What was the client facing, and why was it critical?
In a large commercial bank, the need to respond quickly to constantly evolving threats required regular verification of detection rule effectiveness. At the same time, new obligations resulting from DORA regulations and NIS2 requirements increased the importance of ongoing supervision over the ICT environment, vulnerability detection, and recurring testing of security mechanisms in order to confirm the actual resilience of systems.
However, the teams responsible for cybersecurity testing were concerned about adopting solutions that would multiply costs and consume operational resources. Implementing a global BAS-class platform (Breach and Attack Simulation) was usually associated with a licensing model based on devices or CPUs, which in practice made testing the full software lifecycle – from DEV and TEST environments, through UAT, to PROD – financially unviable.
In previous implementations, hidden infrastructure costs were also a key limitation. Global tools required the purchase of additional licenses for external databases and the installation of dedicated servers on the client side. From a technical perspective, another concern was whether such platforms could operate reliably within the bank’s operational realities – in highly secured zero-trust networks, aggressive SSL inspection mechanisms blocked simulation traffic, requiring complex whitelisting.
Additional communication and financial friction appeared in the area of support – traditional vendor models treated professional support as an extra paid service, offering only a slow helpdesk as standard. The bank needed a solution free of hidden costs, with a transparent license covering all environments and guaranteed access to engineers as part of the base subscription.
Key challenges
- the need for continuous, technical, and reliable verification of SIEM/EDR rules in a highly secured network environment
- the need to include all environments in testing (DEV, TEST, UAT, PROD) without multiplying licensing costs
- the requirement to eliminate hidden infrastructure costs, such as maintaining additional servers and external databases
- the risk of tool communication being blocked by the bank’s proxy systems (SSL inspection)
- the need for guaranteed engineering support (SLA) as part of the standard subscription fee
- high and recurring costs of manual Red Team tests, making it difficult to scale verification processes (the need to shift CAPEX to OPEX)
What was implemented and how did it work in practice?
The bank implemented IOC Simulator – a BAS platform for continuous SIEM/EDR detection validation through safe, repeatable simulation scenarios. The solution provided immediate access to up-to-date attack scenarios mapped to the MITRE ATT&CK framework, enabling teams to automate testing.
The key advantage of the implementation was the elimination of licensing and infrastructure barriers. IOC Simulator is delivered as an annual SaaS subscription, with no distinction between environment types and no per-CPU or per-device limits. As a result, the bank could freely run tests both in production and in DEV/TEST/UAT environments under the same fee. The architecture did not require the installation of any additional servers or external databases – on the client side, only a lightweight, standalone Agent executable file was launched.
A technological breakthrough for the bank was the use of an Application-Layer Encryption mechanism (RSA-2048 + AES-256 encryption applied before the TLS layer). This made it possible to avoid issues with restrictive proxy policies, guaranteeing 99.9% reliability of command delivery without the need to weaken the bank’s SSL inspection mechanisms.
A support model was also used in which engineering assistance on business days, a defined pool of consulting hours, and guaranteed SLA response times are an integral part of the standard license, with no hidden surcharges.
What were the results and what changed operationally?
Direct contact with engineers and a transparent licensing model drastically shortened the product’s time-to-value. Security testing teams could integrate IOCS agents into CI/CD processes without concerns about costs, automatically validating so-called “Gold Images” in test environments before their deployment to production.
In practice, the bank moved from costly and sporadic manual testing to continuous, structured resilience testing. The solution reduced verification costs by approx. 80% compared with global competitors, transforming irregular CAPEX expenses into predictable OPEX. Automatic artifact cleanup (auto-restore) ensured full safety of test cycles on endpoint systems.
From a regulatory perspective, IOC Simulator provided measurable evidence of recurring validation of detection and response mechanisms, supporting DORA requirements and cybersecurity risk management areas resulting from NIS2. Generated reports were based on actual threat scenario tests, making it easier to pass audits without the need to involve external Red Team teams for every verification.
Not having to maintain additional databases and management servers freed up IT administrators’ time, while the implemented support model guaranteed that in the event of any operational challenges, the bank’s team could immediately consult PREBYTES engineers as part of the existing subscription.
As a result, IOC Simulator became a permanent operational element – a foundation for continuous verification of security effectiveness, without generating hidden costs or architectural barriers.
Post-implementation effects
- ability to test detection effectiveness in DEV/TEST/UAT/PROD environments under a single license, with no hidden per-device/CPU fees
- 80% reduction in security validation costs compared with global BAS solutions, as well as savings compared with manual penetration testing
- complete elimination of hidden infrastructure costs – no requirement to install additional servers or databases on the client side
- 99.9% reliability of scenario delivery in a rigorous zero-trust network thanks to Application-Layer Encryption technology, which limits communication issues resulting from SSL/TLS inspection
- engineering support on business days, a pool of hours, and guaranteed SLA included in the base subscription price
- attack mapping to MITRE ATT&CK and support for DORA and NIS2 audit requirements
- readiness for automation in CI/CD cycles thanks to the built-in auto-restore mechanism
Want to learn the implementation details? Contact us.