
  # Best Breach and Attack Simulation (BAS) Software

  *By [Brandon Summers-Miller](https://research.g2.com/insights/author/brandon-summers-miller)*


   Breach and attack simulation (BAS) software is used to mimic real-world security threats to help businesses prepare incident response plans and discover potential vulnerabilities in their security systems. These simulated attacks might send fake phishing attacks to employees or attempt a cyberattack on a company’s [web application firewall](https://www.g2.com/categories/web-application-firewall-waf). Many tools even provide automated simulations with AI-based threat logic and continuous testing to ensure teams are always prepared to properly handle security incidents.

Most of these simulations are available at all times. Many businesses use them periodically as updates are made to security systems or security policies are changed. Without simulated attacks, it can be difficult to assess the efficacy of security operations; customized simulations can mimic various threats to different surface areas or within unique environments to help businesses prepare and evaluate their defense against all kinds of multivector threats.

Breach and attack simulation software tools are typically capable of performing [penetration tests](https://www.g2.com/categories/penetration-testing) or simulating attacks similar to those of some [dynamic application security testing](https://www.g2.com/categories/dynamic-application-security-testing-dast) tools and [vulnerability scanners](https://www.g2.com/categories/vulnerability-scanner). But most of those solutions only mimic a single kind of threat and are not continuously available. They also do not provide the same outcome details or report on vulnerabilities and security posture to the same degree as BAS solutions.

To qualify for inclusion in the Breach and Attack Simulation (BAS) software category, a product must:

- Deploy threats targeting various attack surfaces
- Simulate both cyberattacks and data breaches
- Quantify risk and evaluate security posture based on attack response
- Provide remediation process guidance and improvement suggestions




  
  
## How Many Breach and Attack Simulation (BAS) Software Products Does G2 Track?
**Total Products under this Category:** 52

### Category Stats (Jun 2026)
- **Average Rating**: 4.55/5 (the average rating of products in this category, based on all submitted ratings)
- **Top Trending Product**: Pentera (+0.13%). Among all products in this category, Pentera recorded the largest rating increase compared to last month.

*Last updated: June 09, 2026*

  
## How Does G2 Rank Breach and Attack Simulation (BAS) Software Products?

**Why You Can Trust G2's Software Rankings:**

- 30 Analysts and Data Experts
- 1,200+ Authentic Reviews
- 52+ Products
- Unbiased Rankings

G2's software rankings are built on verified user reviews, rigorous moderation, and a consistent research methodology maintained by a team of analysts and data experts. Each product is measured using the same transparent criteria, with no paid placement or vendor influence. While reviews reflect real user experiences, which can be subjective, they offer valuable insight into how software performs in the hands of professionals. Together, these inputs power the G2 Score, a standardized way to compare tools within every category.

  
## Which Breach and Attack Simulation (BAS) Software Is Best for Your Use Case?

- **Leader:** [Picus Security](https://www.g2.com/products/picus-security/reviews)
- **Easiest to Use:** [Cymulate](https://www.g2.com/products/cymulate/reviews)
- **Top Trending:** [Adaptive Security](https://www.g2.com/products/adaptive-security/reviews)
- **Best Free Software:** [Picus Security](https://www.g2.com/products/picus-security/reviews)

  
---


  ## What Are the Top-Rated Breach and Attack Simulation (BAS) Software Products in 2026?
### 1. [Picus Security](https://www.g2.com/products/picus-security/reviews)
  Picus Security is the pioneer of Breach and Attack Simulation (BAS) and Adversarial Exposure Validation (AEV). The Picus Security Validation Platform unifies exposure assessment, security control validation, and exposure validation to help organizations continuously measure and reduce real cyber risk. By safely simulating real-world attacks across network, endpoint, and cloud, Picus quantifies security control effectiveness and provides a transparent Exposure Score, revealing the <2% of vulnerabilities still exploitable and instantly deprioritizing the rest. This validation-led approach enables teams to cut patch backlogs by 86%, reduce MTTR from 74 to 14 days, and strengthen operational resilience. Trusted globally and rated 98% willingness to recommend on Gartner Peer Insights™, Picus empowers organizations to pinpoint exploitable risks, close gaps faster, continuously validate cyber readiness, and sustain proven resilience.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 229

**Who Is the Company Behind Picus Security?**

- **Seller:** [Picus Security](https://www.g2.com/sellers/picus-security)
- **Company Website:** https://www.picussecurity.com
- **Year Founded:** 2013
- **HQ Location:** San Francisco, California
- **Twitter:** @PicusSecurity (2,916 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/picus-security/ (315 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** Cyber Security Specialist, Cyber Security Engineer
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 38% Enterprise, 37% Mid-Market


#### What Are Picus Security's Pros and Cons?

**Pros:**

- Simulation (114 reviews)
- Ease of Use (75 reviews)
- Continuous Validation (63 reviews)
- Actionable Insights (58 reviews)
- Integration (55 reviews)

**Cons:**

- Reporting Limitations (44 reviews)
- Integration Issues (32 reviews)
- Steep Learning Curve (28 reviews)
- Complex Setup (26 reviews)
- Limited Customization (21 reviews)

### 2. [Cymulate](https://www.g2.com/products/cymulate/reviews)
  Designed for security teams to continuously validate threats and build exposure-informed defenses, the Cymulate Platform combines advanced attack simulation with an agentic cyber defense engineering control plane to continuously prove, prioritize and adapt security controls for the latest threats. With a daily feed of threat intelligence and a comprehensive attack library, Cymulate is a SaaS offering that applies AI to tailor offensive testing to the environment while integrating with security stack to push updates for immediate prevention and detection. Core use cases include threat validation, control validation & tuning, detection engineering, and vulnerability validation and prioritization.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 174

