continuous validation · 08

Continuously validate your detections.

Automated attack-technique replay against your production environment, scheduled and safe. Verifies that the controls you bought, configured, and tuned still catch what they were supposed to catch.

01. in scope

What's in scope.

What BAS exercises cover.

Initial-access techniques

Phishing payload delivery, credential stuffing, exposed-service abuse. Confirms that the email-gateway, EDR initial-detection, and authentication-anomaly rules actually fire.

Execution and persistence

Living-off-the-land binaries, scheduled tasks, registry persistence, OAuth app abuse. Tests EDR and SIEM rule coverage.

Lateral movement

Pass-the-hash, Kerberoasting, SMB enumeration, cloud cross-account walks. Tests internal east-west visibility and segmentation.

Privilege escalation

Common Windows and Linux escalation patterns, sudo misconfiguration, AD CS abuse. Tests host-level monitoring.

Exfiltration

DNS tunneling, HTTPS POST to attacker domains, cloud-object exfil. Tests network DLP and outbound monitoring.

Cloud-specific techniques

IAM privilege walks, snapshot exfil, control-plane log evasion. Tests CSPM and cloud audit-log alerting.

02. how we work

How we work on it.

How a BAS engagement runs.

  1. Scoping call: 60 minutes. We learn the environment, the existing detection stack, and the risk appetite for live testing.
  2. Baseline run: one pass of the full technique library. Establishes which controls fire and which do not. Baseline report delivered.
  3. Tuning sprint: a two-week sprint with your detection-engineering team. Close the most material gaps, then re-run.
  4. Scheduled cadence: monthly or quarterly automated runs. Each run reports drift from the baseline. Useful as SOC 2 continuous-monitoring evidence.
  5. Annual review: once per year, a full library refresh and a deep technique review with the SOC. Aligns the program against newly added ATT&CK techniques.

03. deliverables

What you walk away with.

Outputs from a BAS engagement.

Coverage matrix

Every technique tested, the result (detected, alerted, blocked, missed), the tool that caught it, and the timestamp. Heatmap by ATT&CK tactic.

Detection drift report

Per-run delta. Shows where coverage regressed (often after a control upgrade or tooling change). Critical for catching silent failures.
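
The coverage matrix and the drift report are the two data structures the engagement produces, so here is an added illustration of how they relate. This is example code written for this page, not the firm's own tooling or any vendor platform. It builds a technique-keyed coverage matrix from constructed run records, the per-tactic counts behind the heatmap, and a per-run delta that reports regressions, improvements, and techniques that were not replayed. The sample records, the use of ATT&CK IDs as labels, and the ranking blocked > alerted > detected > missed are assumptions made for the example.

```python
"""Coverage matrix, ATT&CK-tactic heatmap and per-run drift from BAS run results.

Added example, not the page's own tooling. Run records are constructed
sample data; technique IDs are ATT&CK IDs used only as labels, and the
ordering blocked > alerted > detected > missed is an assumption about how
the four result states rank.
"""
from collections import defaultdict

# Assumed ranking of the four outcomes: a lower rank in a later run is a regression.
RANK = {"blocked": 3, "alerted": 2, "detected": 1, "missed": 0}

# Constructed sample data. Each record: technique, tactic, result, the tool that
# caught it (None when missed), and the UTC timestamp of the replay.
BASELINE_RUN = [
    {"technique": "T1059.001", "tactic": "Execution", "result": "alerted", "tool": "EDR", "ts": "2024-03-01T09:00:00Z"},
    {"technique": "T1053.005", "tactic": "Persistence", "result": "detected", "tool": "SIEM", "ts": "2024-03-01T09:05:00Z"},
    {"technique": "T1550.002", "tactic": "Lateral Movement", "result": "blocked", "tool": "EDR", "ts": "2024-03-01T09:10:00Z"},
    {"technique": "T1048.003", "tactic": "Exfiltration", "result": "missed", "tool": None, "ts": "2024-03-01T09:15:00Z"},
]
LATEST_RUN = [
    {"technique": "T1059.001", "tactic": "Execution", "result": "missed", "tool": None, "ts": "2024-04-01T09:00:00Z"},  # regressed
    {"technique": "T1053.005", "tactic": "Persistence", "result": "detected", "tool": "SIEM", "ts": "2024-04-01T09:05:00Z"},
    {"technique": "T1048.003", "tactic": "Exfiltration", "result": "alerted", "tool": "DLP", "ts": "2024-04-01T09:15:00Z"},  # gap closed
    # T1550.002 is absent: the lateral-movement replay was skipped this run.
]


def coverage_matrix(run):
    """Technique -> record. Rejects unknown result states so bad data cannot
    masquerade as coverage."""
    matrix = {}
    for rec in run:
        if rec["result"] not in RANK:
            raise ValueError(f"unknown result {rec['result']!r} for {rec['technique']}")
        matrix[rec["technique"]] = rec
    return matrix


def heatmap_by_tactic(run):
    """Tactic -> {result: count}; the numbers behind a per-tactic heatmap."""
    heat = defaultdict(lambda: {r: 0 for r in RANK})
    for rec in coverage_matrix(run).values():
        heat[rec["tactic"]][rec["result"]] += 1
    return dict(heat)


def drift(baseline, current):
    """Per-run delta against the baseline.

    Returns regressed, improved and untested technique lists. A technique that
    was in the baseline but was not replayed is reported as untested rather
    than silently dropped: silence is exactly the failure mode a drift report
    exists to catch.
    """
    base = coverage_matrix(baseline)
    cur = coverage_matrix(current)
    report = {"regressed": [], "improved": [], "untested": []}
    for tid, b in base.items():
        c = cur.get(tid)
        if c is None:
            report["untested"].append(tid)
            continue
        delta = RANK[c["result"]] - RANK[b["result"]]
        entry = (tid, b["result"], c["result"], b["tool"], c["tool"])
        if delta < 0:
            report["regressed"].append(entry)
        elif delta > 0:
            report["improved"].append(entry)
    return report


if __name__ == "__main__":
    for tactic, counts in heatmap_by_tactic(LATEST_RUN).items():
        print(f"{tactic:18} {counts}")
    for kind, items in drift(BASELINE_RUN, LATEST_RUN).items():
        print(kind, items)
```

On the sample data the delta shows the PowerShell execution replay dropping from alerted to missed, the DNS exfiltration gap closing after the DLP tuning, and the pass-the-hash replay flagged as untested because it was skipped. Treating a skipped technique as its own category matters: if it were dropped from the comparison, the heatmap would look unchanged while real coverage had shrunk.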

Tuning recommendations

For each missed technique: what should have caught it, why it did not, what rule or configuration change would close the gap.

Audit-ready evidence

Continuous-monitoring evidence formatted for SOC 2, ISO 27001, and PCI DSS reviewers.

Executive dashboard

Trend over time. The board sees whether the program is improving, holding, or sliding.

Annual narrative report

Once per year, a narrative report that captures the year of testing for board and audit consumption.

04. when

When teams hire us for this.

When BAS belongs in the program.

You bought a SIEM, an EDR, and a CSPM

You spent the budget. Now you need to know whether the controls work, the rules fire, and the alerts get triaged.

You went through a tool consolidation

A platform migration can silently break detections. BAS catches the regression before an attacker does.

Continuous monitoring requirement

SOC 2 Type 2 and ISO 27001 expect ongoing control validation. BAS is the audit-friendly mechanism.

You have a SOC and need to keep it sharp

BAS exercises the SOC on every scheduled run, not once a year. Detection engineers learn the most from real misses.

05. faq

Questions before the call.

BAS FAQ.

Will this damage production?

No. Techniques are non-destructive by default. Where a technique is genuinely risky, we either skip it or run it against a representative test environment.

What tooling do you use?

Vendor-neutral. We use a combination of commercial BAS platforms and custom tooling, depending on your environment and risk tolerance.

Do you replace red-team engagements?

No. BAS validates controls against known techniques. A red team finds the new technique or the path your controls did not anticipate. They are complementary.

How often should we run?

Monthly for high-risk environments, quarterly for most. Annual is too slow to catch detection drift.

Can we run this ourselves?

Yes, eventually. Most teams run BAS internally after a year of working with us on the rule library and triage process.

Want to know if your detections still work?

A 60-minute call covers your detection stack, alert volume, and where BAS would close gaps fastest. Free.