41% of Attacks Bypass Defenses: Adversarial Exposure Validation Fixes That
Your security tools say everything’s fine, but attackers still get through.
Despite years of investment in firewalls, endpoint protection, SIEMs, and other layered defenses, most organizations still face a disturbing truth: according to recent research by Picus Security, only 59% of threats are stopped by their security controls.
That means 41% of attacks successfully bypass defenses. And the real damage often starts where visibility ends.
40% of enterprise environments have attack paths that lead to domain administrator compromise, hidden routes that attackers could exploit right now.
Even worse, these blind spots often go unnoticed until it's too late. Traditional indicators like zero incidents or clean scan results can create a false sense of security. But attackers don’t care what your dashboards say. They care about what they can exploit.
So the question is no longer “Do I have security tools in place?” It's: “How do I know they’re working, right now?”
What’s Missing from Current Offensive Security Testing
Security teams often rely on a mix of once-a-year penetration tests and periodic vulnerability scans. While useful and still required, these approaches have major limitations in today’s fast-evolving threat landscape and IT environment:
- They’re not continuous. Point-in-time tests don’t account for configuration drift, new vulnerabilities, or the daily shifts in attacker behavior.
- They lack real-world context. Scans flag thousands of CVEs without showing what attackers could actually exploit and without prioritizing the ones that matter most to your environment.
- They don’t validate controls. Just because a vulnerability exists doesn’t mean your EDR or SIEM would miss it, but you’ll never know without testing.
- They lack verification of remediation. You may fix a vulnerability, but do your detection systems recognize similar exploits? Do alerts trigger when they should?
This creates a dangerous gap between perceived security and actual resilience. This reactive approach leaves teams flying blind. You might fix what’s easy to patch but miss what’s most exploitable. You might assume your detection rules work, until they don’t.
To stay ahead of adversaries, organizations need a smarter, more continuous way to validate their defenses, one that reflects the way attackers think, operate, and evolve.
Breach and Attack Simulation (BAS): Continuously Testing Your Defenses
Breach and Attack Simulation (BAS) closes a significant gap in traditional validation. It allows you to simulate actual cyberattacks in your production environment risk-free and without downtime.
Here's how it works:
- BAS platforms launch safe simulations of malware, ransomware, phishing attacks, and more, then monitor which are blocked, detected, or missed entirely.
- These simulations test your firewalls, IPSs, email gateways, EDR, SIEMs, and more, so you can see where controls fail or fail to trigger.
- Threat libraries are continuously updated with the newest attacker TTPs so that your defenses are measured against the threats of today.
Consider BAS like a round-the-clock fire drill for your security equipment. When an exploit goes around your IPS or your SIEM doesn't catch a recognized beacon, you'll know it in hours, not months.
Studies have shown that teams that consistently use BAS double their threat blocking in 90 days.
Automated Penetration Testing: Exploiting Vulnerabilities, Exposing Attack Paths
While BAS focuses on verifying control effectiveness, Automated Penetration Testing identifies the path an actual attacker would move through your environment.
Here is what it brings to your arsenal:
- It simulates attacker activity: vulnerability exploitation, credential harvesting, lateral movement across systems, and privilege escalation.
- It corroborates real attack steps: illustrating not only what's vulnerable, but also how an attacker would link steps to access key assets.
- It can work continually: keeping up with the evolution of your IT infrastructure, whether new deployments or patch delays.
For instance, an automated pentest could take advantage of an unpatched server, steal credentials, and move laterally until it reaches domain admin. These aren't theoretical attacks; they're actual, reproducible drills that reveal the exact paths attackers would take.
Indeed, research from Picus Security discovered that 40% of the environments they tested had exploitable paths to domain admin rights, a frightening confirmation that small holes can result in enormous compromise.

Adversarial Exposure Validation: Uniting BAS and Automated Pentesting for Stronger Security
Combined, BAS and automated pentesting give you a 360-degree perspective on your security stance. This combined practice is what Gartner calls Adversarial Exposure Validation (AEV), a continuous, real-world methodology for cyber risk management.
Using AEV, you can answer the two most important questions in security:
- Are my security controls working effectively? (the BAS perspective), and
- What can an attacker accomplish in my environment? (the pentest perspective).

These two perspectives inform one another:
- If BAS shows your SIEM missed a simulation, fix the rules, then run a pentest to see if that blind spot leads to additional access.
- If an automated pentest identifies a privilege escalation vector, recreate that TTP with BAS to ensure detection in the future.
This closed-loop system means quicker remediation, improved detection, and less speculation.
5 Key Benefits of Adversarial Exposure Validation for Modern Security Teams
Adversarial Exposure Validation delivers more than visibility: it drives measurable improvement.
- Confidence Against Real Attacks: AEV battle-tests your defenses against today’s threats, not last year’s. When the real thing hits, your team will have seen it before.
- Continuous Validation of Security Controls: Test your EDRs, firewalls, and SIEMs every day, not once a year. Catch detection failures and misconfigurations early.
- Proactive Exposure Management: Don’t just scan vulnerabilities. Simulate attacks. AEV helps prioritize risks based on actual exploitability and potential business impact.
- Improved SOC Readiness: Each simulation is a training opportunity. Your analysts refine their skills and validate incident response playbooks in real time.
- Measurable Security Progress: Track detection and prevention rates, response times, and closed attack paths to show real security ROI, internally and to auditors.
An Integrated Approach to Security Validation
Successful Adversarial Exposure Validation (AEV) takes more than point tools; it takes an end-to-end, threat-driven approach. The Picus Security Validation Platform provides exactly that, unifying Breach and Attack Simulation (BAS) and Automated Penetration Testing (APT) under one platform to break tool silos and consolidate security testing.
- Real-World Threat Coverage: Picus has a threat library of 30,000+ TTPs, ranging from ransomware to cloud misconfigurations, for current, relevant testing.
- Actionable Mitigations, Built In: When a test finds a gap, such as a missed exploitation attempt, Picus doesn't merely report. The platform recommends and automates remediations via its Mitigation Library, accelerating risk reduction.
- Unified, Correlated Validation: By combining Security Control Validation (SCV) with Attack Path Validation (APV), Picus ties detection gaps to possible attacker progression, prioritizing what is most important.
With Picus, validation is an ongoing process of test, fix, and enhance, not an annual checkbox.
Ready to See What Your Security Stack Is Missing?
Don’t wait for the next breach to expose your blind spots.
Adversarial Exposure Validation helps you identify and fix the 41% of threats your tools may be missing—before attackers exploit them.
Discover your real security posture. Request a demo.
Sponsored and written by Picus Security.