The Defenders’ Dilemma - The need for time & tools that build skills and expertise

October 17, 2023
Mark Wojtasiak
Vice President of Product Marketing
The Defenders’ Dilemma - The need for time & tools that build skills and expertise

At Vectra AI we believe in the importance of security testing – it is one of the best ways to improve defenders’ skills and expertise and build confidence that ongoing security investments continue to provide ROI.

Core to this endeavor is empowering defenders by making effective security testing easier, more effective, and more accessible when it comes to exposing risk, prioritizing mitigations, and increasing safety. That’s why we invest so heavily in our own teams to not only build and share their expertise but also develop and contribute tooling into the broader defender community.

“Everyone has security testing going on around the clock; you just aren’t always notified ahead of time, nor will you always receive the report.”

This tongue-in-cheek sentiment in the security community typically underscores that there is always someone probing the attack surface of the enterprise – the obvious preference is that it is the defenders who in turn use that knowledge to harden and mitigate risk. The unfortunate reality is that defenders face barriers to performing internal security testing, ranging from time, to skills, to tooling, to the underlying costs of the activity.

This is a problem that requires a community solution – and we are proud to be part of a community that continues to invest in our defenders. To that end, we are highlighting three projects driven by our Vectra AI team members that we are proud to offer our defender community:  

  • ./HAVOC
  • The DeRF


The Microsoft 365 & AzureAD - Attack Framework (MAAD-AF), is an open-source cloud attack tool developed for testing security of Microsoft 365 & Azure AD environments through adversary emulation. MAAD-AF enables security practitioners with easy-to-execute attack modules that exploit M365/AzureAD tools & services to emulate attacker TTPs in the cloud. MAAD-AF is designed to make cloud security testing simple, fast and effective. Through its virtually no-setup requirement and easy interactive modules, security teams can test their security controls and detection & response capabilities easily and swiftly.


· ./HAVOC is an open-source Adversary Emulation as Code platform and framework. The platform provides capabilities that purple-teamers will love such as containerized infrastructure, supporting services that include load-balancers with CA-signed certificates to neatly obscure your C2 traffic behind, and cloud-native features like triggers for executing commands in response to an action, and pre-signed URLs for securely downloading and uploading files. A playbook operator allows for autonomous execution of playbooks that carry out full kill-chain adversary operations like recon, lateral movement, and exfiltration.

The DeRF

The DeRF (Detection Replay Framework) is an "Attacks-as-a-Service" framework, allowing the emulation of offensive techniques and generation of repeatable detection samples in the cloud. Use the DeRF to simulate attacker behavior, exercise detection portfolios and validate restrictive controls in the cloud.

Whether you’re an incident handler, a threat-hunter, a red teamer, or somewhere in-between – we value your partnership, we’re open to your feedback, and we’re eternally grateful to be members of the larger defender community solving this problem together. After all, defense is a team sport.

Happy hunting!