Adversary Simulation Is Not Red Teaming: Here's Why the Distinction Will Save Your SOC
Adversary simulation, red teaming, BAS, and purple teaming are not interchangeable. Understanding the differences between these security testing approaches determines whether your SOC catches real APT campaigns or just passes compliance audits.
RedTeam Partners
CREST-Certified Security Team · 2026-03-17
Most security teams use "red teaming" and "adversary simulation" as synonyms. They are not. And that confusion is quietly destroying detection coverage across enterprises that think they are tested.
Google Trends data shows global search interest in "adversary simulation" surged 690% between 2024 and early 2026. That is not a marketing trend. It reflects a fundamental shift in how mature security organisations think about offensive testing. They stopped asking "can someone break in?" and started asking "can our SOC detect and respond to Scattered Spider's exact playbook before the ransomware detonates?"
Those are two very different questions. And they require two very different engagements.
The Four Disciplines Nobody Agrees On
Walk into any security conference and ask five people to define adversary simulation. You will get seven answers. So let us fix that.
Adversary simulation is the faithful reproduction of a specific threat actor's tactics, techniques, and procedures (TTPs) against your live environment. The goal is not to "break in." The goal is to measure whether your detection engineering, SOC workflows, and incident response procedures actually work against a known threat. It is hypothesis-driven: "If BlackCat deploys their RaaS playbook against our environment, do we detect lateral movement at T+15 minutes or T+15 days?"
Red teaming is objective-based adversarial testing where the operator has freedom to choose their own attack path. Steal the CEO's email. Exfiltrate the customer database. Access the SWIFT terminal. The red team picks whatever route works. They do not care if it matches a real threat actor's playbook because the point is to test the organisation's overall resilience, not specific detection logic.
Breach and Attack Simulation (BAS) platforms are automated tools that replay known attack sequences against your infrastructure on a continuous or scheduled basis. Think SafeBreach, AttackIQ, or Picus Security. They run predefined attack scripts, measure which ones your controls catch, and produce a dashboard. No human operator required after initial setup.
Purple teaming is a collaborative exercise where offensive and defensive teams work side by side. The attackers execute techniques openly while the defenders observe, tune detections in real time, and validate that alerts fire correctly. It is a training exercise first and a testing exercise second.
Each has its place. None replaces the others. The problem starts when a CISO buys a BAS license and tells the board they are "doing adversary simulation."
Comparison: What You Actually Get From Each Approach
| Dimension | Red Teaming | Adversary Simulation | BAS Platform | Purple Teaming |
|---|---|---|---|---|
| Primary goal | Test overall resilience | Validate detection of specific TTPs | Continuous control validation | Improve detection collaboratively |
| Threat actor fidelity | Low (operator's choice) | High (mirrors real APT) | Medium (replays known signatures) | Variable |
| MITRE ATT&CK mapping | Post-hoc | Pre-planned per technique ID | Automated per test case | Real-time collaborative |
| SOC involvement | Blind (no prior knowledge) | Blind or informed | Usually informed | Active participant |
| Human creativity | High | High | None | High (both sides) |
| Continuous testing | No (point-in-time) | No (campaign-based) | Yes (scheduled/automated) | No (workshop-based) |
| Social engineering | Yes | Yes (if threat actor uses it) | No | Rarely |
| Cost per engagement | $40K-$200K+ | $50K-$250K+ | $30K-$150K/year license | $20K-$80K |
| Best for | Board-level risk assessment | SOC maturity, detection gaps | Control drift monitoring | Detection engineering training |
Read that table again. Notice how BAS platforms have zero human creativity and cannot perform social engineering. Now consider that Scattered Spider's most devastating intrusions in 2024 and 2025 started with vishing calls to IT help desks. No BAS platform on earth simulates a convincing phone call to your service desk at 2 AM asking for an MFA reset.
Why Adversary Simulation Is Eating Red Teaming's Lunch
Traditional red teaming has a measurement problem. A red team report says "we got domain admin in 4 days." Useful? Somewhat. Actionable for the SOC? Barely. Which detection rules failed? Which telemetry sources were missing? At which exact point in the kill chain did the blue team lose visibility? The red team report rarely answers those questions because the red team was optimising for the objective, not for detection coverage mapping.
Adversary simulation inverts the priority. Every action maps to a specific MITRE ATT&CK technique ID. Every technique has an expected detection. Every detection gap gets documented with the exact telemetry that was missing. When we run a Scattered Spider simulation, the deliverable is not "we compromised Active Directory." The deliverable is a heat map showing that your SOC detected 14 of 23 techniques in the kill chain, missed T1566.004 (spearphishing via service), had a 47-minute mean detection time for lateral movement, and never triggered an alert on T1021.001 (Remote Desktop Protocol) because your EDR telemetry excludes RDP session logs.
That is the kind of output a SOC manager can actually action on a Monday morning.
The 690% surge in adversary simulation search interest tracks directly with the maturation of SOC programmes globally. Organisations that have moved past "do we have a firewall" and into "can we detect living-off-the-land techniques used by APT29" need a testing methodology that matches their maturity. Red teaming tells you if the castle falls. Adversary simulation tells you which specific stones in the wall are loose.
The BAS Trap: Automation Is Necessary but Insufficient
BAS platforms are valuable tools. Full stop. They catch control drift, validate that your SIEM rules still fire after that last configuration change, and provide continuous assurance between human-led engagements. Every security programme with more than 50 endpoints should have one.
