Red Team & BAS
MITRE ATT&CK emulation plans, CVE exploit mapper, detection gap reports, and threat feed marketplace.
/red-teamHow BAS works
OverviewHow Breach and Attack Simulation Works
BAS (Breach and Attack Simulation) tests your detection capabilities by safely emulating the techniques real threat actors use. Unlike a penetration test, BAS:
- Uses non-destructive techniques that cannot cause actual damage
- Runs continuously (not just annually)
- Produces a detection gap report showing exactly which MITRE techniques you can and cannot detect
- Requires no specialist red team knowledge
Emulation vs simulation
- Simulation — mimics the effects of an attack without actually executing malicious code (what GuardFoxCopilot does)
- Emulation — fully replicates attacker tools and techniques (requires specialist red team)
What gets tested
Each emulation plan covers a specific threat actor or attack pattern and contains 4–15 MITRE ATT&CK techniques. GuardFoxCopilot checks whether your SIEM, EDR, and detection rules flagged each technique.
Running an emulation plan
How to useRunning an Emulation Plan
- Go to Cloud & Testing → Red Team BAS → ⚔️ Emulation Plans
- Select a plan from the left panel (APT29, LockBit 3.0, Credential Harvesting)
- Click Run Emulation
- Watch each technique resolve in real-time — green (detected), red (missed), yellow (partial)
- When complete, click Show Gap Report
Reading the gap report
- Coverage % — overall detection rate across all techniques
- By tactic breakdown — which ATT&CK phases you're weak in
- Gaps list — each missed/partial technique with an analyst note explaining why it was missed and what rule to add
Acting on gaps
For each missed technique:
- Check if the relevant data source is connected (e.g., ETW for process injection)
- Add or tune the SIEM rule
- Re-run the emulation plan to verify the gap is closed
Pre-built plans
| Plan | Actor | Techniques |
|---|---|---|
| APT29 Emulation | Cozy Bear (Russia) | 11 techniques |
| LockBit 3.0 | Ransomware group | 6 techniques |
| Credential Harvesting | FIN7-style | 4 techniques |
CVE Exploit Mapper
How to useUsing the CVE Exploit Mapper
The CVE Exploit Mapper shows you which vulnerabilities have public exploit code available, so you can prioritise patching correctly.
Understanding EPSS
EPSS (Exploit Prediction Scoring System) is the probability that a CVE will be exploited in the wild in the next 30 days. It's more actionable than CVSS alone:
- CVSS 9.8 with EPSS 0.1% — theoretically severe, rarely exploited
- CVSS 7.5 with EPSS 97% — high exploitation probability — patch first
Exploit source tags
- 🟠 PoC — proof-of-concept code publicly available
- 🔴 Metasploit — fully weaponised exploit module in Metasploit Framework
- 🔵 Nuclei — detection/exploitation template for automated scanning
- 🟣 ExploitDB — documented exploit on exploit-db.com
CISA KEV
If a CVE has the CISA KEV badge, it is confirmed as actively exploited in the wild and US federal agencies are legally required to patch within the FCEB deadline. Treat these as P1 regardless of CVSS.