Forem: Sahil Malvi

From Validation to Valuation: How BAS in CTEM Turns Into a Weapon Against OEM Licensing Bloat

Sahil Malvi — Sat, 18 Oct 2025 12:52:42 +0000

Start of my POV:

In BFSI, most of them spend millions on security controls: EDRs, SIEMs, DLPs, WAFs, firewalls. Vendors pitch them as silver bullets, and procurement signs cheques because who dares say no to security?
But here’s the uncomfortable question: who validates whether those million-dollar controls actually deliver what OEMs claim?

It’s not only about whether an EDR spotted a payload, or if a DLP stopped sensitive file movement. It’s about whether the OEM’s million-dollar license actually delivers resilience when tested under fire.

PPT Slide decks or POCs don’t stop breaches. BAS does.

That’s where my thinking shifted. BAS isn’t just a purple team tool for defense readiness inside CTEM, it becomes a business weapon. It validates, yes. But more importantly, it gives you negotiation leverage against OEMs charging enterprise premiums while quietly missing real-world attacks.

The Old Game-Paying for Promises:

Vendors/OEM sell a dream “Our EDR stops ransomware, our DLP blocks insider leaks, our SIEM gives total visibility, our WAF blocks every threat.”
Renewal comes, procurement signs millions again.

But when reality plays out, the shortcomings become clear:

EDR misses obfuscated payload and shadow copy deletion.
DLP lets sensitive data slip out over various channels.
SIEM floods dashboards with noise but misses the chain.
WAF looks impressive on paper, but lateral moves pass unhindered.
IAM misconfigurations let service accounts pivot into crown-jewel stores and IAM vendors rarely get this tested.

We don’t pay for proof, we pay for promises. Year after year, license costs keep climbing with some new fancy add-ons.

Slide decks assure ‘99% coverage, AI, behavioural detection, and other buzzwords.’ Yet when BAS runs a real attack chain, the truth is laid bare. Critical gaps like data exfiltration remain unaddressed.
That’s the old game: trust the pitch, ignore the gaps, and keep the OEM wheel spinning with our budgets.

The Current Game-Reality Check:

Once BAS runs in an environment, nothing stays the same: OEM claims are validated under real-world conditions. Controls thought to be airtight start showing vulnerabilities with their flawed policies and misconfiguration. Dashboards that once gave comfort now scream with overlooked gaps.

The integration is small, but the impact is massive. Teams finally see what works, what fails, and where risk truly lies. BAS doesn’t deal in assumptions, it delivers fact-based results. Every high-impact tactic that slips through isn’t a theory anymore; it’s logged evidence staring everyone in the face.

And that’s where the tension begins. BAS doesn’t just challenge vendors,
it challenges us. Security teams, product owners, even executives who signed off on compliance dashboards suddenly see that “handled alerts” don’t equal resilience. BAS makes enemies because it removes excuses.
But that’s exactly its value every gap it uncovers becomes a call to action.

The fallout is productive. This phase is a bit rough for both the BAS operator and the other security teams until the mitigation steps are mapped.

Some vendors will resist so hard they’ll try to discredit the BAS tests rather than improve. The arms race will intensify. Parameters are tightened. Shadow IT teams get dragged into the light.
Those “we’ll fix it later” leaks finally climb to the top of the list. The conversations shift from comfort in promises to discomfort in proof.

The Current Game is internal. It’s about awareness, accountability, and responsibility.
It’s about forcing the right people to understand the how and the why of security not just the what. BAS becomes the compass, pulling organizations from assumption to reality, from blind spending to evidence driven security posture.

The New Game-Valuation, brochures vs receipts:

When BAS first enters, it exposes cracks. But when it matures inside an organization, the game shifts completely.

Now, every OEM/vendor promise has receipts.
Every overlooked misconfiguration, every policy gap, every silent miss is logged not as theory but as hard data.

And that data becomes a weapon at the boardroom.

Renewal isn’t about who has the best marketing brochure anymore
Renewal is about evidence:

This is where your solution broke under real attack simulation.
This is where we had to step in because your coverage failed.
This is where alerts were created by BAS but not detected or reported by Security Solution.
For BFSI, this is power.
Because for once, it’s not just spending under pressure it’s negotiating with backbone. BAS has already done the hard part: stripping away comfort, removing excuses, forcing visibility.

OEMs can’t hide behind “will check with team and update” or inflated protection scores. Either they fix, or they justify, or they face reduced valuation.

This is the new game.
Renewals are no longer driven by faith, but by evidence and that evidence gives BFSI the leverage to set the terms. This is where CTEM provides the broader context: BAS is not an isolated tool but a critical stage in a continuous, risk-based approach.

What’s CTEM ?

