Cloud Breach Simulation and the Modern SIEM
Upcoming talk on simulating large-scale AWS/Azure breaches to stress-test detection engineering pipelines.
This is an upcoming talk at RSA Conference 2026. The abstract and main arguments are documented here ahead of the event. Slides and recording will be linked after the presentation.
The central argument
Most SIEM deployments are implicitly tested against on-premises attacker models: lateral movement in AD, endpoint compromise, exfiltration over SMB. Cloud breach has a different shape (control-plane abuse, identity federation attacks, pivots through managed services) and most production SIEMs are undertested against it.
The talk proposes a simulation framework for cloud breach scenarios: define the attacker objective, enumerate the control-plane and data-plane actions required, and map each action to the CloudTrail or Azure Activity Log events it generates. Then check whether your SIEM actually fires on those events.
Why simulation is better than red-team for detection validation
Red-team exercises validate whether an attacker can achieve an objective. Breach simulation validates whether the SIEM can see it. These are different questions. A red-team may achieve an objective via an unanticipated path that the SIEM happens to cover. A simulation deliberately exercises each path you need to cover and checks coverage directly.
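The following is an added example, not code from the talk or any framework it describes, showing the coverage check that the two sections above argue for: a scenario is a list of required (eventSource, eventName) steps, the CloudTrail-style records those steps would produce are fed through a set of detection rules, and each step is reported as detected, logged but undetected, or not logged at all. The trail records, the detection rules, the corporate egress range and all identifiers (account id, ARNs, IPs) are constructed for this example; only the CloudTrail field names are real.

```python
"""Coverage check for a simulated cloud breach scenario (added example).

Given the CloudTrail records a scenario's steps would generate and a set of
detection rules, report which steps the rules actually fire on.
"""
import ipaddress
from typing import Callable

# Constructed CloudTrail-style records. Field names follow the real CloudTrail
# schema (eventSource, eventName, userIdentity, sourceIPAddress,
# requestParameters); every value is made up for this example.
SAMPLE_TRAIL = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111111111111:user/contractor"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {
         "roleArn": "arn:aws:iam::111111111111:role/DataReader"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DataReader/s1"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/DataReader/s1"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": None},
]
# Deliberately no GetObject record: CloudTrail records S3 object-level calls
# only when data-event logging is enabled for the trail, so a scenario step can
# be "not logged" rather than merely "not detected". The report distinguishes
# the two, because the fix is different (turn on logging vs. write a rule).

# Constructed corporate egress range (assumption for this example).
CORP_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]


def from_outside_corp(event: dict) -> bool:
    """True when the caller's source address is outside known corporate egress."""
    try:
        ip = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:
        # CloudTrail puts a service DNS name here for AWS-service-initiated
        # calls; those are not a user from an unexpected network.
        return False
    return not any(ip in net for net in CORP_EGRESS)


# Detection rules as predicates over a single record. In a real SIEM these
# would be the rule content; here they are minimal stand-ins.
Rule = Callable[[dict], bool]
DETECTIONS: dict[str, Rule] = {
    "assume-role-from-non-corporate-ip": lambda e: (
        e["eventSource"] == "sts.amazonaws.com"
        and e["eventName"] == "AssumeRole"
        and from_outside_corp(e)),
    "access-key-created-by-assumed-role": lambda e: (
        e["eventSource"] == "iam.amazonaws.com"
        and e["eventName"] == "CreateAccessKey"
        and e["userIdentity"]["type"] == "AssumedRole"),
}

# One scenario: the objective and the control/data-plane steps it requires,
# each expressed as the (eventSource, eventName) pair it produces in CloudTrail.
SCENARIO = {
    "objective": "read objects from a sensitive bucket via an assumed role",
    "steps": [
        ("sts.amazonaws.com", "AssumeRole"),
        ("iam.amazonaws.com", "CreateAccessKey"),
        ("s3.amazonaws.com", "ListBuckets"),
        ("s3.amazonaws.com", "GetObject"),
    ],
}


def coverage(scenario: dict, trail: list, rules: dict) -> dict:
    """Map each scenario step to (status, [rules that fired])."""
    report = {}
    for source, name in scenario["steps"]:
        matching = [e for e in trail
                    if e["eventSource"] == source and e["eventName"] == name]
        if not matching:
            report[(source, name)] = ("not logged", [])
            continue
        fired = sorted(r for r, pred in rules.items()
                       if any(pred(e) for e in matching))
        status = "detected" if fired else "logged, undetected"
        report[(source, name)] = (status, fired)
    return report


def gaps(report: dict) -> list:
    """Steps the SIEM would not alert on, in scenario order."""
    return [step for step, (status, _) in report.items() if status != "detected"]


if __name__ == "__main__":
    rep = coverage(SCENARIO, SAMPLE_TRAIL, DETECTIONS)
    print(f"objective: {SCENARIO['objective']}")
    for (source, name), (status, fired) in rep.items():
        print(f"  {source:24} {name:16} {status:20} {', '.join(fired)}")
    print("gaps:", gaps(rep))
```

The point the report makes is the one the talk draws: a red-team run that reached the bucket would tell you only that it was reachable, whereas the per-step table tells you that AssumeRole and CreateAccessKey are covered, ListBuckets is recorded but no rule fires on it, and GetObject never reaches the SIEM because the event is not being logged at all.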