Bringing life to Filigran eXtended Threat Management platform with OpenBAS first releases

Aug 7, 2024

Ever since Filigran was founded, we’ve been focused on helping organizations derive maximum value from their knowledge of cyber threats. This approach has led us to imagine a platform focused entirely on the management of cyber threats, whether technical or strategic, internal or external.

This dimension, rarely covered end to end in our industry, is key to the success of a threat intelligence program. It also helps organizations meet the challenge of preparing for upcoming security incidents, and it complements attack surface management and penetration testing / red teaming very well, all the more since most ASM platforms can be integrated with OpenCTI to correlate their results with external threat intelligence feeds.

The release of OpenBAS marks a turning point in the realization of this vision, which still needs to be completed by two other modules. It enables the implementation of this virtuous loop of operationalizing threat knowledge, in Filigran’s field of application: the anticipation of cyber threats.

Cyber Threat Intelligence Operationalization Loop

OpenBAS, first iterations

Like OpenCTI, OpenBAS is an open source platform. It enables organizations to design and execute cyber attack scenarios, whether technical (injections directly onto endpoints or into security systems), table-top (emails, simulated media pressure) or Capture the Flag with integrated challenges. Of course, it is possible to mix all types of injection within a single scenario, for complex simulations at all levels of an organization.

We’ve designed OpenBAS to be as flexible and powerful as possible, with an architecture that enables our teams to implement the full range of use cases expected of a BAS platform, and much more besides:

  • Integrated within an XTM platform to leverage your own CTI and create the most relevant simulations.
  • Covering all aspects of a cyber incident: the technical attack itself, but also its communication, legal, business and other contexts.
  • Follow the evolution of your security posture’s efficiency, both technical capabilities and human skills proficiency.
  • Use AI to assist during the content generation of your scenarios.
  • Generate atomic tests in a few clicks and get immediate results.
  • Simulate complex one-shot or recurring attack scenarios.
  • Assess your security posture at a glance through meaningful dashboards and breakdowns.
  • Organize Capture the Flag events.

We know how time-consuming and resource-intensive it can be to create these scenarios, even when a library is available (planned for the end of this year), which is why the OpenBAS platform:

  • Fully integrates with OpenCTI, enabling scenarios to be created automatically from any report or threat.
  • Flexibly uses the AI endpoint of your choice to automate scenario and content creation.
  • Is able to import any scenario from existing Excel sheets / CSV files using a powerful and customizable mapper.

Generate breach and attack simulation scenarios from OpenCTI

The security posture is then assessed, automatically or manually, along three axes: prevention, detection and human response. This makes it possible to test and assess the level of protection of a company’s assets, in real time and over time, whether they are systems (endpoints, XDRs, SIEMs, antivirus, etc.) or employees (analysts, communicators or standard business line team members).

Overview of an atomic test

The platform comes with an ecosystem featuring two types of integration:

  • Injectors, enabling simulation actions to be launched (payloads, social networks, ticketing platforms, etc.).
  • Collectors, enabling data of all kinds to be aggregated in the platform, as well as automatic evaluation of detection and prevention in security systems (frameworks, XDRs, EDRs, MDRs, etc.).

This ecosystem will be enriched by numerous new integrations over the coming months. You can also propose your own integration in both the injectors and collectors repositories.

Overview of the OpenBAS ecosystem

Focus on technical execution

Aligned with the Filigran product philosophy, we want to enable organizations to use the tools already available to them and avoid new deployments, especially when it comes to agents that run on machines. Therefore, in addition to the OpenBAS agent, already available for Windows, macOS and Linux (x86 and ARM processors), the platform is also compatible with Tanium and Caldera, and we expect more integrations with pre-existing agents in the future.

These agents have a neutral role within the platform, and we ensure that they never launch a payload directly, precisely to prevent the security systems present on a machine from considering them as malicious. They ensure:

  • Endpoint information is fed back into the OpenBAS platform.
  • Implants are executed in processes detached from the agent’s process tree.
  • The implants are responsible for gathering and executing the payloads.

Platform architecture

In OpenBAS, you can create your own payloads of various types:

  • Command lines (PowerShell, DOS, bash, sh, etc.).
  • Executables that run on a machine.
  • File drop, to simply write a file to disk.
  • DNS resolution.
  • Network traffic emulation.

We plan to add many more payload types in the future, especially for cloud platforms such as AWS, GCP and Azure.

Creation of payloads

Assessing security posture and skills

In OpenBAS, we have introduced two fundamental concepts: expectations and skills. Expectations are, for a given inject, the expected response on the three axes mentioned above. In the future, the results of these expectations will have a direct impact on the skills of an organization’s assets, be they people or systems. Some expectations are validated / invalidated automatically by collectors, notably for prevention / detection, and some have to be validated manually (for the time being).

Injects expectations

This is precisely what the OpenBAS strategic roadmap is all about: consolidating security posture and asset capabilities over the long term. Here’s a non-exhaustive overview of the main features to come:

  • Customize your simulations with your own technical payloads.
  • Adapt the platform to your specific usages and organization with a powerful and advanced RBAC system.
  • Create realistic simulations with chained injects.
  • Simulate attacker network communication to train network detection.
  • Manage your teams’ skills proficiency and assess its impact on your security posture.
  • Customizable CISO cockpit.
  • Tailored recommendations for improving your security posture.
  • Organization segregation in the platform.
  • Use AI to impersonate stakeholders in simulations.

Join us on our Slack community channel to give your feedback and help us shape the next move!
