Top 20 Breach and Attack Simulation (BAS) Vendors

Breach and attack simulation (BAS) remains a newer IT security technology, but its capabilities are increasingly essential to vigilance in a world of zero-day threats.

BAS can automatically spot vulnerabilities in an organization’s cyber defenses, akin to continuous, automated penetration testing. More than just pen testing and red team insights, BAS solutions often recommend and prioritize remediation to maximize security resources and minimize cyber exposure.

A few years into BAS’s entry into the cybersecurity marketplace, vendors range from startups to fast-growing mid-sized companies and vulnerability-focused enterprise companies. Some consolidation has already taken place, but more will come and the race to obtain a sustainable market share is far from over.

As the market develops, several vendors refer to advanced BAS solutions as security validation. Artificial intelligence and machine learning are an increasingly important part of this market, as automated cybersecurity tools need to be able to adjust as new threats emerge.

Top Breach & Attack Simulation Solutions

This roundup dives into the best in the BAS market, from the top-tier solutions to companies on the rise and honorable mentions.

Market Leaders

This list begins with the only vendors to make our top BAS article on every occasion since 2018. Four years later, the leading BAS solution providers are:

AttackIQ

AttackIQ started as an automated validation platform in 2013 in San Diego, California. Its platform, previously known as FireDrill, enables organizations to test and measure their security posture across environments. Informed by the MITRE ATT&CK matrix and its wealth of cyber adversary behavior, clients can run advanced scenarios targeting critical assets and continuously improve their defensive posture.

AttackIQ’s Anatomic Engine is a differentiator, as it can test ML and AI-based cybersecurity components. With the capacity to run multi-stage emulations, test network controls, and analyze breach responses, AttackIQ remains a top contender among BAS solutions.

Cymulate

Cymulate is the first of two Israeli vendors in our top tier BAS solutions. Founded in 2016, the Rishon LeZion-based vendor specializes in breach and attack simulation and security posture verification. By employing the MITRE ATT&CK framework and mimicking an array of advanced hacker strategies, the Cymulate platform assesses network segments, detects vulnerabilities, and optimizes remediation.

To confront the dynamic threat landscape, Cymulate offers continuous security validation that provides consistent guidance for action. Deploying Cymulate with near-unlimited attack simulations can be completed within minutes via a single lightweight agent.

Picus Security

Picus Security is a continuous security validation vendor founded in 2013 and located in San Francisco, California. Recognized in each of our top BAS lists, Picus has raised over $32 million through Series B and a corporate funding round by Mastercard in May 2022. The Picus Security Control Validation (SCV) platform scans for vulnerabilities and offers guidance on the germane configuration of security controls.

Integrating into an existing security information and event management (SIEM) system, the Picus SCV helps identify logging and alert gaps where additional action is required to optimize your SIEM. With MITRE ATT&CK and kill chain visibility, administrators deploying SCV can take the necessary steps to prevent the next advanced attack.

SafeBreach

SafeBreach holds multiple patents and awards for its BAS technology. Founded in 2014, the California-based vendor is a pioneer in breach simulation. Since our last update, SafeBreach earned a $53.5 million Series D funding round in November 2021. The BAS platform can detect infiltration, lateral movement, and data exfiltration by offering cloud, network, and endpoint simulators.

SafeBreach continuously validates tools and the organization’s overall security posture with an ever-changing threat landscape. When flagged, administrators have the visibility to take prompt action against potential vulnerabilities. With the SafeBreach platform deployed, organizations can expect increased security control effectiveness, real threat emulation, and improved cloud security.

XM Cyber

XM Cyber is a Tel Aviv-based cyber risk analytics and cloud security vendor launched in 2016. Born from the thought leadership of the Israeli intelligence sector, the XM Cyber Breach and Attack Simulation, previously known as HaXM, is a leading BAS solution. In its short history, the vendor has been at the forefront of BAS innovation, winning several awards and pushing other vendors forward.

XM Cyber identifies an organization’s most critical assets and works backward with attack-centric exposure prioritization, identifying the exploit routes. Analyzing every potential attack path and crafting remediation options informed by risk impact gives administrators visibility in real-time to secure their network. Through its success, XM Cyber was acquired for $700 million by retail conglomerate the Schwarz Group in November 2021.

Market Players

The next group includes a mix of familiar names like Mandiant and Rapid7 alongside budding vendors CyCognito and Randori – all ready to help clients validate their security posture.

CyCognito

CyCognito is committed to exposing shadow risk and bringing advanced threats into view. One of the youngest BAS vendors, it started operations in 2017 and is based in Palo Alto, California. Founded by tenured national intelligence professionals, CyCognito identifies attacker-exposed assets to enhance visibility into the attack and protect surfaces.

