Why Breach and Attack Simulation Can’t Replace Red Teaming

I’m not against Breach and Attack Simulation (BAS). In fact, I think it has its place. But the way it’s being pitched, oversold, and misunderstood by vendors and buyers alike? That’s where the problem begins.

Too many people are cozying up to BAS as if it’s the silver bullet in their security stack — roasting marshmallows in front of a YouTube fireplace while real adversaries are out there setting actual fires.

BAS Isn’t Red Teaming. Period.

There’s an uncomfortable truth that needs to be said: BAS is not red teaming. It’s not even close.

Red teaming is built on creativity, context, and chaos. It’s about adversarial thinking — the kind of unpredictable, multi-stage attacks that make defenders sweat and post-incident reports go viral. BAS, on the other hand, is structured, templated, and heavily dependent on predefined playbooks.

When a vendor sells BAS as a “replacement” for red teaming or penetration testing, they’re doing a massive disservice to the industry — and more importantly, to the customer who believes they’re safe.

Click-Next-Simulate Doesn’t Make You Bulletproof

Let’s face it: most BAS tools today are reduced to “click-next simulations” that give firewall admins or system engineers the illusion of proactiveness. But if the operator running it doesn’t understand the cyber kill chain, if they don’t have a solid grasp of how lateral movement or privilege escalation works, then what’s being tested?

You can’t simulate what you don’t understand.

Running BAS with zero context is like handing a stethoscope to someone who’s never studied medicine and asking them to diagnose a heart condition.

BAS Belongs in the Hands of the Aware

Now let me flip the coin. When BAS is deployed in environments where teams deeply understand pentesting but don’t have the capacity or time to run one, it can actually shine.

Think of a mature blue team — threat hunters, detection engineers, IR specialists — who know how attacks unfold but want to validate defenses continuously. BAS becomes a unit test toolkit for them. It’s not meant to surprise, it’s meant to confirm.

Similarly, seasoned red teams may want to automate repeatable scenarios or validate their persistence mechanisms across environments without having to script from scratch every single time. That’s where BAS can assist — as supporting infrastructure, not a replacement.

The (Un)Comfortable Cost Conversation

Let’s talk budgets.

Hiring a skilled red teamer or even running quarterly pen tests isn’t cheap. Salaries, tools, time, and the operational complexity of true adversary simulation are real. That’s where BAS lures decision-makers — it promises “always-on validation” at a fraction of the cost.

But what’s often missed is this: If the BAS operator doesn’t know what they’re doing, you’re not saving money — you’re wasting it.

You might as well burn cash and call it a ‘fire drill’.

Threat-Led BAS & MITRE ATT&CK: The Brighter Side

If there’s one real innovation worth celebrating in this space, it’s threat-led BAS tied to MITRE ATT&CK.

Mapping simulated attacks to tactics, techniques, and procedures (TTPs) from real-world threat actors? That’s gold — especially when it’s updated frequently and reflects emerging threats.

MITRE’s move beyond the static ATT&CK matrix, with Engage and the practical projects coming out of the Center for Threat-Informed Defense (CTID), is promising. It helps shift BAS from basic scripting to threat-informed defense.

But again, execution matters. A shiny UI with an ATT&CK mapping doesn’t make your SOC “threat-led.” Context is key.

Chaining Together BAS Modules ≠ A Kill Chain

Here’s another fallacy floating around: chaining multiple BAS modules creates a full adversarial simulation.

False.

Unless your BAS platform can contextually emulate a kill chain — exploiting a weak external asset, pivoting, evading controls, and achieving impact — you’re just running a bunch of atomic tests with no adversarial logic.
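To make that distinction concrete, here is an added example in Python (not code from this article or from any BAS product). It runs the same five ATT&CK-tagged modules two ways: as independent atomic tests scored pass/gap against constructed SIEM alerts, which is the “unit test” use described earlier for a mature blue team, and as a gated chain in which each stage is attempted only if the previous stage actually produced what it needs. The technique IDs are real ATT&CK IDs; the alerts, host names and module bodies are constructed stand-ins for what a BAS agent and a SIEM would really produce.

```python
"""Atomic BAS runs vs. a gated kill chain.

Added example, not code from the original article or from any BAS product.
Technique IDs are real MITRE ATT&CK IDs; alerts, hosts and module bodies are
constructed stand-ins for real agent and SIEM output.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed telemetry: detection rules that fired, keyed by technique ID.
CONSTRUCTED_ALERTS: Dict[str, List[str]] = {
    "T1190":     ["WAF: SQLi pattern on /login"],
    "T1059.001": ["PowerShell -EncodedCommand spawned by w3wp.exe"],
    "T1003.001": ["Handle to lsass.exe opened with PROCESS_VM_READ"],
    # T1021.002 (SMB admin shares) and T1486 (encrypt for impact) have no
    # alerts on purpose: these are the detection gaps to be found.
}

State = Dict[str, object]   # what the simulated operator has obtained so far


@dataclass
class Stage:
    technique: str                  # ATT&CK technique ID
    name: str
    run: Callable[[State], bool]    # hypothetical module: mutates state, returns success
    requires: Optional[str] = None  # state key the stage needs before it can be attempted


# Hypothetical module bodies. A real BAS agent would execute the technique;
# these only record what the operator would gain from it.
def exploit_public_app(state: State) -> bool:
    if state.get("patched"):        # external asset is not exploitable
        return False
    state["rce"] = "web01"
    return True

def powershell_stager(state: State) -> bool:
    state["foothold"] = state["rce"]
    return True

def dump_lsass(state: State) -> bool:
    state["creds"] = ["WEB01$", "svc_backup"]
    return True

def smb_lateral_move(state: State) -> bool:
    state["foothold"] = "fs01"
    return True

def encrypt_for_impact(state: State) -> bool:
    state["impact"] = state["foothold"]
    return True

SCENARIO: List[Stage] = [
    Stage("T1190",     "exploit public-facing app", exploit_public_app),
    Stage("T1059.001", "PowerShell stager",         powershell_stager,  requires="rce"),
    Stage("T1003.001", "LSASS credential dump",     dump_lsass,         requires="foothold"),
    Stage("T1021.002", "lateral move over SMB",     smb_lateral_move,   requires="creds"),
    Stage("T1486",     "encrypt file server",       encrypt_for_impact, requires="foothold"),
]

# Atomic tests do not earn their preconditions; they assume them.
ASSUMED_PRECONDITIONS: State = {"rce": "assumed", "foothold": "assumed", "creds": ["assumed"]}


def run_atomic(stages: List[Stage], alerts: Dict[str, List[str]]) -> Dict[str, str]:
    """'Click-next' mode: every module runs against a fresh, pre-seeded state,
    so it always executes regardless of what came before. The only question
    asked is whether a rule fired. Good as a per-technique detection unit
    test; silent on whether an adversary could actually reach each step."""
    results: Dict[str, str] = {}
    for s in stages:
        s.run(dict(ASSUMED_PRECONDITIONS))
        results[s.technique] = "pass" if alerts.get(s.technique) else "gap"
    return results


def run_chain(stages: List[Stage], alerts: Dict[str, List[str]],
              state: State) -> Tuple[List[Tuple[str, str]], bool]:
    """Gated mode: a stage is attempted only if earlier stages produced what it
    needs, and the chain stops at the first failure. Returns the stages
    reached (each marked detected/silent) and whether impact occurred."""
    reached: List[Tuple[str, str]] = []
    for s in stages:
        if s.requires and s.requires not in state:
            break
        ok = s.run(state)
        reached.append((s.technique, "detected" if alerts.get(s.technique) else "silent"))
        if not ok:
            break
    return reached, "impact" in state


def silent_path(reached: List[Tuple[str, str]]) -> List[str]:
    """Techniques the operator executed without tripping any rule. A pass/gap
    table cannot express this because it never learns which steps were reachable."""
    return [t for t, verdict in reached if verdict == "silent"]


if __name__ == "__main__":
    print("atomic:", run_atomic(SCENARIO, CONSTRUCTED_ALERTS))
    for label, start in (("patched perimeter", {"patched": True}), ("unpatched perimeter", {})):
        reached, impact = run_chain(SCENARIO, CONSTRUCTED_ALERTS, dict(start))
        print(f"{label}: {len(reached)}/{len(SCENARIO)} stages, impact={impact}, "
              f"silent={silent_path(reached)}")
```

With the perimeter patched, the gated chain stops at T1190 and never reaches the two techniques that have no alerts; the atomic run still reports them as gaps, which is useful coverage data but says nothing about whether an adversary could get there. With the perimeter unpatched, the chain reaches impact with two silent stages, which is the finding a red team report would lead with and the one a row of independent pass/gap results cannot express.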

And don’t even get me started on vendors who claim to simulate zero-days, but their runbooks haven’t seen a serious update since EternalBlue made headlines.

CART, Autonomous Pentesting, and the “Next Big Hype”

So what about Continuous Automated Red Teaming (CART) and the rise of autonomous penetration testing?

Honestly, I think we’re in danger of creating the next wave of hype. Many so-called autonomous tools are still just glorified BAS engines in disguise, now with buzzier names and subscription models.

If they can’t think like an attacker — adapting, chaining, customizing — they’re not red teams. They’re just fancy vulnerability scanners with storytelling skills.

Conclusion: I Love BAS… But Only When It's Used Right

Let me be clear: I’m a fan of BAS. When it’s implemented by the right teams, for the right reasons, with full knowledge of what it can and cannot do — it becomes a powerful tool.

But the current state of BAS — oversold, poorly implemented, rarely updated, and often misunderstood — is hurting more than helping.

Until we stop treating it as a replacement for real offensive security work and start treating it like a supporting actor in a threat-informed defense, we’ll keep getting fooled by dashboards and false confidence.

So, next time someone offers you BAS as a magical fix, remember this:

Roasting marshmallows in front of a fake fireplace might feel warm — but it won’t save you from the winter that’s coming.
