Tool Guide

Breach and Attack Simulation vs Sherlock EoP Auditor

Breach and Attack Simulation (BAS) platforms continuously execute simulated attack techniques against your environment to validate whether existing security controls detect or block them. AttackIQ, SafeBreach and Cymulate are the major BAS vendors. Sherlock EoP Auditor enumerates the local Windows privilege escalation surface on individual hosts. BAS answers "do our controls catch what attackers do?" EoP Auditor answers "what local attack surface would an attacker find on this Windows host?" The two tools fill different defense-in-depth roles in a mature security program.

What BAS platforms test

Breach and Attack Simulation platforms execute simulated attacker techniques against the live production environment and measure whether the deployed security controls (EDR, NDR, SIEM, firewall, email gateway) detect or block each technique. The simulations are mapped to the MITRE ATT&CK framework, so coverage is reported per ATT&CK technique ID.

Specific BAS test categories include phishing payload delivery simulation, lateral movement technique execution, credential dumping simulation, persistence mechanism deployment, data exfiltration technique simulation, ransomware behavior simulation and living-off-the-land technique execution. The simulations use real attacker tools and techniques, wrapped in safety harnesses that prevent actual damage to production systems.

The reports surface per-technique coverage scores, control gap analysis (where the simulation succeeded because no control detected it), trending over time as controls are tuned, and integration with security operations center workflow. The continuous-validation pattern gives security teams ongoing feedback on whether their controls remain effective as the environment changes and as attacker techniques evolve.

Major BAS vendors include AttackIQ (enterprise tier), SafeBreach (strong network-attack simulation), Cymulate (mid-market accessible, broad coverage), Picus Security and several others. Pricing varies, but annualized cost for a mid-market deployment typically runs five to six figures USD.

What Sherlock EoP Auditor tests

Sherlock EoP Auditor enumerates the local Windows privilege escalation surface on a single host. The tool runs on demand against the host and surfaces the conditions that would allow a regular user account to escalate to SYSTEM or another privileged identity on that machine.

Specific conditions EoP Auditor enumerates include third-party Windows services running as SYSTEM with weak access controls, kernel driver attack surfaces, named pipe authorization gaps, scheduled task misconfigurations, COM object permission gaps, registry key ACL issues, file system permission weaknesses on privileged executables and token impersonation opportunities. These are configuration-class findings on the local host, independent of which controls are deployed.

EoP Auditor does not simulate attacker techniques. It enumerates the static attack surface. The findings represent what an attacker would discover if they ran their own local enumeration on the host. The tool surfaces the discoverable surface before the attacker does.
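The following script is an added example, not Sherlock EoP Auditor's code, written to show what the service-related part of that enumeration looks like in practice. It walks every installed service and flags three configuration-class surfaces named above: a service binary or its directory writable by a low-privilege principal, an unquoted service path containing spaces, and a writable service registry key. The principal list, the access-mask bits and the function names are this example's own choices; a real auditor would also cover drivers, pipes, tasks and COM, which are out of scope here.

```powershell
# Added example (not Sherlock EoP Auditor code): enumerate three classic
# configuration-class service EoP surfaces on the local host.
#   1. service binary (or its directory) writable by a low-privilege principal
#   2. unquoted service path containing spaces (path interception)
#   3. service registry key writable by a low-privilege principal
# Read-only: nothing is modified. Results reflect the ACLs visible to the caller.

# Principals whose write access counts as a finding (assumed set; extend as needed).
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Access-mask bits that allow changing a file or key: WriteData/SetValue (0x2),
# AppendData/CreateSubKey (0x4), DELETE (0x10000), WRITE_DAC (0x40000),
# WRITE_OWNER (0x80000), GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath {
    # Extract the executable path from a Win32_Service PathName, which may be
    # quoted or unquoted and followed by arguments.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-LowPrivWrite {
    # True if any low-privilege principal holds an Allow ACE with a write bit
    # on the file, directory or registry key at $Path. Unreadable ACLs are
    # treated as "no finding" so the scan keeps going.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemAccessRule exposes FileSystemRights; RegistryAccessRule exposes RegistryRights.
        $rights = if ($ace.PSObject.Properties['FileSystemRights']) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if (([int]$rights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-ServiceEoPSurface {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe    = Get-ServiceBinaryPath $svc.PathName
        $dir    = Split-Path -Path $exe -Parent
        $issues = @()

        # Unquoted path with spaces: SCM tries "C:\Program.exe" before the real binary.
        if ($svc.PathName -notmatch '^"' -and $exe -match '\s') { $issues += 'UnquotedPathWithSpaces' }
        if (Test-LowPrivWrite $exe)                   { $issues += 'BinaryWritable' }
        if ($dir -and (Test-LowPrivWrite $dir))       { $issues += 'BinaryDirectoryWritable' }
        if (Test-LowPrivWrite "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)") {
            $issues += 'ServiceKeyWritable'
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Service = $svc.Name
                RunsAs  = $svc.StartName   # LocalSystem findings are the ones that matter most
                Start   = $svc.StartMode
                Binary  = $exe
                Issues  = ($issues -join ',')
            }
        }
    }
}

Get-ServiceEoPSurface | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

Run it as the standard user you are worried about rather than as an administrator: the question is what that account can write to, and ACL evaluation in the script is by principal name, not by effective token, so it can under-report (group-nested grants) or over-report (Deny ACEs on a parent, an explicit Deny on the binary itself) compared with a true effective-access check. Treat each row as a lead to confirm, not a proven escalation.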

Different question classes

The reason these two tools coexist in mature programs is that they answer different security questions about Windows endpoints.

BAS answers: "Given the controls we have deployed, can we detect or block specific attacker techniques?" The output is a coverage map against MITRE ATT&CK with detection and prevention efficacy per technique. The remediation is control tuning, SIEM rule development and detection engineering.

EoP Auditor answers: "What configuration-class privilege escalation surfaces exist on this specific host, independent of which controls are deployed?" The output is a list of authorization gaps, misconfigurations and design-class issues in third-party software. The remediation is configuration change, vendor coordination and sometimes vendor product replacement.

The two outputs are largely non-overlapping. BAS might show "lateral movement technique X is detected by our EDR." EoP Auditor might show "host Y has a third-party service with a named pipe authorization gap that any user can exploit." Both findings are independently actionable, and together they paint a more complete picture than either alone.

Where BAS may miss EoP findings

BAS platforms simulate known attacker techniques mapped to ATT&CK. The simulation surface is constrained by what techniques the vendor has implemented as test modules. Privilege escalation via a third-party service's named pipe authorization gap is rarely covered as a BAS test module because the specific gap depends on which third-party software is installed and on the authorization design choices that vendor made.

A BAS platform might test the general MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation) using a public CVE proof-of-concept against a known unpatched vulnerability. It would not test the specific authorization gap in a particular third-party service that has no CVE assigned, because the gap is configuration-class and design-class rather than CVE-class. The EoP Auditor finding would not show up in the BAS report.

One caveat before concluding that a surface is invisible to BAS: some configuration-class surfaces do have their own ATT&CK sub-techniques (unquoted service paths under T1574.009, service binary permission weaknesses under T1574.010, service registry permission weaknesses under T1574.011), and a BAS vendor may ship modules for them. Check the vendor's module catalogue for the specific surface class rather than assuming from the technique-level coverage map.

This is the same gap that Sherlock Forensics Labs disclosed in our SF-LABS-2026-04 PARTY LINE category. The configuration-class privilege escalation surface in third-party software is invisible to BAS platforms because BAS does not enumerate static surface; it executes known techniques.

Where EoP Auditor may miss BAS findings

EoP Auditor enumerates the local privilege escalation surface but does not test the detection efficacy of deployed controls. A finding may exist that an attacker could exploit, yet the deployed EDR might detect the exploitation attempt and block it. The EoP Auditor finding does not tell you whether the control would catch the attack; it only tells you the surface is present.

BAS coverage is required to answer the detection question. The two tools layer: EoP Auditor surfaces the static attack surface, and BAS validates whether deployed controls catch attacks against that surface. The combined picture is either "we have surface X and our controls catch attacks against it" or "we have surface X and our controls miss attacks against it." Either statement is more actionable than what each tool reports alone.

Coverage matrix

Continuous validation of deployed security controls: BAS covers extensively. EoP Auditor does not.

MITRE ATT&CK technique coverage measurement: BAS covers. EoP Auditor does not produce ATT&CK coverage maps.

Detection engineering feedback loop: BAS provides. EoP Auditor does not.

Static local privilege escalation surface enumeration: EoP Auditor covers in depth. BAS does not enumerate static surface; it executes known techniques.

Third-party Windows service authorization gaps: EoP Auditor covers. BAS rarely covers (no CVE often means no test module).

Named pipe authorization gaps: EoP Auditor covers. BAS does not.

Kernel driver attack surface enumeration: EoP Auditor covers. BAS partially covers via specific known-CVE driver attack simulations.

Network attack technique simulation: BAS covers (SafeBreach in particular has strong network coverage). EoP Auditor does not.

Email gateway and payload delivery simulation: BAS covers. EoP Auditor does not.

Lateral movement simulation: BAS covers. EoP Auditor does not.

Ransomware behavior simulation: BAS covers. EoP Auditor does not.

Pre-deployment validation of new Windows server: EoP Auditor covers. BAS may cover via simulation but the surface enumeration is more direct.

Cost and operational characteristics

BAS platforms are enterprise-tier subscription products. AttackIQ, SafeBreach and Cymulate annualized cost for a mid-market organization typically runs five to six figures USD, depending on platform tier and the number of simulated environments. The platforms require integration with deployed controls (EDR, SIEM, etc.) for measurement and require dedicated detection engineering capacity to act on findings.

Sherlock EoP Auditor is licensed as a standalone tool that runs on demand against individual Windows hosts. Its cost is materially below the BAS subscription tier because the use case is targeted surface enumeration, not continuous control validation. The two cost classes are not substitutes for each other.

The operational pattern mature security teams adopt is to deploy BAS for continuous control validation and to run EoP Auditor on demand against specific hosts that warrant a deeper privilege escalation surface audit. New Windows server deployments, post-incident host audits, third-party software vendor evaluation and hosts that BAS flags as control-gap-affected are the primary EoP Auditor use cases.

When BAS is the right starting point

Choose BAS first if your security program has:

(1) significant existing investment in EDR, SIEM and other security controls but limited visibility into whether they work against current attacker techniques,

(2) mature detection engineering capability that can act on BAS findings,

(3) compliance or board reporting needs for security control efficacy measurement,

(4) enterprise-tier budget for a continuous validation platform and the operational team capacity to run it.

When EoP Auditor is the right starting point

Choose Sherlock EoP Auditor first if your security program has:

(1) need for specific host-level privilege escalation surface audit (new server deployment, post-incident audit, third-party vendor evaluation),

(2) limited budget that does not stretch to the BAS platform tier, combined with a need for concrete Windows hardening evidence on specific hosts,

(3) BAS already deployed but finding that BAS coverage does not extend to local privilege escalation surface,

(4) significant third-party Windows software heterogeneity (each vendor adds new privilege escalation surface).

What this means for security planning

The mistake security programs make is treating continuous validation tools as complete attack surface coverage. They are not. BAS validates whether deployed controls catch known attacker techniques. EoP Auditor enumerates the configuration-class attack surface that exists below the control layer. Both layers matter.

Sherlock Forensics incident response casework consistently surfaces breaches where the BAS deployment was sound and the local Windows attack surface was vulnerable. The BAS coverage map showed strong technique detection. The attacker did not need to execute a known technique because the host configuration handed them privilege escalation directly. Control validation was not the gap; the configuration class was.

The honest practitioner posture is to layer BAS for continuous control validation and EoP auditing for configuration-class surface enumeration. Skipping either layer leaves a class of finding unaddressed.

The Sherlock Forensics services practice handles ransomware response, breach investigation and court-defensible forensic examination. The forensic toolchain includes the Sherlock Disk Imager for acquisition with chain of custody, the Sherlock Universal Events Viewer for timeline reconstruction and the Sherlock EoP Auditor for privilege escalation surface assessment. Talk to our team about incident response or a proactive Windows hardening assessment.

BAS validates controls. EoP auditing enumerates surface. Two layers of defense in depth. Get on the EoP Auditor early access list for the surface enumeration layer, and talk to our team about pairing it with your BAS program.