According to the vendor, clients identify up to 300% more assets than they knew existed on their network. Through the CyCognito platform, organizations can define risk categories, automate offensive cybersecurity operations, and prepare for any subsequent advanced attack. The budding vendor continues to grow with a Series D of $100 million in December 2021.

FireMon

Started in 2001, FireMon is a Kansas-based vendor for cybersecurity, compliance, and risk mitigation. One of the earliest companies to address change detection and reporting, compliance, and behavioral analysis, FireMon has a track record that includes helping over 1,700 organizations. For BAS, FireMon’s solution is Risk Analyzer, covering advanced vulnerability management, risk analysis, and threat modeling software.

With the capacity to categorize risks, simulate attacks, and craft policy-based remediation, Risk Analyzer offers a comprehensive BAS solution. FireMon’s attack path graphics and analysis are suitable for administrators who desire greater visibility.

Guardicore

A decade into a maturing zero trust solution space, Guardicore has been an upstart microsegmentation company addressing security for assets across hybrid environments. The Tel Aviv-based company most recently was acquired by enterprise cybersecurity vendor Akamai in September 2021 for $600 million.

For BAS, Guardicore’s open source platform Infection Monkey offers continuous testing and reports on network performance against attacker behavior. On par with or better than some proprietary solutions, Infection Monkey is environment agnostic, handles varying network sizes, and offers analysis reports based on zero trust, MITRE ATT&CK, and BAS.

Mandiant

In our first BAS update, Virginia-based startup Verodin made the list before its acquisition by FireEye in 2019. Integrated into the Mandiant Security Validation platform, Mandiant continues to lead the way through an eventful few years.

Founded in 2004, Mandiant has long been known for its enterprise cybersecurity and incident response credentials. That success led to its acquisition by FireEye in 2013 for $1 billion. And after the split of FireEye and Mandiant a decade later, Google acquired Mandiant for a whopping $5.4 billion in June 2022.

With integrated threat intelligence, automated environmental drift detection, and support for optimizing existing cybersecurity tools like SIEM, Mandiant eases a client’s monitoring job to focus on taking action. Mandiant notes clients can save big financially in the form of controlled vulnerabilities and speed response time to advance TTP by almost 600%.

Qualys

Qualys is a leading provider of cloud security and compliance solutions–and one of the older vendors to make our list, founded in 1999 in San Francisco. The Vulnerability Management, Detection, and Response (VMDR) platform is their most popular product and a top BAS solution.

From analyzing vulnerabilities with six sigma accuracy to identifying known and unknown network assets, the Qualys VMDR is a single app solution that’s fully cloud-based. In line with its cloud hosting, the vendor offers a set of features and several add-ons for organizations requiring more. Add-on features include mobile device support, cloud security assessments, and container runtime security.

Randori

A part of the budding attack surface management (ASM) solution space, Randori was one of the leading cybersecurity startups before its acquisition by IBM in June 2022. Launched in Waltham, Massachusetts in 2018, Randori’s black-box approach maps attack surfaces to identify and prioritize an organization’s most valuable targets.

Whether it’s continuous automated red teaming (CART), preparing for zero-day attacks, or inspecting shadow IT, the Randori Platform offers robust insights into the cyber kill chain. Organizations can test their managed detection and response (MDR), managed security service provider (MSSP), and Security Operations Center (SOC) capabilities, as well as the effectiveness of tools like SIEM, SOAR, and EDR.

Rapid7

Rapid7 kicked off operations in 2000 and, fifteen years later, released the Insight platform, bringing together vulnerability research, exploit knowledge, attacker behavior, and real-time reporting for network administrators.

Rapid7’s BAS solution is InsightVM and comes with an easy-to-use dashboard where clients can manage everything from risk prioritization and automated containment to integrated threat intelligence feeds. The goal of Rapid7’s InsightVM is to make cyber risk management seamless with features devoted to remediation and attack surface monitoring.

Best of the Rest

Last but not least, these companies are all first-time picks for the top BAS list and similarly represent a mix of newer and more mature vendors.

BreachLock

Launched in early 2019, BreachLock is a top BAS company focused on penetration testing as a service (PTaaS). While young, the New York City startup already has a growing reputation. The on-demand SaaS solution offers testing for servers, IoT devices, APIs, mobile and web apps, and cloud infrastructure to give clients end-to-end visibility of exposure to risk.

Another top cybersecurity startup also offers a cloud-based BAS solution with its autonomous penetration testing as a service (APTaaS), NodeZero. Across hybrid IT environments, NodeZero identifies internal and external attack vectors and verifies the effectiveness of security tools and remediations. Started in October 2019, the San Francisco-based company most recently earned a $30 million Series B in October 2021.

