The challenge: why this was critical
A large commercial bank operated under pressure from rapidly evolving threats and needed to validate its detection rules as soon as a new campaign appeared. At the same time, the entry into force of DORA (the EU Digital Operational Resilience Act) imposed an obligation to continuously monitor the ICT environment, identify vulnerabilities, detect anomalies and threats, and regularly test the effectiveness of security controls (including vulnerability assessments, penetration testing, and attack scenarios such as threat-led penetration testing, TLPT) to confirm the actual resilience of systems.
However, the teams responsible for cybersecurity testing were concerned about the risk of "shelfware" - a situation where a deployed tool, despite high costs and expectations, gradually stops being actively used. A global platform that demands significant deployment effort quickly loses real value if it is not backed by organizational support and day-to-day use.
In previous implementations, a key limitation was the limited ability of the deployed platform to operate effectively within the bank's real operational environment. The support model offered by the vendor was highly process-driven and based on global procedures, which in practice hindered rapid response to the ongoing needs of security teams.
Additionally, communication friction emerged due to language differences, a lack of shared operational context, and limited understanding of the specifics of the banking environment.
The bank needed a solution that was easy to deploy and simple to use in daily operations - without multi-month projects and extensive retraining with every team change. It was crucial that new analysts could quickly enter the process and, when blocked, have a clear and short path to engineering support. With threats evolving week by week, time, shared context, and efficient collaboration were key - not multi-step escalations and lengthy ticket workflows.
Key challenges
- need for fast, technical, and reliable validation of SIEM/EDR rule effectiveness
- risk of integrating a tool that would not be fully adopted (shelfware)
- alignment with the local banking environment
- team frustration with traditional support models (first-line, L1 helpdesk)
- requirement for a guaranteed SLA on engineering response time
- ensuring continuity of knowledge transfer despite IT team turnover
- need for continuous updates of testing scenarios as new campaigns appear
What was implemented and how it worked in practice
The bank implemented IOC Simulator - a BAS (Breach & Attack Simulation) platform for continuous validation of SIEM/EDR detection through safe, repeatable simulation scenarios. The solution provided immediate access to up-to-date, customized attack scenarios, as well as an open testing environment in which security teams can independently design, test, and automate their own response strategies.
IOC Simulator operates in a non-intrusive model - it focuses on deterministic reproduction of attacker behavior without the risk of uncontrolled offensive activity. It can be run in test, lab, and mirrored endpoint environments without impacting production systems, and an automatic cleanup mechanism removes all artifacts after each test completes. For the results to say anything about production detection, the test endpoints must feed the same telemetry pipeline (EDR agent, log forwarding, SIEM rules) as the production fleet; a scenario that runs on an endpoint the SIEM does not see validates nothing.
The implementation also supported regulatory compliance efforts - IOC Simulator provides evidence of continuous operational resilience testing, helping the organization meet selected DORA requirements (Chapter IV) as well as compliance processes related to NIS2 and ISO 27001 in the area of risk management.
The PREBYTES technical support model was used, eliminating the traditional split between junior first-line support and engineering. Every customer request is handled directly by a team of security and maintenance engineers.
The implementation was based on two transparent communication channels:
- Helpdesk system (SLA): handling ongoing operational requests within defined engineering hours, ensuring full control over priorities and response times
- Dedicated online calendar: used for booking engineering sessions and onboarding, allowing the bank to quickly schedule consultations with experts without unnecessary email exchanges
Thanks to engineering sessions included in the license, the bank’s team went through an efficient onboarding process, enabling immediate execution of real testing scenarios. Technical support focused on operational assistance, ensuring that the tool became an active part of the defense strategy from day one.
Results and day-to-day impact
Direct access to PREBYTES engineers significantly reduced the product's time-to-value. Teams no longer spent time explaining basic technical issues to first-line support and instead gained a partner for substantive technical dialogue. The engineers understood the specifics of detection testing, so their recommendations were accurate and quickly translatable into concrete changes to SIEM/EDR rules.
In practice, the bank moved from a reactive model to continuous, structured resilience testing. Security teams gained the ability to run attack scenarios regularly without impacting the production environment. A model based on tasks, scenarios, and playbooks also let them design and automate their own tests independently, which raised their operational maturity and shortened the time needed to verify changes to security controls.
Another key improvement was better visibility into detection effectiveness. The bank obtained consistent, reliable data on how its security systems responded to each scenario: which rules fired, which did not, and which emulated techniques therefore remain uncovered. This translated into more informed risk management and the ability to close detection gaps continuously - before real attackers could exploit them.
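The loop the two paragraphs above describe - run a scenario, check what the SIEM/EDR reported, record the gap, remove the artifacts - is shown below as an added example written for this page. It is not IOC Simulator code and does not use its API; the scenario IDs, rule names, the JSON-lines alert export format and the "drop a harmless marker file" stand-in action are all assumptions constructed for the example. The alert lines are constructed to show one scenario where only one of two expected rules fired, which is exactly the kind of partial gap such a run should surface.

```python
"""Hypothetical BAS detection-validation harness (example code, not IOC Simulator's)."""
import json
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Scenario:
    scenario_id: str
    technique: str                      # MITRE ATT&CK technique ID the scenario emulates
    expected_rules: set                 # SIEM/EDR rule names that should fire for it
    artifacts: list = field(default_factory=list)  # paths created during the run


def run_scenario(s, workdir):
    """Perform the harmless stand-in action for the scenario.

    A real BAS scenario would emulate the technique's observable behaviour;
    here we only drop a marker file so the harness stays safe to run anywhere.
    """
    path = os.path.join(workdir, f"{s.scenario_id}.marker")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"bas-marker scenario={s.scenario_id} technique={s.technique}\n")
    s.artifacts.append(path)
    return list(s.artifacts)


def cleanup(s):
    """Remove every artifact the scenario created and confirm nothing is left."""
    for p in s.artifacts:
        if os.path.exists(p):
            os.remove(p)
    leftover = [p for p in s.artifacts if os.path.exists(p)]
    s.artifacts.clear()
    return not leftover


def parse_alerts(raw_lines):
    """Parse a JSON-lines SIEM alert export into {scenario_id: set(rule names)}.

    Malformed lines are skipped rather than aborting the whole evaluation.
    """
    fired = {}
    for line in raw_lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
            fired.setdefault(alert["scenario_id"], set()).add(alert["rule"])
        except (json.JSONDecodeError, KeyError):
            continue
    return fired


def evaluate(scenarios, fired):
    """Compare expected rules against what actually fired for each scenario."""
    results = {}
    for s in scenarios:
        got = fired.get(s.scenario_id, set())
        missed = s.expected_rules - got
        results[s.scenario_id] = {
            "technique": s.technique,
            "detected": not missed,          # all expected rules must fire
            "missed_rules": sorted(missed),
        }
    return results


def attack_coverage(results):
    """Fraction of emulated ATT&CK techniques that were fully detected."""
    by_tech = {}
    for r in results.values():
        by_tech[r["technique"]] = by_tech.get(r["technique"], True) and r["detected"]
    return sum(1 for ok in by_tech.values() if ok) / len(by_tech) if by_tech else 0.0


# Constructed scenarios (IDs, techniques and rule names are assumptions).
SCENARIOS = [
    Scenario("S-001", "T1547.001", {"Registry Run Key Modified"}),
    Scenario("S-002", "T1059.001", {"Suspicious PowerShell Encoded Command"}),
    Scenario("S-003", "T1003.001", {"LSASS Memory Access", "Credential Dump Tool Hash"}),
]

# Constructed SIEM alert export: S-003 triggers only one of its two expected rules,
# and one line is deliberately malformed to exercise the parser.
ALERT_LINES = [
    '{"ts": "2024-05-02T09:14:03Z", "scenario_id": "S-001", "rule": "Registry Run Key Modified"}',
    '{"ts": "2024-05-02T09:14:09Z", "scenario_id": "S-002", "rule": "Suspicious PowerShell Encoded Command"}',
    '{"ts": "2024-05-02T09:14:15Z", "scenario_id": "S-003", "rule": "LSASS Memory Access"}',
    '{"ts": "2024-05-02T09:14:16Z", "scenario_id": "S-003", "rule": "Credential Dump Tool Ha',
]


def run_all(scenarios=None, alert_lines=None, workdir=None):
    """Run every scenario, evaluate detections, clean up; return (results, coverage, clean)."""
    scenarios = SCENARIOS if scenarios is None else scenarios
    alert_lines = ALERT_LINES if alert_lines is None else alert_lines
    workdir = tempfile.mkdtemp(prefix="bas-") if workdir is None else workdir
    for s in scenarios:
        run_scenario(s, workdir)
    # In a real run the SIEM would be queried here after an ingestion delay.
    results = evaluate(scenarios, parse_alerts(alert_lines))
    clean = all([cleanup(s) for s in scenarios])   # list, so every scenario is cleaned
    return results, attack_coverage(results), clean


if __name__ == "__main__":
    results, coverage, clean = run_all()
    for sid, r in results.items():
        print(sid, r["technique"], "OK" if r["detected"] else f"GAP {r['missed_rules']}")
    print(f"technique coverage: {coverage:.0%}, artifacts removed: {clean}")
```

The per-technique coverage figure is what a MITRE ATT&CK-style heat map is built from; the per-scenario "missed_rules" list is what goes back to the detection engineers as a concrete rule to fix, and the cleanup return value is what an auditor would want recorded alongside the run.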
The ability to book sessions via an online calendar removed uncertainty about expert availability and improved planning of development work. At the same time, the licensing model with a defined pool of engineering hours ensured cost predictability and guaranteed access to senior technical support at critical moments.
As a result, IOC Simulator became a permanent operational component - the foundation for continuous validation of security control effectiveness and measurable improvement of organizational resilience.
Post-implementation results:
- full operationalization of the system and elimination of "shelfware" risk
- 90% reduction in the time required to verify resilience against new campaigns (as reported by the bank)
- direct access to security engineers (bypassing L1 helpdesk) and a predictable SLA
- continuous access to up-to-date scenarios based on real threats, tailored to the banking sector
- support for Blue, Red, and Purple Teams within a single testing environment
- mapping to MITRE ATT&CK - the basis for coverage analysis and audit evidence
- non-intrusive testing with no impact on production environments (Windows endpoints), with automatic cleanup after each scenario
- fast deployment and immediate time-to-value
- audit readiness (DORA, NIS2, ISO 27001) through measurable detection-testing evidence