
Breach & Attack Simulation: Proving What's Actually Exploitable

Breach and attack simulation validates real exploitability using MITRE ATT&CK techniques — the difference between a vulnerability report and an answer.

VirtueThreatX Team
April 14, 2026

Your Scanner Just Reported 4,200 Findings. Roughly 840 of Them Are False Positives.

That is not a guess. Across scan types and target environments, vulnerability scanners produce false positive rates between 20% and 40%. For the findings that are real, Kenna Security and EPSS data show that only 2-5% of published CVEs are ever exploited in the wild — 62% have less than a 1% exploitation probability. Your security team is spending the majority of its remediation cycles on findings that either do not exist or do not matter.

Breach and attack simulation (BAS) eliminates this problem by proving — not estimating — what an attacker can exploit in your specific environment. It is the difference between a vulnerability report and an answer.

What BAS Is and Where It Fits

BAS tools execute real attacker techniques against your production environment in a controlled, safe manner. They use the same exploitation methods threat actors use — credential stuffing, SQL injection, privilege escalation, lateral movement — but with guardrails that prevent actual damage.

Within Gartner’s CTEM framework, BAS occupies Phase 4: Validation. The logic is straightforward. Phase 2 (Discovery) finds your assets. Phase 3 (Prioritization) estimates which exposures are highest risk. Phase 4 (Validation) proves whether those estimates are correct by attempting exploitation. Without validation, prioritization is a model. With it, prioritization is a fact.

This distinction changes how security teams operate. Instead of patching every critical-severity CVE regardless of context, teams patch only the exposures that are confirmed exploitable after accounting for their network segmentation, WAF rules, EDR policies, and other compensating controls.

How BAS Validates: The Technical Process

Targeting High-Value Findings

BAS does not test everything — it targets the findings most likely to represent real risk. Selection criteria include high CVSS base scores, presence in CISA’s Known Exploited Vulnerabilities catalog, high EPSS exploitation probability, and asset business value. A critical CVE on a revenue-generating payment API gets tested before a critical CVE on a sandboxed development server.

Executing MITRE ATT&CK Techniques

BAS maps its validation to MITRE ATT&CK tactic categories, ensuring coverage across the full attack lifecycle:

Initial Access (TA0001) — Attempting exploitation of public-facing applications, testing phishing payload delivery paths, and validating whether stolen credentials (from dark web monitoring) actually grant access. This is where most real attacks begin, and it is where validation delivers the most immediate value.

Execution (TA0002) — Testing whether command injection, script execution, and code execution techniques succeed against target systems. A web application with a known command injection CVE is one thing; a web application where that injection is blocked by a WAF rule is another.

Privilege Escalation (TA0004) — Exploiting misconfigurations, token manipulation, and local privilege escalation paths. BAS determines whether an attacker who gains initial access at a low privilege level can escalate to admin or root.

Lateral Movement (TA0008) — Testing internal pivoting, pass-the-hash, remote service exploitation, and credential reuse across systems. This validates whether network segmentation actually contains a breach or whether an attacker can move freely once inside.

Defense Evasion (TA0005) — Confirming whether your WAF, IDS/IPS, and EDR controls detect and block simulated attack techniques. This is control validation — proving that the security products you are paying for actually work against the techniques adversaries use.

Credential Access (TA0006) — Testing brute-force attacks, credential dumping, authentication bypass, and password spray techniques against exposed authentication surfaces.

Confirming or Dismissing Findings

Every BAS test produces one of two outcomes.

Findings that are successfully exploited are confirmed as validated exposures with a full evidence chain: the technique used, the path taken, the access gained, and the potential impact. These findings bypass the triage queue and go directly to remediation with everything the engineering team needs to fix them.

Findings where exploitation fails — because a WAF blocked the payload, network segmentation prevented lateral movement, or EDR killed the process — are downgraded. They are not removed from the record, but they are deprioritized. The compensating control is documented, and the finding is flagged for re-validation if the control configuration changes.
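To make the targeting rules and the two outcomes concrete, here is an added example (not VirtueThreatX code) of a small triage model: findings are ranked by the selection criteria above, each BAS result is recorded either as validated with its evidence chain or as downgraded with the blocking control's configuration fingerprinted, and a downgraded finding is flagged for re-validation once that fingerprint changes. The Finding fields, the scoring weights and the 1-5 asset-value scale are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import hashlib, json

EVIDENCE_KEYS = ("path", "access", "impact")  # with the technique, this is the evidence chain
@dataclass
class Finding:
    cve: str              # tests use constructed CVE-0000-xxxx placeholders, not real ids
    asset: str
    cvss: float           # CVSS base score, 0-10
    epss: float           # EPSS exploitation probability, 0-1
    in_kev: bool          # listed in CISA's Known Exploited Vulnerabilities catalog
    asset_value: int      # business value, 1 (sandbox) .. 5 (revenue-critical); assumed scale
    status: str = "unvalidated"
    evidence: Optional[dict] = None
    blocking_control: Optional[str] = None
    control_fingerprint: Optional[str] = None

def selection_score(f: Finding) -> float:
    """KEV membership and EPSS dominate; CVSS and asset value break ties (weights assumed)."""
    return f.asset_value * (f.cvss / 10.0) * (f.epss + (1.0 if f.in_kev else 0.0))

def select_for_validation(findings: list, limit: int) -> list:
    """Highest-value candidates first: a critical CVE on a payment API before a sandbox."""
    return sorted(findings, key=selection_score, reverse=True)[:limit]

def fingerprint(control_config: dict) -> str:
    """Stable hash of a compensating control's configuration (e.g. a WAF ruleset)."""
    return hashlib.sha256(json.dumps(control_config, sort_keys=True).encode()).hexdigest()

def apply_result(f: Finding, exploited: bool, technique: str,
                 evidence: Optional[dict] = None, blocked_by: Optional[str] = None,
                 control_config: Optional[dict] = None) -> Finding:
    """Exploited -> validated with full evidence chain; blocked -> downgraded, control recorded."""
    if exploited:
        missing = [k for k in EVIDENCE_KEYS if k not in (evidence or {})]
        if missing:
            raise ValueError(f"incomplete evidence chain, missing {missing}")
        f.status, f.evidence = "validated", {"technique": technique, **evidence}
    else:
        if not blocked_by or control_config is None:
            raise ValueError("a downgraded finding must name the control that blocked it")
        f.status, f.blocking_control = "downgraded", blocked_by
        f.control_fingerprint = fingerprint(control_config)
    return f

def needs_revalidation(f: Finding, current_control_config: dict) -> bool:
    """Downgraded findings go back in the queue once the blocking control's config changes."""
    return f.status == "downgraded" and f.control_fingerprint != fingerprint(current_control_config)
```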

This binary outcome is what drives the substantial reduction in actionable findings that teams adopting BAS routinely describe: the queue shrinks because most “findings” were never reachable or exploitable in that environment in the first place.

BAS vs. Penetration Testing: Different Tools for Different Problems

BAS is not a replacement for penetration testing. They serve different purposes.

Penetration testing is a deep, manual, time-boxed assessment conducted by skilled humans. A good penetration tester finds things automated tools miss — business logic flaws, chained exploits across multiple systems, social engineering paths. Penetration testing happens annually or quarterly, costs $15,000-$100,000+ per engagement, and produces a point-in-time report.

BAS is automated, continuous, and broad. It runs after every scan cycle, validates findings across your entire discovered attack surface, and produces results in minutes to hours. It covers the MITRE ATT&CK matrix systematically rather than relying on a single tester’s intuition and experience. It costs a fraction of annual pentest spend and never takes a vacation.

The right model uses both. Annual or biannual penetration tests provide depth, creative exploitation chains, and compliance evidence that requires human-led testing. Continuous BAS provides breadth, speed, and the confidence that no new exploitable exposure has appeared since the last pentest.

Organizations that rely solely on annual pentests have a 364-day blind spot. CrowdStrike’s 2026 Global Threat Report measured the average eCrime breakout time at 29 minutes. The fastest observed: 27 seconds. Annual testing cadences cannot compete with that operational tempo.

What BAS Delivers That Scanning Cannot

False positive elimination. Scanners report what might be vulnerable. BAS reports what is exploitable. The difference is the gap between 4,200 findings and the 200-400 that your team actually needs to fix.

Control validation. Your organization spends significant budget on WAFs, EDR, IDS/IPS, SIEM, and network segmentation. BAS tests whether those controls actually stop real attack techniques — not whether they are deployed and configured, but whether they work.

Continuous assurance. New code deployments, infrastructure changes, and configuration updates can introduce exploitable exposures at any time. BAS validates after every change, not once a quarter.

Evidence for stakeholders. Telling the board “we have 4,200 vulnerabilities” is meaningless. Telling them “we have 12 confirmed exploitable paths to critical systems, down from 31 last month” is actionable intelligence. BAS provides the evidence to make that statement.

Compliance alignment. SOC 2, ISO 27001, PCI DSS 4.0 (fully enforced since March 2025), and DORA all require evidence that security controls are effective. BAS produces that evidence continuously and automatically.

VirtueThreatX integrates BAS directly into the CTEM scanning workflow. When attack surface discovery identifies a critical exposure, BAS validation triggers automatically — no manual intervention, no waiting for the next pentest window. Your team remediates confirmed threats, not scanner noise. See adversarial validation in the platform or schedule a 30-minute walkthrough.