NetSPI

Founded in 2001, NetSPI has a track record of delivering pen testing to the top cloud providers, healthcare companies, banks, and more. The Minneapolis, Minnesota-based company’s PTaaS, Resolve, offers clients an orchestration platform to manage the lifecycle of vulnerabilities. With two-way synchronization to tools like ServiceNow and Jira, Resolve can reduce time to remediation.

Pentera

Formerly known as Pcysys, Pentera has emerged as another top BAS solution in a field full of Israeli security startups. Started in 2015, the Pentera Automated Security Validation (ASV) Platform inspects internal and external attack surfaces to emulate the latest threat behavior. With a Series C round worth $150 million in January 2022, Pentera has the leverage to emerge.

Scythe

Launched in 2018, Scythe is an adversary emulation platform offering services for red, blue, and purple teams to optimize visibility into risk exposure. Available as a SaaS or on-premises solution, the Virginia-based startup also offers developer-friendly clients a software development kit to create custom validation modules in Python or native code.

Skybox Security

Twenty years after its founding, Skybox Security’s stack of products includes threat intelligence, vulnerability control, network assurance, change management, and firewall assurance to form the Security Posture Management Platform. Alongside a robust set of integrations, Skybox offers organizations visibility into IT and OT infrastructure, path analysis, and risk scoring.

Sophos

Founded in 1985, Sophos is the UK-based enterprise cybersecurity vendor with a portfolio including antivirus, next-generation firewalls (NGFW), EDR, MDR, encryption, and more. Unlike other BAS solutions that attempt to identify and remediate risks for an entire organization’s infrastructure, Sophos Phish Threat focuses on the ever-present threat of phishing and the email attack vector for end users.

Tenable

A longtime leader in vulnerability management, Tenable continues to look to the future of cyber exposure while organizations experience digital transformation. Started in 2002, the Columbia, Maryland-based cybersecurity vendor’s portfolio includes solutions for ransomware, zero trust, application security, and a range of compliance and security frameworks.

Honorable Mention BAS Solutions

  • Aujas
  • Cronus Cyber
  • Detectify
  • DXC Technology
  • Foreseeti
  • Keysight
  • NeSSi2
  • NopSec
  • ReliaQuest
  • Verodin

What is Breach & Attack Simulation Software?

Breach and attack simulation solutions go beyond vulnerability assessments, penetration testing, and red teaming by offering automated and advanced breach simulation.

To test the strength of network security, organizations must put themselves in the shoes (or hoodie) of the world’s malicious actors. Administrators lean on existing threat intelligence, outsource system auditing to cybersecurity firms, and pray they fend off the next advanced attack. As a software, hardware, cloud, or hybrid solution, BAS offers the latest vulnerability management, risk analysis, and network testing.

The Cymulate platform offers a clear view of immediate threats, security controls, and scoring for critical infrastructure components like web gateways, endpoint security, and data exfiltration.

Why Do Companies Use BAS?

Malicious attacks and advanced persistent threats (APTs) pose a constant risk to SMBs and enterprise organizations. In response to the ever-evolving nature of threats, several security tools have evolved, among them vulnerability assessments, penetration testing, red teaming, and breach and attack simulation.

Without disrupting business continuity, these methods can test attacks and other malicious activities that provide valuable insight into future defensive needs.

Penetration Testing

Penetration testing is testing a network for vulnerabilities and complex configurations. Also shortened to just pen testing, this method is a foundational cybersecurity practice today, but the truth is it’s no longer enough for organizations that want to take all precautions against breaches.

Pen testers can offer valuable insight as they move across your network and attempt to exploit vulnerabilities. These tests are often scheduled, limited to assessing known vulnerabilities for reporting pertinent patches, and run during a 1-2 week sprint.

Red Teaming

In-house and third-party red teams refine penetration testing by targeting specific attack vectors, utilizing social engineering, and avoiding detection.

The idea is simple enough: hire ethical hackers to simulate multi-layered attacks against the home network. Like real-world malicious actors and APTs, these digital ninjas aim for the most precious virtual assets.

While pen testing can take as much as a couple of weeks, red team assessments typically last 3-4 months. The next generation of vulnerability and breach detection is BAS, an around-the-clock solution.

Active, Automated, and Simulated

Automated breach simulation addresses current threats. No longer does an organization have to worry about potential vulnerabilities for weeks or months between a visit by a third-party pen tester or red team.

With an on-premises or cloud-based breach and attack solution, administrators can automate vulnerability scans and attack scenarios for the most substantial visibility into a network’s defensive position. Insights into existing vulnerabilities or vulnerable routes to critical assets can be the difference in withstanding the next advanced attack. All the while, BAS solutions work inside the network without disrupting the business-critical production environment.

An AttackIQ attack graphic emulating the TTPs of nation-state adversaries exploiting the Log4Shell vulnerability in VMware Horizon Systems.

