ROOT ACCESS PROTECTION

Frequently Asked Questions

Clear answers to common questions about RAP's methodology, services, and approach to continuous security validation.

How is RAP different from breach and attack simulation (BAS)?

BAS tools simulate techniques from frameworks like MITRE ATT&CK, running predefined playbooks to check if defenses fire. RAP executes observed attacker methodology—the actual command sequences, timing patterns, and decision logic captured from real adversary operations. BAS asks if you can detect a technique. RAP asks if you can stop what attackers actually do when they use that technique, including the steps that follow.

How is this different from AI-powered pentesting tools?

AI pentesting tools often promise to replace human operators with automation. RAP uses automation for what machines do well: repetition, drift detection, and regression testing at continuous cadence. Humans retain decision authority for mission planning, rules of engagement, and high-consequence actions. RAP is not a prompt or a dashboard—it is a system of methodology, authorization, infrastructure, and operators shaped by real-world offensive experience.

What is an adversary-informed tradecraft engine?

An adversary-informed tradecraft engine is a system that captures, composes, and replays observed attacker methodology under disciplined rules of engagement. Rather than replaying static technique checklists, it executes the actual decision trees, branching logic, and sequencing patterns observed from real adversary operations. This approach validates whether defenses can stop how attackers actually operate, not how frameworks assume they do.

What access does RAP require?

RAP operates under explicit authorization and defined rules of engagement agreed before any technical activity begins. Access requirements vary by engagement scope but typically include network access to in-scope environments, minimal telemetry context to understand your defensive posture, and coordination with your team for timing and deconfliction. Authorization is verified first; execution follows only after documented approval. No surprise operations.

What does an engagement typically look like?

Engagements begin with defining the rules of engagement and agreeing on scope. RAP then performs ongoing target development, executes observed attacker methodology against authorized assets, and validates whether defenses would stop realistic attack paths. Outputs include attack path narratives, detection gap summaries, and board-ready impact assessments. Operations run on a defined cadence (monthly or quarterly, depending on maturity), with regression testing after remediation.

Is this a replacement for red teams or detection engineering?

No. RAP is upstream of red teams and detection engineering, not a replacement. RAP provides fresh, observed attacker methodology that red teams can consume for campaign planning. Detection engineering teams use RAP output to validate coverage against real tradecraft, not theoretical techniques. RAP feeds existing security programs with continuous, evidence-driven validation and methodology that would otherwise require dedicated research capacity most organizations lack.