
Why Breach and Attack Simulation (BAS)?


To better understand how organizations approach adversarial emulation and security control validation, we spoke with Brian Rosmus, Manager of Research and Technology at K logix. As part of the K logix Cyber Research team, Brian evaluates security technologies across the market and helps organizations identify the right solutions based on their specific needs. 

As security programs mature, organizations are shifting from simply deploying controls to actively validating whether those controls work against real-world threats.

Breach and Attack Simulation has emerged as part of that shift, allowing teams to continuously test their environments against the same techniques adversaries are using today. Brian explains,


“Breach and Attack Simulation [platforms are] mapping to MITRE, mapping to real adversaries, and performing attack chains that really happen in the real world. Rather than relying on point-in-time testing, BAS enables organizations to safely emulate threat actors and understand how their defenses hold up across the full attack lifecycle.” 

 



Moving Beyond Traditional Testing 



Many organizations already have some form of testing in place, but those approaches often fall short in replicating real adversary behavior. 

Some tools, for example, may pentest or probe the environment to see what they can access, but do not emulate how a particular threat actor would actually move through systems or chain together techniques. 

BAS takes a different approach by focusing on realistic attack paths and adversary behavior. Brian comments,


“These tools allow organizations to emulate threat actors in a safe way and validate their security controls along the way. This allows teams to understand whether detections are firing as expected and where gaps exist in coverage.”  

 

 


Validating What Matters: Controls and Detection 


At its core, BAS is about validation. It is not just about identifying vulnerabilities, but about understanding how security controls perform under real conditions.

Organizations can simulate attacks and immediately see whether tools like SIEM or EDR are detecting the activity. Brian explains,



“You can say, we performed this simulation and this detection did or did not fire, and improve those detections as a result.”  

 


This feedback loop helps organizations continuously strengthen their defenses in a way that static assessments cannot.


The Role of AI 


One of the biggest shifts in the BAS market is the growing role of AI and automation. 

Organizations are increasingly looking for ways to generate simulations dynamically, rather than relying solely on prebuilt libraries. Brian clarifies, 



“[Organizations] want to be able to provide a threat advisory and generate a simulation based on that, and summarize the findings using AI. However, AI is an area where a lot of these vendors have some work to do.”  

 



This includes the ability to: 

  • Build simulations from threat intelligence or advisories

  • Query libraries of attack scenarios by prompting

  • Automate campaign scheduling by running emerging techniques as threat actors adopt them

  • Translate and summarize technical findings into business context 


While many platforms are beginning to incorporate AI, capabilities still vary significantly across the market. 


Simulating Real Attacks, Not Just Running Tests 



A key differentiator in BAS is the ability to replicate realistic attack chains, not just isolated techniques. 

Organizations are looking for flexibility in how simulations are run, including the ability to modify scenarios, introduce custom payloads, and incorporate human decision making into the process. 

This allows teams to move beyond static testing and create more dynamic, adversary-like scenarios. 

In some cases, organizations are also looking for ways to adjust the sophistication or aggressiveness of simulations to better mirror different types of attackers, e.g., nation-state actors, hacktivists, or “script kiddies”.



Measuring Risk in Context 


Another important observation is how organizations think about risk. 

Rather than focusing only on high severity vulnerabilities, many are prioritizing residual risk, the risk that remains after security controls and detections are applied. Brian comments, 



“Some organizations want to report on residual risk and not just focus on the highest vulnerability rating, [to] understand the greatest risk that is remaining.”  

 



This provides a more realistic view of exposure and helps security teams prioritize what actually matters. 
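The detection check and the residual-risk ranking described in the two sections above, as an added Python example (not from the interview or from any BAS product). The step and alert records, host names, 10-minute matching window and outcome weights are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: steps reported by a simulation run, and alerts exported from a SIEM.
STEPS = [
    {"id": "s1", "technique": "T1566.001", "host": "ws-014", "time": "2024-05-01T10:00:00", "severity": 5.0, "blocked": True},
    {"id": "s2", "technique": "T1059.001", "host": "ws-014", "time": "2024-05-01T10:02:00", "severity": 6.0, "blocked": False},
    {"id": "s3", "technique": "T1003.001", "host": "ws-014", "time": "2024-05-01T10:05:00", "severity": 9.0, "blocked": False},
    {"id": "s4", "technique": "T1021.002", "host": "srv-02", "time": "2024-05-01T10:09:00", "severity": 7.0, "blocked": False},
]
ALERTS = [
    {"technique": "T1003.001", "host": "ws-014", "time": "2024-05-01T10:05:40"},
    {"technique": "T1021.002", "host": "srv-02", "time": "2024-05-01T11:30:00"},  # fired outside the window
]
# Assumed weights: share of a step's severity that remains for each outcome.
REMAINING = {"prevented": 0.0, "detected": 0.3, "missed": 1.0}
WINDOW = timedelta(minutes=10)  # assumed maximum alert delay that still counts as a detection


def classify(step, alerts, window=WINDOW):
    """Return 'prevented', 'detected' or 'missed' for one simulation step."""
    if step["blocked"]:
        return "prevented"
    start = datetime.fromisoformat(step["time"])
    for alert in alerts:
        delay = datetime.fromisoformat(alert["time"]) - start
        same_target = (alert["technique"], alert["host"]) == (step["technique"], step["host"])
        if same_target and timedelta(0) <= delay <= window:
            return "detected"
    return "missed"


def residual_report(steps, alerts):
    """Rank steps by the risk left after controls and detections are applied."""
    rows = []
    for step in steps:
        outcome = classify(step, alerts)
        rows.append({"id": step["id"], "technique": step["technique"], "outcome": outcome,
                     "residual": round(step["severity"] * REMAINING[outcome], 2)})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


if __name__ == "__main__":
    for row in residual_report(STEPS, ALERTS):
        print(row)
```

In this constructed run the highest-severity step (s3) ranks third because its detection fired in time, while the step whose alert arrived late (s4) ranks first.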



Continuous Testing, Not Point in Time Exercises 


Traditional testing methods often provide a snapshot in time. BAS, on the other hand, is designed for continuous validation. 

Organizations can schedule simulations, run them across different parts of the environment, and monitor results as simulation steps occur. Brian notes,



“[Organizations] want to run simulations and get findings as it’s happening, especially if something critical is identified.”  

 



This shift toward continuous testing is critical in environments where threats and attack techniques are constantly evolving. 



A New Standard for Security Validation 


Breach and Attack Simulation represents a shift from reactive security to proactive validation. It allows organizations to move beyond assumptions and test their defenses against the techniques that matter most. 

By combining adversary emulation, continuous testing, and evolving AI capabilities, BAS helps security teams better understand their risk and strengthens their ability to respond. 


The K logix Cyber Research team evaluates leading BAS vendors, providing detailed comparisons, heat maps, and weighted analysis. If you are interested in learning more about let us know.  
