Implementing adversary simulation to orient your security program
Published by Will McCann, November 23, 2022 | 7 min read

“If you know the enemy and know yourself, you need not fear the result of a hundred battles”

Sun Tzu — Chinese military general, strategist, philosopher

Background

Organisations today are trying to build up their cyber defences as quickly as threat actors try to tear them down. We regularly encounter organisations delivering large security programs of work without a clear understanding of the coverage needed to stop the attackers most likely to target them.

For many, this feels like a situation with no clear direction. So how do you orient your security program toward the cyber security north star? And where do you start?

The problem that prompted the solution

Let’s go back a step here. One of our customers came to us with a problem. “We have a yearly Penetration Test, find a bunch of issues and spend the next year fixing them, only to be tested again and find even more issues – we need more regular testing”.

From this problem, we designed a unique Adversary Simulation service to help organisations understand their security exposure to the threat actors most likely to compromise them, and to assign clear accountability for every outcome of the testing.

How it works

Our specialised security experts emulate the tactics, techniques and procedures used by real threat actors against your environment. This helps security and IT leaders prioritise their security strategies and roadmaps with pragmatic programs of work that reduce the risk posed by the attackers most likely to target your organisation.

At the heart of our Adversary Simulation practice is our threat intelligence and enrichment capability. Our Digital Forensics and Incident Response team is constantly helping organisations respond to and recover from cyber events. Building on this, and leveraging our global intelligence partnerships, we collect and curate threat intelligence relevant to your organisation and industry vertical. That intelligence guides our simulations and lets us test your environment against the kinds of threats actually looking to compromise you. Through threat-informed simulations, you gain a strong knowledge of yourself and of the enemy you are fighting.

Think of your Adversary Simulation program like a monitored security system for your home. The SOC provider monitors the system, detects when an intruder is inside and observes what they do once inside. The Adversary Simulation team tests whether your front door and windows are actually locked. Are there blind spots in the cameras? What happens once someone is inside the house: can they reach the keys to your safe?

Critical outcomes for customers

Our Adversary Simulation program differs from most in that it is not a purely Red Team oriented activity. It is a true Purple Team exercise in which adversarial staff test the customer's environment while working alongside the customer's detection and response capability. This provides the following benefits:

  • Our customers receive regular, highly specialised security testing that emulates their likely adversaries.
  • ParaFlare provides remediation advice to our customers for the vulnerabilities most likely to be exploited by actual threats.
  • Our customers' Security Operations Centre or Managed Detection and Response provider stays abreast of the latest adversarial techniques, so that the detection and response service can detect the adversaries likely to target them.
  • Our customers gain confidence that complex and sophisticated adversaries attempting to compromise their environment will be detected.

Why traditional Adversary Simulation doesn’t cut it

Traditional Adversary Simulation is typically performed by sophisticated Red Teams who perform only the actions of the specific adversary they are emulating (such as an Advanced Persistent Threat). While this has its benefits, it is also highly restrictive: coverage is limited to that one actor's known tradecraft.

We found our customers wanted to replace their big yearly Penetration Test with regular, smaller tests, which demanded a different approach. ParaFlare adopted an approach where testing is organised around the MITRE ATT&CK Framework. Techniques known to be used against the customer's industry are tested, mimicking the tradecraft of several known adversaries rather than one. Because ATT&CK technique IDs give the testers and the SOC a shared vocabulary, this also benefits the SOC provider: for each technique exercised, a detection can be confirmed or created, giving coverage over a wider range of techniques. This is what makes our program different.

In addition to testing common MITRE ATT&CK techniques, adversarial staff then test for more advanced vulnerabilities and weaknesses within the customer's environment. This may be as simple as testing for misconfigurations and accessible sensitive resources – things a vulnerability scanner would not detect. Or it may involve exercising the latest techniques for compromising a system, to confirm which defensive controls the customer has in place and whether the SOC can detect the activity.
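As an added example that is not ParaFlare's tooling or part of the original post, the following Python sketch shows one way to turn the approach described above into a repeatable cycle: rank ATT&CK techniques by how many likely adversaries use them, put those with no existing detection first, and record for each simulated technique whether the SOC detected it, so that gaps become remediation items for the next cycle. The actor names (ACTOR-A, ACTOR-B, ACTOR-C), their technique mappings, the detection inventory and the cycle outcomes are constructed sample data; the technique IDs are real ATT&CK Enterprise IDs, but the attributions are not real intelligence.

```python
"""Threat-informed ATT&CK test planning for one purple-team cycle.

Added example (not ParaFlare's tooling). All data below is constructed:
the actors are hypothetical and the technique-to-actor mappings are not
real attributions. Technique IDs are real ATT&CK Enterprise IDs.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel input: actors assessed as likely to target the
# customer's industry vertical, with the techniques each is known to use.
LIKELY_ACTORS: Dict[str, set] = {
    "ACTOR-A": {"T1566", "T1059", "T1078", "T1003", "T1021", "T1486"},
    "ACTOR-B": {"T1566", "T1059", "T1053", "T1003", "T1071"},
    "ACTOR-C": {"T1078", "T1021", "T1547", "T1071", "T1486"},
}

# Constructed SOC detection inventory: technique -> existing analytics.
# A technique missing here, or mapped to an empty list, has no detection.
DETECTIONS: Dict[str, List[str]] = {
    "T1566": ["mail-gateway-attachment-detonation"],
    "T1059": ["powershell-scriptblock-alert"],
    "T1003": [],
    "T1486": ["mass-file-rename-alert"],
}


@dataclass
class TestCase:
    technique: str
    actors: Tuple[str, ...]           # which likely adversaries use it
    detections: Tuple[str, ...]       # analytics the SOC claims cover it
    executed: bool = False            # set once the simulation ran it
    detected: Optional[bool] = None   # SOC verdict, None until executed


def prioritise(actors: Dict[str, set],
               detections: Dict[str, List[str]]) -> List[TestCase]:
    """Rank techniques: most widely used by likely actors first; on ties,
    the fewest existing detections first; then by technique ID."""
    usage = Counter(t for techs in actors.values() for t in techs)

    def sort_key(t: str):
        return (-usage[t], len(detections.get(t, [])), t)

    return [
        TestCase(
            technique=t,
            actors=tuple(sorted(a for a, techs in actors.items() if t in techs)),
            detections=tuple(detections.get(t, [])),
        )
        for t in sorted(usage, key=sort_key)
    ]


def run_cycle(plan: List[TestCase], outcomes: Dict[str, bool]) -> List[TestCase]:
    """Record the SOC's verdict for each technique actually simulated this
    cycle. `outcomes` maps technique ID -> True if the SOC detected it."""
    for case in plan:
        if case.technique in outcomes:
            case.executed = True
            case.detected = outcomes[case.technique]
    return plan


def coverage_report(plan: List[TestCase]) -> Dict[str, List[str]]:
    """Split the plan into confirmed detections, detection gaps (remediation
    items for the SOC) and techniques still to be scheduled."""
    return {
        "confirmed": [c.technique for c in plan if c.executed and c.detected],
        "gaps": [c.technique for c in plan if c.executed and not c.detected],
        "untested": [c.technique for c in plan if not c.executed],
    }


def actor_coverage(plan: List[TestCase],
                   actors: Dict[str, set]) -> Dict[str, Tuple[int, int]]:
    """Per likely actor: (techniques confirmed detected, techniques they use)."""
    confirmed = {c.technique for c in plan if c.executed and c.detected}
    return {a: (len(techs & confirmed), len(techs)) for a, techs in actors.items()}


if __name__ == "__main__":
    plan = prioritise(LIKELY_ACTORS, DETECTIONS)
    # Constructed outcomes for the four techniques simulated this cycle.
    run_cycle(plan, {"T1003": False, "T1021": False, "T1059": True, "T1566": True})
    for case in plan:
        print(case.technique, case.actors, case.detections, case.detected)
    print(coverage_report(plan))
    print(actor_coverage(plan, LIKELY_ACTORS))
```

With the constructed data, credential dumping (T1003) comes out first: two likely actors use it and the SOC has no analytic for it, which is exactly the kind of item a one-actor emulation might never surface. The per-actor coverage numbers are what "knowing the enemy" looks like as a metric the SOC and the security team can both be held to between cycles.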

Orient your security program

It’s important to make sure your security program keeps pace with the adversaries likely to target you. Through our Adversary Simulation service, a dedicated project manager brings your SOC provider, your security team and our experts into the same room. Our regular simulation cycles are backed by a project management methodology that keeps everyone accountable for closing out remediation items and ensuring detections are in place.

Talk to us today about how to orient your security program through Adversary Simulation.

Reach out at sales@paraflare.com