**Who Is the Company Behind Cymulate?**

- **Seller:** [Cymulate](https://www.g2.com/sellers/cymulate)
- **Company Website:** https://www.cymulate.com
- **Year Founded:** 2016
- **HQ Location:** Holon, Israel
- **Twitter:** @CymulateLtd (1,079 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/cymulate (231 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** Security Analyst, Cyber Security Engineer
  - **Top Industries:** Financial Services, Banking
  - **Company Size:** 56% Enterprise, 42% Mid-Market


#### What Are Cymulate's Pros and Cons?

**Pros:**

- Ease of Use (73 reviews)
- Security (41 reviews)
- Vulnerability Identification (41 reviews)
- Features (39 reviews)
- Customer Support (33 reviews)

**Cons:**

- Improvement Needed (12 reviews)
- Integration Issues (10 reviews)
- Reporting Issues (8 reviews)
- Complexity (6 reviews)
- Inefficient Alert System (6 reviews)

### 3. [Adaptive Security](https://www.g2.com/products/adaptive-security/reviews)
  Adaptive Security is the security layer for the AI era, protecting organizations and their employees from modern cyberattacks. AI has changed how every company works, and it's changed how every company gets attacked. Employees use AI tools IT doesn't know about. Attackers craft deepfakes, vishing calls, and spear phishing emails that get past filters. Adaptive addresses all of it in one unified platform: managing AI tool usage before it becomes a liability, training employees on the threats they'll actually face, simulating AI-powered attacks in a safe environment, and protecting the inbox and browser so threats never reach their intended targets. Because it's one platform, Adaptive develops a complete risk picture and uses it automatically, applying targeted training, attack simulations, real-time interventions, and policy controls to lower risk over time. More than 1,000 organizations run Adaptive to manage their human security program, and the company has raised $150M+ from investors including NVIDIA, Andreessen Horowitz, Bain Capital Ventures, and Citi Ventures.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 79

**Who Is the Company Behind Adaptive Security?**

- **Seller:** [Adaptive Security](https://www.g2.com/sellers/adaptive-security)
- **Company Website:** https://www.adaptivesecurity.com
- **Year Founded:** 2024
- **HQ Location:** New York, US
- **LinkedIn® Page:** https://www.linkedin.com/company/adaptivesecurity (242 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Financial Services, Computer Software
  - **Company Size:** 68% Mid-Market, 18% Enterprise


#### What Are Adaptive Security's Pros and Cons?

**Pros:**

- Training (22 reviews)
- Ease of Use (18 reviews)
- Customer Support (13 reviews)
- Easy Implementation (11 reviews)
- Awareness Increase (10 reviews)

**Cons:**

- Limited Customization (5 reviews)
- Group Management (3 reviews)
- Inadequate Reporting (2 reviews)
- Integration Issues (2 reviews)
- Learning Curve (2 reviews)

### 4. [Pentera](https://www.g2.com/products/pentera/reviews)
  Pentera is the category leader for Automated Security Validation, allowing every organization to test with ease the integrity of all cybersecurity layers, unfolding true, current security exposures at any moment, at any scale. Thousands of security professionals and service providers around the world use Pentera to guide remediation and close security gaps before they are exploited. Its customers include Casey's General Stores, Emeria, LuLu International Exchange, IP Telecom PT, BrewDog, City National Bank, Schmitz Cargobull, and MBC Group. Pentera is backed by leading investors such as K1 Investment Management, Insight Partners, Blackstone, Evolution Equity Partners, and AWZ. Visit https://pentera.io for more information.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 169

**Who Is the Company Behind Pentera?**

- **Seller:** [Pentera](https://www.g2.com/sellers/pentera)
- **Company Website:** https://pentera.io/
- **Year Founded:** 2015
- **HQ Location:** Boston, MA
- **Twitter:** @penterasec (3,291 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/penterasecurity/ (483 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Banking, Government Administration
  - **Company Size:** 52% Enterprise, 36% Mid-Market


#### What Are Pentera's Pros and Cons?

**Pros:**

- Vulnerability Identification (5 reviews)
- Automation (4 reviews)
- Customer Support (4 reviews)
- Improvement (4 reviews)
- Automated Testing (3 reviews)

**Cons:**

- Inadequate Reporting (2 reviews)
- Missing Features (2 reviews)
- Resource Intensive (2 reviews)
- Access Control (1 review)
- Access Restrictions (1 review)

### 5. [Sophos PhishThreat](https://www.g2.com/products/sophos-phishthreat/reviews)
  Sophos Phish Threat is a cloud-based security awareness training and phishing simulation platform designed to educate employees on identifying and responding to phishing attacks. By simulating realistic phishing scenarios and providing interactive training modules, it helps organizations strengthen their human firewall against cyber threats.

  Key Features and Functionality:

  - Realistic Phishing Simulations: Offers hundreds of customizable templates that mimic real-world phishing attacks, enabling organizations to test and improve employee vigilance.
  - Automated Training Modules: Provides over 30 interactive training courses covering security and compliance topics, automatically enrolling users who fall for simulated attacks.
  - Comprehensive Reporting: Delivers actionable insights through intuitive dashboards, tracking user susceptibility, training progress, and overall organizational risk levels.
  - Multi-Language Support: Available in nine languages, ensuring accessibility for diverse workforces.
  - Seamless Integration: Integrates with Sophos Central, allowing unified management alongside other security solutions like email and endpoint protection.

  Primary Value and Problem Solved: Sophos Phish Threat addresses the critical challenge of human error in cybersecurity by transforming employees into proactive defenders against phishing attacks. By combining realistic simulations with targeted training, it reduces the likelihood of successful phishing attempts, thereby enhancing the organization's overall security posture and minimizing the risk of data breaches and financial loss.


