Blog

Choosing Attack Path Management Over Security Control Validation When Shopping for Breach & Attack Simulation

Posted by: Menachem Shafran
March 06, 2022

Breach and Attack Simulation is gaining lots of hype today. Yet simulating attacks can mean many different things and serve many different use cases. Two of the top approaches to attack simulation are Security Control Validation and Attack Path Management. However, while both these concepts simulate attacks, they do it in very different ways and for very different goals.

By understanding when and how to deploy these products, you can make the most informed decisions possible when seeking to improve your security posture.

Understanding Security Control Validation

Security control validation is a process by which controls such as EDR, IPS and Secure Web Gateways are tested to ensure they are functioning correctly against cyber-risk. Conventional security control validation platforms run automated simulations to test security products and policies. 

This allows them to uncover security gaps and misconfigurations in those controls, then offer remediation to help address problems found through testing – much like purple teaming. These simulations validate things such as network controls, endpoints, cloud applications and container techniques.

In essence, security control validation tests the effectiveness of the SOC. Do the tools send the alerts they’re supposed to send based on the simulations run. As opposed to identifying whether there are credentials in my environment that can be exploited to reach my critical assets.

In theory, security control validation software can help an organization analyze its entire security stack to determine which controls are detecting, preventing — or missing — possible attack methods. 

Given the complexity of modern networks and systems — and the added complexity introduced when dozens of security controls are asked to play nice with each other — some form of validation is needed to “detect and protect.” 

Key considerations when selecting a security control validation platform:

  • They require many integrations, making setup and operation difficult
  • They do not highlight the risk in the context of critical asset protection
  • They are noisy
  • Remediation guidance is generic
  • By taking a segmented approach to simulation, they miss key security issues
  • They are mainly focused on detection and SOC efficiency

To summarize, security validation control platforms deliver real value – but their fundamental characteristics make them a tool for SOC efficiency and detection, rather than a holistic framework for critical asset protection across all environments.

Making this strategy easier for organizations with budgetary concerns is the availability of high-end open-source tools such as Atomic Red Team and CALDERA that can be used for security control validation. 

If you want to measure risk, find and prioritize root cause issues that put critical assets at risk, that go beyond detection controls, there is another approach that helps establish ROI: Attack path management.

When to Use Attack Path Management 

Ultimately, security control validation answers the question “how well are my security controls configured?”. By way of analogy, if hardening the perimeter is an eggshell of protection, then security control validation is understanding how brittle your eggshell is. Attack path management on the other hand assumes breach. It’s no longer about whether the perimeter is hardened enough to keep the attackers out. The assumption is that attackers will find their way in, and once in, you want to know how they can move around your network to compromise your critical assets. Now it’s about identifying weaknesses in your environment and how those weaknesses string together to form an attack path in order to harden your environment against potential attacks. 

Attack path management therefore takes a broader view by addressing the question: how can attackers move within my network and compromise my critical business assets? By collecting and analyzing data of what could potentially be exploited across on-premise and cloud environments, mapping all possible attack paths, we can understand which issues put critical assets more at risk than others. This allows for prioritized remediation, directing resources to remediate the most damaging attack paths with step-by-step remediation guidance to prevent attacks ahead of time.

Attack path management platforms, such as XM Cyber, place their focus on measuring risk across the environment, in the context of what can really put your business at risk, to then prioritize remediation for overall security posture improvement. Unlike security control validation platforms, attack path management technology is fully focused on critical asset protection.

Let’s take a closer look at some of the key factors that distinguish these two approaches:

  • XM Cyber’s graph-based simulation technology continuously discovers the attack paths that lead to critical assets, enabling full visibility into organizational security posture. This allows users to understand how vulnerabilities, misconfigurations, user privileges etc. chain together to create a cyber-attack path — or legions of them — that jeopardize critical assets.
  • XM Cyber technology is also comprehensive, capable of working across the hybrid cloud to identify exposures that could allow an attacker to pivot from an on-premises device to your cloud environment. For example, what could appear as a legitimate cloud configuration could imply a risk of attack from an on-premises credential that can be exploited to pivot into your cloud environment. 
  • Our attack path management platform provides detailed prioritized, remediation guidance and can spot security issues that go unnoticed to direct and focus resources on what to fix first based on level of attack complexity and level of risk to critical assets.

Here’s a good way to conceptualize the key distinction: Instead of being a SOC tool, attack path management is a holistic solution that puts the emphasis precisely where it needs to be: On protecting the most valuable and sensitive assets possessed by an organization. In the end, nothing in cybersecurity is more important.

Can Attack Path Management and Security Control Validation Work Together?

Organizations can also use security control validation and attack path management in a complementary fashion. This way, organizations can get the advantage of improved detection while hardening their environments, focusing resources wisely on the most critical issues that would reduce the risk to critical business assets the most.

The Takeaway


Breach and Attack Simulation is gaining lots of hype today. Yet simulating attacks can mean many different things and serve many different use cases. Two of the top approaches to attack simulation are Security Control Validation and Attack Path Management. However, while both these concepts simulate attacks, they do it in very different ways and for very different goals.

By understanding when and how to deploy these products, you can make the most informed decisions possible when seeking to improve your security posture.


Menachem Shafran

Menachem Shafran is a product leader with more than 15 years of experience in product management and cybersecurity. Mr. Shafran has managed complex product ranging from cybersecurity, homeland security, DevOps automation to mobile applications. His strength in creating a product vision, aligning R&D efforts with sales and marketing has been demonstrated over the years during his tenure at Quali, NowForce, now part of Verint (VRNT), and Radware (RDWR). Prior to his roles in product management, Mr. Shafran served for 5 years in the IDF’s Elite Intelligence Unit 8200, where he served both as a researcher and as a team leader. Mr. Shafran holds a B.Sc in mathematics from the Hebrew University and B.Mus in percussion.

Find and fix the exposures that put your critical assets at risk with ultra-efficient remediation.

See what attackers see, so you can stop them from doing what attackers do.