Looking Back at 2022: Adoption at Scale, Research, and Validated Industry Analysis 

A look back at how AttackIQ's customers and advanced research, as well as key players in the analyst community, helped propel the breach and attack simulation market forward in 2022. Read More

A Thank You to the AttackIQ Employees, Analysts, Customers, and Partners that Helped Us Continue to Innovate  

The past 12 months have been a critical period of growth for the Breach and Attack Simulation (BAS) market and for AttackIQ’s emergence as the industry leader in this category. Gartner highlighted Breach and Attack Simulation as a top security trend in late 2021, and in September, 2022, CISA and U.S. government allies Australia, Canada, and the United Kingdom began recommending for the first time that organizations automate continuous security control validation using MITRE ATT&CK, garnering international attention. All of this points towards the movement of BAS and automated security control validation from being a technology that is nice to have to a technology that security teams require to achieve real security outcomes.  

Why? After years of investment in cybersecurity, security programs fail because of a lack of testing against real-world threats. Logically, organizations want to optimize their existing defense technologies and make their security teams more effective against the adversary. That’s why the most strategic security leaders, including at organizations like the U.S. Army, JetBlue, and ISS World Services, are turning to AttackIQ and automated security control validation. This past year saw a record number of new logos added to the AttackIQ customer base. We also saw the continued growth of AttackIQ Academy (closing the year with 40,000 practitioners in 190+ countries), the launch of the AttackIQ Adversary Research Team, and the publication of a groundbreaking report on security effectiveness.  As the year comes to a close, I want to reflect on the work of our employees, customers, partners and the broader research and analyst communities. Their efforts helped AttackIQ ensure organizations have access to insights and education that enables better cybersecurity decisions and investments. I will highlight a few key points, focusing on our research first, and then pivot to the path ahead.  

Adversary Research Team Uncovers Historic Security Control Failures Leveraging MITRE ATT&CK  

AttackIQ’s Adversary Research Team (ART) released timely information and recommendations on U.S. CERT alerts throughout the year to help our customers and the public better protect themselves from cyberattacks. The group also released its first comprehensive report detailing security control effectiveness within our customer base. Using anonymized customer data from our cloud platform, the ART identified the top MITRE ATT&CK tactics, techniques and procedures (TTPs) that succeeded against EDR security controls, revealing that endpoint detection and response controls only stop cyberattacks 39 percent of the time.  

Creating Opportunities to Bring the Cybersecurity Community Together for Education and Collaboration  

At AttackIQ, we are passionate about fostering a community around the practice of a threat-informed defense. Our free AttackIQ Academy, part of the Informed Defender Community and provided as a public service, introduced new classes throughout the year. This included security leader-level content taught by guest technology and security experts such as Columbia University’s Dr. Art Langer and Direct Line Group CISO Robert Duncan. We also launched Academy Live in-person classes on “Building Threat-Informed Emulation Plans” in eight cities across the U.S. and EMEA, featuring expert instructors and fellow cybersecurity professionals sharing their insights. The award-winning Purple Hats Conference also returned for its second year, with keynote speakers Jen Easterly, Richard Danzig, and Arthur Brooks, as well as leaders from Stripe, Google, Mt. Sinai Hospital, the MITRE ATT&CK team, Toyota, POLITICO,  and technical experts from across the security community. This event has grown enormously in the last two years and has become the go-to venue for security teams and security leaders focused on adopting a threat-informed defense and outcomes-based approach to cybersecurity management. 

A Thank You to the Analysts Delivering Validated Market Insight 

Our momentum over the last year would not have been possible without the analyst community’s guidance. Given the current pressure on CISOs to make data-driven decisions on where to invest or divest to meet risk and security goals, the insights provided by Gartner, Forrester, IDC and ESG have helped companies better understand how automated breach and attack simulation is being used to optimize people, processes, and technologies.   

Gartner’s hype cycle, for example, was pivotal in recognizing BAS as a category for security programs to incorporate. Their insight has helped us to identify meaningful ways to innovate for customers, and, as a result, AttackIQ has a 4.8/5 rating on Gartner Peer Insights with 78 reviews.  

In addition to our work with Gartner, we partnered with IDC in 2022 to develop a Business Value White Paper, an interview-based report focused on major enterprise customers that outlined significant financial and organizational benefits gained from AttackIQ’s Security Optimization Platform and the process of testing and validating security program performance. The study emerged from five in-depth interviews with enterprise security leaders based in the United States and Europe across the healthcare, IT, and financial services sectors. IDC found that these organizations attributed substantial improvements in risk and security operations and substantial reductions in cost to their use of the AttackIQ platform. They were able to reduce the cost of a potential security breach on average by nearly $4 million annually, improve security operations team efficiency by 47%, and save more than $900,000 in staff time per year. 

Our work with ESG similarly surfaced the benefits of automated security control validation. ESG released key findings from its cybersecurity hygiene and posture management survey. In a poll of 400 cybersecurity professionals in North American enterprises, the number one action respondents said would improve cybersecurity hygiene? You guessed it: continuous security control validation. The survey discovered a number of key findings. First, organizations are struggling to get their hands around their cyberterrain, which is growing larger and more complex every day due to an explosion of devices, IT connections to third parties, and use of public clouds as infrastructure. Second, security teams need to protect their organization by thinking like their adversaries and continuously measuring the impact of their assumptions and decisions. Finally, continuous security control validation is the number one action respondents said would improve cybersecurity hygiene. You can read more about ESG’s analysis here 

These resources provide the credible, data-backed analysis our industry needs. It’s why we only communicate with globally recognized analyst firms, to include Gartner, Forrester, IDC and ESG, and eschew firms that fail to follow analytic best practices. Because of the success of top-tier firms in shaping the BAS market, however, some sub-standard analyst firms have begun to produce content with incorrect, misleading, or not corroborated or verified data. It is important therefore for business leaders to focus on quality. Anything sub-standard does customers a grave disservice when facing critical decisions on where to spend their finite resources budgets. 

Looking Ahead 

In today’s market, security teams must optimize and maximize the effectiveness of all their security products, people, tools, and processes. Breach and Attack Simulation is critical to maximizing the security budget and getting the most out of investments. Every CISO must be able to answer the critical question: Are we ready for the next attack? The AttackIQ Security Optimization Platform is trusted by large government agencies, private organizations, and public companies alike to answer that question. Looking ahead to 2023, we are eager to continue helping teams anticipate adversary behavior, improve operational performance against advanced persistent threats, and ensure the effectiveness and efficiency of their security programs.  

To learn more about the benefits organizations have gained from continuous testing, including staff savings, decreasing the cost of breaches, and efficiencies gained through purple team operations, download the IDC report ungated here: attackiq.com/idcbv.