Sandworm BAS
Breach & attack simulation and purple teaming that finds your detection gaps.
What is Sandworm BAS?
Sandworm BAS is a Breach and Attack Simulation (BAS) platform that runs safe, MITRE ATT&CK-mapped adversary techniques against your environment and automatically verifies whether your detection stack generated an alert. It is designed for detection engineers and red/purple teams that want continuous, evidence-based assurance that their controls are working rather than relying on periodic manual pen tests.
- Every simulated technique is mapped to a MITRE ATT&CK tactic and technique ID.
- Gap reports list techniques that executed without producing a corresponding alert in connected detection tools.
- Purple-team mode provides a shared view for red and blue teams to collaboratively review gaps and write remediation rules.
Set up your simulation environment
Sandworm BAS runs simulated adversary techniques in a controlled fashion against your environment. Start by defining a target scope and connecting Sandworm BAS to your detection tools for automated gap analysis.
- Define a scope: specify the IP ranges, cloud accounts, or SaaS platforms in scope — Sandworm BAS will not execute outside these bounds.
- Connect detectors: link Sandworm BAS to Sandworm SIEM and Sandworm EDR so it can automatically check whether each technique was detected.
- Credentials: provide least-privilege simulation credentials (a dedicated user with no production access) for authenticated technique execution.
- Schedule: simulations can run on demand or on a recurring schedule (weekly, monthly).
1. Define a simulation scope.
Navigate to Sandworm BAS → Scopes → New Scope. Add IP ranges, cloud account IDs, or SaaS targets. Sandworm BAS will only execute techniques within these bounds.
2. Connect your detection tools.
Link Sandworm BAS to Sandworm SIEM and Sandworm EDR under Settings → Detection Integrations so gap analysis runs automatically after each simulation.
3. Create simulation credentials.
Provision a dedicated least-privilege user (no production access) and add the credentials under Sandworm BAS → Credentials. These are used for authenticated technique execution only.
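The scope rule above (a technique never executes against a target outside the declared IP ranges, cloud accounts or SaaS tenants) is the control that keeps a BAS run safe. The following is an added illustration of how such a fail-closed scope guard works; it is not Sandworm BAS code, and the `Scope` class, the target record shape and all range, account and tenant values are constructed for the example.

```python
"""Illustrative scope guard for a BAS run (added example, not Sandworm BAS
code). A technique is cleared only if every target it would touch lies inside
the declared scope; any unknown or unparsable target fails closed."""
import ipaddress
import json
from dataclasses import dataclass, field


@dataclass
class Scope:
    # Constructed example values: CIDR ranges, cloud account IDs, SaaS tenants
    ip_ranges: list = field(default_factory=list)
    cloud_accounts: set = field(default_factory=set)
    saas_tenants: set = field(default_factory=set)

    def __post_init__(self):
        # Parse CIDRs once; a malformed range raises here, at configuration
        # time, rather than silently widening or narrowing the scope later.
        self._networks = [ipaddress.ip_network(r, strict=False) for r in self.ip_ranges]

    def allows(self, target: dict) -> bool:
        """True only for a target that is positively inside the scope."""
        kind = target.get("kind")
        if kind == "ip":
            try:
                addr = ipaddress.ip_address(target["value"])
            except ValueError:
                return False  # unparsable address is never in scope
            return any(addr in net for net in self._networks)
        if kind == "cloud_account":
            return target["value"] in self.cloud_accounts
        if kind == "saas":
            return target["value"] in self.saas_tenants
        return False  # unknown target kinds fail closed


def plan_run(scope: Scope, techniques: list) -> dict:
    """Split techniques into those cleared to run and those refused.
    A single out-of-scope target refuses the whole technique."""
    cleared, refused = [], []
    for t in techniques:
        bad = [x for x in t["targets"] if not scope.allows(x)]
        if bad:
            refused.append({"id": t["id"], "out_of_scope": bad})
        else:
            cleared.append(t["id"])
    return {"cleared": cleared, "refused": refused}


# Constructed sample scope and technique plan (ATT&CK IDs used as labels only)
SCOPE = Scope(
    ip_ranges=["10.20.0.0/16", "192.0.2.0/24"],
    cloud_accounts={"123456789012"},
    saas_tenants={"example-tenant"},
)
TECHNIQUES = [
    {"id": "T1021.002", "targets": [{"kind": "ip", "value": "10.20.5.7"}]},
    {"id": "T1078.004", "targets": [{"kind": "cloud_account", "value": "123456789012"}]},
    # One in-scope and one out-of-scope host: refused as a whole
    {"id": "T1110.003", "targets": [{"kind": "ip", "value": "10.20.5.7"},
                                    {"kind": "ip", "value": "203.0.113.9"}]},
    {"id": "T1136.003", "targets": [{"kind": "saas", "value": "other-tenant"}]},
]

if __name__ == "__main__":
    print(json.dumps(plan_run(SCOPE, TECHNIQUES), indent=2))
```

The guard is deliberately allow-list only: a target type the scope does not recognise, or an address that does not parse, is refused rather than assumed harmless, and a technique with any refused target is dropped entirely instead of being run against the subset that happens to be in scope.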
Key concepts
Sandworm BAS maps every simulation technique to the MITRE ATT&CK framework, runs the technique safely, then checks your detection stack for a corresponding alert.
- Techniques: individual ATT&CK-mapped atomic procedures (e.g. credential dumping, lateral movement via SMB).
- Scenarios: chains of techniques that simulate a realistic threat actor campaign.
- Detection gap: a technique that executed without producing an alert in your connected detection tools.
- Purple teaming: collaborative mode where the red simulation and blue detection results are reviewed together in the Sandworm BAS UI.
- Remediation guidance: each gap includes a suggested rule template for your detection platform.
Running your first simulation
Navigate to Sandworm BAS → Simulations → New Simulation. Select a technique or scenario from the ATT&CK-mapped library, confirm the scope, and click Run. Results appear within minutes.
- The Gap Report shows detected vs. undetected techniques side-by-side with ATT&CK coverage visualisation.
- Export a PDF gap report for your security leadership or audit team.
- Use the purple-team mode to share the report with your detection engineers and collaboratively write remediation rules.
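The key concepts and the Gap Report above come down to one comparison: which executed techniques produced a corresponding alert, and which did not. The following added example shows that comparison end to end on constructed data; it is not Sandworm BAS code. The matching rule (same ATT&CK technique ID, same host, alert within ten minutes of execution) and the Navigator layer version string are assumptions made for the illustration, and the execution records and alerts are constructed sample data.

```python
"""Added example of detection-gap analysis (not Sandworm BAS code).
Executed techniques are matched against alerts pulled from the SIEM/EDR;
anything unmatched is a detection gap. Also emits a minimal ATT&CK
Navigator layer so coverage can be visualised."""
from datetime import datetime, timedelta

# Constructed: techniques the simulation executed, with ATT&CK mapping
EXECUTED = [
    {"technique": "T1003.001", "tactic": "credential-access", "host": "ws-01",
     "ran_at": "2024-05-01T10:00:00"},
    {"technique": "T1021.002", "tactic": "lateral-movement", "host": "ws-01",
     "ran_at": "2024-05-01T10:05:00"},
    {"technique": "T1059.001", "tactic": "execution", "host": "ws-02",
     "ran_at": "2024-05-01T10:07:00"},
    {"technique": "T1053.005", "tactic": "persistence", "host": "ws-02",
     "ran_at": "2024-05-01T10:09:00"},
]

# Constructed: alerts retrieved from the SIEM / EDR after the run
ALERTS = [
    {"source": "edr", "technique": "T1003.001", "host": "ws-01",
     "at": "2024-05-01T10:00:40"},
    {"source": "siem", "technique": "T1059.001", "host": "ws-02",
     "at": "2024-05-01T10:08:10"},
    # Same technique ID but another host, hours later: must not count
    {"source": "siem", "technique": "T1021.002", "host": "ws-09",
     "at": "2024-05-01T13:00:00"},
]


def match_alert(execution, alerts, window=timedelta(minutes=10)):
    """Return the first alert attributable to this execution, else None.
    Attribution rule (assumed): same technique ID, same host, alert timestamp
    within `window` after the execution started."""
    start = datetime.fromisoformat(execution["ran_at"])
    for a in alerts:
        if a["technique"] != execution["technique"] or a["host"] != execution["host"]:
            continue
        if start <= datetime.fromisoformat(a["at"]) <= start + window:
            return a
    return None


def gap_report(executed, alerts):
    """Classify each execution as detected or gap; summarise per tactic."""
    results = [{**e, "alert": match_alert(e, alerts)} for e in executed]
    detected = [r for r in results if r["alert"]]
    gaps = [r for r in results if not r["alert"]]
    per_tactic = {}
    for r in results:
        d = per_tactic.setdefault(r["tactic"], {"executed": 0, "detected": 0})
        d["executed"] += 1
        d["detected"] += 1 if r["alert"] else 0
    coverage = len(detected) / len(executed) if executed else 0.0
    return {"detected": detected, "gaps": gaps,
            "per_tactic": per_tactic, "coverage": coverage}


def navigator_layer(report, name="BAS coverage"):
    """Minimal ATT&CK Navigator layer: detected techniques scored 1,
    gaps scored 0. The layer version string is an assumption."""
    techniques = [{"techniqueID": r["technique"], "score": 1,
                   "color": "#8ec843", "comment": "detected"}
                  for r in report["detected"]]
    techniques += [{"techniqueID": r["technique"], "score": 0,
                    "color": "#ff6666", "comment": "gap"}
                   for r in report["gaps"]]
    return {"name": name, "versions": {"layer": "4.5"},
            "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    rep = gap_report(EXECUTED, ALERTS)
    print(f"coverage: {rep['coverage']:.0%}")
    for g in rep["gaps"]:
        print(f"GAP {g['technique']} ({g['tactic']}) on {g['host']}")
```

The host and time-window constraints are what make the match meaningful: an alert for the same technique ID fired elsewhere hours later would otherwise mask a real gap, which is exactly the T1021.002 case in the sample data.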
Integrations
Sandworm BAS integrates with your detection tools to automate gap analysis and with Elm to track remediation work.
- Sandworm SIEM: Sandworm BAS queries SIEM alert logs after each technique execution to determine detection coverage.
- Sandworm EDR: endpoint technique executions are checked against EDR alert data for gap analysis.
- CloudGuard (CNAPP): Sandworm BAS reads the entitlement graph to simulate cloud lateral-movement scenarios.
- Elm (SOAR): gap reports can auto-create Elm cases assigned to detection engineers for remediation tracking.
- Reporting: PDF export of gap reports for audit teams; MITRE ATT&CK Navigator layer export for programme documentation.
API and CLI
Trigger simulations and retrieve gap reports programmatically via the sandworm CLI or REST API.
- `sandworm sardaukar simulations list` — list past simulations with status.
- `sandworm sardaukar simulate run --scenario <id>` — kick off a simulation run.
- `sandworm sardaukar gaps list --simulation <id>` — list detection gaps for a run.
- REST API: see the OpenAPI spec at /api/sardaukar/openapi.json on your deployment.
For example, to start the lateral-movement scenario: `sandworm sardaukar simulate run --scenario lateral-movement`