Overview

The AttackIQ integration connects the Praetorian Guard Platform (PGP) with your AttackIQ breach and attack simulation (BAS) platform, importing assessment results and security control validation data into your attack surface. AttackIQ tests whether your security controls actually detect and prevent real-world attack techniques — PGP imports these results as risks so you can see where your defenses have gaps alongside every other vulnerability in your environment.

This integration is ideal for organizations running AttackIQ assessments who want to correlate control validation failures with their broader attack surface. When AttackIQ identifies that a security control failed to detect a specific MITRE ATT&CK technique, PGP surfaces that gap as a risk tied to the affected assets, giving you a unified view of both theoretical vulnerabilities and proven defensive failures.

What the Integration Does

When connected, PGP performs a read-only import from the AttackIQ REST API:

  • Assessment Results as Risks: Failed and partially failed assessment scenarios from AttackIQ are imported as PGP risks. Each risk captures the MITRE ATT&CK technique tested, the control that failed, the detection outcome, and the affected asset — giving you actionable proof that a specific defense is not working as expected.

  • Assessment Targets as Assets: Systems and endpoints targeted during AttackIQ assessments are imported as PGP assets, providing an inventory of tested infrastructure and its validation status.

  • Tested Endpoints as Seeds: IP addresses and hostnames of assessment targets are imported as PGP seeds, feeding them into the Guard discovery and scanning pipeline.

Data flows one direction only — from AttackIQ into PGP. The integration never writes back to AttackIQ, modifies assessments, or triggers simulations.

Prerequisites

Before setting up the integration, ensure you have:

  • An AttackIQ subscription (Flex, Enterprise, or Ready! tier) with an active deployment you can sign in to

  • An AttackIQ user with permission to create API tokens. By default this requires the Account Admin or Security Manager role; some organizations also grant this to a custom integration role.

  • The Server URL of your AttackIQ deployment. AttackIQ is multi-tenant SaaS with per-customer subdomains. Common examples:

    • https://firedrill.attackiq.com -- shared production tenant

    • https://<your-company>.attackiq.com -- dedicated tenant

    • https://<your-company>-flex.attackiq.com -- Flex offering tenant

Creating an AttackIQ API Token

  • Sign in to your AttackIQ deployment as a user with admin permissions

  • Click your profile avatar in the top-right corner and choose My Account

  • Open the API Tokens tab (or navigate to Settings > API Tokens depending on your deployment version)

  • Click Add Token (or Generate Token)

  • Give the token a descriptive name (e.g., praetorian-guard-integration) so it is easy to revoke later

  • Click Create. AttackIQ displays the token value once -- copy it immediately into a secrets manager. If you lose it, you must delete the token and create a new one.

Setup

  • In PGP, go to Integrations and click Add Integration

  • Find AttackIQ (Preview) in the Breach and Attack Simulation category and click it

  • Enter the required credentials and choose your import preferences

  • Click Submit -- PGP will issue a GET /v1/assessments?page_size=1 call to verify the token is valid and the server URL is reachable

Field Reference

Field | Description | Required
AttackIQ Server URL | The base URL of your AttackIQ deployment (e.g., https://firedrill.attackiq.com). Do not include a trailing slash or path. | Yes
API Token | The AttackIQ API token | Yes
Import Vulnerabilities | Ingest failed-test results as risks in PGP. This is the primary value of the integration. (on by default) | No
Import Assets | Create AttackIQ-discovered hosts as assets in PGP. Leave unchecked if your asset inventory is already authoritative from another source. (off by default) | No

If validation fails, verify that your API token has the correct permissions and that the server URL is reachable.

Permissions

The API token inherits the permissions of the user who created it. The minimum effective scopes the integration needs are:

  • Read assessments -- to enumerate which security tests have run

  • Read scenarios / results -- to ingest individual test outcomes as risks

  • Read assets (optional) -- only required if Import Assets is enabled

The integration does not need write, delete, or assessment-execution permissions. AttackIQ does not currently expose granular per-scope tokens; the practical control is the role assigned to the token's creating user. Use a dedicated service-style account with the least-privileged role your organization allows, rather than a personal admin account.

What Data Is Synced

Assessment Results

Failed and partially failed AttackIQ scenarios create PGP risks with:

  • Risk name: Derived from the scenario name and MITRE ATT&CK technique (e.g., "Failed: T1059.001 — PowerShell Execution")

  • Severity: Mapped from the assessment's impact rating and the criticality of the MITRE ATT&CK technique tested

  • Proof artifacts: MITRE ATT&CK technique ID, tactic, assessment name, scenario details, detection outcome (detected/not detected/partially detected), control tested, and timestamp

  • Description: Full assessment context including what was simulated and what the expected vs. actual outcome was

Detection outcome mapping (AttackIQ scenario outcome to PGP risk status):

AttackIQ Outcome | PGP Status
Not Detected | Triage
Partially Detected | Open
Detected (previously failed) | Remediated
Error | Triage
Detected (always passed) | Not imported

Only scenarios with failed or partially failed outcomes are imported as risks. Scenarios where controls consistently pass are not imported, since they represent working defenses rather than vulnerabilities.
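A worked version of the import rules above (the risk naming from the Assessment Results list and the outcome-to-status table, including the "previously failed, now detected" and "always passed" cases), added here as an example and not the integration's own code. The ScenarioResult field names and the sample records are assumptions, not the AttackIQ API schema; severity is left out because the page does not define its mapping.

```python
from dataclasses import dataclass

# Latest-run outcome -> PGP status for a scenario that has failed at least once
# (the mapping table above); "detected" is only reached after an earlier failure.
OUTCOME_TO_STATUS = {"not_detected": "Triage", "partially_detected": "Open",
                     "error": "Triage", "detected": "Remediated"}


@dataclass(frozen=True)
class ScenarioResult:
    """One scenario run. Field names are assumed, not the AttackIQ API schema."""
    target: str        # hostname or IP of the assessment target
    technique_id: str  # MITRE ATT&CK technique tested
    scenario: str      # scenario name
    outcome: str       # detected | not_detected | partially_detected | error
    run_at: str        # ISO-8601 timestamp, used to order runs


def results_to_risks(results):
    """Return {(target, technique_id): risk} following the import rules: scenarios
    that always passed are skipped; one that failed earlier but is detected in its
    latest run becomes Remediated; any other latest outcome maps via the table."""
    runs_by_key = {}
    for r in sorted(results, key=lambda r: r.run_at):
        runs_by_key.setdefault((r.target, r.technique_id), []).append(r)
    risks = {}
    for key, runs in runs_by_key.items():
        if all(r.outcome == "detected" for r in runs):
            continue  # control consistently passed: a working defense, not a risk
        latest = runs[-1]
        risks[key] = {
            "name": f"Failed: {latest.technique_id} - {latest.scenario}",
            "status": OUTCOME_TO_STATUS[latest.outcome],
            "asset": latest.target,
            "proof": {"technique": latest.technique_id, "outcome": latest.outcome,
                      "timestamp": latest.run_at, "runs": len(runs)},
        }
    return risks


# Constructed sample data, not real AttackIQ output.
SAMPLE = [
    ScenarioResult("host-a", "T1059.001", "PowerShell Execution", "not_detected", "2024-01-01T00:00:00Z"),
    ScenarioResult("host-a", "T1059.001", "PowerShell Execution", "not_detected", "2024-02-01T00:00:00Z"),
    ScenarioResult("host-a", "T1003.001", "LSASS Memory", "not_detected", "2024-01-01T00:00:00Z"),
    ScenarioResult("host-a", "T1003.001", "LSASS Memory", "detected", "2024-02-01T00:00:00Z"),
    ScenarioResult("host-b", "T1059.001", "PowerShell Execution", "detected", "2024-01-01T00:00:00Z"),
    ScenarioResult("host-b", "T1566.001", "Spearphishing Attachment", "partially_detected", "2024-02-01T00:00:00Z"),
    ScenarioResult("host-c", "T1486", "Data Encrypted for Impact", "error", "2024-02-01T00:00:00Z"),
]
```

Running results_to_risks(SAMPLE) yields four risks: host-b's always-detected PowerShell scenario is not imported, and host-a's LSASS scenario lands as Remediated because its latest run was detected after an earlier failure.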

Assessment Targets

Systems targeted during assessments are imported as assets with:

  • Asset name: Hostname or IP address of the target system

  • Asset type: Endpoint or server

  • Metadata: Operating system, agent ID, last assessment date, and overall pass/fail ratio

Tested Endpoints

Endpoints involved in assessments are imported as seeds:

AttackIQ Element | PGP Seed Type
Target IP address | IPv4 Asset
Target hostname | Domain Seed
Target FQDN | Domain Seed

API Endpoints Used

Endpoint | Method | Purpose
/api/v1/assessments | GET | Fetch all assessments in your AttackIQ instance
/api/v1/assessments/{assessmentId}/results | GET | Fetch scenario results for each assessment (paginated)
/api/v1/assets | GET | Fetch the inventory of assessment target systems

Base URL: Your AttackIQ Server URL (e.g., https://firedrill.attackiq.com or https://your-org.attackiq.com)

All requests use Bearer token authentication over HTTPS. The integration paginates through all assessments and results in a single sync.

Troubleshooting

Issue | Cause | Fix
"Authentication Failed" | The token has been revoked, or the user it was created under has been deactivated | Generate a new token in AttackIQ and re-enter it
"Insufficient Permissions" | The creating user's role does not include read access to assessments | Have an admin assign the role described under Permissions
"Connection Failed" | The AttackIQ Server URL is wrong or unreachable | Confirm the URL by opening it in a browser; you should see the AttackIQ login page
No risks appearing | All scenarios passed (controls are working) | Only failed or partially failed scenarios are imported — if all controls pass, no risks are created
Missing assessment data | Assessments have not been run or completed | Ensure assessments have been executed in AttackIQ and results are available
Stale results | Sync interval has not elapsed since last assessment run | PGP syncs periodically — new results will appear after the next sync cycle
Unexpected severity ratings | Severity is derived from ATT&CK technique criticality | Review the MITRE ATT&CK technique mapping in your assessment configuration

Security and Data Handling

  • Read-only access: The integration only reads data from AttackIQ. It never creates, modifies, or deletes assessments or scenarios, and never triggers simulations.

  • Credential handling: Your API Token is stored as an encrypted credential within PGP and is never exposed in logs or the UI after initial entry.

  • Authentication: The API token is transmitted as a Bearer token in the Authorization header over HTTPS to the AttackIQ API.

  • Data filtering: Risks pass through PGP's standard VM filter rules, allowing you to control which severity levels or ATT&CK techniques are imported.