Always-on, MITRE ATT&CK-aligned emulation of the techniques your real adversaries use — so you find a broken control on Tuesday, not at the next annual pentest. Vendor-neutral, RMiT-mappable, board-reportable.
Breach & Attack Simulation is the discipline of running automated, safe, repeatable adversary emulations against a production environment on a continuous basis. Lightweight agents on representative endpoints, controlled network sensors, and SaaS-side connectors play the role of an attacker — executing the same tactics, techniques and procedures (TTPs) catalogued in MITRE ATT&CK — and measuring which preventive control blocked, which detective control alerted, and which control silently failed.
The crucial distinction is cadence. A traditional penetration test is a snapshot — invaluable on the day but stale within weeks. BAS gives you a live, daily measurement of control effectiveness across the full stack. When the EDR vendor pushes a content update that quietly breaks PowerShell detection, BAS notices in the next run; the annual pentest would not.
Properly governed, BAS exercises are non-disruptive: payloads are inert, exfiltration goes to a controlled sink, lateral movement is sandboxed. Every action is logged with a unique correlation ID so the SOC can validate end-to-end visibility — from raw EDR telemetry to SIEM alert to SOAR ticket to analyst response.
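The correlation-ID reconciliation described above, as an added example (not code from this page or from any BAS vendor's product): each emulated technique is graded as blocked, detected or a silent failure by matching the agent's run log against SIEM alerts on the shared correlation ID, and the attributable alerts also yield the MTTD figure used in the reporting tiers. The log records, alert records, field names and the 30-minute attribution window are constructed assumptions.

```python
# Added example, not from the nCrypt page or any BAS product: reconcile a BAS run
# log with SIEM alerts by correlation ID, grade each technique, compute MTTD.
from datetime import datetime, timedelta
from statistics import mean
# Constructed sample run: three ATT&CK techniques, each tagged with a correlation ID
# that the agent stamps into the telemetry it generates.
EMULATION_LOG = [
    {"corr_id": "bas-0001", "technique": "T1059.001", "ts": "2024-05-07T09:00:00", "outcome": "executed"},
    {"corr_id": "bas-0002", "technique": "T1003.001", "ts": "2024-05-07T09:05:00", "outcome": "prevented"},
    {"corr_id": "bas-0003", "technique": "T1021.002", "ts": "2024-05-07T09:10:00", "outcome": "executed"},
]
# Constructed SIEM alerts. bas-9999 has no matching emulation and must be ignored.
SIEM_ALERTS = [
    {"corr_id": "bas-0001", "ts": "2024-05-07T09:03:30", "rule": "Encoded PowerShell command"},
    {"corr_id": "bas-0002", "ts": "2024-05-07T09:05:10", "rule": "LSASS memory read blocked by EDR"},
    {"corr_id": "bas-9999", "ts": "2024-05-07T09:12:00", "rule": "Unrelated alert"},
]

def reconcile(emulation_log, siem_alerts, window=timedelta(minutes=30)):
    """One verdict per emulated technique:
    blocked        - agent reported the action prevented by a preventive control
    detected       - action ran and an alert with the same correlation ID arrived within window
    silent_failure - action ran and nothing alerted: this is the finding BAS exists to surface
    """
    alerts = {}
    for a in siem_alerts:
        alerts.setdefault(a["corr_id"], a)  # keep the first alert per correlation ID
    verdicts = []
    for run in emulation_log:
        alert = alerts.get(run["corr_id"])
        ttd = None
        if alert:
            ttd = datetime.fromisoformat(alert["ts"]) - datetime.fromisoformat(run["ts"])
            if not timedelta(0) <= ttd <= window:  # too early or too late: not attributable
                alert, ttd = None, None
        verdict = ("blocked" if run["outcome"] == "prevented"
                   else "detected" if alert else "silent_failure")
        verdicts.append({"technique": run["technique"], "verdict": verdict,
                         "rule": alert["rule"] if alert else None,
                         "ttd_seconds": None if ttd is None else ttd.total_seconds()})
    return verdicts

def mttd_seconds(verdicts):
    """Mean time-to-detect over techniques that produced an attributable alert."""
    times = [v["ttd_seconds"] for v in verdicts if v["ttd_seconds"] is not None]
    return mean(times) if times else None

def silent_failures(verdicts):
    """Techniques with no detection: each should become a detection-engineering ticket."""
    return [v["technique"] for v in verdicts if v["verdict"] == "silent_failure"]
```

On the constructed data the lateral-movement technique T1021.002 ran without any alert, so it is the one item that would open a detection-engineering ticket, while the EDR block on T1003.001 still counts toward MTTD because its alert carried the correlation ID.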
Our BAS programmes target the full MITRE ATT&CK Enterprise matrix — fourteen tactics and the ~150 techniques most frequently exercised by financially-motivated and state-aligned actors observed in Southeast Asia. Each technique runs on a defined cadence; coverage gaps are surfaced on the board dashboard.
Reconnaissance: Active scanning, gathering victim host information, search-engine recon
Resource Development: Acquire infrastructure, develop capabilities, stage capabilities
Initial Access: Phishing, drive-by compromise, exploit public-facing application, valid accounts
Execution: Command and scripting interpreter, scheduled task, user execution
Persistence: Boot or logon autostart, account manipulation, scheduled task, BITS jobs
Privilege Escalation: Abuse elevation control, access token manipulation, valid accounts
Defense Evasion: Obfuscated files, masquerading, indicator removal, impair defenses
Credential Access: Brute force, OS credential dumping, Kerberoasting, AS-REP roasting
Discovery: Account discovery, network sniffing, system info discovery
Lateral Movement: Remote services, lateral tool transfer, internal spearphishing
Collection: Data from local system, data from network shared drive, screen capture
Command and Control: Application layer protocol, encrypted channel, web service
Exfiltration: Exfil over C2 channel, exfil over alternative protocol, exfil over web service
Impact: Data encrypted for impact (ransomware), data destruction, service stop
The Risk Management in Technology Policy Document, paragraph 11 series, requires Malaysian financial institutions to maintain effective cyber-risk management with continuously validated controls. BNM examiners look for evidence that detective and preventive controls work — not just that they are deployed. BAS is the mainstream evidence vehicle. Specifically:
For sectors outside FSI, BAS aligns to ISO/IEC 27001:2022 Annex A.8.7 (protection against malware), A.8.16 (monitoring activities) and PCI DSS v4.0 11.5.1 (intrusion detection & prevention).
nCrypt has no exclusive reseller relationship with any BAS platform vendor. We deliver against whichever stack best fits your environment, regulatory scope and budget:
Mature enterprise platform, extensive playbook library, strong SIEM integrations
MITRE ATT&CK-native, strong purple-team workflows, education-tier available
Broad surface coverage (email, web, endpoint, lateral), faster time-to-value
Detection-rule recommendation engine, strong SOC operationalisation
Open-source, lightweight, ideal for purple-team exercises and learning
Open-source adversary emulation framework — full kill-chain orchestration
Map your existing SOC stack, regulatory scope (RMiT, PCI, ISO), control inventory and SIEM/SOAR landscape. Recommend the BAS platform and deployment topology that fits — or run a 2-week shoot-out across two candidates.
Initial full-stack run across endpoint, network, email, web and cloud surfaces. Establishes the day-zero control-effectiveness score, MITRE ATT&CK coverage map and gap inventory. Findings triaged with the customer SOC.
Daily and weekly cadence playbooks running in production. Change-triggered runs after every material control or config change. All actions correlation-ID-tagged for end-to-end visibility validation.
Each failed control becomes a ticket with a recommended detection rule. Purple-team weekly review with the SOC — rule deployed, retested, closed. Closed-loop measurement of detection coverage growth over time.
Trend dashboard mapped to RMiT clauses, ISO Annex A, and your own risk taxonomy. MTTD, MTTR, technique coverage, dwell-time simulation. Examiner-ready evidence pack.
A penetration test is a point-in-time, human-led exercise that validates a defined scope against a defined threat profile on a single date. Breach & Attack Simulation (BAS) is the always-on counterpart: automated agents and network sensors continuously emulate adversary tactics across your environment, day after day, so a regression introduced by a config change on a Tuesday is detected by Wednesday — not at the next annual pentest. The two are complementary, not substitutes. BNM RMiT-regulated entities typically run annual intelligence-led pentests AND continuous BAS for between-test assurance.
BAS is by design continuous — the platform runs scenarios on a daily, weekly or change-triggered cadence across your endpoint, network, email, web and cloud surfaces. Most Malaysian customers operate a baseline of weekly full-stack runs plus on-demand runs after every material change (new EDR rule, new firewall policy, new SaaS rollout). Quarterly board reporting is standard.
BNM RMiT does not name 'BAS' as a required tool, but paragraph 11.x on cyber resilience and control effectiveness expects FIs to continuously validate that detective and preventive controls function as designed. BAS is the mainstream way regulated FIs evidence that. PCI DSS v4.0 control 11.5.1 also drives demand among Malaysian e-commerce and payment operators.
We are deliberately tooling-agnostic. nCrypt has delivery experience across SafeBreach, AttackIQ, Cymulate and Picus on the commercial side, and Atomic Red Team, Caldera and Stratus Red Team on the open-source side. Selection is driven by the customer's existing SOC stack, budget, regulatory scope and integration footprint — not by a vendor relationship. We will run a 2-week tooling shoot-out as part of scoping if requested.
Daily detection-engineering tickets routed into the customer's ITSM. Weekly purple-team review with the SOC. Monthly trending report (MITRE ATT&CK technique coverage, mean time to detect, mean time to respond). Quarterly board-ready summary mapped to RMiT, ISO 27001 Annex A and the customer's own risk taxonomy.
Scoping calls take 30 minutes. Baseline runs deliver the day-zero score within two weeks of platform onboarding. Quarterly board reporting from quarter one.