Not a tool but a risk-based approach
CTEM is not a single product, but a continuous, risk-based approach to identifying, prioritizing, and mitigating exposures across the organization. It ensures security teams focus on the most critical threats, rather than chasing every vulnerability in the stack.

Gartner CTEM in Five Steps:

When Gartner first introduced Continuous Threat Exposure Management (CTEM), it shifted the conversation. CTEM wasn’t pitched as just another tool or dashboard; it was framed as a programmatic approach to continuously diagnosing and acting on the exposures that truly matter, a Proactive approach .

Gartner breaks CTEM into five steps three in the diagnosis stage and two in the action stage:

Diagnosis → Scoping, Discovery, Prioritization
Action → Validation, Mobilization
These steps aren’t meant to be a rigid, one way pipeline. In reality, they loop and feed each other. For example, validation often uncovers unexpected exposures, which then demand a fresh look at prioritization. Likewise, a newly discovered asset might be too critical to push into a future cycle it must be pulled back into the current one. CTEM is deliberately flexible: it treats exposure management as a continuous cycle, not a quarterly checklist or once in blue moon.

The Five Stages of Gartner CTEM:

1. Scoping

Define the security areas and boundaries to assess.
Identify critical assets, business priorities, and likely adversaries.
Note: “Know what matters most before you chase every vulnerability.”

2. Discovery

Map exposures across assets: vulnerabilities, misconfigurations, identity weaknesses, and shadow IT.
Tools include external attack surface management (EASM) and active scanning.
Note: “You can’t protect what you don’t see.”

3. Prioritization

Rank exposures based on exploitability, business impact, and attacker behavior.
Frameworks: EPSS (Exploit Prediction Scoring System), SSVC (Stakeholder Specific Vulnerability Categorization).
Consider attack path analysis to see how multiple weaknesses could chain into a high impact compromise.
Note: “Not all gaps are equal in focus where the attacker would first strike.”

4. Validation ~ where BAS kicks in

Test whether prioritized exposures can actually be exploited.
BAS, pentesting, and red teaming simulate real attacks.
Note: “Theory meets reality, proof is better than assumption.”

5. Mobilization

Turn validated findings into coordinated action across teams.
Feed insights into security operations, procurement, and executive decisions.
Note: “Security becomes a business enabler when insights lead to accountable action.”

Conclusion, a closing Note on CTEM:

CTEM isn’t just another Gartner acronym to park on a slide show, it’s a working discipline. The real value lies in how it forces organizations to stop chasing noise and start aligning security with business impact. With scoping, discovery, and prioritization, you learn where the fire could start. With validation, BAS ensures the flames aren’t just theoretical. And mobilization ensures fixes aren’t buried in ticket queues but actually move the needle.

The benefit? Security stops being reactive firefighting and becomes risk-driven execution. Teams know what matters, leaders see proof instead of promises, and investments finally map back to resilience.

CTEM isn’t designed to satisfy compliance; it is designed to safeguard continuity.

if you want to explore CTEM in greater depth, I’d strongly suggest the Cymulate CTEM whitepaper it provides an excellent overview from theory to implementation.

The real winners in this new game aren’t the claims,
They’re the organizations that uses the BAS + CTEM approach to put hard evidence behind every dollar they spend.

— — — — — — — — — — — — — — — — — — — — — — — — — — — —
Na chal-kapāṭena raxṣā, na vākyaiḥ viśvāsaḥ; Raxitānām pramāṇena, satyam eva tiṣṭhati.
(Neither trick nor speech brings protection, nor trust;
Through proof of protection, truth alone stands firm.)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —

No Harm, Real Alarms: How BAS Simulates Ransomware to Test EDR Resilience

Sahil Malvi — Thu, 25 Sep 2025 08:36:17 +0000

This write-up is divided into three parts:
The Attack: Understanding Ransomware
A breakdown of how ransomware operates, from initial access to encryption.

How EDR Solutions Work and Detect Threats
An overview of how Endpoint Detection and Response (EDR) tools identify, analyze, and mitigate ransomware behavior.

~How Breach and Attack Simulation (BAS) Technology Mimics Attacks
A deep dive into how BAS platforms simulate ransomware attacks without causing real damage to user data or system files.

The Attack: Understanding Ransomware
What Happens When Ransomware Executes?

When ransomware is executed, its behavior varies depending on the type. Some variants are self-contained, such as locker ransomware, which restricts access to the system. Others are network-aware worms, like WannaCry or Ryuk, capable of spreading across connected systems.

