Most organizations discover they have a detection gap the hard way. An attacker moves through their environment for days, sometimes weeks, before anyone notices. According to Mandiant's M-Trends 2026 report, the global median dwell time worsened to 14 days in 2025, up from 11 days the previous year. That number sounds manageable until you realize attackers can move from initial access to domain compromise in under an hour.
Adversary simulation is the structured practice of replicating real threat actor behavior inside your environment to expose exactly that kind of gap. It goes beyond checking whether systems are patched. It asks whether your people, processes, and tools can actually detect, respond to, and contain a determined attacker operating with the techniques your real adversaries use.
This post explains what adversary simulation is, how it differs from penetration testing and red teaming, what a mature engagement looks like, and how to get genuine operational value from the exercise rather than a document that sits on a shelf.
Key Takeaways
Adversary simulation is a threat-intelligence-driven security assessment that replicates the specific behavior of real threat actors against a live environment. Where penetration testing finds vulnerabilities, adversary simulation asks whether your defenses can detect, alert on, and contain attacker behavior once someone is already inside.
The distinction matters. Penetration testing typically follows a scope-limited checklist: find open ports, identify misconfigurations, demonstrate exploitability, report findings. It answers the question "can an attacker get in?" Adversary simulation answers a harder question: "once they're in, what can they do, how long can they operate, and will your team know?"
Red teaming is the closest relative, and the terms are often used interchangeably, which creates confusion. Traditional red teaming tends to be objective-driven: the team tries to reach a defined crown-jewel asset by any means available. Adversary simulation adds a constraint. The red team must operate within the documented behavioral profile of a specific threat actor or category of actor, using only the techniques, tools, and sequences observed in real-world intelligence on that group.
This constraint is what makes simulation valuable for defenders. When a blue team knows the exercise is modeled on a financially motivated ransomware operator, they can validate whether their controls map to that threat, not to an abstract worst-case scenario.
Detection speed determines breach impact. This is not a philosophical point. According to IBM's Cost of a Data Breach Report 2025, breaches resolved in under 200 days averaged $3.87 million in total cost, while those contained after that threshold averaged $5.01 million. Every day of undetected attacker presence adds cost.
Mandiant's M-Trends 2025 showed that when organizations discovered intrusions through their own internal mechanisms, the median dwell time was 10 days. When external parties were the source of notification, that number jumped to 26 days. That 16-day gap represents two and a half weeks of attacker access to systems, credentials, and data that the organization did not know was being accessed.
Adversary simulation stress-tests the mechanisms that produce internal detection. The exercise runs real attacker behavior through your environment and records what your SIEM, EDR, and SOC team actually catch. Not what the vendor claims the tools catch, and not what the alert documentation says should trigger. What actually fires.
Our finding: In a significant portion of engagements we run, initial access via spearphishing and the credential harvesting that follows it go undetected for the first 24 to 48 hours. The tooling is often present and correctly configured. The gap is typically in alerting logic that was never tuned to behavioral indicators, only to known-bad signatures. Simulation exposes this in a way no compliance audit can.
If you want a systematic view of how your environment holds up against real attacker TTPs, speak with the Redfox Cybersecurity adversary simulation team about scoping an engagement against the threats relevant to your sector.
MITRE ATT&CK is a publicly maintained knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. It organizes attacker behavior into 14 tactical categories, from Initial Access through Impact, and documents hundreds of specific techniques with examples drawn from named threat groups.
For adversary simulation, ATT&CK serves three functions. First, it provides the vocabulary that connects threat intelligence to executable attack behavior. When a threat intelligence report documents that a ransomware operator used spearphishing with a malicious LNK file for initial access, then deployed a living-off-the-land binary for lateral movement, those behaviors map to specific ATT&CK technique IDs that the red team can replicate.
A well-constructed simulation scenario looks like this for a financial services client:
Every technique in that chain maps to an ATT&CK ID. This means the defensive team can directly evaluate whether their detection rules cover each step and, if not, why.
The second function of ATT&CK in simulation is measurement. After an engagement, the red team produces a technique-level breakdown of which behaviors were detected, which generated alerts without triggering response, and which passed completely unnoticed. This gives the blue team a specific, prioritized list of detection engineering work to address. It is more actionable than a general finding that says "lateral movement was not detected."
A structured adversary simulation engagement runs in four phases. Each phase has defined inputs, activities, and outputs. Skipping any phase reduces the operational value of the exercise.
The engagement begins with intelligence work, not with tooling. The red team works with the client to identify the threat actors most likely to target their organization based on industry, geography, technology stack, and public profile. A healthcare system faces different adversaries than a financial services firm or a critical infrastructure operator.
This phase produces an adversary profile: a documented set of TTPs drawn from threat intelligence, mapped to ATT&CK, and used to constrain the red team's behavior during execution. It is what separates adversary simulation from generic red teaming.
The red team operates against the live environment using the TTPs in the adversary profile. They do not deviate to use techniques outside the profile, even if easier paths present themselves. This constraint is intentional. The goal is to simulate a specific threat, not to demonstrate the maximum possible damage an attacker could cause.
Execution typically covers the full kill chain: initial access, persistence, privilege escalation, lateral movement, and the defined simulation objective (credential extraction, data staging, reaching a crown-jewel system).
Throughout execution, the engagement logs which techniques generated detections, which alerts fired, and how the blue team or SOC responded. In mature organizations, this phase becomes a live purple team exercise where the blue team is partially aware of the simulation and works to detect and contain the red team in real time.
The output is a technique-level detection gap analysis mapped to ATT&CK, not just a list of vulnerabilities. Findings are tied to specific attacker behaviors, specific gaps in detection logic, and specific remediation actions. A good engagement report tells a blue team exactly which detection rules to write, which log sources to enable, and which response playbooks to update.
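The technique-level breakdown described under measurement above and the gap analysis this phase produces are straightforward to compute once the red team's execution log and the blue team's alert and response records are lined up. The script below is an added example, not Redfox's reporting tooling. The kill-chain steps, the set of techniques that raised alerts, and the set the SOC acted on are all constructed; the technique IDs are real MITRE ATT&CK identifiers chosen to match behaviors the post mentions (spearphishing, Kerberoasting, lateral movement over SMB, DCSync, data staging).

```python
from collections import Counter
from dataclasses import dataclass

# Outcomes for one executed technique, as the post describes the breakdown.
DETECTED = "detected"                    # alert fired and the SOC responded
ALERT_NO_RESPONSE = "alert_no_response"  # alert fired, nobody acted on it
MISSED = "missed"                        # no alert at all


@dataclass(frozen=True)
class Execution:
    step: int        # position in the red team's kill chain (1 = first)
    technique: str   # ATT&CK technique ID
    tactic: str      # ATT&CK tactic the step belongs to


# Constructed red-team execution log for a chain like the one the post describes.
EXECUTED = [
    Execution(1, "T1566.001", "Initial Access"),     # spearphishing attachment
    Execution(2, "T1204.002", "Execution"),          # user opens the malicious file
    Execution(3, "T1053.005", "Persistence"),        # scheduled task
    Execution(4, "T1558.003", "Credential Access"),  # Kerberoasting
    Execution(5, "T1021.002", "Lateral Movement"),   # SMB / Windows admin shares
    Execution(6, "T1003.006", "Credential Access"),  # DCSync
    Execution(7, "T1074.001", "Collection"),         # local data staging
]

# Constructed blue-team record: techniques that raised a SIEM alert during the
# exercise, and the subset of those the SOC actually acted on.
ALERTED = {"T1204.002", "T1021.002", "T1003.006"}
RESPONDED = {"T1003.006"}


def classify(executed, alerted, responded):
    """Map each executed technique ID to one of the three outcomes."""
    results = {}
    for ex in executed:
        if ex.technique in responded:
            results[ex.technique] = DETECTED
        elif ex.technique in alerted:
            results[ex.technique] = ALERT_NO_RESPONSE
        else:
            results[ex.technique] = MISSED
    return results


def summarize(results):
    """Counts per outcome plus the share of techniques that produced any alert."""
    counts = Counter(results.values())
    alerting = counts[DETECTED] + counts[ALERT_NO_RESPONSE]
    return {
        "counts": dict(counts),
        "alert_coverage": alerting / len(results) if results else 0.0,
    }


def first_alert_step(executed, results):
    """Earliest kill-chain step at which anything fired; None if nothing did."""
    for ex in sorted(executed, key=lambda e: e.step):
        if results[ex.technique] != MISSED:
            return ex.step
    return None


def prioritize(executed, results):
    """Detection-engineering backlog: misses first (earliest kill-chain step
    first, since catching the attacker early cuts dwell time), then alerts that
    fired but were not acted on (a playbook gap rather than a rule gap)."""
    rank = {MISSED: 0, ALERT_NO_RESPONSE: 1}
    backlog = [ex for ex in executed if results[ex.technique] != DETECTED]
    backlog.sort(key=lambda ex: (rank[results[ex.technique]], ex.step))
    return [(ex.technique, ex.tactic, results[ex.technique]) for ex in backlog]


def gap_report(executed=EXECUTED, alerted=ALERTED, responded=RESPONDED):
    """Assemble the technique-level gap analysis from the two records."""
    results = classify(executed, alerted, responded)
    return {
        "results": results,
        "summary": summarize(results),
        "first_alert_step": first_alert_step(executed, results),
        "backlog": prioritize(executed, results),
    }


if __name__ == "__main__":
    report = gap_report()
    print(f"alert coverage: {report['summary']['alert_coverage']:.0%}, "
          f"first alert at kill-chain step {report['first_alert_step']}")
    for technique, tactic, outcome in report["backlog"]:
        print(f"  {technique:<10} {tactic:<18} {outcome}")
```

Run on the constructed data, the report shows three of seven techniques producing any alert, the first alert arriving only at step 2, and a backlog that puts the missed initial access and Kerberoasting steps ahead of the alerts nobody acted on. Tracking the same three numbers (alert coverage, first-alert step, backlog length) across successive engagements is a simple way to show the mean-time-to-detect improvement the post describes.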
Our finding: Organizations that run simulation engagements and then act on the detection gap analysis as a detection engineering sprint see measurable improvement in mean time to detect within 60 to 90 days. The simulation is only as valuable as the remediation work that follows it. The report is not the outcome: the improved detection posture is.
Credential abuse is the single most common initial access vector in confirmed breaches, accounting for 22% of all entry points in the Verizon 2025 DBIR. Vulnerability exploitation followed at 20%, a 34% increase from the prior year driven largely by edge device and VPN flaws. Together, these two vectors represent the attack surface that adversary simulation is best positioned to evaluate.
Why credentials specifically? Because detection for credential-based attacks is harder. An attacker using valid credentials does not look like malware. They look like a user. The only way to know whether your behavioral analytics, identity threat detection tools, and SOC processes can catch credential abuse is to run the scenario in your environment with real attacker techniques.
A simulation targeting credential-based initial access might include:
The following command demonstrates a targeted Kerberoasting technique that extracts service account hashes from Active Directory for offline cracking, a technique documented under ATT&CK T1558.003 and observed across multiple financially motivated threat groups:
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty hash | Out-File -FilePath C:\Windows\Temp\hashes.txt -Encoding ascii
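The command above is the attacker's side of the technique. The defender's side, as an added example that is not part of the original post or Redfox's tooling: Kerberoasting produces a burst of Kerberos service ticket requests (Windows Security event 4769) from a single account for many distinct service accounts in a short window, often with the RC4 encryption type (0x17), which is far faster to crack offline than AES. The detection below keys on that request pattern rather than on a tool name, which is the behavioral alerting the finding above says most environments lack. The event lines are constructed in a simplified key=value form, not real Windows event text, and every account, host and address in them is a placeholder.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                        # ticket encryption type used by most Kerberoasting tooling
WINDOW = timedelta(seconds=60)           # sliding window per requesting account
DISTINCT_SPN_THRESHOLD = 5               # distinct service accounts inside the window; tune to baseline

# Simplified, constructed rendering of event 4769 fields (not Windows' XML/text format).
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 TargetUserName=(?P<user>\S+) "
    r"ServiceName=(?P<service>\S+) TicketEncryptionType=(?P<etype>0x[0-9a-fA-F]+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>0x[0-9a-fA-F]+)$"
)

# Constructed sample: normal traffic, a non-4769 line, and one account sweeping SPNs.
SAMPLE_EVENTS = [
    "2026-03-04T09:14:01Z EventID=4769 TargetUserName=abrown ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.20.30.41 Status=0x0",
    "2026-03-04T09:14:03Z EventID=4769 TargetUserName=WS017$ ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.20.30.17 Status=0x0",
    "2026-03-04T09:14:04Z EventID=4768 TargetUserName=jsmith ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:05Z EventID=4769 TargetUserName=jsmith ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:06Z EventID=4769 TargetUserName=jsmith ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:07Z EventID=4769 TargetUserName=jsmith ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:08Z EventID=4769 TargetUserName=jsmith ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:09Z EventID=4769 TargetUserName=jsmith ServiceName=svc_sharepoint TicketEncryptionType=0x12 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:10Z EventID=4769 TargetUserName=jsmith ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:14:11Z EventID=4769 TargetUserName=jsmith ServiceName=svc_monitor TicketEncryptionType=0x17 IpAddress=10.20.30.40 Status=0x0",
    "2026-03-04T09:20:30Z EventID=4769 TargetUserName=abrown ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.20.30.41 Status=0x0",
]


def parse(line):
    """Return the event fields as a dict, or None for lines that are not 4769 events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def is_noise(ev):
    """Drop what every domain produces constantly: TGS requests for krbtgt,
    tickets for computer accounts ($), and failed requests."""
    return (ev["service"].lower() == "krbtgt"
            or ev["service"].endswith("$")
            or ev["status"] != "0x0")


def detect_kerberoasting(lines, window=WINDOW, threshold=DISTINCT_SPN_THRESHOLD):
    """One alert per account that requested >= threshold distinct service
    accounts inside `window`; the RC4 count is attached as supporting evidence."""
    recent = defaultdict(deque)   # user -> deque of (ts, service, etype) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or is_noise(ev):
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["service"], ev["etype"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        services = {s for _, s, _ in q}
        if len(services) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({
                "technique": "T1558.003",
                "user": ev["user"],
                "client": ev["ip"],
                "distinct_spns": len(services),
                "rc4_requests": sum(1 for _, _, e in q if e == RC4_HMAC),
                "window_end": ev["ts"],
            })
    return alerts


def run_sample():
    return detect_kerberoasting(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['technique']} {a['user']} from {a['client']}: "
              f"{a['distinct_spns']} service accounts, {a['rc4_requests']} via RC4, at {a['window_end']}")
```

The threshold and window need tuning against the environment's own baseline: monitoring or backup accounts that legitimately touch many services should be allowlisted by name rather than by raising the threshold for everyone. A lower-noise companion rule is any RC4 (0x17) ticket request for an account whose tickets are normally AES, since that downgrade has almost no benign cause once AES is enabled domain-wide.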
If you want to understand how your identity infrastructure holds up against credential-based attack chains, engage the Redfox Cybersecurity team for a threat-intelligence-led adversary simulation scoped to your environment.
The following command enumerates Active Directory for computer accounts with unconstrained delegation enabled, a common lateral movement precursor that attackers use to impersonate high-privilege users across the network:
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,ServicePrincipalNames | Select-Object Name,ServicePrincipalNames
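The same attribute that query filters on, TrustedForDelegation, is one bit of the userAccountControl value, and a defender auditing delegation wants a little more than the raw list: domain controllers carry unconstrained delegation by design and should be reported as expected rather than as findings, disabled accounts still warrant cleanup but at lower urgency, and constrained delegation with protocol transition deserves a look of its own. The audit below is an added example, not Redfox's tooling and not Microsoft's. The flag values are the documented userAccountControl bits; the directory records, account names and SPN targets are constructed.

```python
# userAccountControl bits (documented Active Directory flag values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000               # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (TrustedForDelegation)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed sample of the attributes an LDAP export would carry for each account.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$",   "userAccountControl": 0x82000,  "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "WEB01$",  "userAccountControl": 0x81000,  "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "OLDSRV$", "userAccountControl": 0x81002,  "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc_iis", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.corp.example"]},
    {"sAMAccountName": "APP02$",  "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["http/api.corp.example"]},
    {"sAMAccountName": "WS017$",  "userAccountControl": 0x1000,   "msDS-AllowedToDelegateTo": []},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def delegation_mode(record):
    """Derive the delegation configuration from the flag bits and target list."""
    uac = record["userAccountControl"]
    targets = record.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained_protocol_transition"
    if targets:
        return "constrained"
    return "none"


def classify(record):
    """Attach a defender-oriented severity to one account's delegation mode."""
    uac = record["userAccountControl"]
    mode = delegation_mode(record)
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
    disabled = bool(uac & ACCOUNTDISABLE)
    if mode == "unconstrained" and is_dc:
        severity = "expected"        # DCs have this by design; everything else is the finding
    elif mode == "unconstrained":
        severity = "medium" if disabled else "high"   # disabled: still clean it up, lower urgency
    elif mode == "constrained_protocol_transition":
        severity = "medium"          # the account can obtain tickets for any user to its targets
    elif mode == "constrained":
        severity = "info"            # review the target list, usually fine
    else:
        severity = None
    return {
        "account": record["sAMAccountName"],
        "mode": mode,
        "is_dc": is_dc,
        "disabled": disabled,
        "severity": severity,
        "targets": list(record.get("msDS-AllowedToDelegateTo") or []),
    }


def audit(records=SAMPLE_RECORDS):
    """Every account with any delegation configured, DCs included (marked expected)."""
    return [f for f in (classify(r) for r in records) if f["severity"] is not None]


def needs_action(records=SAMPLE_RECORDS):
    """Findings that are not expected, ordered by severity then account name."""
    findings = [f for f in audit(records) if f["severity"] in SEVERITY_ORDER]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["account"]))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f['severity']:<8} {f['account']:<10} {f['mode']:<32} "
              f"dc={f['is_dc']} disabled={f['disabled']} targets={f['targets']}")
```

Run against the constructed records this reports DC01$ as expected, WEB01$ as the high-severity unconstrained host, OLDSRV$ as a disabled leftover to remove, svc_iis as protocol transition to review, and APP02$ as informational. The same classification generalizes to user objects, which the Get-ADComputer query above does not cover; unconstrained delegation on a user account is rare and worth the same scrutiny as on a server.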
Redfox Cybersecurity's red team services include full Active Directory attack chain simulation, covering Kerberoasting, delegation abuse, and DCSync scenarios mapped to your specific threat profile.
Adversary simulation can be expensive and time-consuming. Done poorly, it produces a report that looks thorough but does not change anything. These are the failure patterns we see most often.
Treating simulation as a compliance checkbox. Some organizations run simulation engagements because a regulation or framework requires evidence of offensive testing. When the exercise is scoped to satisfy an auditor rather than to learn something about detection capability, the results are predictably shallow.
No blue team involvement in planning. If the defensive team does not know the exercise is happening, the organization learns that the red team can move without detection. This is useful, but it misses the more valuable lesson: can the blue team detect the attacker when they're actively looking? A phased disclosure approach, where the blue team knows the timing but not the techniques, produces better learning outcomes.
Poor scoping against actual threats. Running a simulation based on a generic APT profile when the organization's actual threat is financially motivated ransomware operators wastes time and produces findings that do not reflect real risk. The threat profiling phase is not optional.
No remediation sprint. The engagement ends and the report is filed. Detection rules are not updated. Log sources are not enabled. Six months later, the same gaps exist. This is the most common failure mode and the one that most directly undermines the return on investment.
Adversary simulation is the most rigorous test of whether your security controls, your people, and your detection logic can withstand a determined attacker operating with real techniques against your real environment. Penetration tests tell you where the holes are. Simulation tells you whether anyone would notice an attacker walking through them.
The threat landscape makes this more pressing than it has ever been. The Verizon 2025 DBIR analyzed over 22,000 security incidents and more than 12,000 confirmed breaches. Ransomware appeared in 44% of those breaches. Third-party compromises doubled year over year to account for 30% of all cases. The median time for attackers to reach Active Directory after initial access is now under 11 hours, according to Sophos. You do not have the luxury of discovering detection gaps during an actual incident.
The organizations that get the most from adversary simulation treat it as a continuous program, not a one-time event. They run engagements against updated threat profiles, track detection coverage over time against ATT&CK, and close gaps systematically between exercises.
If your organization is ready to pressure-test its defenses against the threats that are actually targeting your sector, contact Redfox Cybersecurity to scope a threat-intelligence-led adversary simulation engagement. The question is not whether your controls look good on paper. It is whether they hold under realistic attacker pressure.
Adversary simulation and adversary emulation are closely related but distinct. Simulation involves replicating the general behavioral profile of a category of threat actor, such as a ransomware operator or a financially motivated group, without reproducing the exact tooling or sequences of a specific named group. Emulation goes further, recreating the documented TTPs of a specific actor such as FIN7 or APT29 as precisely as threat intelligence allows. Both use the MITRE ATT&CK framework as a reference, but emulation requires higher-fidelity threat intelligence and more constrained execution. For most organizations, simulation provides the right level of rigor without requiring intelligence of the depth that emulation demands.
A well-scoped adversary simulation engagement typically runs two to four weeks from kickoff to final report delivery. The threat profiling and scoping phase takes three to five days. Active red team execution runs one to two weeks depending on scope and the complexity of the environment. Reporting and briefing add another week. Organizations with large or highly segmented environments, or those requesting purple team components with live detection validation, should plan for longer timelines. Rushed engagements produce shallower findings.
No. Simulation is actually most informative for organizations that do not yet know the state of their detection capability. The exercise surfaces gaps regardless of whether the organization expected them. That said, organizations with very limited logging infrastructure may find that the engagement produces a long list of foundational logging gaps before it can evaluate detection logic. This is still valuable. Some organizations run a logging and visibility assessment before a full simulation engagement to ensure the environment can produce the telemetry the exercise needs to generate meaningful detection data.
Continuous Threat Exposure Management, or CTEM, is a Gartner-defined framework for ongoing security validation rather than point-in-time assessments. Adversary simulation is one of the core capabilities within a CTEM program. The broader program combines asset discovery, exposure assessment, validation through simulation and breach-and-attack simulation tools, and a prioritized remediation cycle. Organizations that run adversary simulation as a standalone engagement get a point-in-time view. Those that integrate it into a CTEM program get a continuously updated picture of detection coverage relative to their actual threat profile.
ROI from adversary simulation is measured in two ways. The first is direct: the engagement identifies detection gaps that, if exploited in a real breach, would have cost far more to contain and recover from than the engagement cost to run. IBM's 2025 Cost of a Data Breach Report found that organizations with tested incident response plans reduced breach costs by 61%, saving an average of $2.66 million per incident. The second measure is operational: track the number of detection rules added, the reduction in mean time to detect on subsequent exercises, and the percentage of simulated techniques that now trigger alerts. Over time, these metrics show a measurable improvement in detection posture that justifies continued investment.