Frequently Asked Questions
SIMAPTIC uses agentic AI to plan, execute, and report realistic multi-stage campaigns (credentials → lateral movement → exfiltration). Unlike tools that “mock” behavior, SIMAPTIC can emit real indicators and controlled C2 traffic (opt-in) to validate detections end-to-end. Reports map to MITRE ATT&CK, surface missed detections, and recommend fixes.
No uncontrolled malware is used. SIMAPTIC employs safe, harnessed payloads and benign surrogates that generate realistic telemetry and IOCs. For teams that opt in, we can exercise limited real toolchains under strict guardrails and Rules of Engagement (ROE): throttled, logged, and reversible.
Our agent plans campaigns using threat-informed prompts and your policy constraints. You can run guided templates, auto-planned sequences, or bring-your-own playbooks. Everything is ATT&CK-tagged and approval-gated before execution.
Yes. Set network scopes, account allow/deny lists, rate limits, time windows, and kill switches. SIMAPTIC enforces least privilege and supports dry-run and IOC-only modes.
Yes, when configured correctly. SIMAPTIC provides throttling, guardrails, hard stops, maintenance-window scheduling, and change-control hooks. You choose whether to allow live C2 or restrict to telemetry-only exercises.
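The guardrails above combine into a single gate that every campaign step has to pass before it runs. The block below is an added illustration of that gate, not SIMAPTIC code: the policy fields, the action shape (target IP, account, timestamp) and the sample steps are assumptions chosen to show how scope, a deny list, a maintenance window, a rate limit and a kill switch interact, and why the kill switch is checked first.

```python
"""Minimal ROE guardrail for a simulated attack step (added example, not SIMAPTIC code)."""
from __future__ import annotations

import ipaddress
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class RoePolicy:
    allowed_networks: list[str]       # CIDRs the campaign may touch
    denied_accounts: set[str]         # accounts that must never be used
    window_start_utc: int             # maintenance window, UTC hour of day (0-23)
    window_end_utc: int
    max_actions_per_minute: int
    kill_switch: bool = False         # flipped by an operator to halt everything
    _recent: deque = field(default_factory=deque, repr=False)  # timestamps of allowed actions

    def in_window(self, now: datetime) -> bool:
        h = now.astimezone(timezone.utc).hour
        if self.window_start_utc <= self.window_end_utc:
            return self.window_start_utc <= h < self.window_end_utc
        return h >= self.window_start_utc or h < self.window_end_utc  # window wraps midnight

    def in_scope(self, target: str) -> bool:
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            return False  # unresolved hostnames are treated as out of scope (fail closed)
        return any(ip in ipaddress.ip_network(n, strict=False) for n in self.allowed_networks)

    def authorize(self, target: str, account: str, now: datetime) -> tuple[bool, str]:
        """Return (allowed, reason). Kill switch is checked first, rate limit last,
        so a rejected step never consumes rate-limit budget."""
        if self.kill_switch:
            return False, "kill switch engaged"
        if not self.in_scope(target):
            return False, f"target {target} outside allowed networks"
        if account in self.denied_accounts:
            return False, f"account {account} on deny list"
        if not self.in_window(now):
            return False, "outside maintenance window"
        # sliding one-minute window: drop timestamps older than 60 s, then count
        while self._recent and (now - self._recent[0]).total_seconds() >= 60:
            self._recent.popleft()
        if len(self._recent) >= self.max_actions_per_minute:
            return False, "rate limit reached"
        self._recent.append(now)
        return True, "ok"


def run_demo() -> list[tuple[bool, str]]:
    """Drive the policy with a constructed sequence of steps (sample input, not real telemetry)."""
    policy = RoePolicy(allowed_networks=["10.20.0.0/16"], denied_accounts={"svc-backup"},
                       window_start_utc=22, window_end_utc=4, max_actions_per_minute=2)
    t0 = datetime(2024, 1, 1, 23, 0, tzinfo=timezone.utc)
    steps = [
        ("10.20.5.7", "lab-user", t0),                          # in scope, in window
        ("10.20.5.8", "svc-backup", t0),                        # denied account
        ("192.168.1.10", "lab-user", t0),                       # out of scope
        ("10.20.5.7", "lab-user", t0.replace(hour=12)),         # outside window
        ("10.20.5.9", "lab-user", t0),                          # second allowed action this minute
        ("10.20.5.9", "lab-user", t0),                          # third: rate limited
        ("10.20.5.9", "lab-user", t0 + timedelta(seconds=61)),  # window slid: allowed again
    ]
    results = [policy.authorize(*s) for s in steps]
    policy.kill_switch = True                                   # operator halts the run
    results.append(policy.authorize("10.20.5.9", "lab-user", t0 + timedelta(seconds=62)))
    return results


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "BLOCK", reason)
```

The order of checks is the design point: a kill switch must short-circuit everything, scope and identity checks are cheap and deterministic, and the rate limiter runs last so that blocked steps do not burn budget that a legitimate step needs.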
We recommend a documented ROE, executive approval, coordination with SOC/IR/IT owners, and a change ticket for production. We provide templates for ROE, risk assessment, and rollback.
It should; that is the point. You can tune intensity, run in off-hours, or start with IOC-only mode. Each finding records which detections fired and which should have fired, so you tune rules instead of adding noise and alert fatigue.
Yes. SIMAPTIC supports on-prem, cloud, and hybrid topologies. It can operate fully on-prem/air-gapped with local reporting, or in a connected model for managed updates.
A small controller (VM or container), optional lightweight agents for deeper visibility, and least-privilege service accounts. For cloud testing, read-only APIs plus scoped roles are typical.
We store campaign configs, logs, and results. By default, sensitive artifacts (creds, payloads, content) can be kept on-prem. You control data retention, log redaction, and export.
Yes. SIMAPTIC can run offline, with offline license/updates and fully local reporting.
SIEM (Splunk, Sentinel, Elastic, QRadar, Chronicle), EDR (Defender, CrowdStrike, Carbon Black), SOAR platforms, ticketing (Jira, ServiceNow), CMDB, and cloud logs (AWS, Azure, GCP). Exports: JSON/CSV, ATT&CK coverage, and executive PDFs.
- Executive: risk themes, trends, coverage, KPIs/OKRs
- SOC/IR: timeline, missed detections, log references
- Engineering: concrete fixes, control gaps, ATT&CK mapping
Reports support baselining and before/after comparisons.
Detection coverage, time-to-detect/respond, signal realism, and closed-loop remediation (tickets opened → resolved). We provide dashboards and exportable metrics.
Simple tiers based on number of endpoints/cloud accounts, campaign concurrency, and support level. Annual and multi-year options are available.
Yes. We offer a time-boxed PoC with guided onboarding, success criteria, and a final readout.
Standard (business hours) and Premium (24×7 for critical issues). Includes updates, knowledge base, and escalation paths.
Yes, with authorization. You must own/control the target environment and approve a Rules of Engagement. SIMAPTIC logs all actions for auditability.
We map findings and controls to MITRE ATT&CK and common frameworks (e.g., NIST CSF/800-53, ISO 27001). We provide audit-ready evidence exports and data-retention controls.
SIMAPTIC supports data minimization, PII redaction, and on-prem storage. You choose what leaves your environment.
Yes. SIMAPTIC leverages battle-tested open-source frameworks and our own contributions (e.g., Empire/Starkiller lineage), wrapped with controls, logging, and approvals for enterprise safety.
Yes. We provide threat profiles and can author custom TTP packs to emulate families, groups, or incidents, safely and deterministically.
We can emulate network-level and Windows/AD-centric stages commonly adjacent to OT, with opt-in ICS profiles. For in-plant tests, we recommend lab/maintenance windows and strict ROE.
Absolutely. Import Sigma/KQL, custom rules, or SOAR playbooks. SIMAPTIC can validate them and suggest coverage improvements.
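Validating imported rules means replaying telemetry from a campaign step through the rule logic and comparing what fired against what each step should have triggered, which also yields the detection-coverage and time-to-detect figures described earlier. The block below is an added example and not SIMAPTIC code: the rules are hand-written dicts in the shape a YAML parser produces from a Sigma detection block, only the modifiers contains/endswith/startswith and the conditions "selection" and "selection and not filter" are implemented (an assumption, enough for the demo), and the process-creation events and campaign steps are constructed, not real EDR output.

```python
"""Replay constructed telemetry against a minimal Sigma-style rule subset
(added example, not SIMAPTIC code)."""
from __future__ import annotations

from datetime import datetime
from typing import Any

# Sigma-style rules in parsed form; 'tags' carry the ATT&CK technique for coverage reporting.
RULES = [
    {"title": "Credential dumping tool touching LSASS", "tags": ["attack.t1003.001"],
     "detection": {"selection": {"Image|endswith": ["\\procdump.exe", "\\mimikatz.exe"]},
                   "condition": "selection"}},
    {"title": "Remote service creation (lateral movement)", "tags": ["attack.t1021.002"],
     "detection": {"selection": {"Image|endswith": "\\sc.exe", "CommandLine|contains": "create"},
                   "filter": {"User|startswith": "NT AUTHORITY\\"},   # suppress OS-driven service creation
                   "condition": "selection and not filter"}},
    {"title": "Archive staged for exfiltration", "tags": ["attack.t1560.001"],
     "detection": {"selection": {"Image|endswith": "\\7z.exe", "CommandLine|contains": " a "},
                   "condition": "selection"}},
]

# Constructed campaign: technique exercised by each step and when the step ran.
CAMPAIGN = [
    ("attack.t1003.001", datetime(2024, 3, 4, 2, 10)),
    ("attack.t1021.002", datetime(2024, 3, 4, 2, 25)),
    ("attack.t1560.001", datetime(2024, 3, 4, 2, 40)),
]

# Constructed process-creation telemetry. The exfil step used tar.exe, which no rule covers.
EVENTS = [
    {"ts": datetime(2024, 3, 4, 2, 10, 30), "Image": "C:\\Tools\\procdump.exe",
     "CommandLine": "procdump.exe -ma lsass.exe", "User": "LAB\\operator"},
    {"ts": datetime(2024, 3, 4, 2, 26, 0), "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe \\\\srv02 create updsvc binpath= c:\\t\\a.exe", "User": "LAB\\operator"},
    {"ts": datetime(2024, 3, 4, 2, 27, 0), "Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc.exe create WinDefend start= auto", "User": "NT AUTHORITY\\SYSTEM"},
    {"ts": datetime(2024, 3, 4, 2, 41, 0), "Image": "C:\\Windows\\System32\\tar.exe",
     "CommandLine": "tar.exe -cf staged.tar C:\\Users\\Finance", "User": "LAB\\operator"},
]


def _match_value(value: str, modifier: str | None, patterns: Any) -> bool:
    """Sigma string matching is case-insensitive; a list of patterns is OR-ed."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    v = value.lower()
    for p in (str(p).lower() for p in patterns):
        if ((modifier is None and v == p) or (modifier == "contains" and p in v)
                or (modifier == "endswith" and v.endswith(p))
                or (modifier == "startswith" and v.startswith(p))):
            return True
    return False


def _match_map(event: dict, selection: dict) -> bool:
    """All fields inside one selection map are AND-ed."""
    for key, patterns in selection.items():
        field_name, _, modifier = key.partition("|")
        if not _match_value(str(event.get(field_name, "")), modifier or None, patterns):
            return False
    return True


def rule_fires(rule: dict, event: dict) -> bool:
    det = rule["detection"]
    sel = _match_map(event, det["selection"])
    if det["condition"] == "selection":
        return sel
    if det["condition"] == "selection and not filter":
        return sel and not _match_map(event, det["filter"])
    raise ValueError(f"unsupported condition: {det['condition']}")


def validate(rules: list, events: list, campaign: list) -> dict[str, Any]:
    """Report fired vs. should-have-fired per technique, plus time-to-detect and coverage."""
    alerts: list[tuple[str, datetime]] = []
    first_seen: dict[str, datetime] = {}          # technique -> earliest firing
    for ev in events:
        for rule in rules:
            if rule_fires(rule, ev):
                alerts.append((rule["title"], ev["ts"]))
                for tag in rule["tags"]:
                    first_seen[tag] = min(first_seen.get(tag, ev["ts"]), ev["ts"])
    detected = {t: (first_seen[t] - step).total_seconds() for t, step in campaign if t in first_seen}
    missed = [t for t, _ in campaign if t not in first_seen]
    return {"alerts": alerts, "detected": detected, "missed": missed,
            "coverage": len(detected) / len(campaign)}


if __name__ == "__main__":
    print(validate(RULES, EVENTS, CAMPAIGN))
```

Running it shows two rules firing (credential dumping and remote service creation), the SYSTEM-initiated sc.exe event correctly suppressed by the filter, the exfiltration step reported as missed, and time-to-detect in seconds for each detected technique; the missed entry is the concrete coverage gap a report would turn into a rule-authoring ticket.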
Built-in kill switch, step-wise execution, rollback guidance, and post-run cleanup. All actions are logged to a tamper-evident audit trail.