Breach and Attack Simulation: Bringing the Reds and Blues Together

On April 16, 2020 we hosted our "Breach and Attack Simulation" webinar, where our CTO Ralph Moonen and Product Development Manager Robert Meppelink discussed Breach and Attack Simulation. The attendees asked some good questions, which we have summarized below in a Q&A. Should you still have any remaining questions, please contact

Curious to our other webinars? Visit:


Thank you for all your questions during the webinar, we have received quite a few! Our CTO Ralph Moonen answered all of them below.

Should you still have any remaining questions, please contact

How do you define use cases in a SOC/SIEM? Can the MITRE framework be used for that?

You usually define them with rules, but it depends on the actual SIEM you use. For instance, you could define a use case as 'I want an alert when someone logs in to our VPN from a Chinese IP address'. You can define rules for this, and yes, you can relate this to TTPs from the Mitre ATT&CK framework. Some SIEM's support this more than others but it is definitely possible.

How to do these simulations work in an environment that cannot be isolated from the network neither stopped?

This approach is intended to be performed in a production environment.

Can you tell me something about the duration of testing SOC/SIEM? What kind of investment are we talking about on average?

Anywhere between 5 to 20 persondays of effort depending on the number of use cases.

Are the case study use cases tested during implementation?

Yes, they are.

Is a check of a SIEM part of the standard IT Audit?

Not to this level of detail.

How would you assess the "Response readiness" at a customer. Do you validate the design of their governance, processes, techniques, plans, resources etc. to react on incidents?

It would take more of a Red Teaming approach to asses this, rather that the described approach. And for a 'readiness assessment' it would require also some more classical audit techniques to assess governance,

Your main message seems to be: if you don't test your SIEM system well, it provides you fake feeling of security. Right?

This is correct. For the same reason we perform fire drills.

We have our SOC/SIEM solution outsourced, how do I know it works properly as they promised?

You don't. But you could test this by using techniques like we described in this webinar.

Do the attacks vary depending on the system or you just simulate attacks that are the same for every system?

Attacks vary per system, and so do log messages and events. So you need to have detailed information on the exact systems to be able to accurately emulate attacks.

What if the head of security wanted to test his blue team response, how will you manage that since the blue team can't be alerted?

In that case, I would propose to perform a Red Teaming exercise, since that focuses more on the response. The approach explained in this webinar is aimed at testing detective capabilities more than response.

If you have any remaining questions, please contact us at