Breach and Attack Simulation (BAS): Test Continuously Instead of Hoping Once a Year
Organisations spend serious money on security products every year — firewalls, EDR, email security, SIEM. The uncomfortable question remains open all the same: does any of it actually work the way it should when it matters? A once-a-year pentest snapshot answers that for a single day. Breach and Attack Simulation (BAS) closes exactly that gap.
BAS is an automated approach that mimics real attack actions to verify whether the security measures you already have genuinely serve their purpose — continuously, repeatably, and with no risk to production.
The Three BAS Approaches
1. Agent-based. Agents distributed across the network hunt for vulnerabilities and possible attack paths. Conceptually related to vulnerability scanning, but with far more context about how an attacker would actually move.
2. Traffic-based. Malicious traffic is generated between virtual machines to test whether security controls detect and block attack scenarios.
3. Cloud-based. Delivered as SaaS, this approach simulates external multi-vector attacks against the network perimeter — fast to roll out and with no infrastructure of your own.
Who Benefits From BAS
The biggest gains go to large organisations with many security products, dynamic IT environments and high compliance demands — banks and insurers, for example. Vendors like SafeBreach, Cymulate and XM Cyber shaped the market; multi-tenant offerings increasingly make the technology accessible to smaller companies too.
BAS vs. Manual Penetration Testing
BAS does not replace the penetration test — not today, at least. Three reasons:
- Compliance in many frameworks explicitly requires a human-led test.
- Creativity: simulations work through a known playbook. A human red team finds the chained path nobody anticipated — and is far less blind to false positives and false negatives.
- Depth: no automation spots logic flaws in business processes.
Where BAS is unbeatable, on the other hand, is closing the gap between two pentests. Every new detection rule, every configuration change, every new system can be validated against real attack techniques immediately — instead of waiting for the next audit.
Where BAS Fits in a Modern Strategy
Continuous validation is a core building block of Continuous Threat Exposure Management (CTEM): instead of periodic snapshots, you get an ongoing loop of discovering, prioritising and validating exposure. BAS provides the validation step — proof that a vulnerability (or a detection) is genuinely relevant in your specific context.
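The validation loop described above (run a simulated technique, check whether the existing detection fires, repeat after every rule or configuration change) can be expressed as a small regression harness. The following is an added example written for this page; it is not code from any BAS vendor or from the CTEM offering described here. The telemetry events, technique labels and detection rules are all constructed for illustration: each simulation is a harmless telemetry record standing in for a technique, not the technique itself, and the "tightened" rule models a configuration change that silently loses coverage.

```python
"""Minimal continuous detection-validation harness (added example, not the page's own code).

Each simulation is a constructed telemetry record, as an EDR or SIEM would see it.
Each detection rule is a predicate over such records. A run reports which rules
fired per simulation, which simulations were missed, which benign controls caused
false positives, and which previously detected simulations regressed after a change.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    """Constructed process-creation telemetry (assumed field names)."""
    parent: str
    process: str
    cmdline: str


@dataclass(frozen=True)
class Simulation:
    name: str           # illustrative label, not a vendor or framework ID
    event: Event
    should_alert: bool  # False for benign controls, which catch false positives


Rule = Callable[[Event], bool]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def office_spawns_shell(e: Event) -> bool:
    """Office application launching a command interpreter."""
    return e.parent.lower() in OFFICE_APPS and e.process.lower() in SHELLS


def encoded_powershell(e: Event) -> bool:
    """Baseline rule: any of the accepted spellings of the encoded-command switch."""
    return e.process.lower() in POWERSHELL and \
        re.search(r"-(e|enc|encodedcommand)\b", e.cmdline, re.I) is not None


def encoded_powershell_tightened(e: Event) -> bool:
    """A 'simplified' rule someone might ship; it only matches the short form."""
    return e.process.lower() in POWERSHELL and \
        re.search(r"-enc\b", e.cmdline, re.I) is not None


# Constructed simulations; the last one is a benign control that must NOT alert.
SIMULATIONS: List[Simulation] = [
    Simulation("T-office-shell", Event("winword.exe", "cmd.exe", "cmd.exe /c echo simulated"), True),
    Simulation("T-encoded-ps-short", Event("explorer.exe", "powershell.exe",
                                           "powershell.exe -enc <BASE64-PLACEHOLDER>"), True),
    Simulation("T-encoded-ps-long", Event("explorer.exe", "powershell.exe",
                                          "powershell.exe -EncodedCommand <BASE64-PLACEHOLDER>"), True),
    Simulation("control-benign-ps", Event("explorer.exe", "powershell.exe",
                                          "powershell.exe -File audit.ps1"), False),
]

RULES_BASELINE: Dict[str, Rule] = {
    "office_spawns_shell": office_spawns_shell,
    "encoded_powershell": encoded_powershell,
}
RULES_TIGHTENED: Dict[str, Rule] = {
    "office_spawns_shell": office_spawns_shell,
    "encoded_powershell": encoded_powershell_tightened,
}


def run(rules: Dict[str, Rule], sims: List[Simulation]) -> Dict[str, Set[str]]:
    """Fire every rule against every simulated event; return the rule names that hit per simulation."""
    return {s.name: {name for name, rule in rules.items() if rule(s.event)} for s in sims}


def evaluate(results: Dict[str, Set[str]], sims: List[Simulation]) -> Dict[str, List[str]]:
    """Split a run into misses (expected alert, none fired) and false positives (control alerted)."""
    expected = {s.name: s.should_alert for s in sims}
    misses = sorted(n for n, hits in results.items() if expected[n] and not hits)
    false_positives = sorted(n for n, hits in results.items() if not expected[n] and hits)
    return {"misses": misses, "false_positives": false_positives}


def regressions(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[str]:
    """Simulations detected in the baseline run that are no longer detected now."""
    return sorted(n for n, hits in baseline.items() if hits and not current.get(n))


if __name__ == "__main__":
    before = run(RULES_BASELINE, SIMULATIONS)
    after = run(RULES_TIGHTENED, SIMULATIONS)
    print("baseline:     ", evaluate(before, SIMULATIONS))
    print("after change: ", evaluate(after, SIMULATIONS))
    print("regressions:  ", regressions(before, after))
```

Run as a script, the baseline detects all three simulated techniques with no false positive on the benign control; after the rule change, the long-form encoded-command variant is missed and reported as a regression. In a real deployment the simulations would be executed on an endpoint and the "events" read back from the SIEM, and the harness would run on every detection-rule or configuration change rather than once a year.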
That’s exactly where our Continuous Threat Exposure Management comes in: we combine continuous validation with prioritisation by real business risk — and with the human depth of our red team where automation hits its limits.
Talk to us about Exposure Management — we’ll show you how continuous validation and targeted pentesting achieve more together than either does alone.