While our Breach and Attack Simulation competitors are practicing Kata, a predetermined set of moves, we’re teaching our customers how to Randori.
I was in a sales meeting recently, and a prospect asked me what differentiates Randori from Breach and Attack Simulation (BAS) tools and vendors. “Isn’t it the same category,” he mused. It was a great question, and I can see how some may consider Breach and Attack Simulation tools to be our competition, but Randori’s benefits and features are hugely different as BAS is only tangentially competitive to Continuous Automated Red Teaming (CART), only one of Randori’s benefits. In fact, BAS and CART serve different goals. BAS tools and vendors focus on testing a predefined set of controls and assumptions while Randori focuses on helping organizations become resilient to breach. To put it in martial arts terms, BAS is Kata while we are Randori.
For those who are not familiar with martial arts terminology:
Kata is a term used in Japanese martial arts to describe a detailed choreographed pattern of movements designed to be practiced by oneself alone.
Randori is a term used in Japanese martial arts to describe freestyle practice (Sparring – implying fighting with another,). The term denotes an exercise in tori, applying technique to a random succession of uke attacks.
BAS Tools: Immediate Satisfaction, Little Payoff
Like Kata, Breach and Attack Simulation tools are choreographed and limited to a predetermined series of events and actions. While BAS may give security teams immediate satisfaction, these exercises will not train the team to respond to real-world threats. In the real world, opponents do not operate from a predefined set of operations and assumptions — they improvise, adapt, and establish contingent plans of action. Outsmarting and out-scheming your opponent is their goal. Choreographing and memorizing a series of responses will not help when encountering a skilled adversary, just as washing Mr. Miyagi’s car and painting his fence only teaches one karate in the movies. Yes, BAS is helpful for performing QA of your security tooling but it is not enough to understand how your team will respond to a skilled and determined adversary.
Randori Attack: Tougher Lessons, Lasting Rewards
At Randori, we believe that organizations can only become truly resilient to real-world attacks by sparring with real (trusted) adversaries. These attacks must begin from a black box, meaning the attackers have no prior information or predetermined set of actions. The adversary must come at random, behave and utilize the same capabilities as real-world attackers. Most importantly, security teams need to be able to interact with the people who have attacked their system to understand what went wrong, where the team could have responded differently, and how to make their systems more resilient in the future. This is an insight those practicing Kata will not have lack, as their scripted actions yield no new information.
Of course, Randori didn’t invent red teaming. This concept and practice has existed in the intelligence and military communities long before its tenure in cybersecurity. However, conducting a corporate red teaming operation has major challenges. The biggest barrier for most companies is the cost. Hiring a red team is too expensive for most companies. It can force downtime, which hurts an organization’s productivity and creates extra work for IT teams. But most importantly, red teaming exercises are a point-in-time exercise. The point-in-time nature of traditional red teaming almost ensures that organizations will be exposed to increased risks between testing cycles. The power of CART is that as changes occur in the security posture of an organization, which we all know happens continuously, can be evaluated by CART to help identify risks much sooner.
The Randori Attack Platform runs automatically and continuously. It discovers and monitors your attack surface, locates interesting Targets, and then utilizes a catalog of capabilities to establish an initial point of presence, move laterally, and work deeper into the organization. This means actionable intelligence, informed by an attacker’s perspective, is gathered, filtered, and delivered to the security team in real time.
Randori’s dynamic, repeatable, and scalable platform is more than a red team, a pen-test, or a vulnerability management tool. It is the next evolution of these products: a trusted adversary platform which spars with your organization to identify gaps, build resiliency, and reduce your real-world risk over time.