A scanner tells you which CVEs you have. It does not tell you whether your team catches a live intrusion. Assumed-breach and adversary simulation measure what readiness actually means: how long an attacker dwells, and whether your detection fires on the chain.
File · Answer first
The test that settles it is an operator working a realistic attack chain inside your environment while three numbers get recorded: whether each step fires a detection, how fast your team moves once one does, and how long the adversary dwells before anyone reacts. Tabletops and tooling purchases do not produce those numbers, which is why most teams have never actually seen them. Assumed-breach and adversary simulation exist to put a number on each one. What you walk away with is not a CVE list but a measured answer to whether your team catches an intruder before the damage lands, and the sections below break down how each format gets there.
File · Assumed-breach scenarios
Assumed breach starts the operator inside, from a position an attacker reaches anyway: a phished workstation, a compromised set of credentials, a foothold on one server. It skips the question of whether the perimeter eventually fails (it does) and goes straight to the question that decides an incident: once an adversary is in, what can they reach, how far do they get, and does anyone notice? This is the highest-signal way to test detection and response, because it spends the entire engagement on the part of the kill chain where your SOC either earns its budget or does not. It runs as part of adversary simulation.
File · Adversary simulation
A tabletop is a discussion. People sit in a room and talk through how they would respond to a hypothetical, which is useful for process and decision rights and worthless for measuring whether the technical detection actually fires. Adversary simulation is the real thing: an operator executing real techniques against real systems while your team responds live, not knowing it is a test. The tabletop tells you what the team believes it would do. The simulation tells you what the team and the tooling actually do under contact. You want both, but only one of them produces evidence.
Operator Note
The number that matters is dwell time: how long an adversary operates before detection. Most teams discover, the first time they are tested, that an attacker would have had days inside before anything fired, often because the alert existed but was buried, mis-tuned, or routed to a queue nobody watched. You cannot fix that with a tabletop. You find it by being attacked under controlled conditions.
“Nearly every engagement I have led, the team believed their detection was better than it was. That is not a criticism, it is the whole reason to run the exercise. You do not know your mean-time-to-detect until an adversary gives it a number.”
File · Purple-teaming to
When the goal is improvement and not just a grade, run it purple. The operators execute each technique in the open, mapped to MITRE ATT&CK, while your defenders watch their own telemetry in real time. For every technique you get a clear verdict: detected, partially detected, or missed. Then you tune the rule, re-run the technique, and confirm the detection now fires. A purple-team engagement walks out with a measured detection-coverage map across the ATT&CK matrix and a list of gaps closed, not a report that sits on a shelf. Phishing and initial-access tradecraft feed it through social engineering testing, and physical access vectors through physical red teaming.
File · What ready
File · FAQ
Q1 What is assumed breach testing?
It starts the operator inside, from a foothold a real attacker reaches anyway, and spends the whole engagement on the part of the kill chain where your SOC either earns its budget or does not: reach, escalation, and whether anyone notices.
Q2 Adversary simulation versus a tabletop exercise?
The tabletop tells you what the team believes it would do; the simulation, run live and often unannounced, produces evidence of what the team and tooling actually do under contact. You want both, but only the simulation generates real detection numbers.
Q3 Will this test my SOC's detection?
Yes, that is the point. Run as assumed breach or purple team, the engagement measures whether your detection fires on each step of the attack chain, mapped to MITRE ATT&CK, and produces real numbers for mean-time-to-detect and mean-time-to-respond. A purple-team format also tunes and re-tests each gap so detections that missed are confirmed working before the engagement ends.
Talk to an Operator
Real operators. Real attack paths. Real business impact. Talk to us about your security goals.
Related
Objective-based operations, the initial-access vectors that feed them, and the physical path in.
Full-scope, objective-based adversary operations.
Assumed-breach and ATT&CK-mapped detection testing.
The phishing and initial-access tradecraft that starts the chain.
The physical path past your controls and into the building.