Regardless of the variant, most ransomware follows a common chain of actions. Here’s a breakdown of what typically happens post-execution:

Step-by-Step: What Ransomware Does After Execution

Initial Setup and Evasion
Runs in memory
Anti-VM & anti-sandbox checks
Kills security processes (EDRs, AVs)
Escalates privilege (UAC bypass or exploits)
Persistence
Modifies registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creates scheduled tasks or service
Drops itself in temp folders or %APPDATA%
File Discovery and Target Enumeration
Scans file systems for target file extensions:
.doc, .xls, .pdf, .jpg, .db, .pst, etc.

Skips system folders sometimes to avoid crashing system (smart ones do).

Searches connected media including

USB drives
Mapped Network drive
Mounted shares

Once suitable targets are identified, the ransomware proceeds to encrypt files containing sensitive or high-value data, such as:

PII (Personally Identifiable Information)
PCI (Payment Card Information)
Business-critical user files

If the infected system has access to shared drives or USBs, those files may be encrypted as well — expanding the impact beyond the local machine.

How EDR Solutions Work and Detect Threats
EDR is focused on endpoints (like your laptop, desktop, or server),watching processes, memory, files, registry, and network calls in real time.

EDR Detects Ransomware Using:

Behavior-Based Detection (Most Effective) EDR tools like CrowdStrike, SentinelOne, Microsoft Defender for Endpoint watch for:

File I/O anomaly: rapid encryption of multiple files (CreateFile, WriteFile, Rename)
File entropy changes (plain → encrypted becomes high entropy)

.txt, .doc, .xls → .locked, .encrypted

File extensions being renamed in bulk

Unusual process spawning:
winword.exe → drops powershell.exe
explorer.exe → spawns vssadmin.exe

Ransomware encrypts hundreds of files in seconds. That’s unusual compared to user activity.

Command Line Pattern Matching EDR inspects suspicious command lines like:

vssadmin delete shadows /all /quiet
bcdedit /set {default} recoveryenabled no
cipher /w:C
A normal user doesn’t run this. EDR flags this as ransomware behavior or destruction of recovery.

Process Tree Monitoring Tracks parent-child process chains:

winword.exe → powershell.exe → cmd.exe → malware.exe
This suspicious chain = alert.

Honeypots / Canary Files Some EDRs plant hidden decoy files like:

C:\Users\Public\DoNotTouch_Monitor.docx
If touched its likely ransomware assumed by EDR solution.

Memory Injection / Code Injection Detection
If ransomware injects into a legitimate process (e.g., explorer.exe) using CreateRemoteThread or VirtualAllocEx, EDR flags it.
ML/Heuristics
Behavior profiling and anomaly detection
New ransomware (unknown hash) still gets caught via behavior, not signature.

How Breach and Attack Simulation (BAS) Technology Mimics Attacks
BAS simulates ransomware attacks using non-destructive behavioral mimicry. You’re spot on across most aspects. Let’s break this down and fine-tune the key technical points, highlight EDR interaction, and address some practical realities for red/blue teams.

BAS Ransomware Simulation

Behavioral Simulation — Not Actual Ransomware Does not encrypt real files — no user or system data is harmed. Label: T1486

Emulates observable ransomware behaviors, such as:

Mass file access operations
File renaming across multiple directories
Simulated extension changes (e.g., .docx ➝ .locked)
Fake “encryption-like” content or entropy increase (not real encryption)
These behaviors are used to trigger EDR/XDR responses

How BAS Interacts with EDR EDR solutions don’t rely on signatures only. They look for behavior like:

High-rate file modification
Use of built-in tools (vssadmin, bcdedit) Label: T1490
Suspicious process trees (explorer.exe → powershell.exe) Label: T1059, T1059.003
Unusual entropy or file type changes
Memory injection or child process spawning. Label: T1086
BAS simulates these, not executes them. The simulation engine triggers behavioral signatures, e.g.:

Creating hundreds of fake .locked files
Renaming test files to simulate encryption
Simulating file scans and system API calls used by real ransomware (e.g., CreateFile, WriteFile, SetFileTime)
EDR is fooled (intentionally) to think ransomware is present — validating detection logic.

Why %TEMP%, %ProgramData%, and Controlled Scopes? These directories:

Are commonly abused by real malware.
Are writable by standard users (safe to test without risking system files).
Let the agent run simulated payloads in realistic but isolated environments.
BAS: Uses local test files only, avoids real user data, and confines all activity to agent-controlled zones for safe execution and cleanup

Safe Emulation Tactics Used by BAS Simulated encryption: Instead of encrypting actual data,

BAS writes dummy files may changes harmless content. Alters timestamps or metadata.
Registry Simulation:

Creates mock entries that mimic persistence tactics but does not touch critical keys.
Mock Process Injection:

BAS may simulate or replay an injection attempt into explorer.exe, but doesn’t actually inject malicious code.
C2 Communication Simulation:

May simulate DNS queries or test beaconing and can test whether security tools detect this without contacting a real malicious server.

