FAQs

We've compiled a list of common questions about our cloud security platform with clear and helpful answers to address your concerns.

Cloud Attack Emulation (CAE) - Safety Measures

What prevents Mitigant CAE emulations from causing damage?

Mitigant CAE is built on Security Chaos Engineering research with multiple layers of safety controls:

1. Bring Your Own Role (BYOR) - Customer-Controlled Blast Radius:

  • You define the blast radius: During onboarding, you provide a role with only the permissions you're comfortable granting
  • Mitigant CAE can only operate within the boundaries you set: Attack emulations are constrained by the IAM policies you assign
  • Granular control: Scope access to specific resources, accounts, regions, or resource types using IAM policies
  • Zero trust by default: The platform cannot exceed the permissions you explicitly grant
  • Example controls you can implement:
    • Restrict to non-production accounts only
    • Limit to specific resource tags
    • Exclude critical workloads or sensitive data stores
    • Permit read-only for assessment, limited write for specific attack scenarios
    • Set resource quotas and budget limits within the role

2. Dynamic Snapshotting:

  • Before any attack runs, Mitigant CAE captures the current state of target resources
  • This snapshot enables guaranteed rollback to the pre-attack state
  • The snapshot-attack-recover cycle happens automatically

3. Automatic Rollback:

  • All changes made during attack emulation are automatically reversed
  • Even if an attack fails mid-execution, the recovery process still runs based on previously captured snapshots
  • Cleanup reliability isn't dependent on the attack code behaving perfectly

Learn more: Cloud Attack Emulation 101: Shallow Waters

4. Attack Type Distinction:

  • Provisioned attacks: Spin up temporary infrastructure to safely emulate techniques without risking production
  • Inline attacks: Run against actual resources with sophisticated safety guardrails, including resource discovery, permission checks, state capture, dependency resolution, and deterministic recovery

5. Scope Controls:

  • Tag-based inclusion/exclusion rules
  • Cannot escape defined boundaries
  • Account-level or resource-level scoping
  • Combined with BYOR, you have multiple layers of containment

6. Non-Destructive by Design:

  • Many attacks use read-only operations
  • Write operations are isolated and reversible
  • No actual data exfiltration occurs (simulated only)
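The "Bring Your Own Role" and "Scope Controls" items above both rest on the IAM policy attached to the role, so it is worth linting that policy before onboarding. The following is an added example, not Mitigant code: the tag keys (`environment`, `criticality`), both sample policies and the read-only prefix heuristic are assumptions made for illustration.

```python
# Added example, not Mitigant code: lint a BYOR role policy before onboarding.
# Tag keys, sample policies and the read-only prefix heuristic are assumptions.
READ_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    # Heuristic: API names starting with Describe/Get/List count as read-only.
    return action.partition(":")[2].startswith(READ_PREFIXES)

def condition_keys(stmt):
    return [k.lower() for op in stmt.get("Condition", {}).values() for k in op]

def lint_byor_policy(policy, protect_tag_key):
    """Return findings for statements that widen the blast radius."""
    findings = []
    statements = as_list(policy["Statement"])
    for i, stmt in enumerate(statements):
        if stmt["Effect"] != "Allow":
            continue
        actions = as_list(stmt["Action"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        writes = [a for a in actions if not is_read_only(a)]
        scoped = any(k.startswith("aws:resourcetag/") or k == "aws:requestedregion"
                     for k in condition_keys(stmt))
        if writes and "*" in as_list(stmt["Resource"]) and not scoped:
            findings.append(f"statement {i}: unscoped write {writes}")
    wanted = f"aws:resourcetag/{protect_tag_key}".lower()
    if not any(s["Effect"] == "Deny" and wanted in condition_keys(s) for s in statements):
        findings.append(f"no explicit Deny keyed on tag {protect_tag_key}")
    return findings

# Constructed sample policies.
LOOSE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:StopInstances"]}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeInstances"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:StopInstances", "ec2:StartInstances"],
     "Condition": {"StringEquals": {"aws:ResourceTag/environment": "non-production"}}},
    {"Effect": "Deny", "Resource": "*", "Action": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/criticality": "high"}}}]}

if __name__ == "__main__":
    for name, pol in (("loose", LOOSE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_byor_policy(pol, "criticality"))
```

The lint is a pre-flight check on the policy document only; it does not replace evaluating the role with your cloud provider's own policy analysis tooling.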


Has Mitigant CAE ever caused a production outage?

Mitigant CAE is designed with production safety as a first principle. The platform:

  • Uses Security Chaos Engineering research that has been proven through academic study and practical implementation
  • Includes deterministic recovery mechanisms that guarantee rollback
  • Respects the blast radius you define through BYOR - it physically cannot operate outside the permissions you grant
  • Allows customers to start with completely harmless enumeration attacks
  • Provides sophisticated orchestration to safely execute attacks with automatic cleanup

Attacks are recommended based on your cloud environment's context, not chosen at random or by guesswork. The platform uses AI to intelligently select appropriate attack scenarios for your specific infrastructure.

Learn more: Demystifying Security Chaos Engineering - Part I | Part II

What if something goes wrong during a Mitigant CAE attack?

Multiple fail-safes are in place:

Permission Boundaries (BYOR):

  • The role you provide during onboarding acts as a hard limit
  • Even if something unexpected occurs, Mitigant CAE cannot exceed granted permissions
  • Your IAM policies provide an additional safety layer independent of platform controls

Automatic Recovery:

  • Even if an attack encounters unexpected errors mid-execution, the recovery process executes based on pre-captured snapshots
  • The separation of attack execution and recovery ensures that cleanup works independently

Stop Controls:

  • Attacks can be started and stopped with button clicks
  • You maintain full control throughout execution

Audit Trail:

  • Complete logging of every action taken
  • Full transparency into what happened during the emulation
  • All actions traceable through CloudTrail/Azure Activity Logs in your own environment

Attack Telemetry:

  • Mitigant CAE automatically retrieves and displays event logs corresponding to emulated attacks
  • These logs provide evidence and can be used by detection engineers for analysis

Will Mitigant CAE trigger our SOC alerts?

Yes—and that's actually valuable. You have three options:

1. Pre-announced Testing (Coordinated):

  • Notify your SOC team beforehand that authorized testing will occur
  • Best for testing response procedures and team coordination

2. Unannounced Testing (True Validation):

  • Run attacks without warning to validate whether your detection rules actually work
  • Tests your SOC's ability to identify real threats
  • Best for validating that detection rules are properly configured

3. Tagged/Labeled Execution:

  • Attack telemetry can be labeled in logs for easy identification
  • Integrate with your SIEM as "authorized testing"
  • Allows you to distinguish emulated attacks from real threats

You choose the approach based on what you're testing—detection rules, response procedures, or team readiness.
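One way to apply the "Tagged/Labeled Execution" option using the CloudTrail audit trail in your own account, as an added example that is not Mitigant code: records issued by the BYOR role are labeled as authorized testing only inside an announced window and in-scope account, and anything else from that role is sent for review. The role ARN, account IDs, window and sample records are constructed placeholders.

```python
from datetime import datetime, timezone

# Assumed placeholders: role ARN, in-scope account IDs and the test window.
BYOR_ROLE_ARN = "arn:aws:iam::111122223333:role/example-byor-role"
IN_SCOPE_ACCOUNTS = {"111122223333"}
WINDOW_START = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 1, 15, 11, 0, tzinfo=timezone.utc)

def issuer_arn(record):
    # For assumed-role sessions CloudTrail records the role under sessionIssuer.
    identity = record.get("userIdentity", {})
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")

def label_event(record):
    """Label one CloudTrail record for SIEM enrichment."""
    if issuer_arn(record) != BYOR_ROLE_ARN:
        return "unlabeled"  # not emulation traffic; normal detections apply
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    in_window = WINDOW_START <= when <= WINDOW_END
    in_scope = record.get("recipientAccountId") in IN_SCOPE_ACCOUNTS
    # Role activity outside the window or scope is never auto-suppressed.
    return "authorized-testing" if in_window and in_scope else "review"

def make_record(name, time, role_arn, account="111122223333"):
    # Builds a constructed record with only the fields this example reads.
    return {"eventName": name, "eventTime": time, "recipientAccountId": account,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}

OTHER_ROLE = "arn:aws:iam::111122223333:role/example-ci-deploy"
SAMPLE_RECORDS = [
    make_record("StopInstances", "2025-01-15T09:30:00Z", BYOR_ROLE_ARN),
    make_record("StopInstances", "2025-01-15T23:10:00Z", BYOR_ROLE_ARN),
    make_record("StopInstances", "2025-01-15T09:40:00Z", OTHER_ROLE),
    make_record("PutBucketPolicy", "2025-01-15T10:05:00Z", BYOR_ROLE_ARN, "444455556666"),
]

def label_all(records):
    return [(r["eventName"], label_event(r)) for r in records]

if __name__ == "__main__":
    for name, label in label_all(SAMPLE_RECORDS):
        print(f"{name:16} {label}")
```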