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 23

**Who Is the Company Behind Sophos PhishThreat?**

- **Seller:** [Sophos](https://www.g2.com/sellers/sophos)
- **Year Founded:** 1985
- **HQ Location:** Oxfordshire
- **Twitter:** @Sophos (36,759 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/5053/ (5,500 employees on LinkedIn®)
- **Ownership:** LSE:SOPH

**Who Uses This Product?**
  - **Top Industries:** Computer & Network Security
  - **Company Size:** 54% Mid-Market, 29% Small-Business


### 6. [HTB CTF & Threat Range](https://www.g2.com/products/htb-ctf-threat-range/reviews)
  The HTB CTF Platform turns cyber training into an addictive team experience. Choose from 250+ scenarios, host events for hundreds of players, and launch in less than 10 minutes without additional setup required. Live scoreboards, team chat, and advanced reporting reveal strengths, gaps and next best steps. Leaders calling CTFs the best way to beat burnout and improve performance, HTB delivers the proven formula for engaged, attack-ready teams.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 22

**Who Is the Company Behind HTB CTF & Threat Range?**

- **Seller:** [Hack The Box](https://www.g2.com/sellers/hack-the-box)
- **Company Website:** https://www.hackthebox.com/
- **Year Founded:** 2017
- **HQ Location:** Folkestone, GB
- **Twitter:** @hackthebox_eu (246,095 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/hackthebox/ (2,272 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Computer & Network Security
  - **Company Size:** 45% Enterprise, 36% Small-Business


### 7. [vPenTest](https://www.g2.com/products/vpentest/reviews)
  Vonahi Security is building the future of offensive cybersecurity by delivering automated, high-quality penetration testing through its SaaS platform, vPenTest. Designed to replicate the tools, techniques, and methodologies of experienced consultants, vPenTest brings the benefits of manual network penetration testing into an easy-to-use, automated solution. Traditionally, penetration testing has been a manual, time consuming, and expensive process that many organizations only perform once or twice a year. This often leaves businesses exposed to emerging threats between assessments. vPenTest addresses this gap by offering fast, consistent, and on-demand testing that helps organizations evaluate their real-time cybersecurity risk more effectively. Powered by a proprietary framework that evolves through continuous research and real-world insights, vPenTest stays aligned with the latest attack techniques and industry best practices. The platform is backed by over 13 years of offensive security expertise, with the team holding certifications such as CISSP, OSCP, OSCE, CEH, and more. Their knowledge is built directly into the platform, ensuring each test is conducted with depth, consistency, and accuracy—without the delays or variability of manual testing.  vPenTest enables organizations to run internal and external network penetration tests as often as needed monthly, quarterly, or prior to audits or insurance reviews. The automated reports provide actionable insights that make it easy to prioritize remediation and demonstrate progress toward compliance. Today, over 22,000 organizations rely on vPenTest to strengthen their security posture and reduce risk. This includes managed service providers, managed security service providers, financial institutions, compliance-driven organizations, and internal IT teams. 
Whether you're working to meet regulatory requirements, secure cyber insurance coverage, or proactively defend against evolving threats, vPenTest makes network penetration testing easy, affordable, and scalable.


  **Average Rating:** 4.6/5.0
  **Total Reviews:** 238

**Who Is the Company Behind vPenTest?**

- **Seller:** [Kaseya](https://www.g2.com/sellers/kaseya)
- **Company Website:** https://www.kaseya.com/
- **Year Founded:** 2000
- **HQ Location:** Miami, FL
- **Twitter:** @KaseyaCorp (17,411 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/kaseya/ (5,471 employees on LinkedIn®)

**Who Uses This Product?**
  - **Who Uses This:** CEO
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 68% Small-Business, 25% Mid-Market


#### What Are vPenTest's Pros and Cons?

**Pros:**

- Ease of Use (29 reviews)
- Reporting Quality (28 reviews)
- Pentesting Efficiency (26 reviews)
- Setup Ease (18 reviews)
- Ease of Implementation (14 reviews)

**Cons:**

- Limited Scope (12 reviews)
- Complex Setup (8 reviews)
- Lack of Detail (7 reviews)
- Inadequate Reporting (6 reviews)
- Expensive (5 reviews)

### 8. [Right-Hand Cybersecurity](https://www.g2.com/products/right-hand-cybersecurity/reviews)
  Right-Hand is a Human Risk Management company supporting organizations across North America and APAC, working with teams across a wide range of industries including finance, education, retail, healthcare, and manufacturing. The platform is built to help security leaders understand, measure, and reduce human-initiated risk in modern, distributed environments where technology alone is no longer enough. Most security programs generate large volumes of alerts and telemetry but struggle to translate that data into meaningful insight about human behavior. Right-Hand addresses this challenge by integrating with core security tools such as email security, EDR, DLP, CASB, and SIEM. These integrations surface high-signal events and contextual risk indicators tied directly to user actions, giving teams visibility into where risky behavior occurs, which patterns lead to incidents, and how human risk changes over time across the organization. Building on this foundation, Right-Hand provides purpose-built AI agents that support security awareness execution at scale. The vishing agent enables realistic voice-based simulations, the email agent supports the creation of phishing templates and scenarios, and the training agent helps generate and adapt learning content based on role, behavior, and exposure. Together, these agents allow teams to move beyond static programs and deliver continuous, relevant awareness without relying on one-size-fits-all content or manual effort. The primary value of Right-Hand is turning visibility into action. Instead of compliance-driven training disconnected from real risk, organizations gain a data-informed program that links behavior, learning, and outcomes. Security teams can reduce repeat incidents, lower operational noise, demonstrate progress over time, and build a stronger, more resilient security culture aligned with how people actually work.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 69

