, administrators have the visibility to take prompt action against potential vulnerabilities. With the SafeBreach platform deployed, organizations can expect increased security control effectiveness, real threat emulation, and improved cloud security.

See our in-depth analysis of SafeBreach

11. XM Cyber

XM Cyber is a Tel Aviv-based cyber risk analytics and cloud security vendor launched in 2016. Born from the thought leadership of the Israeli intelligence sector, the XM Cyber Breach and Attack Simulation, previously known as HaXM, is a leading BAS solution. In its short history, the vendor has been at the forefront of BAS innovation, winning several awards and pushing other vendors forward. XM Cyber identifies an organization’s most critical assets and works backward with attack-centric exposure prioritization, identifying the exploit routes. Analyzing every potential attack path and crafting remediation options informed by risk impact give administrators visibility in real-time to secure their network.

See our in-depth analysis of XM Cyber

Guide to BAS solutions

Breach and attack simulation is the next generation of vulnerability assessment tools and an essential deterrent to advanced persistent threats (APTs). To help in finding the best solution for your organization, we offer an overview of BAS, what it is, standard features, options for deployment, case studies, and more.

Also Read: How to Fight Advanced Persistent Threats (APT)

What is breach and attack simulation (BAS)?

Breach and attack simulation solutions go beyond vulnerability assessments, penetration testing, and red teaming by offering automated and advanced breach simulation.

To test the strength of network security, organizations must put themselves in the shoes (or hoodie) of the world’s malicious actors. In the process, administrators lean on existing threat intelligence, outsource system auditing to cybersecurity firms, and pray they fend off the next advanced attack. BAS as a software, hardware, cloud, or hybrid solution offers the latest vulnerability management, risk analysis, and network testing.

Why BAS?

Malicious attacks and advanced persistent threats pose a constant risk to SMB and enterprise organizations. In response to the ever-evolving nature of threats, a number of security tools have evolved, among them vulnerability assessments, penetration testing, red teaming, and breach and attack simulation.

Without disrupting business continuity, these methods can test attacks and other malicious activities that provide valuable insight into present and future defensive needs.

Penetration Testing

Penetration testing is the practice of testing a network for vulnerabilities and complex configurations. Also shortened to just pen testing, this method is a foundational cybersecurity practice today, but the truth is it’s no longer enough for organizations who want to take all precautions against breaches,

Pen testers can offer valuable insight as they move across your network and attempt to exploit vulnerabilities. These tests are often scheduled, limited to an assessment of known vulnerabilities for reporting pertinent patches, and run during a 1-2 week sprint.

Also Read: How to Conduct a Vulnerability Assessment: 5 Steps toward Better Cybersecurity

Red Teaming

In-house and third-party red teams refine penetration testing by targeting specific attack vectors, utilizing social engineering, and avoiding detection.

The idea is simple enough: hire ethical hackers to simulate multi-layered attacks against the home network. Like real-world malicious actors and APTs, these ninjas aim for the most precious virtual assets.

While pen testing can take as much as a couple of weeks, red team assessments typically last 3-4 months. Naturally, the next generation of vulnerability and breach detection is BAS, an around-the-clock solution.

Also Read: Apple White Hat Hack Shows Value of Pen Testers

Active, Automated, and Simulated

Automated breach simulation addresses current threats. No longer does an organization have to worry about potential vulnerabilities for weeks or months in between a visit by a third-party pen tester or red team. With an on-premises or cloud-based breach and attack solution, administrators can automate vulnerability scans and attack scenarios for the most substantial visibility into a network’s defensive position. Insights into existing vulnerabilities or vulnerable routes to critical assets can be the difference in withstanding the next advanced attack. All the while, BAS solutions work inside the network without disrupting the business-critical production environment.

Also Read: Fighting Advanced Persistent Threats with Emulation

BAS features

APT Simulation

Breach and attack simulators assess and verify the most recent and advanced tactics, techniques, and practices (TTPs) circulating the globe. Advanced persistent threats, in particular, are a daunting threat to organizations due to social engineering, zero-day vulnerabilities, and an incredible capacity to go unnoticed and undetected. In 2020, Russia-aligned APT29 was responsible for a prolonged and devastating breach of the SolarWinds Orion management software. No tool is guaranteed to stop every attack. Still, a BAS system in place can put a dent in detecting zero-day vulnerabilities and present potential attack routes for malicious actors moving through a network.

Also Read: Best Penetration Testing Tools for 2021

Automated vs. Manual

For penetration testing, red teaming, or in-house security audits, organizations and third-party security contractors were responsible for manually designing and executing each passthrough. Whether the scan was targeting a critical asset or doing a vulnerability assessment of the entire network, manual network testing is resource-exhaustive with any frequency.

BAS solutions have the technological prowess to mitigate this problem by automating the deployment of custom scans and attacks pertinent to the specific network, informed by threat intelligence feeds and the industry ecosystem.

Real-Time Insights

Malicious actors don’t care what time it is for the organization and will gladly take advantage of a small window of opportunity. Given this, SMB and enterprise organizations know that 24/7 monitoring is necessary if not an objective in progress. By outsourcing BAS, firms can save internal resources devoted to vulnerability and attack simulations. Network administrators can rest assured knowing breaches should result in a timely notification. For ongoing attacks, prompt notice and action can stop the attacker in their tracks before any additional damage.

Also Read: Best Cybersecurity Software for 2022

Flexible for Evolving Infrastructure

As organizations move to the cloud or consider alternatives to on-premises infrastructure, they require a solution covering everything. As a newer technology, breach and attack simulation can deploy to most infrastructures or network segments, including organizations moving towards a hybrid cloud or SD-WAN.

