Will Breach and Attack Simulation (BAS) replace manual penetration testing? That is a question many CISOs and security professionals are asking in 2023. Breach and Attack Simulation is a relatively new niche of the cyber security tools market, but one that is growing rapidly: Frost & Sullivan Research estimates that the BAS market will grow at 35% per year between 2022 and 2025.

Breach and attack simulation is a type of cyber security testing in which known attacker techniques and behaviours are executed in a safe, controlled way against the organisation's own environment, in order to measure whether the security controls in place prevent them and whether the security operations team detects and responds to them. BAS tools can be used alongside, or in some cases instead of, traditional penetration testing, which normally involves a human tester manually attempting to exploit vulnerabilities to see whether unauthorised access can be gained. It should be noted, however, that the two ultimately serve different purposes: a penetration test answers "can an attacker get in?", while an attack simulation answers "do my controls and detections work against the techniques an attacker would use?".

Breach and Attack Simulation tools are often deployed to validate security control effectiveness and to test and optimise detections.  Penetration testing will normally involve manual attempts to exploit vulnerabilities in order to gain unauthorised access.

Breach and Attack Simulation has the potential to provide some benefits over traditional penetration testing, such as the ability to run a much larger number of offensive scenarios in a shorter amount of time, to repeat them on a regular schedule so that regressions are caught, and to chain individual techniques into multi-stage attack simulations. However, it is important to note that BAS is not a replacement for all forms of penetration testing and may not be suitable for all organisations or situations.

Can the two co-exist?

Most BAS tools, like Validato, help information security teams to validate the effectiveness of their security controls and help security operations to better detect threats. Manual penetration tests rarely have security control effectiveness explicitly within their scope, and while a Red Team exercise does test detection and response, it does so for a single attack path at a single point in time. Often, the scope of a penetration test will be defined and restricted in advance, in order to keep costs and complexity down. Automated Breach and Attack Simulation tools, by contrast, can simulate a wide range of attacker behaviours across the whole organisation, on a much more regular schedule than manual penetration tests, and report for each simulated technique whether it was prevented, detected or missed.
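To make the "prevented / detected / missed" outcome concrete, here is a small control-validation harness written as an added example for this page. It is not Validato's code or any other vendor's, and it does not execute real techniques: each simulated technique is represented by the telemetry events it would leave behind (constructed sample data, not real EDR or Sysmon output), a stand-in preventive control is a function over the technique, and a detection rule is a function over an event. The ATT&CK technique IDs (T1053.005, T1003.001, T1059.001) are real identifiers; everything else (the process names, command lines, rule names and control) is illustrative. The first run exposes a detection gap, and a broadened rule closes it on the second run, which is the "test and optimise detections" loop described above.

```python
"""Minimal BAS-style control-validation harness (added example with constructed data)."""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Event:
    """One telemetry event as a detection pipeline would see it (constructed, not real EDR output)."""
    source: str          # e.g. "sysmon" or "edr"
    process: str
    command_line: str
    parent: str = ""


@dataclass
class Technique:
    """A simulated attacker behaviour: an ATT&CK ID plus the events the simulation produces."""
    attack_id: str
    name: str
    events: list[Event]


PreventiveControl = Callable[[Technique], bool]   # True -> control would block the behaviour
DetectionRule = Callable[[Event], bool]            # True -> rule fires on this event

# Constructed simulations. A real BAS tool executes a benign variant of each behaviour;
# here the resulting telemetry is hard-coded so the example runs offline.
TECHNIQUES = [
    Technique("T1053.005", "Scheduled Task via schtasks.exe",
              [Event("sysmon", "schtasks.exe",
                     'schtasks.exe /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc onlogon', "cmd.exe")]),
    Technique("T1053.005", "Scheduled Task via PowerShell cmdlet",
              [Event("sysmon", "powershell.exe",
                     "powershell.exe -c Register-ScheduledTask -TaskName Updater -Action $a", "explorer.exe")]),
    Technique("T1003.001", "LSASS memory dump with procdump",
              [Event("edr", "procdump64.exe", "procdump64.exe -ma lsass.exe lsass.dmp", "cmd.exe")]),
    Technique("T1059.001", "Encoded PowerShell command",
              [Event("sysmon", "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA", "winword.exe")]),
]


def app_control_blocks_procdump(t: Technique) -> bool:
    """Stand-in for an application-control policy that denies the procdump binary (hypothetical)."""
    return any(e.process.lower().startswith("procdump") for e in t.events)


PREVENTIVE_CONTROLS: list[PreventiveControl] = [app_control_blocks_procdump]


def rule_schtasks_create(e: Event) -> bool:
    """Deliberately narrow first-cut rule: only the schtasks.exe binary, not the cmdlet path."""
    return e.process.lower() == "schtasks.exe" and "/create" in e.command_line.lower()


def rule_encoded_powershell(e: Event) -> bool:
    return e.process.lower() == "powershell.exe" and " -enc" in e.command_line.lower()


def rule_scheduled_task_any(e: Event) -> bool:
    """Broadened rule written after the first run exposed the gap: covers both creation paths."""
    cl = e.command_line.lower()
    return (e.process.lower() == "schtasks.exe" and "/create" in cl) or "register-scheduledtask" in cl


DETECTION_RULES: dict[str, DetectionRule] = {
    "schtasks_create": rule_schtasks_create,
    "encoded_powershell": rule_encoded_powershell,
}


def assess(technique: Technique, controls, rules) -> tuple[str, list[str]]:
    """Outcome for one technique: prevented (a control blocks it), detected (a rule fires), or missed."""
    if any(c(technique) for c in controls):
        return "prevented", []
    fired = sorted({name for name, rule in rules.items() for e in technique.events if rule(e)})
    return ("detected" if fired else "missed"), fired


def run_simulation(techniques, controls, rules) -> list[dict]:
    return [dict(attack_id=t.attack_id, name=t.name, outcome=o, rules=f)
            for t in techniques for o, f in [assess(t, controls, rules)]]


def coverage_gaps(results: list[dict]) -> list[dict]:
    """Techniques that neither a preventive control nor a detection rule caught."""
    return [r for r in results if r["outcome"] == "missed"]


if __name__ == "__main__":
    first = run_simulation(TECHNIQUES, PREVENTIVE_CONTROLS, DETECTION_RULES)
    for r in first:
        print(f"{r['attack_id']:10} {r['outcome']:9} {r['name']}  rules={r['rules']}")
    print("gaps after first run:", [r["name"] for r in coverage_gaps(first)])
    # Detection engineering step: swap in the broadened rule and re-run the same simulations.
    tuned = dict(DETECTION_RULES, schtasks_create=rule_scheduled_task_any)
    second = run_simulation(TECHNIQUES, PREVENTIVE_CONTROLS, tuned)
    print("gaps after tuning:", [r["name"] for r in coverage_gaps(second)])
```

On the first run the schtasks.exe variant is detected, the procdump variant is prevented by the (hypothetical) application-control policy, the encoded PowerShell command is detected, and the Register-ScheduledTask variant is missed; after the rule is broadened and the same simulations are re-run, no gaps remain. Keeping the simulations fixed and re-running them on a schedule is exactly what lets a BAS tool show that a detection that worked last month still works today.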

Having said that, manual penetration testing is still a valuable tool for identifying vulnerabilities and testing an organisation's defences, particularly where the tester has a deep understanding of the system and can think creatively to find weaknesses that no library of pre-built simulations contains, such as business logic flaws or chains of individually minor misconfigurations. In addition, manual testing may be necessary where the complexity or sensitivity of the system makes it difficult to simulate attacks accurately and safely with automated tools.


So, will Breach and Attack Simulation replace manual penetration testing? Not in the short term. The most likely scenario is that automated Breach and Attack Simulation will be used continuously to validate security control effectiveness and to optimise detection capabilities, while manual penetration testing will be used to confirm that the changes made as a result of attack simulations actually prevent unauthorised access, and to find the weaknesses that a fixed set of simulated behaviours does not cover.