Breach And Attack Simulation
Why “Assume Breach” is the Future of Network Security
By Ron Gula, Gula Tech Adventures
In today’s evolving cyber threat landscape, “assume breach” isn’t just a mindset—it’s a strategic imperative. At Gula Tech Adventures, we’ve been on the front lines of cybersecurity investment and innovation, and I want to explain why embracing breach and attack simulation (BAS) tools—like our portfolio company Scythe—is critical to enhancing network defense in the age of complexity, AI, and insider threats.
Let’s walk through how adopting a breach-assumed model gives organizations a clearer picture of their true cybersecurity posture—and why this method is more important than ever.
From the NSA to 2024: The Evolving Need for Real-World Testing
When I began doing penetration testing in the 1990s, a once-a-year audit with a PDF report was standard. Today, we've evolved into an environment of continuous vulnerability detection, multiple overlapping control frameworks, and nonstop threat activity. Modern enterprises run blue teams for defense and red teams for offense—but without communication and a common understanding, those teams can fall short.
That’s where “assume breach” comes in. Instead of evaluating your network from the outside in (like a traditional pen test), assume breach assessments simulate an attacker who’s already inside—bypassing perimeter defenses—and ask: now what can they do?
Frameworks Help, But Complexity Hurts
We have no shortage of security frameworks—NIST CSF, PCI-DSS, CMMC, CIS Controls, MITRE ATT&CK—but they each prescribe overlapping controls in different ways. And real-world networks are messy.
Many organizations try to model access vs. authorization: just because someone can reach a system over the network doesn’t mean they’re authorized to use it. In theory, you prevent access or require authentication. In practice, complexity leads to gaps—gaps attackers can exploit. Combine that with thousands of systems, staff turnover, legacy tech, and cloud sprawl, and you’ve got a recipe for control failure.
AI Is Bypassing Security Controls
The rise of enterprise AI adds another dimension of risk. More companies are wiring generative AI tools directly into their backend systems—often bypassing traditional access controls in the name of productivity.
An attacker doesn’t need to exfiltrate petabytes of data. If they compromise an internal AI interface, they can just ask the system questions and extract intelligence with surgical precision. And if your detection systems aren’t auditing what your AI tools are doing? You're flying blind.
AI may soon require its own monitoring AI just to audit internal usage. It's a weird recursive loop—but a necessary one.
Breach and Attack Simulation: The Practical Solution
This is why I’m such a strong advocate for breach and attack simulation (BAS) platforms. At Tenable, we focused heavily on vulnerability discovery. But I’ve long believed that a lack of active controls is itself a vulnerability—and many orgs don’t assess that effectively.
That’s what led us to invest in Scythe.
Scythe allows red teams to safely emulate real-world adversaries—complete with malware behavior, persistence mechanisms, and lateral movement patterns—without damaging systems or data. You can simulate implants, backdoors, insider threats, or code-level vulnerabilities. And critically, you can see what your blue team catches... and what they miss.
Example: Clients Are Attack Vectors Too
One commonly overlooked risk? Client systems that access core infrastructure.
If you’ve got users with credentials who connect to sensitive systems—PeopleSoft, DNS servers, domain controllers—those client systems can serve as indirect attack vectors. Exploiting a client vulnerability (think VLC, SSH clients, browsers) might be the first step to owning the server it connects to.
That’s a perfect scenario for a BAS test. Drop a benign implant on the client. See if the EDR flags it. See if it’s caught in logs. See if it triggers alerts in your SIEM or SOAR platform. Often, it won’t.
Modeling vs. Testing: Why You Need Both
Many orgs rely on models or access control maps. That’s good—but models are still theoretical. Real-world tests provide empirical validation.
Let’s say you’ve got firewalls, NAC, VPN, bastion hosts, and maybe a stealth overlay network. Great. Now layer in the 5+ ways you can authorize access: passwords, SSH keys, SSO, certificates, privileged access systems, domain tokens...
Where are the gaps? You could spend weeks modeling them, or you could test it directly.
BAS lets you simulate lateral movement or privilege escalation within specific “pipes” between systems and confirm whether your detection and prevention controls actually work.
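Here is an added example, not code from this post or from Scythe, of the "what did the blue team catch, what did they miss" comparison that the benign-implant test above and the pipe-by-pipe control check both come down to: each simulated step is tagged with the MITRE ATT&CK technique it exercises and matched against a SIEM alert export taken after the run. The host names, rule names, step list and alert lines are all constructed for the example.

```python
"""Compare the steps a benign BAS implant performed against what the SIEM actually alerted on."""
import json

# Constructed run plan: each step the simulated implant executed on the client,
# tagged with the MITRE ATT&CK technique it exercises. Hosts and steps are hypothetical.
EXPECTED_STEPS = [
    {"step": "implant_exec",   "technique": "T1204.002", "host": "ws-finance-07"},
    {"step": "persist_runkey", "technique": "T1547.001", "host": "ws-finance-07"},
    {"step": "lateral_smb",    "technique": "T1021.002", "host": "ws-finance-07"},
    {"step": "c2_beacon",      "technique": "T1071.001", "host": "ws-finance-07"},
]

# Constructed SIEM alert export (one JSON object per line) pulled after the run.
# The db-core-01 line is unrelated noise and should not count toward coverage.
SIEM_ALERTS = """
{"host": "ws-finance-07", "technique": "T1204.002", "source": "edr", "rule": "office_spawned_script_host"}
{"host": "ws-finance-07", "technique": "T1547.001", "source": "sysmon", "rule": "run_key_modified"}
{"host": "ws-finance-07", "technique": "T1547.001", "source": "edr", "rule": "autostart_persistence"}
{"host": "ws-finance-07", "technique": "T1021.002", "source": "edr", "rule": "admin_share_connect"}
{"host": "db-core-01", "technique": "T1110.001", "source": "siem", "rule": "auth_failure_burst"}
"""

def load_alerts(text):
    """Parse one JSON alert per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def coverage_report(expected, alerts):
    """Return (caught, missed): caught maps step -> sorted sources that fired for that
    host+technique; missed lists steps that no control reported at all."""
    seen = {}
    for a in alerts:
        seen.setdefault((a["host"], a["technique"]), set()).add(a["source"])
    caught, missed = {}, []
    for step in expected:
        sources = seen.get((step["host"], step["technique"]), set())
        if sources:
            caught[step["step"]] = sorted(sources)
        else:
            missed.append(step["step"])
    return caught, missed

def coverage_ratio(expected, alerts):
    """Fraction of simulated steps that at least one control detected."""
    caught, _ = coverage_report(expected, alerts)
    return len(caught) / len(expected)

if __name__ == "__main__":
    alerts = load_alerts(SIEM_ALERTS)
    caught, missed = coverage_report(EXPECTED_STEPS, alerts)
    for step, sources in caught.items():
        print(f"caught  {step:15s} by {', '.join(sources)}")
    for step in missed:
        print(f"MISSED  {step:15s} no control alerted; check logging for this pipe")
    print(f"coverage: {coverage_ratio(EXPECTED_STEPS, alerts):.0%}")
```

The missed list is the actionable output: here the beacon step produced no alert, which is exactly the kind of gap a model of your controls would not reveal.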
Real-World Scenarios You Can Simulate
Supply Chain Risks: What if a software update includes a backdoor?
Insider Threats: Can a rogue employee move laterally within the network?
Third-Party Vendors: Do your contractors have excessive access?
BYOD Devices: Can unauthorized laptops introduce malware?
These aren’t academic risks—they’re daily headlines. And BAS lets you explore the “what if” of each scenario in a safe, measurable way.
Where to Start: Prioritize Critical Assets
If you can’t test everything (and you can’t), start with your core:
Domain controllers
Database servers
Admin workstations
Critical executives
High-value IP systems
Public-facing services
Focus on systems where compromise would result in a “bad day.” Those should be the most instrumented, monitored, and resilient in your network. Test them regularly. Then expand outward.
AI Makes Testing More Urgent
With AI becoming more embedded in enterprise systems, the risk of rapid, stealthy compromise is higher than ever. You may have solid EDR, solid SOAR, and a strong SIEM—but are they monitoring what your LLM is doing?
Assume breach. Test what happens if someone queries your internal AI, pulls sensitive data, and exfiltrates it via DNS or HTTPS. BAS platforms like Scythe let you simulate these scenarios before they happen for real.
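As an added illustration, not part of the original post, of what the blue-team side of that DNS exfiltration test looks like: a small heuristic run over constructed resolver log lines that flags a client sending many unique, long, high-entropy labels under one domain, the shape data takes when it is chunked into DNS names. The client addresses, domain names and thresholds are assumptions for the example.

```python
"""Flag clients whose DNS queries have the shape of a tunnel: many unique, long,
high-entropy leftmost labels under a single registered domain."""
import math
from collections import defaultdict

# Constructed resolver log, one "<client> <qname>" per line. Hosts and domains are hypothetical.
# The 10.1.4.91 queries to example.net carry 32-hex-char labels; the long all-'a' label from
# 10.1.4.22 is there to show that length alone is not enough to trigger a finding.
DNS_LOG = """\
10.1.4.22 www.example.com
10.1.4.22 updates.example.com
10.1.4.22 mail.example.com
10.1.4.22 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.cdn.example.org
10.1.4.91 www.example.com
10.1.4.91 a3f9c1e0b7d24c8e5f6a1b2c3d4e5f60.files.example.net
10.1.4.91 9b8e7d6c5a4f3e2d1c0b9a8f7e6d5c4b.files.example.net
10.1.4.91 0f1e2d3c4b5a69788796a5b4c3d2e1f0.files.example.net
10.1.4.91 7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a29.files.example.net
10.1.4.91 e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0.files.example.net
"""

def shannon_entropy(s):
    """Bits per character; a 32-char hex label using all 16 symbols evenly scores 4.0."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain (no public-suffix list offline).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_dns_tunnels(log_text, min_unique=5, min_label_len=24, min_entropy=3.0):
    """Group queries per (client, registered domain) and flag pairs with at least
    min_unique distinct leftmost labels that are both long and high-entropy."""
    per_pair = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        per_pair[(client, registered_domain(qname))].add(qname.split(".")[0])
    findings = []
    for (client, domain), labels in per_pair.items():
        suspicious = [l for l in labels
                      if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(suspicious) >= min_unique:
            findings.append({"client": client, "domain": domain, "unique_labels": len(suspicious)})
    return findings
```

Run it against the resolver logs captured during a simulated exfiltration and, if the run comes back empty, you have learned that your DNS telemetry is not reaching the SIEM, which is the point of the test.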
Don’t Wait for Perfection—Start Now
Many CISOs say they’re “too busy” or their red teams already generate too much noise. But BAS doesn’t have to be disruptive. It can start small—run a test once a quarter, validate a specific control, assess one business unit.
And as Gartner noted, orgs that embrace BAS and continuous threat exposure management (CTEM) move into the “optimized” category of maturity. That’s exactly where you want to be if you’re defending critical infrastructure, sensitive data, or customer trust.
Final Thoughts: Complexity Is the Enemy, Simulation Is the Answer
Aviation taught me something important: you never rely on just one system for altitude or heading. Redundancy is survival.
It’s the same with cybersecurity. You can't rely solely on alert volumes or audit logs to assess your posture. You need second opinions. You need real-world tests. You need continuous validation.
Breach and attack simulation tools are that second opinion—and a critical part of a modern, “assume breach” security program.
If you want to learn more, check out Scythe at their website, or reach out to us at Gula Tech Adventures. We’re always happy to chat about cybersecurity strategy, product innovation, and investing in the tools that help secure our digital future.
Thanks for reading—and as always, stay safe out there.
— Ron Gula
Founder, Gula Tech Adventures