Comparing Cymulate and AttackIQ Continuous Security Validation Platforms
As a kid in elementary school my father, took me with him when he was looking for a new car. With a manila folder carrying a copy of Consumer Reports and a legal pad of his carefully taken notes under his arm we went into one car dealership where my dad found a car he had researched and was interested in. As he began to look over the car an eager sales rep approached us and began to bombard us with various facts about the car. Within minutes of arriving my dad turned to me and said, “Dave lets go.” On the way out he turned to me and said, “When someone approaches you using big words and statistics trying to impress you, don’t be. They are merely trying to hide inadequacies and baffle you with bs.”
That lesson comes to mind when I think about competitive documents vendors put out. Whenever I have been asked to do one, I take my time to be as respectful, fair, detailed, and honest. As my father told me, it is also important you should speak clearly, and avoid confusing language. It is in that frameset that I want to compare how Cymulate stacks up to one of our competitors AttackIQ. I wanted to compare across six key critical capabilities to see how each stands up.
In adopting continuous security validation today to optimize your security controls, your incident response plans and people you are looking to prevent threats, reduce risk and maximize your cybersecurity investment. It is therefore critical that the solution you adopt covers the entire enterprise landscape and works across all levels of the kill-chain in an effective fashion. Cymulate’s attack simulations work across the entire attack surface from analysis to pre-exploitation, exploitation, and post-exploitation. From premises to clouds, bare metal to containers, you can assess your effectiveness at all stages of the attack kill chain. Cymulate starts with reconnaissance looking for attack surface enterprise details on the Internet and Dark Web. It provides in-depth testing of your email, web gateway, and web application firewalls. It has a phishing module where you can run phishing campaigns across your enterprise to see your risk as well as to educate your employees. It can do sophisticated endpoint checks, lateral movement, and even data exfiltration. The solution is made, unlike some competitors, to test your production environment - where it matters most.
AttackIQ is also made to test your production environment, however it only does post-exploitation testing and only covers specific parts of the attack kill chain as well. The solution focuses on post-exploitation testing of endpoints. There is no reconnaissance and no web application firewall testing capabilities. Testing of Email, Web and Data Exfiltration is highly limited.
With the current long-standing shortage of skilled cybersecurity professionals globally giving back to the community, supplying technical and managerial education is essential. In this regards AttackIQ has been in the forefront. They offer free, online series of courses through their AttackIQ Academy which is a vendor-neutral place where you can improve your skills through course and lab work on everything from Cybersecurity management, purple teaming skills, MITRE ATT&CK framework and more. July first we will launch a comprehensive cybersecurity academy of our own which will also be vendor-neutral, have courses and labs and successful completion will also come with 8 ISC CPE credits. Purple hats off to AttackIQ for their contribution and leadership here to educate the market.
Back to that issue finding skilled cybersecurity staff. Far too often we are working with a smaller staff than we would like and a wide array of skill sets. It is essential that solutions take this into consideration if they wish to be able to appeal to all cyber-maturity levels. For less experienced practitioners, the solution should provide value out-of-the-box and increase cybersecurity offense and defense skills from day-to-day use. For higher-level cyber-maturity professionals, the solution should be open and customizable and liberate them from time-consuming tasks so they can focus on the more important things.
Cymulate provides an easy-to-use interface for purple teaming and red teaming leveraging Breach & Attack Simulation (BAS) and Continuous Automated Red Teaming (CART) requiring zero coding or advanced cybersecurity training before use. In-depth reporting allows them to understand the results, cross-referencing MITRE ATT&CK framework and provides both easy-to-follow prescriptive technical remediations and executive-level reporting. A higher-level cyber-mature professional armed with some adversarial skills can take full advantage of Cymulate’s Advanced Purple Teaming Framework to craft and automate sophisticated scenarios.
AttackIQ on the other hand requires an FTE (full-time equivalent person) to run with advanced adversarial skills, coding, cybersecurity techniques, and tactics to run.
As attacker tactics, techniques, and procedures (TTP) change constantly it is critical that the solution you pick is continuously updated as well. This will ensure that your ongoing security validation testing is thorough. Cymulate provides a continuous feed of the latest threats that are updated 24*7*365. The threats cover everything from pre-exploitation, exploitation, and post-exploitation. Across the entire kill chain.
AttackIQ on the positive side is also updated with a continuous feed of the latest threats. Unfortunately, all of these are only post-exploitation and are only available for one step of the kill-chain, covering Endpoint.