**Who Is the Company Behind Right-Hand Cybersecurity?**

- **Seller:** [Right-Hand Cybersecurity](https://www.g2.com/sellers/right-hand-cybersecurity)
- **Company Website:** https://right-hand.ai/
- **Year Founded:** 2019
- **HQ Location:** Lewes, Delaware
- **Twitter:** @righthand_ai (139 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/19126566 (44 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Financial Services, Information Technology and Services
  - **Company Size:** 55% Mid-Market, 28% Enterprise


#### What Are Right-Hand Cybersecurity's Pros and Cons?

**Pros:**

- Customer Support (31 reviews)
- Ease of Use (23 reviews)
- Training (16 reviews)
- Helpful (15 reviews)
- Aware (8 reviews)

**Cons:**

- Inadequate Reporting (6 reviews)
- Limited Features (6 reviews)
- Phishing Issues (5 reviews)
- Integration Issues (4 reviews)
- Limited Customization (2 reviews)

### 9. [RidgeBot](https://www.g2.com/products/ridgebot/reviews)
  RidgeBot by Ridge Security is a leading agentic AI-driven offensive security platform, supporting continuous threat management programs. It enables CISOs to minimize cyber risks by continuously validating the cybersecurity posture and controls protecting attack surfaces against increasingly sophisticated and frequent attacks. RidgeBot automatically tests an organization’s entire IP-based environment, including network infrastructure, applications, websites, IoT, and OT, using ethical hacking techniques to pinpoint the most critical vulnerabilities. Its dynamic AI-powered decision-making supports DevSecOps, compliance, incident response verification, and custom attack simulations. RidgeBot maintains a library of over 36,000 plugins to launch complex penetration tests and attack simulations, with detailed reporting of results and remediation recommendations.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 98

**Who Is the Company Behind RidgeBot?**

- **Seller:** [Ridge Security Technology](https://www.g2.com/sellers/ridge-security-technology)
- **Company Website:** https://ridgesecurity.ai/
- **Year Founded:** 2020
- **HQ Location:** Santa Clara, California
- **Twitter:** @RidgeSecurityAI (1,291 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/ridge-security/ (47 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 51% Small-Business, 45% Mid-Market


#### What Are RidgeBot's Pros and Cons?

**Pros:**

- Automation (16 reviews)
- Ease of Use (15 reviews)
- Pentesting Efficiency (12 reviews)
- Vulnerability Identification (12 reviews)
- Efficiency (9 reviews)

**Cons:**

- Complexity (4 reviews)
- Complex Setup (4 reviews)
- Missing Features (4 reviews)
- Poor Customer Support (3 reviews)
- Poor Documentation (3 reviews)

### 10. [Defendify All-In-One Cybersecurity Solution](https://www.g2.com/products/defendify-all-in-one-cybersecurity-solution/reviews)
  Founded in 2017, Defendify is pioneering All-In-One Cybersecurity® for organizations with growing security needs, backed by experts offering ongoing guidance and support. Delivering multiple layers of protection, Defendify provides an all-in-one, easy-to-use platform designed to strengthen cybersecurity across people, process, and technology, continuously. With Defendify, organizations streamline cybersecurity assessments, testing, policies, training, detection, response & containment in one consolidated and cost-effective cybersecurity solution. 3 layers, 13 solutions, 1 platform, including:

  - Managed Detection & Response
  - Cyber Incident Response Plan
  - Cybersecurity Threat Alerts
  - Phishing Simulations
  - Cybersecurity Awareness Training
  - Cybersecurity Awareness Videos
  - Cybersecurity Awareness Posters & Graphics
  - Technology Acceptable Use Policy
  - Cybersecurity Risk Assessments
  - Penetration Testing
  - Vulnerability Scanning
  - Compromised Password Scanning
  - Website Security Scanning

  See Defendify in action at www.defendify.com.


  **Average Rating:** 4.7/5.0
  **Total Reviews:** 57

**Who Is the Company Behind Defendify All-In-One Cybersecurity Solution?**

- **Seller:** [Defendify](https://www.g2.com/sellers/defendify)
- **Year Founded:** 2017
- **HQ Location:** Portland, Maine
- **Twitter:** @defendify (305 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/11098948/ (36 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Information Technology and Services, Computer & Network Security
  - **Company Size:** 65% Small-Business, 35% Mid-Market


#### What Are Defendify All-In-One Cybersecurity Solution's Pros and Cons?

**Pros:**

- Ease of Use (8 reviews)
- Cybersecurity (6 reviews)
- Easy Setup (5 reviews)
- Insights (5 reviews)
- Monitoring (5 reviews)

**Cons:**

- Inadequate Reporting (4 reviews)
- Poor Reporting (4 reviews)
- Lack of Information (2 reviews)
- Limited Customization (2 reviews)
- Limited Features (2 reviews)

### 11. [Simulations Labs](https://www.g2.com/products/simulations-labs/reviews)
  Simulations Labs is an AI-powered platform that enables organizations, educators, and security teams to create realistic, reusable, and scalable hands-on cybersecurity simulations—without complex setup or infrastructure.

