Security Optimization Journey Blueprint

Phase 3: Strategic Defense Posture

In this phase, you achieve significant security maturation for your organization. You exercise your organization against known threats continuously to sharpen your defense capabilities. You map real data about your cybersecurity effectiveness to regulatory and compliance requirements to validate success. Your purple team operations are in full swing, aligning red and blue teams through a threat-informed defense strategy that grounds the organization in tractable, clear data about real-world adversary behaviors.

Expected outcomes: You have meaningful ways to measure and evaluate the performance of your people, processes, and technologies. You can train in a real-world environment against an adversary. You have a strong process for benchmarking your security return on investment. You are streamlining your compliance process.

Exercises and Training

Analyst Training, Team Exercises, Table-Top Exercises. You test your analysts against specific certification requirements to ensure that they know how to operate their security controls and how to perform under exercise conditions. You use the platform to conduct a range of attacks that test your security team’s capabilities, large scale or small scale, across the whole security organization or against a specific component of it. The platform makes the exercise real by pitting the team against a real-world adversary, such as the Russian or Iranian government in a conflict scenario.

Machine Learning and Artificial Intelligence Training. For software development, you can use the Security Optimization Platform to train a machine learning or artificial intelligence model to catch attacker behaviors, sharpening the tool’s security capabilities. Models need to learn how to adapt to threats, and AttackIQ’s adversary emulation plans from the scenario library can help. This approach takes advantage of the software you have in development to build a strong defense. It focuses on training models to detect specific attacker behaviors, drawn from MITRE ATT&CK, from AttackIQ’s library, or from a tailored emulation that the company builds using AttackIQ’s open API.

Security Control Rationalization. Assess your security controls’ effectiveness; identify and resolve gaps and overlaps in your security control stack; conduct a risk assessment of your security vendors; and then prioritize, consolidate, and eliminate unnecessary security controls. In this phase, your security team uses the AttackIQ Security Optimization Platform to assess how each security control is functioning and to rationalize its use based on measured effectiveness and security posture requirements. This capability sits under your architecture team, which faces a series of choices as it rationalizes its strategy.

Architectural Strategy Rationalization. A security team always faces one of three strategic choices for its security investments. In this phase, you can use the platform to make data-driven decisions about the future of your strategy. What are the three options when you rationalize your security architecture strategically?

  1. A perfect security strategy. In this option, costs are not a factor; you want to close every door and seal every compartment. This is the most expensive option.
  2. A good enough security strategy. You want to optimize for the lowest cost of doing business with maximum effectiveness. Under this approach, you look for products that are broadly capable, highly integrated, and reliable.
  3. Your own security strategy. In this option, you may have the resources, or the proprietary or classification demands, that require your own purpose-built security solution.

By deploying the Security Optimization Platform against your current capabilities, you can determine the right course for your future investments.

You may also need to test your security control effectiveness under a change of security policy driven by demands within your workforce. Do you want higher walls or more freedom? For example, should employees be able to use Gmail on an unclassified network? In this scenario, use AttackIQ to test the incident response team on issues that might arise from a policy transition. AttackIQ’s scenario library and open API let you test the organization’s security effectiveness under the new policy.

Compliance Dashboarding

Control Framework Assessment. Often the risk team owns the control framework assessment and anchors the security framework to the control framework (e.g., the NIST Special Publication 800-53 control families, or any sector-specific framework that may be required, such as HIPAA or PCI DSS). Your risk team can use the AttackIQ Security Optimization Platform to validate the technical effectiveness of those security controls, either through the audit team or on its own initiative.

Continuous Compliance Mapping. Compliance requirements are often ambiguous, and regulators will often look to you to show how you achieve the objectives they have set. You can use the platform to reduce your compliance and regulatory burden by mapping regulatory and compliance controls to tests, running those tests continuously, mapping the resulting data back onto the compliance framework, and then training your auditors on how the process works. Under the control framework assessment process, the Director for Threat-Informed Defense can look at all of the controls, and at the business assets that those controls protect, and say to the components of the security organization that manage the Security Optimization Platform, “help me articulate the status of my control framework.” This process provides the data and documentation that regulators need from the security team.
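The control rationalization and continuous compliance mapping described above both come down to the same bookkeeping: take the outcome of each emulated adversary behavior, attribute it to the security product that handled it, and roll the results up to the control framework the risk team cares about. The following is an added example, not code from AttackIQ or from this blueprint. The test results, the product names, and the pairing of ATT&CK technique IDs with NIST SP 800-53 control IDs are constructed sample data (the technique and control identifiers themselves are real, but the mapping between them is a hypothetical one a risk team would author).

```python
"""Roll control-validation results up to a compliance control framework.

Added illustration, not AttackIQ platform code. RESULTS and
TECHNIQUE_TO_CONTROLS are constructed sample data; the pairing of
techniques to 800-53 controls is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    scenario: str    # name of the emulated adversary behavior
    technique: str   # ATT&CK technique ID the scenario exercises
    product: str     # security control (product) under evaluation
    outcome: str     # "prevented", "detected", or "missed"


# Constructed results from one validation run across three products.
RESULTS = [
    TestResult("Spearphishing attachment", "T1566.001", "EmailGateway", "prevented"),
    TestResult("Spearphishing attachment", "T1566.001", "EDR", "detected"),
    TestResult("OS credential dumping", "T1003", "EDR", "detected"),
    TestResult("OS credential dumping", "T1003", "SIEM", "missed"),
    TestResult("Remote services: RDP", "T1021.001", "EDR", "missed"),
    TestResult("Remote services: RDP", "T1021.001", "SIEM", "missed"),
    TestResult("Data encrypted for impact", "T1486", "EDR", "prevented"),
]

# Hypothetical mapping authored by the risk team: which 800-53 controls
# each tested technique provides evidence for. One technique may evidence
# several controls, and one control is evidenced by several techniques.
TECHNIQUE_TO_CONTROLS = {
    "T1566.001": ["SI-3", "SI-8"],
    "T1003": ["SI-4", "AC-6"],
    "T1021.001": ["AC-17", "SI-4"],
    "T1486": ["CP-9", "SI-3"],
}

EFFECTIVE = {"prevented", "detected"}


def technique_status(results):
    """Return {technique: {"effective": bool, "covering": [products]}}.

    A technique counts as covered when at least one product prevented or
    detected it; every product that did so is listed so overlaps stay visible.
    """
    status = {}
    for r in results:
        entry = status.setdefault(r.technique, {"effective": False, "covering": []})
        if r.outcome in EFFECTIVE:
            entry["effective"] = True
            if r.product not in entry["covering"]:
                entry["covering"].append(r.product)
    return status


def control_pass_rates(results, mapping):
    """Return {control: (passed, total)} over the techniques mapped to it.

    Each tested technique contributes one pass or fail to every control it
    evidences, so the tuple is the figure an auditor can read per control.
    """
    status = technique_status(results)
    tally = defaultdict(lambda: [0, 0])
    for technique, controls in mapping.items():
        if technique not in status:
            continue  # no test evidence for this technique in this run
        for control in controls:
            tally[control][1] += 1
            if status[technique]["effective"]:
                tally[control][0] += 1
    return {c: (p, t) for c, (p, t) in sorted(tally.items())}


def coverage_gaps(results):
    """Techniques no product prevented or detected: rationalization gaps."""
    return sorted(t for t, s in technique_status(results).items() if not s["effective"])


def coverage_overlaps(results):
    """Techniques two or more products handled: candidates for consolidation review."""
    return {t: s["covering"] for t, s in technique_status(results).items()
            if len(s["covering"]) > 1}


def untested_controls(results, mapping, framework_controls):
    """Framework controls with no test evidence at all in this run."""
    evidenced = set(control_pass_rates(results, mapping))
    return sorted(set(framework_controls) - evidenced)


if __name__ == "__main__":
    framework = ["AC-6", "AC-17", "AU-6", "CP-9", "SI-3", "SI-4", "SI-8"]
    for control, (passed, total) in control_pass_rates(RESULTS, TECHNIQUE_TO_CONTROLS).items():
        print(f"{control}: {passed}/{total} evidencing techniques covered")
    print("gaps:", coverage_gaps(RESULTS))
    print("overlaps:", coverage_overlaps(RESULTS))
    print("untested controls:", untested_controls(RESULTS, TECHNIQUE_TO_CONTROLS, framework))
```

Run as a script, it prints one line per evidenced control plus the gap, overlap, and untested lists. The gap list (here the RDP technique nobody caught) is what the architecture team acts on; the overlap list (the phishing technique both the gateway and the EDR handled) feeds the consolidation question; and the untested-controls list reminds the risk team that a control with no mapped scenarios has no evidence behind it, however the dashboard is colored.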