While the benefits of continuous security validation are strategic it is still for most of us merely one of many hats we wear in cybersecurity. Adoption needs to be low touch, resource un-intensive and easily incorporated. Cymulate’s Software as a Service (SaaS) platform makes it easy to deploy and manage. Most environments require the addition of only a single lightweight agent to be effective. This means you are not fighting the “yet another agent being deployed issue” that many enterprises cannot stomach. Testing often begins within the first or second hour of being deployed with results coming within the subsequent hour.
AttackIQ requires professional services, setting up a manager and per their own best practices architecture, deploying thousands of agents. As we mentioned earlier it takes training to run and prior knowledge of coding skills among other things.
Automated Red Teaming is a much broader and larger scale than conventional security testing. It is a way for security teams to first discover an organization's attack surface and then launch simulated attacks to test blind spots – just like a real attacker would. Cymulate’s CART is allowing you to run a comprehensive yet autonomous attack campaign from pre-, during and post exploit and through each step of the kill-chain. Any number of scenarios can be picked from one of our out-of-the-box templates using real-world attack tactics, techniques and processes as well as incorporating ones that you have come up with yourself. At each step within the kill-chain you have robust testing and options.
AttackIQ, only a post-exploit solution, has no pre-exploit and exploit capabilities making its ability to do Automated Red Teaming limited. Furthermore, since it has no reconnaissance, phishing, and web application firewall capabilities and its web and email capabilities are limited it is really relegated to endpoint testing of post-exploits. Lateral movement is limited to being from a single network connection to a predesignated host and data exfiltration a single file.
When it comes to Continuous Security Validation, Purple Teaming and Automated Red Teaming, Cymulate is the industry standard, clear-cut leader across a wide array of factors. It requires no heavy education curve. No coding skills. It can be used by all cyber-maturity levels and allows customization to those skilled, is more comprehensive in end-to-end risk management by covering the entire kill-chain and entails pre, during and post exploit capabilities. It is updated constantly against the latest threats and provides immediate time to value with only the lightest touch within your environment. It is one of the many reasons why Frost & Sulivan awarded Cymulate its Best Practices Award 2021 for Breach and Attack Simulation. AttackIQ’s high learning curve, coding skills requirements, coming with only post-exploitation capabilities and having major gaps in kill-chain coverage.
Final words of wisdom as I do at work and at home, check around, find people you know who are experienced with both solutions and ask them their experiences; what they like and do not like. Ask them how they do in the six key critical capabilities and how the solution helps them.
|End to End Risk Management||🟢||Measure and monitor organizational risk from attack surface analysis to pre-exploitation, exploitation, and post-exploitation, all stages of the attack kill chain.||🟡||Post-exploitation only. Missing critical details like Reconnaissance, Poor Email and Web, No WAF (Web Application Firewall), Poor to No Lateral Movement, Poor Data Exfil.|
|Investment in Open Cybercommunity & Education||🟢||Cymulate is launching a comprehensive cybersecurity academy July 1st.||🟢||AttackIQ offers free AttackIQ academy courses|
|Useable by All Cyber-Maturity Levels||🟢||BAS (Breach and Attack Simulations) and Automated Red Teaming require zero coding or advanced cybersecurity training. Advanced Purple Teaming Framework requires adversarial skills.||🛑||Requires adversarial skills and prior knowledge of coding, cybersecurity techniques & tactics. Requires an FTE to operate.|
|Immediate Threats Intelligence||🟢||Testing against a continuous feed of the latest threats updated. From pre-exploitation, exploitation, and post-exploitation. Across the entire kill-chain.||🟡||Testing against continuous feed of latest threats. Only tests endpoint.|
|Time to Value||🟢||Deploy within an hour, full value on the first day. Assess risk post M&A in a day! One agent per environment.||🟡||Weeks. Agents – often recommend up to 10% of workloads.|
|Automated Red Teaming||🟢||Autonomous attack campaigns implemented with real-world penetration and propagation techniques.||🛑||No pre-exploitation, phishing, attack surface penetration. Lateral movement limited to a single network connection to a predesignated host.|
Start simulating cyber attacks today with a 14-day free trial of Cymulate's Continuous Security Validation Platform.
Dave Klein is the Director of Cyber Evangelism for Cymulate. With more than 21 years of real-world cybersecurity experience, he works with Cymulate teams, customers and industry thought leaders to address the challenges of securing modern enterprise environments. Dave’s long career includes working on the NIST response to President Obama’s Policy Directive 21 on Critical Infrastructure Security and Resilience, leading some of the largest sales engagements for US Federal security solutions, and working with the City of New York post 9/11, helping shore up cyber defenses.