Cyberange · AttackWiz · Breach & Attack Simulation

Drop the agent. Run the TTPs. Measure what your SOC actually sees.

An agent-based BAS platform in the Caldera class. Deploy a lightweight agent on a target endpoint, execute atomic TTPs and chained scenarios mapped to MITRE ATT&CK, and compare the technique log against what your SIEM and EDR escalated. SOC maturity, measured per technique.

The CISO problem

You've spent 4–20% of revenue on security. You still don't know if it works.

Annual audits are snapshots. Pen-tests are samples. Red-team engagements are quarterly at best. Between them, adversaries are running continuous reconnaissance against you. Continuous validation is the only way to close the asymmetry.

01 · Multi-vendor stack gaps

EDR, NDR, SIEM, SOAR, IAM — each works in isolation, none has been tested together against an adversary that knows you have all four.

02 · Stale playbooks

Your IR runbook was written for last year’s threats. The TTPs your SOC drilled on six months ago are already a generation old.

03 · Unknown analyst capacity

You don’t know if L1 escalates the right alert. You don’t know if L2 reconstructs the kill chain in time. You will know after the breach.

How it runs

Agent. Orchestrator. TTP catalogue. Telemetry comparison.

A lightweight agent runs on the target endpoint. The orchestrator pulls atomic TTPs (or chained scenarios) from the catalogue and tells the agent which to execute. As each technique fires, AttackWiz logs the exact action; in parallel, it watches your SIEM/EDR feed for the corresponding alert. The delta is your detection gap.

AttackWiz architecture (diagram): orchestrator pulls TTPs from the catalogue, instructs the on-endpoint agent to execute them, observes SIEM/EDR telemetry, and computes the detection-gap delta.
Control plane: TTP catalogue (atomic tests · chains; ATT&CK-indexed; custom + curated) · Orchestrator (scenario scheduler; agent command channel; technique logger) · Reporting (ATT&CK Navigator JSON; per-technique deltas; exec summary · CISO).
Execution plane: AttackWiz agent on target endpoint (user-mode · reversible; Windows · Linux · macOS; executes TTP, reports back).
Observation plane: SIEM · EDR / XDR · SOAR / tickets.
Agent-based BAS · Caldera-class.

Capabilities

Six things a continuous-validation platform needs to do.

Agent-based execution

A lightweight user-mode agent runs on Windows, Linux, or macOS. No kernel hooks. No persistent payloads. Reversible by design — every test cleans up after itself.

Atomic TTPs + chained scenarios

Run a single technique to validate one detection rule, or chain dozens into a realistic post-compromise scenario. Both modes, same agent.

MITRE ATT&CK at technique grain

Every action mapped to a sub-technique ID. Output drops into ATT&CK Navigator JSON your SOC already reads. No translation layer needed.

Adversary profiles, by sector

Curated TTP sets representing the tradecraft seen in your industry — financial-services, energy, healthcare. State actor, criminal crew, insider — pick a profile, run it.

Tunable intrusiveness

Run loud (full-volume, every alert fires), run stealthy (living-off-the-land, slow), or anywhere in between. Author your own techniques — agents accept custom modules.

Continuous, not quarterly

Scheduled runs, scoped to business units. Catch detection regressions the day after a SIEM rule edit, not the next quarterly pen-test.

Coverage

Fourteen tactics. Hundreds of techniques. One coverage map.

Every emulation run produces an ATT&CK Navigator-compatible coverage matrix. You see exactly which techniques were exercised, which raised alerts, which were blocked, and — most importantly — which slipped through.

Coverage matrix (figure): MITRE ATT&CK Enterprise tactics · Recon, Resource, Initial, Execution, Persist, Privesc, Defense, Cred, Discovery, Lateral, Collection, C2, Exfil, Impact. Legend: Detected / Partial / Missed / Not in scope. Sample coverage; actual output varies by run.
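The comparison described under "How it runs" and the per-technique statuses in the coverage matrix above reduce to one join: technique log on one side, SIEM/EDR alert feed on the other, matched on ATT&CK ID inside a time window. The block below is an added illustration of that join, not AttackWiz's own code; the log entries and alert feed are constructed, and the field names, the 15-minute match window, the status palette and the subset of ATT&CK Navigator layer fields used are assumptions of this example.

```python
"""Detection-gap delta: technique log vs. SIEM/EDR alert feed.

Added illustration, not AttackWiz code. Field names, the match window,
the colour palette and the Navigator layer fields are assumptions.
"""
from datetime import datetime, timedelta, timezone
import json

# Constructed technique log: what the agent executed, when, and whether the
# agent reported the action as blocked by a control.
TECHNIQUE_LOG = [
    {"technique": "T1082",     "tactic": "discovery",         "ts": "2024-05-01T10:02:00Z", "blocked": False},
    {"technique": "T1003.001", "tactic": "credential-access", "ts": "2024-05-01T10:08:00Z", "blocked": False},
    {"technique": "T1053.005", "tactic": "persistence",       "ts": "2024-05-01T10:18:00Z", "blocked": False},
    {"technique": "T1021.002", "tactic": "lateral-movement",  "ts": "2024-05-01T10:31:00Z", "blocked": True},
    {"technique": "T1048.003", "tactic": "exfiltration",      "ts": "2024-05-01T10:45:00Z", "blocked": False},
]

# Constructed SIEM/EDR alert feed, already tagged with ATT&CK technique IDs.
ALERT_FEED = [
    {"technique": "T1003.001", "ts": "2024-05-01T10:08:45Z", "rule": "edr-lsass-handle"},
    {"technique": "T1053.005", "ts": "2024-05-01T10:25:00Z", "rule": "siem-schtasks-create"},
    {"technique": "T1021.002", "ts": "2024-05-01T10:31:10Z", "rule": "ndr-smb-admin-share"},
]

MATCH_WINDOW = timedelta(minutes=15)  # assumed: an alert counts if it lands within 15 min of execution
STATUS_COLOUR = {"detected": "#4caf50", "blocked": "#2196f3", "missed": "#f44336"}  # assumed palette


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def compute_delta(technique_log, alert_feed, window=MATCH_WINDOW):
    """Per executed technique: status, time-to-detect in seconds (or None), and the rule that fired."""
    results = []
    for run in technique_log:
        fired = _parse(run["ts"])
        # Earliest alert on the same technique ID at/after execution, inside the window.
        matches = sorted(
            (_parse(a["ts"]), a["rule"])
            for a in alert_feed
            if a["technique"] == run["technique"]
            and fired <= _parse(a["ts"]) <= fired + window
        )
        if matches:
            ttd, rule = int((matches[0][0] - fired).total_seconds()), matches[0][1]
        else:
            ttd, rule = None, None
        # A blocked action is reported as blocked whether or not it also alerted;
        # an unblocked action with no alert in the window is the detection gap.
        status = "blocked" if run["blocked"] else ("detected" if matches else "missed")
        results.append({"technique": run["technique"], "tactic": run["tactic"],
                        "status": status, "ttd_seconds": ttd, "rule": rule})
    return results


def gap_inventory(results):
    """Detection-gap inventory: techniques that slipped through, in chain order, with their tactic."""
    return [(r["tactic"], r["technique"]) for r in results if r["status"] == "missed"]


def mean_ttd(results):
    """Mean time-to-detect over the techniques that did alert (None if nothing alerted)."""
    ttds = [r["ttd_seconds"] for r in results if r["ttd_seconds"] is not None]
    return sum(ttds) / len(ttds) if ttds else None


def navigator_layer(results, name="sample-run"):
    """ATT&CK Navigator layer; techniques absent from the run are simply not listed (not in scope)."""
    return {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": r["technique"], "tactic": r["tactic"],
             "color": STATUS_COLOUR[r["status"]],
             "comment": f"{r['status']}; ttd={r['ttd_seconds']}s; rule={r['rule']}"}
            for r in results
        ],
    }


if __name__ == "__main__":
    res = compute_delta(TECHNIQUE_LOG, ALERT_FEED)
    for r in res:
        print(f"{r['technique']:<10} {r['status']:<8} ttd={r['ttd_seconds']} rule={r['rule']}")
    print("gaps:", gap_inventory(res), "mean ttd:", mean_ttd(res))
    print(json.dumps(navigator_layer(res), indent=2))
```

The window is the design decision worth arguing about: too short and a slow SIEM pipeline turns every technique into a "missed"; too long and an unrelated alert on the same technique ID gets credited to the run. Pinning the alert to the agent's host and user as well as the technique ID tightens the join further.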

Sample scenario · Post-compromise SOC drill

Assume the foothold. Now find out what your SOC sees.

The agent is on one endpoint — your "assumed-breach" starting point. From there it executes a chain of post-compromise techniques. Each fires a precise, ATT&CK-indexed action. Each is compared against what your SOC raised an alert on.

  1. T+0:00 · Agent activation
     Operator triggers the scenario from the orchestrator. The pre-deployed agent on the test endpoint comes online and pulls its TTP queue. SOC should see process-tree anomaly. Do they?

  2. T+0:02 · Discovery — T1082, T1083, T1057
     System info, file/directory enumeration, process listing. Low-noise baseline. If EDR doesn’t correlate this triad inside five minutes, the gap is in your behaviour-analytics rules.

  3. T+0:08 · Credential access — T1003.001 (LSASS) atomic
     Reversible LSASS-access primitive — touches the right Win32 calls without dumping anything sensitive. If neither EDR nor SIEM fires, your detection for the single highest-yield technique in the matrix is missing.

  4. T+0:18 · Persistence — T1053.005 (scheduled task)
     Creates a benign scheduled task with the same primitive adversaries use, then removes it. SOC should catch the registration. Capture which detection rule fired — and how long after.

  5. T+0:31 · Lateral movement — T1021.002 simulated
     SMB admin-share enumeration to a second test endpoint, no actual mount. If your NDR doesn’t flag east-west reconnaissance from a non-admin host, the gap is in your network telemetry coverage.

  6. T+0:45 · Exfiltration over HTTPS — T1048.003
     Stages a synthetic data archive in a designated test directory and transmits it to a controlled collection endpoint over HTTPS. DLP, SSL inspection, and proxy egress logging all get one chance. Did any of them fire?

Every run produces a per-technique report indexed to ATT&CK technique IDs, with timestamps, agent artefacts, and the corresponding SOC alert — or its absence.
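Step 2 of the drill says the gap is in behaviour-analytics rules if EDR does not correlate the discovery triad (T1082, T1083, T1057) within five minutes. The block below is an added example of what such a correlation rule looks like on the defender's side, run over constructed process-creation events; it is not AttackWiz's or any EDR vendor's rule. The event schema, the mapping from process image and command line to technique ID, and the per-host-and-user five-minute window are assumptions of this example.

```python
"""Discovery-triad correlation: T1082 + T1083 + T1057 from one host/user inside five minutes.

Added example of a behaviour-analytics rule, not AttackWiz or vendor code.
Event fields, the image/command-line-to-technique mapping and the window
are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
TRIAD = {"T1082", "T1083", "T1057"}

# Constructed process-creation events (Sysmon-style fields, trimmed).
# WS-TEST-01 runs all three discovery actions inside 150 s; WS-TEST-02 spreads
# them over nine minutes, so its T1082 has aged out when the third lands.
EVENTS = [
    {"host": "WS-TEST-01", "user": "corp\\jdoe", "ts": "2024-05-01T10:02:00Z", "image": "systeminfo.exe", "cmdline": "systeminfo.exe"},
    {"host": "WS-TEST-02", "user": "corp\\asmith", "ts": "2024-05-01T10:00:00Z", "image": "systeminfo.exe", "cmdline": "systeminfo.exe"},
    {"host": "WS-TEST-01", "user": "corp\\jdoe", "ts": "2024-05-01T10:02:40Z", "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS-TEST-01", "user": "corp\\jdoe", "ts": "2024-05-01T10:03:10Z", "image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\Users"},
    {"host": "WS-TEST-02", "user": "corp\\asmith", "ts": "2024-05-01T10:07:00Z", "image": "tasklist.exe", "cmdline": "tasklist.exe /v"},
    {"host": "WS-TEST-01", "user": "corp\\jdoe", "ts": "2024-05-01T10:04:30Z", "image": "tasklist.exe", "cmdline": "tasklist.exe"},
    {"host": "WS-TEST-02", "user": "corp\\asmith", "ts": "2024-05-01T10:09:00Z", "image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(event):
    """Map one process event to the discovery technique it indicates, or None (assumed mapping)."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    if image in ("systeminfo.exe", "hostname.exe"):
        return "T1082"  # system information discovery
    if image == "tasklist.exe" or "get-process" in cmd:
        return "T1057"  # process discovery
    if image == "tree.com" or "get-childitem" in cmd or (image == "cmd.exe" and " dir" in cmd):
        return "T1083"  # file and directory discovery
    return None


def correlate(events, window=WINDOW):
    """Sliding-window correlation per (host, user); one alert per complete triad."""
    recent = defaultdict(list)  # (host, user) -> [(ts, technique), ...] inside the window
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        tech = classify(e)
        if tech is None:
            continue  # not a discovery action; never enters the window
        key = (e["host"], e["user"])
        ts = _parse(e["ts"])
        # Evict entries older than the window, then add the current one.
        recent[key] = [(t, q) for t, q in recent[key] if ts - t <= window]
        recent[key].append((ts, tech))
        if TRIAD <= {q for _, q in recent[key]}:
            first = min(t for t, _ in recent[key])
            alerts.append({"host": e["host"], "user": e["user"],
                           "techniques": sorted(TRIAD),
                           "first": first.isoformat(), "last": ts.isoformat(),
                           "span_seconds": int((ts - first).total_seconds())})
            recent[key] = []  # reset so the same triad is not re-alerted on every later event
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"ALERT discovery triad on {a['host']} as {a['user']}: "
              f"{a['techniques']} within {a['span_seconds']} s")
```

Two details matter when this is turned into a production rule: keying on host and user rather than host alone keeps an administrator's routine inventory script from being merged with an interactive session, and the reset after each alert is what stops a single triad from paging the SOC once per subsequent process event.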

What changes after the first run

Stop guessing. Start knowing.

Detection-gap inventory

A ranked list of every technique that slipped through, by tactic.

SOC response-time baseline

Mean time to detect, escalate, and contain — for every stage of the chain.

Playbook regression catalogue

Which IR runbooks held. Which ones broke on the first novel TTP.

Tool-stack ROI evidence

Which controls fired. Which sat silent. Which fired falsely. Procurement, calibrated.

Deployed alongside

  • CERT-In
  • NCIIPC
  • BFSI · regulated financial entities
  • Sovereign · MeitY-aligned deployments
  • MITRE ATT&CK Navigator

Practice

"The annual audit model is structurally inadequate. The Mythos era demands a motion picture, not a snapshot. Adversaries don’t attack the fortress — they attack the supply chain. The exploitation timeline has collapsed."
Decoding the Mythos Threat — virtual symposium. An adaptive-cybersecurity-architecture brief for sovereign and regulated environments.

Schedule the first run. Measure what you actually have.

Scoped pilot on a single business unit. Two-week engagement. One executive-readable report on every detection gap we found.