Breach and attack simulation (BAS) is a relatively new IT security technology that can automatically spot vulnerabilities in an organization’s cyber defenses, akin to continuous, automated penetration testing. The best tools also recommend and prioritize fixes to maximize security staff time and minimize cyber risk.
As with most new technologies, vendors in the BAS market tend to be startups, and many of them are headquartered in Israel, thus creating challenges for early adopters. Once the market begins to mature and get noticed, expect consolidation to follow.
Here are 11 of the top early movers in the BAS market, based in part on Gartner and CyberDB research. Also see our picks for top vulnerability management solutions for a tangential market.
- Cronus Cyber Technologies
- Picus Security
- XM Cyber
Founded in 2013, AttackIQ is headquartered in San Diego, California, and has raised $14.3 million in funding, according to CrunchBase. The company promises to help companies put on an “offensive defense” with its FireDrill platform. It’s an agent-based system that “requires minimal setup time, and few resources to implement.” It includes a dashboard for monitoring your ongoing security posture and a project section for running specific attack scenarios.
See our in-depth analysis of AttackIQ’s FireDrill platform
Based in Israel, this startup offers a product called Cybot that it describes as a combination vulnerability management and penetration testing solution. It offers three versions of the product, a standard “pro” version, plus one for enterprises and one for managed security service providers (MSSPs). It was founded in 2014 and has raised $5.7 million in venture funding.
See our in-depth analysis of Cronus Cybot
Founded in 2017, CyCognito is one of the youngest BAS vendors. It offers a SaaS solution that is said to “think like an attacker to uncover and eliminate security blind spots.” It attempts to identify the paths of least resistance, those that attackers are most likely to exploit. The company is headquartered in Silicon Valley.
See our in-depth analysis of CyCognito’s BAS platform
One of several Israel-based startups on the list, Cymulate was named a Gartner Cool Vendor for 2018. It claims that its cloud-based BAS tool takes just five minutes to deploy and starts returning insights two minutes later. Its capabilities include immediate threat alerts, email security, Web gateway, Web application, hopper—lateral movement, endpoint, data exfiltration, phishing and SIEM/SOC assessments.
See our in-depth analysis of Cymulate’s BAS platform
GuardiCore’s primary product is a microsegmentation platform designed for hybrid clouds, but the company also has an open source BAS tool called Infection Monkey. It’s a free download, and enterprises can run it continuously if they choose. Building on GuardiCore’s area of expertise, it is especially good at detecting lateral movement and assessing the security of hybrid clouds.
See our in-depth analysis of GuardiCore Infection Monkey
Picus calls itself the “pioneer of breach and attack simulation technologies” and boasts “many large multinational corporations and government agencies” as customers. It includes modules for continuous HTTP/HTTPS, endpoint and email testing. The company was founded in 2013 and is headquartered in San Francisco with offices in London and Ankara, Turkey (where many of its executives are from).
See our in-depth analysis of Picus Security
SafeBreach holds multiple patents for breach and attack simulation technology and has won multiple awards, including being named a Gartner Cool Vendor for 2017 and a BlackHat Most Innovative Startup in 2016. It offers cloud, network and endpoint simulators that can detect infiltration, lateral movement and data exfiltration. Founded in 2014, it is headquartered in Silicon Valley.
See our in-depth analysis of SafeBreach
Founded in 2014 by a U.S. Navy veteran who worked in cryptography, this Texas firm claims to be “the leader in breach and attack simulations.” It promises to make BAS easy, and unlike many of the other BAS vendors, it is upfront about pricing, which starts at $33 per month for the Pro version. The solution deploys as a standalone app with optional agents available for testing multiple networks simultaneously.
See our in-depth analysis of Threatcare
Based in the Washington, D.C. area, Verodin is on a mission to “help organizations remove assumptions and prove cybersecurity effectiveness with evidence-based data.” It calls its BAS product a Security Instrumentation Platform (SIP) and promises to be able to test the defenses for networks, endpoints, email and the cloud. It was founded in 2014 and earlier this year closed a $21 million funding round.
See our in-depth analysis of Verodin Security Instrumentation Platform
This Silicon Valley startup is somewhat mysterious as details about its headquarters and founding are difficult to find on its website or CrunchBase. It claims to be “the only solution which allows the IT Security team to conduct automated internal verification of their own security infrastructure defenses without impacting any production servers or endpoints.” It has versions available for networks, endpoints, PVC (cloud) and MSSPs, as well as a Lite version.
See our in-depth analysis of IronSDN WhiteHaX
Headquartered near Tel Aviv, XM Cyber was “founded by the highest caliber of security executives from the elite Israel intelligence sector.” Its product is called HaXM, and the company says it is “the first APT simulation platform to simulate, validate and remediate attackers’ paths to your critical assets 24×7.” It has won multiple awards, including a 2018 Cybersecurity Breakthrough Award, Startup of the Year 2018, 2018 World Economic Forum Technology Pioneer and more.
See our in-depth analysis of XM Cyber HaXM
Open-source BAS Options
In addition to the vendors offering the full-featured products mentioned above, a few other organizations have released open source software that offers some limited breach and attack simulation capabilities. They include Uber with its Metta adversarial simulation tool; AlphaSOC with its FlightSIM tool for generating malicious network traffic; Endgame with its Red Team Automation scripts; and Red Canary with its Atomic Red Team tests.