The Breach and Attack Simulation (BAS) marketplace is awash with tooling that automates the evaluation of endpoint detection products. Many use frameworks such as MITRE ATT&CK to structure the exercise, executing a large number of offensive actions for each section of the framework and deeming the product with the highest overall score the most effective. This purely quantitative focus is limited.
While a larger number of actions may appear to offer greater coverage, evaluating a solution against an exhaustive range of generic tactics, techniques, and procedures (TTPs), each executed in isolation rather than as part of a chained, objective-driven intrusion, does not accurately measure how the solution would perform in a real-world attack. This approach often results in multiple providers achieving the same ‘100%’ coverage score, which makes it very difficult for buyers to differentiate products in the market and ultimately underestimates the threat posed by motivated attackers.