  - Fully Managed Hosting Without Infrastructure Overhead: Organizations run CTFs and simulations without DevOps, server setup, or maintenance.
  - No Worries About Attacks or Server Downtime: Simulations Labs automatically manages security, monitoring, and uptime, even during large-scale events. Organizers don’t need to worry about servers being attacked, crashing, or going offline.
  - Custom Simulation Creation with Dashboard: Simulations Labs offers a dashboard that allows organizers to create and manage fully custom simulations. Each simulation provisions isolated environments for participants, supports web application challenges, and can include dynamic flags to prevent cheating.
  - AI-Powered Challenge Creation: Unlike traditional platforms that require technical expertise, our AI-powered tools enable non-technical users to create simulations and challenges quickly and easily.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 10

**Who Is the Company Behind Simulations Labs?**

- **Seller:** [Simulations Labs](https://www.g2.com/sellers/simulations-labs)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/simulation-labs-linkedin/ (1 employee on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Small-Business


### 12. [Datto SaaS Defense](https://www.g2.com/products/datto-saas-defense/reviews)
  SaaS Defense is an advanced threat protection [ATP] and spam filtering solution that detects zero-day threats. This means it identifies and prevents threats that competitive solutions are missing. It proactively defends against malware, phishing, and business email compromise (BEC) attacks that target Microsoft 365 including Exchange, OneDrive, SharePoint, and Teams.

  Benefits to MSPs

  - Close detection gaps: Proactively monitor, detect, and eliminate the unknown cyber threats that other solutions miss with data-independent technology.
  - Go beyond email security: SaaS Defense protects from a range of malicious attacks across the Microsoft 365 suite, not just email.
  - Improve your bottom line: This tool is a profit builder that can be used to attract new market share and triple MSP margins.
  - Seamless deployment & management: Get new clients up and running in minutes with two-click onboarding & multi-tenant management.
  - Easily demonstrate your value: robust reporting capabilities, that can be shared with clients, that articulate why a threat was identified as malicious.
  - Multi-layered detection, protection and recovery for Microsoft 365 with complete SaaS Protection integration.


  **Average Rating:** 4.2/5.0
  **Total Reviews:** 12

**Who Is the Company Behind Datto SaaS Defense?**

- **Seller:** [Kaseya](https://www.g2.com/sellers/kaseya)
- **Year Founded:** 2000
- **HQ Location:** Miami, FL
- **Twitter:** @KaseyaCorp (17,411 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/kaseya/ (5,471 employees on LinkedIn®)

**Who Uses This Product?**
  - **Top Industries:** Information Technology and Services
  - **Company Size:** 58% Small-Business, 33% Mid-Market


### 13. [NetSPI](https://www.g2.com/products/netspi-2026-02-04/reviews)
  NetSPI PTaaS is a type of penetration testing as a service (PTaaS) solution designed to help organizations identify and remediate vulnerabilities within their systems, applications, and networks. This service utilizes a combination of skilled professionals, established processes, and advanced AI technology to provide contextualized security outcomes in real time, all accessible through a unified platform. By addressing the limitations of traditional penetration testing methods, NetSPI PTaaS offers a more efficient and comprehensive approach to security assessments. This service is targeted at businesses of all sizes, from startups to large enterprises, making it particularly beneficial for security teams looking to enhance their vulnerability management strategies. NetSPI PTaaS caters to a variety of use cases, including application security assessments, infrastructure testing, and evaluations of emerging technologies such as artificial intelligence. With over 50 different types of penetration tests available, including traditional point in time testing and our continuous offerings, organizations can customize their security evaluations to meet specific needs, ensuring thorough coverage across all potential attack surfaces. A key feature of NetSPI PTaaS is its commitment to delivering real-time findings through a single platform. This capability allows security teams to receive immediate insights into vulnerabilities, enabling them to act swiftly to mitigate risks based on role and priority, managing testing in just a few clicks. The platform's integration capabilities enhance its usability, allowing organizations to seamlessly incorporate findings into their existing security workflows. This streamlined approach not only saves time but also ensures that remediation efforts are based on high-fidelity, manually validated findings, thus improving overall security effectiveness.
The expertise of NetSPI's team of over 350 in-house security professionals is another significant differentiator. Their extensive experience and knowledge in the field of cybersecurity ensure that the testing methodologies employed are rigorous and consistent, uncovering vulnerabilities, exposures, and misconfigurations that may be overlooked by other solutions. This white-glove approach to penetration testing emphasizes the importance of manual validation, providing organizations with reliable and actionable insights that can significantly enhance their security posture. NetSPI PTaaS stands out in the realm of penetration testing services by combining expert human analysis with advanced AI technology, delivering timely and accurate results. This empowers organizations to strengthen their defenses against evolving cyber threats, ensuring that they remain resilient in an increasingly complex security landscape.


  **Average Rating:** 4.9/5.0
  **Total Reviews:** 13

**Who Is the Company Behind NetSPI?**

- **Seller:** [NetSPI](https://www.g2.com/sellers/netspi)
- **Company Website:** https://www.netspi.com
- **Year Founded:** 2001
- **HQ Location:** Minneapolis, MN
- **Twitter:** @NetSPI (4,041 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/netspi/ (568 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 46% Enterprise, 38% Mid-Market


#### What Are NetSPI's Pros and Cons?

**Pros:**

- Expertise (4 reviews)
- Team Quality (4 reviews)
- Communication (3 reviews)
- Ease of Use (3 reviews)
- Service Quality (3 reviews)

**Cons:**

- Difficult Navigation (1 review)
- False Positives (1 review)
- Information Management (1 review)
- Lack of Detail (1 review)
- Lack of Information (1 review)

### 14. [Reflex Security](https://www.g2.com/products/reflex-security/reviews)
  Reflex Security builds real incident response readiness through AI-driven tabletop exercises that adapt in real time to your team's decisions. The platform generates hyper-customized scenarios in minutes by researching your actual tech stack, industry, and threat landscape from public data. Every exercise is tailored to your organization, not pulled from a generic template. Exercises fight back. AI adversaries respond dynamically to participant decisions, creating realistic pressure and unpredictable outcomes that keep teams engaged throughout. An AI facilitator can join Zoom, Google Meet, or Teams to guide discussion, capture notes, and challenge individuals with role-specific questions. After each exercise, Reflex generates audit-ready reports with performance analytics and remediation guidance designed to support compliance requirements such as SOC 2, ISO 27001, and cyber insurance requirements. Built for CISOs and MSSPs who want to run tabletop exercises frequently at a fraction of the prep time and cost of traditional facilitated sessions.