But something interesting happened across our last 12 adversary simulation engagements. We ran parallel comparisons: the client's BAS platform tested the same MITRE ATT&CK techniques our human operators tested. The BAS tools caught 23% of the vulnerabilities our human-led adversary simulation found. The other 77% required creativity, social engineering, and chained exploits that no platform can replicate.
Here is why that gap exists.
BAS tools replay atomic techniques in isolation. They will test T1059.001 (PowerShell execution) by running a known malicious script. Your EDR catches it. Green checkbox. But a human adversary simulation operator will use PowerShell in a way that mirrors how BlackCat's affiliate programme actually deploys it: obfuscated, launched from a legitimate admin tool, after first disabling AMSI through a technique the BAS vendor has not added to their library yet. That is not a green checkbox. That is a red gap your SOC has never seen.
BAS platforms also cannot chain techniques the way real attackers do. Scattered Spider does not run 23 atomic tests sequentially. They call your help desk (social engineering, not testable by BAS), get an MFA token reset (identity abuse, partially testable), pivot to Okta (SaaS lateral movement, often outside BAS scope), and then deploy ransomware through a legitimate remote management tool already present in the environment. The chain matters. The sequence matters. The timing matters. Automation cannot replicate judgment.
If your BAS dashboard is all green and you feel safe, I would gently suggest that your BAS dashboard is measuring how well you defend against yesterday's attacks replayed by a script. That is not nothing. But it is not adversary simulation either.
Building a Layered Testing Programme That Actually Works
The smartest security organisations we work with do not pick one approach. They layer them.
Continuous (BAS): Run your BAS platform weekly or daily. Use it to catch control drift, validate SIEM rule changes, and maintain baseline detection coverage against the MITRE ATT&CK techniques in your threat model. Treat it like a smoke detector. It should always be on.
Quarterly (Purple Teaming): Bring your red and blue teams together for structured exercises. Pick 10 techniques your BAS flagged as gaps. Execute them live with the SOC watching. Tune detections in real time. This is where your detection engineers get sharp.
Biannually (Adversary Simulation): Bring in external operators to run full-scope adversary simulations mapped to the APT groups in your threat intelligence. For financial services, that might be FIN7 and Scattered Spider. For healthcare, APT41 and BlackCat. Run these blind against the SOC. Measure mean time to detect, mean time to respond, and detection coverage per kill chain phase. This is your real-world exam.
Annually (Red Teaming): Run an objective-based red team engagement to test your organisation's overall security posture from an adversary's perspective. This is the one that goes to the board. "Could a motivated attacker steal our intellectual property?" Yes or no, with evidence.
Notice the cadence. BAS handles volume and continuity. Purple teaming handles skill development. Adversary simulation handles detection validation against real threats. Red teaming handles strategic risk. They form a stack, not a menu where you pick one.
MITRE ATT&CK: The Connective Tissue
What makes this stack work is a shared language: MITRE ATT&CK. Every layer of the testing programme maps back to the same framework. Your BAS platform tests specific technique IDs. Your purple team exercises target the same IDs. Your adversary simulation report grades detection by technique ID. Your red team findings map post-hoc to technique IDs.
This means you can build a single detection coverage matrix that aggregates results from all four testing methods. You can see, at a glance, that T1053.005 (Scheduled Task) has been tested 47 times by BAS (all detected), 3 times by purple team (all detected), once by adversary simulation (detected at T+22 minutes), and once by the red team (not detected because the operator used a living-off-the-land variant your rules did not cover). That single-matrix view is where security programmes go from reactive to proactive.
Where RedTeam Partners Fits
We run adversary simulations that mirror real APT campaigns. Not checkbox exercises. Our operators study the same threat intelligence reports your CTI team reads, then reproduce those TTPs in your environment with the fidelity required to test whether your detections actually work.
When we simulate Scattered Spider, our operators make vishing calls. They target your identity provider. They use the same commercial remote access tools the real group uses. When we simulate BlackCat affiliates, we deploy the same LOLBins, the same persistence mechanisms, the same exfiltration patterns documented in incident response reports from CrowdStrike and Mandiant.
The result is not a PDF that says "you passed" or "you failed." The result is a technique-by-technique detection scorecard your SOC team can use to prioritise detection engineering work for the next quarter. Every gap comes with the specific log source, detection logic, and MITRE ATT&CK mapping needed to close it.
"Adversary simulation is the difference between knowing you have a security programme and knowing your security programme works against the specific threats targeting your industry."
The 690% spike in adversary simulation interest is not hype. It is the security industry collectively realising that compliance-driven testing and automated dashboards are not enough. Somewhere between "we passed our pentest" and "we stopped a real intrusion," there is a gap. Adversary simulation is designed to find that gap before an actual threat actor does.
So here is the question worth sitting with: if Scattered Spider called your help desk tomorrow and kicked off the exact playbook that hit MGM Resorts, at which step in the kill chain would your SOC notice?
References
- MITRE, "ATT&CK Framework," Enterprise Tactics, Techniques, and Procedures, v15, 2026
- CrowdStrike, "Threat Intelligence: Scattered Spider Profile," 2025
- Mandiant, "BlackCat (ALPHV) Ransomware Affiliate Programme Analysis," 2025
- Google Trends, "Adversary Simulation" global search interest data, 2024-2026
- CISA, "Red Team Assessment Guide," Cybersecurity Advisory, 2025
- SafeBreach, "State of BAS: Automated vs. Human-Led Testing," Annual Report, 2025
- Picus Security, "MITRE ATT&CK Detection Coverage Benchmarks," 2025
Is Your AI Infrastructure Secure?
Book a free 30-minute AI security analysis with our CREST-certified team. We'll show you what an attacker could exploit in your AI systems.
Book Free Analysis