BREACH & ATTACK SIMULATION · MITRE ATT&CK · CONTINUOUS ADVERSARY VALIDATION

Continuously emulate real attackers inside your environment. Validate. Detect. Respond.

Spakto executes real adversary tradecraft safely across your infrastructure to validate whether your security controls, detections, and teams can actually stop modern attacks — not just alert on them.

What is BAS

BAS is not alert testing.
It is attacker emulation.

Traditional security tools test whether detection rules fire on known signatures. Spakto BAS tests whether a real attacker can complete an objective — reconnaissance, execution, credential theft, lateral movement, and impact — safely and continuously.

[Interactive comparison widget. Left panel, "Traditional SIEM / EDR Alert View" (high noise): 47 alerts today, 23 false positives, 3 critical missed. Right panel, "Spakto BAS Attacker Emulation View" (live emulation): kill-chain phases Reconnaissance, Execution, Credential Access, Lateral Movement, Impact, with a sample Reconnaissance phase (TA0043) log marked DETECTED as tactic 1 of 5; summary: 1 detected, 4 missed, full path mapped.]
Attack Coverage Intelligence

Real-time adversary technique coverage across all 14 MITRE tactics.

Techniques Covered: 101/187 (+12 this cycle)
Overall Coverage: 54% (+6.2 pts)
Detection Gaps: 40 (-3 this cycle)
Simulation Confidence: 91% (+2.1 pts)
MITRE ATT&CK — 14 Tactics (status per technique: Covered / Partial / Gap)

Tactic   Name                  Score  Sample techniques                    Covered  Partial  Gap
TA0043   Reconnaissance          79%  T1595, T1592, T1589 (+2 more)              8        3    1
TA0042   Resource Dev.           64%  T1583, T1586, T1584 (+2 more)              5        4    2
TA0001   Initial Access          65%  T1078, T1190, T1566 (+2 more)              7        3    3
TA0002   Execution               85%  T1059, T1059.001, T1204 (+2 more)         10        2    1
TA0003   Persistence             75%  T1547, T1136, T1053 (+2 more)              9        3    2
TA0004   Priv. Escalation        57%  T1548, T1134, T1055 (+2 more)              6        4    4
TA0005   Defense Evasion         47%  T1027, T1036, T1218 (+2 more)              5        5    6
TA0006   Credential Access       60%  T1003, T1110, T1558 (+2 more)              7        4    4
TA0007   Discovery               87%  T1083, T1018, T1082 (+2 more)             12        2    1
TA0008   Lateral Movement        57%  T1021, T1021.001, T1021.002 (+2 more)      6        4    4
TA0009   Collection              77%  T1560, T1115, T1074 (+2 more)              9        2    2
TA0011   Command & Control       54%  T1071, T1095, T1572 (+2 more)              5        5    4
TA0010   Exfiltration            50%  T1041, T1048, T1567 (+2 more)              4        3    4
TA0040   Impact                  75%  T1485, T1486, T1498 (+2 more)              8        2    2
[Coverage radar over the 14 tactics (Recon, Res. Dev, Init Access, Execution, Persistence, PrivEsc, Def. Evasion, Cred. Access, Discovery, Lateral Move, Collection, C2, Exfil, Impact): 54% avg coverage; 101 covered, 46 partial, 40 gap.]
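As an added worked example (not Spakto's code), the following rebuilds the per-tactic scores and the headline 101/187 = 54% figure from the covered/partial/gap counts in the tactic table. The scoring rule is an assumption, full credit for a covered technique and half credit for a partial one, chosen because it reproduces every percentage the page shows; a defender can reuse the same model on their own BAS results to rank tactics for detection tuning.

```python
# Added example, not Spakto's code: rebuilds the coverage figures shown on
# the page from the per-tactic covered / partial / gap counts.
# ASSUMPTION: a covered technique scores 1, a partial one 0.5, a gap 0.
from dataclasses import dataclass

@dataclass(frozen=True)
class TacticCoverage:
    tactic_id: str
    covered: int
    partial: int
    gap: int

    def score(self) -> int:
        """Per-tactic score as a rounded percentage (partial counts half)."""
        total = self.covered + self.partial + self.gap
        return round(100 * (self.covered + 0.5 * self.partial) / total)

# Counts copied from the page's 14-tactic table, in page order.
TACTICS = [
    TacticCoverage("TA0043", 8, 3, 1),   # Reconnaissance
    TacticCoverage("TA0042", 5, 4, 2),   # Resource Development
    TacticCoverage("TA0001", 7, 3, 3),   # Initial Access
    TacticCoverage("TA0002", 10, 2, 1),  # Execution
    TacticCoverage("TA0003", 9, 3, 2),   # Persistence
    TacticCoverage("TA0004", 6, 4, 4),   # Privilege Escalation
    TacticCoverage("TA0005", 5, 5, 6),   # Defense Evasion
    TacticCoverage("TA0006", 7, 4, 4),   # Credential Access
    TacticCoverage("TA0007", 12, 2, 1),  # Discovery
    TacticCoverage("TA0008", 6, 4, 4),   # Lateral Movement
    TacticCoverage("TA0009", 9, 2, 2),   # Collection
    TacticCoverage("TA0011", 5, 5, 4),   # Command and Control
    TacticCoverage("TA0010", 4, 3, 4),   # Exfiltration
    TacticCoverage("TA0040", 8, 2, 2),   # Impact
]

def totals(tactics=TACTICS):
    """(covered, partial, gap) summed over all tactics."""
    return (sum(t.covered for t in tactics),
            sum(t.partial for t in tactics),
            sum(t.gap for t in tactics))

def overall_coverage_pct(tactics=TACTICS) -> int:
    """Headline figure: fully covered techniques over all mapped techniques."""
    covered, partial, gap = totals(tactics)
    return round(100 * covered / (covered + partial + gap))

def weakest(tactics=TACTICS, n=3):
    """Tactic IDs with the lowest scores, where detection tuning pays off most."""
    return [t.tactic_id for t in sorted(tactics, key=lambda t: t.score())[:n]]
```

Note that the headline percentage counts only fully covered techniques, so it sits well below the mean of the per-tactic scores; read the two figures together rather than interchangeably.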
Named Threat Actor Coverage

APT29 / Cozy Bear (Nation State · Russia): 74% coverage, 42 TTPs
FIN7 / Carbanak (Financially Motivated): 81% coverage, 37 TTPs
Scattered Spider (Social Engineering / Cloud): 68% coverage, 29 TTPs
LockBit 3.0 Affiliate (Ransomware Group): 86% coverage, 33 TTPs

Detection Confidence Map

Validated detection performance across MITRE ATT&CK tactics. Each technique reflects real alert behavior, latency, and signal quality.

[Heat-map widget: one column per tactic (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Command & Control, Exfiltration), each cell a technique (the extracted placeholder cells all read "T1059 Command Execution") with a verdict of Detected, Delayed or Missing. Legend: Validated Detection · Partial / Delayed · Detection Gap.]
Reporting & Analytics

Security posture,
measured by adversary outcomes.

Detection Coverage: 82% (+21 pts in 90 days)
Mean Detection Time: 39s (down from a 72s baseline)
Critical Gaps Remaining: 7 (was 28 at program start)
TTPs Validated: 189 (across 14 MITRE tactics)

[Chart: Detection Coverage Trend over 12 weeks, plotting Coverage % and MTTD (s) at W1, W4, W7 and W10.]

Undetected TTP Breakdown
Defense Evasion: 14 TTPs (31%)
Credential Access: 10 TTPs (22%)
Priv. Escalation: 8 TTPs (18%)
Lateral Movement: 6 TTPs (14%)
Exfiltration: 7 TTPs (15%)

Insight: Defense Evasion and Credential Access represent 53% of all undetected TTPs — prioritising detection tuning here yields the highest posture gain.

Compliance Intelligence Network

Continuous control validation.
Audit-ready evidence, always.

Frameworks

SOC 2 Type II
Last validated: 2025-01-15 · Evidence documents: 121
Coverage: 91%

Security (CC): 52/58 controls (PARTIAL)
Availability (A): 18/20 controls (PARTIAL)
Processing Integrity (PI): 12/12 controls (READY)
Confidentiality (C): 8/10 controls (PARTIAL)
Privacy (P): 31/31 controls (READY)

2 domains audit-ready · 3 domains partial · 4 open control gaps

[Widget: bas-compliance-mapper for SOC 2 (live), mapping BAS results to SOC 2 Type II controls; 0/7 controls mapped, 0% complete before a run.]
BAS Use Cases

Operational validation across
every attack surface.

MITRE ATT&CK Coverage Validation

Measure your true defensive coverage

Continuously simulate mapped adversary TTPs across all 14 MITRE tactics to measure detection coverage, identify blind spots, and quantify defensive effectiveness against real threat actors.

Key Metrics
Techniques Simulated: 190+
MITRE Tactics Covered: 14
Avg Coverage at Start: 72%
After 90-Day Program: 91%

Related Techniques
T1059 — Scripting
T1078 — Valid Accounts
T1190 — Exploit Pub App
T1566 — Phishing
T1110 — Brute Force
T1021 — Remote Services

Impact: 17% reduction in undetected adversary paths after the first programme cycle
How It Works

How Spakto BAS works.
Telemetry to validated intelligence.

01

Connect Telemetry

EDR · SIEM · Cloud APIs · Identity

Spakto ingests from all security data sources with read-only API connections — EDR agents, SIEM platforms, cloud provider APIs, and identity providers. Zero write access required across any source.

EDR: CrowdStrike Falcon / SentinelOne / Microsoft Defender
SIEM: Splunk / IBM QRadar / Google Chronicle
Cloud: AWS CloudTrail, Azure Monitor, GCP Activity Logs
Identity: Active Directory, Okta, Azure AD, Google Workspace
[Widget: spakto-bas connect-telemetry console, showing "[+] Connecting to CrowdStrike Falcon API..."]
ADVERSARY EMULATION ENGINE · KILL CHAIN EXECUTOR

Stage-by-stage attacker playbook
executed, validated, scored.

Every simulation follows a structured kill-chain sequence mapped to MITRE ATT&CK. Select a tactic stage, fire the emulation, and watch real-time technique execution logs with pass/block verdicts from your controls.

[Interactive emulation console: command "emulate --tactic TA0043 --stage recon" with an empty Reconnaissance emulation log ("Click EXECUTE to begin emulation"). Stage Coverage Breakdown for TA0043, TA0001, TA0002, TA0003, TA0004, TA0008 and TA0010, each at 0% before execution.]
CONTROL GAP MATRIX · TACTIC × CONTROL HEAT MAP

Every control. Every tactic.
Every gap made visible.

BAS maps each control layer against every MITRE ATT&CK tactic, scoring detection confidence from live simulation runs — not theoretical coverage claims.

Legend: ≥ 80% Strong · 60–79% Partial · 40–59% Weak · < 40% Gap

Control           Recon  Init Access  Execution  Persistence  Priv-Esc  Defense Evasion  Cred Access  Lateral  Exfil  Impact  AVG
EDR / XDR            20           85         92           78        88               95           82       76     60      70  75%
SIEM / SOAR          45           60         55           70        65               80           72       60     55      62  62%
Network IDS          80           55         40           30        35               50           45       65     85      40  53%
Email Security       10           90         70           45        40               60           75       30     25      35  48%
Identity / MFA       15           88         40           55        72               45           95       80     30      50  57%
CASB / DLP            5           30         20           35        30               40           50       40     90      60  40%
Firewall / NGFW      75           50         35           25        30               55           30       55     80      30  47%
Vuln Mgmt            60           72         65           50        80               70           65       55     40      45  60%

Critical Gaps: 14 (controls scoring <40% against mapped tactics)
Partial Cover: 31 (controls with 40–69% detection confidence)
Strong Coverage: 35 (controls validated ≥80% against live TTPs)
Avg Coverage: 61% (mean score across all control-tactic pairs)
THREAT VALIDATION TIMELINE · REAL-TIME ATTACK REPLAY

Every technique. Every verdict.
Timestamped and auditable.

BAS replays attacker sequences from a structured playbook and records every detection, block, and miss — with timestamps, latency, and control attribution for forensic-grade reporting.

[Replay widget: counters for Detected by Controls, Blocked / Prevented, and Missed (Gap Confirmed), all at 0 until REPLAY SIMULATION is clicked.]