BAS Agent Capabilities The BAS Agent:

Executes the tests locally on the endpoint. Can run custom payloads or template-based tests. Cleans up afterward with self destruction code injected in the script.

Real-World Use Case (Example):
You run a BAS ransomware simulation:

Agent creates 20 fake .locked files in %TEMP%.
Renames them with high-entropy contents and uses PowerShell to simulate registry/persistence.
Your EDR detects this: Ransomware behavioral match — blocked, Logs high write frequency + fake encryption. ATP flags simulated shadow copy deletion attempt.
No real files are harmed, but your detection pipeline gets stress-tested just like in a live attack.

Below script for test purpose

#ItsMalvious
---------------------------------------------------------------------
# Create test directory
$TestDir = "$env:TEMP\RansomTest"
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

# Step 1: Create 20 .txt files
1..20 | ForEach-Object {
    $FilePath = Join-Path $TestDir "File$_.txt"
    Set-Content -Path $FilePath -Value "This is file $_ for simulation"
}

# Step 2: Rename first 10 to .locked, next 10 to .encrypted
Get-ChildItem -Path $TestDir -Filter *.txt | Sort-Object Name | Select-Object -First 10 | ForEach-Object {
    Rename-Item $_.FullName ($_.FullName -replace '.txt$', '.locked')
}

Get-ChildItem -Path $TestDir -Filter *.txt | Sort-Object Name | Select-Object -First 10 | ForEach-Object {
    Rename-Item $_.FullName ($_.FullName -replace '.txt$', '.encrypted')
}

# Optional: Simulate file content change to mimic encryption
Get-ChildItem -Path $TestDir -Filter *.locked,*.encrypted | ForEach-Object {
    Set-Content $_.FullName -Value ("X" * 2048)  # High entropy simulation
}

# Step 3: Wait for EDR to observe activity
Start-Sleep -Seconds 10

# Step 4: Self-destruct - delete all files and folder
Remove-Item -Path $TestDir -Recurse -Force

What the Script Actually Does:
~ Creates a Folder
$TestDir = "$env:TEMP\RansomTest"
This creates a folder like:

C:\Users\Sahil\AppData\Local\Temp\RansomTest
So it’s working only in your system’s TEMP directory, not your Desktop, Downloads, or Documents.

Creates 20 Text Files:
It creates fake .txt files like:

File1.txt, File2.txt, ..., File20.txt
inside the RansomTest folder only.

Renames & Modifies Only Those Files:
It renames and modifies only the 20 files within the same folder:

File1.txt → File1.locked
File11.txt → File11.encrypted
Then writes 2048 "X" characters into each to simulate encryption.
Deletes Only the Test Folder:
Remove-Item -Path $TestDir -Recurse -Force
This only deletes the RansomTest folder and its contents, nothing else.

Will It Touch Your Desktop or Real Files?
Doesn’t touch C:\Users\Sahil\Desktop\
Doesn’t access your Documents, Downloads, or network drives
Only works in $env:TEMP\RansomTest

Verdict / My Opinion

BAS tools give blue teams the power to test and validate their ransomware detection capabilities without putting their environments at risk.

By simulating attacker behavior — not malware payloads — BAS tools enable organizations to:

Verify their EDRs and SIEMs are correctly tuned
Train analysts to respond to ransomware scenarios
Continuously assess security posture without real damage
If you’re looking to understand ransomware better, start by simulating it safely — and study how your EDR reacts. It’s the safest way to get as close to the real thing as possible without crossing the line.

NOTE: Security isn’t just about deploying expensive tools — it’s about proving they actually work when it matters.
Breach and Attack Simulation (BAS) gives organizations the power to challenge their own defenses — testing whether technologies like EDR, DLP, PAM, IAM, WAF, proxy, and SIEM aren’t just deployed, but effective.

But this goes beyond just testing. With Continuous Threat Exposure Management (CTEM) — a strategic approach introduced by Gartner
— With BAS and CTEM, CISOs and security leaders can:

Map technical risk to real business impact
Show executive leadership where actual exposure lies
Prioritize and justify security budgets based on validated protection

This is how a CISO stops guessing and starts leading.

You can’t fix what you don’t see — and you can’t justify what you can’t prove. BAS and CTEM together bring visibility, validation, and real-world confidence back into cybersecurity.

Because in today’s threat landscape, if your defenses only look good on paper —
you’re already breached.

This is just the start.
A complete series is on the way — breaking down how real-world attacks work and how each security solution responds.
Stay tuned — because understanding the how is the first step to defending the now.

|Rakṣā-vidyāyām ācāryā x-śūnyatāṁ t*īvrā anubhūtiḥ **tārayati **a*rjunam.|
(In the science of protection, the teacher of unknowns pierces illusion and uplifts the seeker.)