Add to this the headaches caused by mergers and acquisitions. For a global economy chock full of digital transformation and network changes, deployment flexibility for diverse environments is critical.

Also Read: Top Next-Generation Firewall (NGFW) Vendors

Deployment options for BAS

Agent-Based Vulnerability Scanning

The most straightforward deployment of BAS is the agent-based method. Similar to a vulnerability assessment but offering more visibility, this approach means placing agents in the organization’s LAN to continue testing network segments.

A critical downside to the agent-based method is its lack of oversight of the perimeter and typically an inability to exploit or validate vulnerabilities. That said, the agent-based process for deployment is still an improvement from past tools thanks to its ability to report vulnerabilities and map out potential attack routes.

Malicious Traffic-Based Testing

Monitoring traffic, including malicious packets, is an inherent component of any modern cyberinfrastructure. Whether it’s an NGFW, IDPS, SIEM, EDR, or combination of these tools, the comprehensive solutions to address risks are a focal point for advanced network security. The malicious traffic-based testing approach comes down to attacking the network to identify vulnerabilities and–more importantly–report instances where comprehensive security solutions like IDPS and SIEM miss malicious traffic.

Like agent-based scanning, several agents in virtual machines (VMs) sit positioned throughout the network. Using a database of breach and attack scenarios, these VMs serve as the targets for testing. However, like the agent-based method, the traffic-based deployment option also leaves your perimeter out of the equation.

Blackbox Multi-Vector Testing

The most advanced approach to BAS typically involves cloud deployment of agents to network locations, while the software solution maintains communication with the BAS platform. Unlike the previous two methods, the blackbox multi-vector approach for deployment includes analysis for perimeter-based breaches and attacks.

Much like the classic blackbox example for agent-machine I/O, this method aims to test as many inputs on multiple attack vectors to detect malfunction. Suffice it to say that this method is most desirable for enterprises because it offers the most visibility into its defensive posture.

Also Read: Top 22 Cybersecurity Startups to Watch in 2021

BAS market

Looking ahead, the breach and attack simulation market is expected to grow at a CAGR of 37%, jumping from $278M in 2020 to nearly a billion ($984M) by 2025.

Here is more on some of the leading players:

BAS Vendors


HQ Est.

Product Description

AttackIQ San Diego, CA


“AttackIQ delivers continuous validation of your enterprise security program so you can find the gaps, strengthen your security posture and exercise your incident response capabilities.”
CyCognito Palo Alto, CA


“CyCognito’s SaaS platform continuously simulates sophisticated attackers’ actual reconnaissance and examination processes across live infrastructure and network assets to provide comprehensive attack surface analysis in real-time.”
Cymulate Rishon Le Zion, Israel


“Cymulate comprehensively identifies the security gaps in your infrastructure and provides actionable insights for proper remediation.”
Picus Security San Francisco, CA 2013 “Independent from any vendor or technology, the unparalleled Picus Platform is designed to continuously measure the effectiveness of security defenses by using emerging threat samples in production environments.”
SafeBreach Sunnyvale, CA 2014 “Our unique software platform simulates adversary breach methods across the entire kill chain, without impacting users or your infrastructure.”
FireEye Mandiant Mclean, VA 2014 “Verodin is a business platform that provides organizations with the evidence needed to measure, manage and improve their cybersecurity effectiveness.”
XM Cyber Herzliya, Israel 2016 “XM Cyber provides the first fully automated APT Simulation Platform to continuously expose attack vectors, above and below the surface, from breach point to any organizational critical asset.”
DXC Technology Arlington, VA 2017 “DXC Cyber Defense includes comprehensive advisory and managed security services to mitigate breaches and help you fully understand the threats you face.”
FireMon Overland Park, KS 2004 “FireMon Risk Analyzer provides best-in-class vulnerability management through real-time risk analysis and threat modeling to uncover exposures, score network risk, and prioritize remediation.”
Rapid7 Boston, MA 2000 “InsightVM uses secure platform capabilities to provide fully available, scalable, and efficient ways to collect your vulnerability data and turn it into answers.”
Qualys Redwood City, CA 1999 Qualys Vulnerability Management, Detection, and Response (VMDR) uses built-in orchestration to discover, assess, prioritize, and patch critical vulnerabilities in real time from a single solution.”


Other breach and attack simulation vendors include Aujuas, Cronus Cyber Technologies, Foreseeti, Guardicore, IronSDN/WhiteHax, Keysight, MazeBolt Technologies, NopSec, Pcysys, Randori, ReliaQuest, Scythe, Skybox Security, and Sophos.

BAS: Next-gen vulnerability and risk management

When honing a skill, the saying goes, “practice makes perfect.” And then someone interjects, ”Actually, perfect practice makes perfect.”

While maybe a bit too literal, they’re right in the context of cybersecurity. All it takes is one hidden misconfiguration and an advanced TTP for a network to fall victim to malicious actors. Threats today require proactive defensive strategies and can’t wait to be attacked to prepare.

Pen testing and red team services continue to make organizations more robust, offering critical insight into vulnerabilities, breach detection, and attack vectors. Breach and attack simulation is a natural step for SMB and enterprise organizations that require the latest in cybersecurity tools. In an age where APTs wreak massive damage to critical infrastructures, the need for constant, active scanning for the newest threats makes sense.

Also Read: Automating Security Risk Assessments for Better Protection

Article revised May 6, 2021 by Sam Ingalls

Sam Ingalls
Sam Ingalls
Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, ServerWatch, Channel Insider, and Webopedia.

Top Products

Related articles