  **Average Rating:** 5.0/5.0
  **Total Reviews:** 4

**Who Is the Company Behind Reflex Security?**

- **Seller:** [Reflex Security](https://www.g2.com/sellers/reflex-security)
- **Year Founded:** 2025
- **HQ Location:** Los Angeles, US
- **LinkedIn® Page:** https://www.linkedin.com/company/reflexsecurity/ (5 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 75% Small-Business, 25% Enterprise


### 15. [Infection Monkey](https://www.g2.com/products/infection-monkey/reviews)
  By deploying the Infection Monkey as an ongoing testing solution, you can verify the security baseline of your network and achieve full network coverage.


  **Average Rating:** 4.8/5.0
  **Total Reviews:** 3

**Who Is the Company Behind Infection Monkey?**

- **Seller:** [GuardiCore](https://www.g2.com/sellers/guardicore)
- **HQ Location:** Cambridge, US
- **Twitter:** @GuardiCore (2,636 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/akamai-technologies/ (10,201 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Mid-Market


### 16. [Atrapa](https://www.g2.com/products/atrapa/reviews)
  The all-in-one platform to capture, convert, and retain customers across every messaging channel.


  **Average Rating:** 5.0/5.0
  **Total Reviews:** 2

**Who Is the Company Behind Atrapa?**

- **Seller:** [Atrapa](https://www.g2.com/sellers/atrapa)
- **HQ Location:** N/A
- **LinkedIn® Page:** https://www.linkedin.com/company/atrapa/ (1 employee on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 50% Mid-Market, 50% Small-Business


### 17. [RADAR™](https://www.g2.com/products/mazebolt-technologies-radar/reviews)
  MazeBolt RADAR is a patented DDoS Vulnerability Management solution. Using thousands of non-disruptive DDoS attack simulations and without affecting online services, RADAR identifies and enables the remediation of vulnerabilities in deployed DDoS protection solutions.


  **Average Rating:** 4.3/5.0
  **Total Reviews:** 2

**Who Is the Company Behind RADAR™?**

- **Seller:** [MazeBolt Technologies](https://www.g2.com/sellers/mazebolt-technologies)
- **Year Founded:** 2013
- **HQ Location:** Ramat Gan, IL
- **LinkedIn® Page:** https://www.linkedin.com/company/mazebolt-technologies (33 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Small-Business


### 18. [AttackIQ Platform](https://www.g2.com/products/attackiq-platform/reviews)
  AttackIQ is the industry’s leading Continuous Threat Exposure Management (CTEM) platform, enabling organizations to measure true exposure, prioritize risk, and disrupt real-world attack paths. By moving beyond static vulnerability data, AttackIQ operationalizes CTEM by continuously validating exposures against real adversary behavior and defensive controls. The platform connects vulnerabilities, configurations, identities, and detections into adversary-validated attack paths—quantifying the likelihood of attacker movement and impact. This evidence-based approach empowers security leaders to focus on what matters most, optimize defensive investments, and strengthen resilience through threat-informed, AI-driven security operations. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind AttackIQ Platform?**

- **Seller:** [AttackIQ](https://www.g2.com/sellers/attackiq)
- **Year Founded:** 2013
- **HQ Location:** Los Altos, US
- **Twitter:** @AttackIQ (7,101 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/attackiq (168 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Mid-Market


### 19. [CyBot](https://www.g2.com/products/cybot/reviews)
  CyBot is a next-generation vulnerability management tool as well as the world's first automated pen testing solution that continuously showcases validated, global, multi-vector Attack Path Scenarios (APS), so you can focus your time and resources on those vulnerabilities that threaten your critical assets and business processes. CyBot has one core engine, CyBot Pro, plus two additional management consoles: one for enterprises and one for MSSPs.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind CyBot?**

- **Seller:** [Cronus-Cyber](https://www.g2.com/sellers/cronus-cyber)
- **Year Founded:** 2014
- **HQ Location:** Haifa, IL
- **Twitter:** @CronusCyber (97 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/10337915 (6 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Small-Business


### 20. [FourCore ATTACK](https://www.g2.com/products/fourcore-attack/reviews)
  FourCore ATTACK provides a comprehensive view of security effectiveness by validating controls with realistic attacks.

  - Identify gaps in endpoint, email and network security controls before real attackers do
  - Continuously test defenses in production without disrupting users or IT operations
  - Focus internal red teams on high value assets while FourCore ATTACK covers routine controls testing
  - Give blue teams real attack data to improve threat detection and response capabilities
  - Enable security and IT teams to make effective risk-based security decisions

  FourCore ATTACK is backed by FourCore's advanced adversary emulation technology. Emulate threats consistently and realistically, to make sure you can defend against the script kiddies and advanced APTs alike.


  **Average Rating:** 3.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind FourCore ATTACK?**

- **Seller:** [FourCore](https://www.g2.com/sellers/fourcore)
- **Year Founded:** 2021
- **HQ Location:** New Delhi, IN
- **LinkedIn® Page:** https://www.linkedin.com/company/fourcorelabs (12 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Small-Business


### 21. [OpenAEV by Filigran](https://www.g2.com/products/openaev-by-filigran/reviews)
  OpenAEV (formerly OpenBAS) Community Edition (CE) is the free base platform, while the Enterprise Edition (EE) is a commercial license upgrade that provides powerful AI-driven features and automation for faster, more contextual scenario creation and remediation actions. Convert threat/exposure data into validated, actionable security outcomes with industry’s first open-source, threat-informed AEV platform.