BAS features

APT Simulation

Breach and attack simulators assess and verify the most recent and advanced tactics, techniques, and procedures (TTPs) circulating the globe. In 2020, Russia-aligned APT29 was responsible for a prolonged and devastating breach of the SolarWinds Orion management software.

Advanced persistent threats, in particular, are daunting to organizations due to social engineering, zero-day vulnerabilities, and an incredible capacity to go unnoticed and undetected. No tool is guaranteed to stop every attack. Still, a BAS system in place can put a dent in detecting zero-day vulnerabilities and present potential attack routes for malicious actors moving through a network.

Automated vs. Manual

For penetration testing, red teaming, or in-house security audits, organizations and third-party security contractors were responsible for manually designing and executing each passthrough. Whether the scan was targeting a critical asset or doing a vulnerability assessment of the entire network, manual network testing is resource-exhaustive with any frequency.

BAS solutions have the technological prowess to mitigate this problem by automating the deployment of custom scans and attacks pertinent to the specific network, informed by threat intelligence feeds and the industry ecosystem.

Real-Time Insights

Malicious actors don’t care what time it is for the organization and will gladly take advantage of a small window of opportunity. Given this, SMB and enterprise organizations know that 24/7 monitoring is necessary, if not an objective in progress.

Firms can save internal resources devoted to vulnerability and attack simulations by outsourcing BAS. Network administrators can rest assured knowing breaches should result in a timely notification. For ongoing attacks, prompt notice and action can stop the attacker in their tracks before any additional damage.

Flexible for Evolving Infrastructure

Organizations moving to the cloud or considering alternatives to on-premises infrastructure require a solution covering everything. As a newer technology, breach and attack simulation can deploy to most infrastructures or network segments, including organizations moving towards a hybrid cloud or SD-WAN.

Add to this the headaches caused by mergers and acquisitions. For a global economy chock full of digital transformation and network changes, deployment flexibility for diverse environments is critical.

Deployment Options for BAS

Agent-Based Vulnerability Scanning

The most straightforward deployment of BAS is the agent-based method. Similar to a vulnerability assessment but offering more visibility, this approach means placing agents in the organization’s LAN to continue testing network segments.

A critical downside to the agent-based method is its lack of oversight of the perimeter and, typically, an inability to exploit or validate vulnerabilities. That said, the agent-based process for deployment is still an improvement from past tools, thanks to its ability to report vulnerabilities and map out potential attack routes.

Malicious Traffic-Based Testing

Monitoring traffic, including malicious packets, is an inherent component of any modern cyberinfrastructure. Whether it’s an NGFW, IDPS, SIEM, EDR, or a combination of these tools, comprehensive solutions to address risks are a focal point for advanced network security. The malicious traffic-based testing approach attacks the network to identify vulnerabilities and–more importantly–report instances where core security solutions like IDPS and SIEM miss malicious traffic.

Like agent-based scanning, several agents in virtual machines (VMs) sit positioned throughout the network. Using a database of breach and attack scenarios, these VMs serve as the targets for testing. However, like the agent-based method, the traffic-based deployment option also leaves your perimeter out of the equation.

Blackbox Multi-Vector Testing

The most advanced approach to BAS typically involves cloud deployment of agents to network locations, while the software solution maintains communication with the BAS platform. Unlike the previous two methods, the black box multi-vector approach for deployment includes analysis for perimeter-based breaches and attacks.

Much like the classic black box example for agent-machine I/O, this method aims to test as many inputs as possible on multiple attack vectors to detect malfunction. Suffice it to say that this method is most desirable for enterprises because it offers the most visibility into their defensive posture.

BAS: Next-gen vulnerability and risk management

When honing a skill, the saying goes, “practice makes perfect.” And then someone interjects, “Actually, perfect practice makes perfect.”

While maybe a bit too literal, they’re right in the context of cybersecurity. Threats today require proactive defensive strategies, and organizations can’t wait to be attacked to prepare. All it takes is one hidden misconfiguration and an advanced TTP for a network to fall victim to malicious actors.

Pen testing and red team services continue to make organizations more robust, offering critical insight into vulnerabilities, breach detection, and attack vectors. Breach and attack simulation is a natural step for SMB and enterprise organizations that require the latest cybersecurity tools. In an age where APTs wreak massive damage to critical infrastructures, the need for constant, active scanning for the newest threats makes sense.

Article revised by Sam Ingalls on May 6, 2021, and July 20, 2022.

Sam Ingalls
Sam Ingalls is an award-winning writer and researcher covering enterprise technology, cybersecurity, data centers, and IT trends, for eSecurity Planet, Tech Republic, ServerWatch, Webopedia, and Channel Insider.
