Picus Security Quantifies Cyber Risk Using Attack Simulations
Picus Security introduces a new approach to cybersecurity risk quantification, moving away from assumptions towards evidence-based validation through continuous attack simulations.

Picus Security has announced a new methodology for quantifying cybersecurity risks, aiming to replace traditional assumption-based models. The company's approach utilizes continuous attack simulation and validation to provide organizations with a more accurate understanding of their security posture.
Traditional risk assessment tools often rely on self-reported data and questionnaires, which can lack transparency and real-world validation. These "black box" calculations generate numerical scores that may not accurately reflect an organization's actual exposure to threats, potentially leading to misinformed business decisions.
The Picus Security solution replaces guesswork with empirical data. By employing continuous breach and attack simulation (BAS) technology, the company tests an organization's defenses against real-world adversary techniques in real time. This method directly identifies which defenses fail and where detection gaps exist, offering measurable outcomes based on observed events rather than assumptions.
These validated findings are then integrated with ThreatConnect's Risk Quantifier. This integration calculates risk by considering factors such as threat actor activity, asset value, and control effectiveness. By incorporating Picus's validated data, which confirms whether attack techniques can bypass existing controls, organizations can achieve more accurate financial risk estimates than assumption-based models allow.
The new module also supports business scoping, enabling granular risk assessment by department, service, or technology. Picus states this allows for more effective prioritization and investment decisions based on validated risk metrics.