  - Unified Threat Context: Know what you need to defend against
  - Proactive Defense: Emulate real-world attacks to see how your defenses hold up
  - Adaptable interface: Customize for your use case – validate tools, people & processes
  - Accelerated Time-to-Remediation: Quickly detect and fix vulnerabilities


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind OpenAEV by Filigran?**

- **Seller:** [Filigran](https://www.g2.com/sellers/filigran)
- **Company Website:** https://filigran.io/
- **Year Founded:** 2022
- **HQ Location:** New York, US
- **Twitter:** @FiligranHQ (841 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/filigran (250 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Mid-Market


### 22. [SafeBreach](https://www.g2.com/products/safebreach/reviews)
  SafeBreach is the only enterprise-grade Adversarial Exposure Validation (AEV) platform that simulates attacker behavior both before and after a breach—validating not just whether defenses fail, but how far an attacker could go and what they could impact. Our dual-engine platform combines breach and attack simulation (Validate) with live, attack path validation (Propagate), using real credential harvesting, lateral movement, and EDR bypass to reveal the blast radius of an attack. SafeBreach Validate is an award-winning breach and attack simulation (BAS) tool that uses patented technology to test the efficacy of deployed security controls against real-world threats. Leveraging the tactics, techniques, and procedures (TTPs) used by malicious actors, Validate automates adversarial attacks to help you continuously test your defenses, understand and limit your exposure, reduce your attack surface and improve security posture, and accelerate remediation. SafeBreach Propagate is the enterprise-grade automated penetration testing and attack path validation tool that emulates lateral movement, privilege escalation, and credential harvesting within the network—safely, automatically, and continuously—to help security teams understand potential post-breach impact. SafeBreach Propagate allows you to uncover high-risk paths to critical organizational assets, identify security gaps and strengths, prioritize remediation activities, and streamline communication with key stakeholders using built-in reports and dashboards. These dashboards distill data into business-ready metrics: breach likelihood, control failure rates, and remediation priorities—aligned to frameworks like MITRE ATT&CK, NIST CSF, DORA, and NIS2. With 30,000+ threat actions and a 24-hour SLA on CISA alerts, we help security teams walk into board meetings with clarity, credibility, and proof.
Powered by SafeBreach Labs, and the industry’s largest threat library, we help teams continuously prove and improve their cyber readiness at enterprise scale.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind SafeBreach?**

- **Seller:** [SafeBreach](https://www.g2.com/sellers/safebreach)
- **Year Founded:** 2014
- **HQ Location:** Sunnyvale, California, United States
- **Twitter:** @safebreach (2,504 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/safebreach/ (135 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Small-Business


### 23. [SCYTHE](https://www.g2.com/products/scythe-scythe/reviews)
  SCYTHE is an adversary emulation platform (BAS+) catering to the commercial, government, and cybersecurity consulting market. The SCYTHE platform empowers Red, Blue, and Purple teams to swiftly construct and simulate real-world attacks. SCYTHE serves as a robust proactive security tool for scrutinizing detective and preventive controls across multiple communication vectors. Through SCYTHE, with its prepackaged action/behavior logic and threat intelligence, organizations can maintain a continuous evaluation of their risk profile, prioritize vulnerabilities, and take action against threats that matter.


  **Average Rating:** 4.5/5.0
  **Total Reviews:** 1

**Who Is the Company Behind SCYTHE?**

- **Seller:** [SCYTHE](https://www.g2.com/sellers/scythe)
- **Company Website:** https://www.scythe.io/
- **Year Founded:** 2017
- **HQ Location:** Columbia, US
- **Twitter:** @scythe_io (6,863 Twitter followers)
- **LinkedIn® Page:** https://www.linkedin.com/company/scythe_io (33 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Mid-Market


### 24. [SimLight](https://www.g2.com/products/simlight/reviews)
  SimLight by Thawd is an advanced Breach and Attack Simulation solution designed to deploy in minutes and continuously validate your security controls by simulating realistic attacker behaviors. SimLight provides comprehensive visibility into your organization's security posture, empowering proactive defense against real-world threats.


  **Average Rating:** 5.0/5.0
  **Total Reviews:** 1

**Who Is the Company Behind SimLight?**

- **Seller:** [Thawd Security](https://www.g2.com/sellers/thawd-security)
- **HQ Location:** Riyadh, SA
- **LinkedIn® Page:** https://www.linkedin.com/company/thawd-security/ (7 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Enterprise


