🛡️ GuardFoxCopilot Documentation

Red Team & BAS

MITRE ATT&CK emulation plans, CVE exploit mapper, detection gap reports, and threat feed marketplace.

Route: /red-team

How BAS works

Overview

How Breach and Attack Simulation Works

BAS (Breach and Attack Simulation) tests your detection capabilities by safely emulating the techniques real threat actors use. Unlike a penetration test, BAS:

  • Uses non-destructive techniques that cannot cause actual damage
  • Runs continuously (not just annually)
  • Produces a detection gap report showing exactly which MITRE techniques you can and cannot detect
  • Requires no specialist red team knowledge

Emulation vs simulation

  • Simulation — mimics the effects of an attack without actually executing malicious code (what GuardFoxCopilot does)
  • Emulation — fully replicates attacker tools and techniques (requires specialist red team)

What gets tested

Each emulation plan covers a specific threat actor or attack pattern and contains 4–15 MITRE ATT&CK techniques. GuardFoxCopilot checks whether your SIEM, EDR, and detection rules flagged each technique.

Running an emulation plan

How to use

Running an Emulation Plan

  1. Go to Cloud & Testing → Red Team BAS → ⚔️ Emulation Plans
  2. Select a plan from the left panel (APT29, LockBit 3.0, Credential Harvesting)
  3. Click Run Emulation
  4. Watch each technique resolve in real-time — green (detected), red (missed), yellow (partial)
  5. When complete, click Show Gap Report

Reading the gap report

  • Coverage % — overall detection rate across all techniques
  • By tactic breakdown — which ATT&CK phases you're weak in
  • Gaps list — each missed/partial technique with an analyst note explaining why it was missed and what rule to add

Acting on gaps

For each missed technique:

  1. Check if the relevant data source is connected (e.g., ETW for process injection)
  2. Add or tune the SIEM rule
  3. Re-run the emulation plan to verify the gap is closed

Pre-built plans

PlanActorTechniques
APT29 EmulationCozy Bear (Russia)11 techniques
LockBit 3.0Ransomware group6 techniques
Credential HarvestingFIN7-style4 techniques

CVE Exploit Mapper

How to use

Using the CVE Exploit Mapper

The CVE Exploit Mapper shows you which vulnerabilities have public exploit code available, so you can prioritise patching correctly.

Understanding EPSS

EPSS (Exploit Prediction Scoring System) is the probability that a CVE will be exploited in the wild in the next 30 days. It's more actionable than CVSS alone:

  • CVSS 9.8 with EPSS 0.1% — theoretically severe, rarely exploited
  • CVSS 7.5 with EPSS 97% — high exploitation probability — patch first

Exploit source tags

  • 🟠 PoC — proof-of-concept code publicly available
  • 🔴 Metasploit — fully weaponised exploit module in Metasploit Framework
  • 🔵 Nuclei — detection/exploitation template for automated scanning
  • 🟣 ExploitDB — documented exploit on exploit-db.com

CISA KEV

If a CVE has the CISA KEV badge, it is confirmed as actively exploited in the wild and US federal agencies are legally required to patch within the FCEB deadline. Treat these as P1 regardless of CVSS.