### 25. [Validato - Continuous Security Validation Platform](https://www.g2.com/products/validato-continuous-security-validation-platform/reviews)
  Validato is a leading Continuous Security Controls Validation platform designed to empower modern security teams to definitively prove their cyber resilience. As a pioneer in the Adversarial Exposure Validation (AEV) and Breach & Attack Simulation (BAS) market, Validato provides an automated, evidence-based approach to identifying hidden misconfigurations and security gaps within live production environments. Why Validato? In an era of evolving regulations like DORA and NIS2, and board-level concerns such as Ransomware, traditional annual penetration testing and static vulnerability scans are no longer sufficient. Validato transforms security from a "check-box" exercise into a proactive, continuous strategy for operational resilience. Threat-Informed Defence: We safely simulate the methods cyber adversaries use to manipulate standard features and over-privileged users across Windows, Linux, and Mac environments. MITRE ATT&CK® Alignment: Unlike tools that merely emulate Indicators of Compromise (IOCs), Validato directly tests the specific MITRE ATT&CK Techniques exploited by threat actors to validate the actual effectiveness of your detection and protection capabilities. Safe for Production: Our simulations are engineered to be non-disruptive, allowing for continuous validation without risk to critical business operations. Actionable Remediation: We move beyond identifying issues by providing clear, guided hardening steps based on the Principle of Least Privilege, helping you strategically reduce your attack surface. Key Outcomes for Security Leaders CISOs & Risk Teams: Access impartial, fact-based data to demonstrate cyber resilience to the Board and meet strict regulatory compliance mandates (DORA, NIS2, ISO 27001). SOC & Security Engineering: Optimise the ROI of existing security investments, such as EDR and SIEM tools, by validating log data fidelity and fine-tuning threat detection.
Red Teams: Scale testing efficiency by automating repetitive TTP testing, freeing expert resources to focus on complex, high-value adversarial emulations. Deploy in Minutes, Validate Forever Validato is a cloud-based SaaS platform that can be operational within 30 minutes. By providing a continuous feedback loop on security effectiveness, Validato helps organisations shift from reactive defence to a proactive, resilient security posture.


  **Average Rating:** 4.0/5.0
  **Total Reviews:** 1

**Who Is the Company Behind Validato - Continuous Security Validation Platform?**

- **Seller:** [Validato](https://www.g2.com/sellers/validato)
- **Year Founded:** 2021
- **HQ Location:** London, GB
- **LinkedIn® Page:** https://www.linkedin.com/company/validato/ (10 employees on LinkedIn®)

**Who Uses This Product?**
  - **Company Size:** 100% Mid-Market


#### What Are Validato - Continuous Security Validation Platform's Pros and Cons?

**Pros:**

- Features (1 review)
- Reliability (1 review)

**Cons:**

- Lack of Training (1 review)


## What Is Breach and Attack Simulation (BAS) Software?

[System Security Software](https://www.g2.com/categories/system-security)

## What Software Categories Are Similar to Breach and Attack Simulation (BAS) Software?

- [Penetration Testing Tools](https://www.g2.com/categories/penetration-testing-tools)

---
## What Are the Most Common Questions About Breach and Attack Simulation (BAS) Software?
*AI-generated · Last updated: June 3, 2026*

  ### Which Breach and Attack Simulation (BAS) vendors provide strong implementation guidance for team adoption?
  Based on G2 reviews, these BAS vendors are most often praised for onboarding, setup, and guidance.

- [Picus Security](https://www.g2.com/products/picus-security) — onboarding help and vendor-specific remediation.
- [Cymulate](https://www.g2.com/products/cymulate) — easy setup with actionable mitigation guidance.
- [Right-Hand Cybersecurity](https://www.g2.com/products/right-hand-cybersecurity) — hands-on support for campaigns and rollout.
- [RidgeBot](https://www.g2.com/products/ridgebot) — straightforward setup with validated findings.


  ### Breach and Attack Simulation (BAS) solutions combining ease of use with advanced integration capabilities
  According to verified users, BAS buyers often look for a balance between fast deployment and meaningful integrations with the rest of the security stack. In recent G2 reviews, that combination shows up in mentions of intuitive dashboards, simple setup, and the ability to connect with SIEM, EDR, XDR, firewalls, web application firewalls, and other existing controls. Reviewers value platforms that make simulations easy to run without heavy operational overhead, while still helping teams validate logs, isolate which control blocked an attack, and turn findings into remediation steps. Integration breadth matters most when it improves visibility, reduces manual testing, and supports continuous validation across multiple layers of defense.


  ### Most reliable Breach and Attack Simulation (BAS) platforms proven by long-term enterprise deployments
  Based on G2 reviews, these BAS platforms appear most often in feedback describing dependable use in ongoing programs.

- [Picus Security](https://www.g2.com/products/picus-security) — continuous validation across enterprise security controls.
- [Cymulate](https://www.g2.com/products/cymulate) — recurring assessments with broad control coverage.
- [Right-Hand Cybersecurity](https://www.g2.com/products/right-hand-cybersecurity) — sustained phishing and awareness program management.
- [Adaptive Security](https://www.g2.com/products/adaptive-security) — ongoing simulations and training at scale.


  ### What are the most important features in BAS tools?
  According to verified users, the most important features in BAS tools are realistic attack simulation, continuous validation, and clear remediation guidance. Recent reviews also emphasize broad threat libraries, support for MITRE-aligned scenarios, and reporting that helps both technical teams and leadership understand gaps. Buyers repeatedly mention integration with SIEM, EDR, XDR, firewalls, and web security tools as a priority because it helps confirm whether controls are detecting or blocking attacks as expected. Ease of setup and ease of use also matter because teams want to run assessments regularly, not just occasionally. The strongest products help teams find misconfigurations, validate detections, prioritize fixes, and keep security programs proactive instead of reactive.


  ### How do teams use Breach and Attack Simulation (BAS) for remediation guidance?
  G2 reviewers mention that teams use BAS to move from identifying gaps to fixing them faster. In recent reviews, users describe running attack simulations to expose weak points across endpoint, network, email, web, and broader security controls, then using the resulting guidance to tune configurations, improve detection rules, and prioritize remediation work. Some reviewers specifically value vendor-specific or easy-to-apply recommendations because they reduce guesswork for analysts and administrators. Others highlight retesting after changes to confirm that fixes actually worked. For buyers, the practical value of BAS is not just finding exposure, but making remediation more measurable, repeatable, and aligned with how real attacks would interact with existing defenses.



