security instrumentation platform (SIP)
end-to-end cybersecurity validation
SIP instruments customer IT environments to test the effectiveness of network, endpoint, email and cloud controls. SIP continuously executes tests and analyzes the results to proactively alert on drift from a known-good baseline and validate control configuration. SIP provides evidence demonstrating if a customer's controls are actually delivering the desired business outcomes.


the director

Think of the Director as an “effectiveness analysis engine.” It is the primary management and reporting console and overall central brain of the Verodin Security Instrumentation Platform (SIP). The Director is available as a SaaS platform (our cloud or yours) or an on-premises solution in both virtual appliance and installable software formats.


The Director seamlessly integrates into an organization’s defensive stack across network, endpoint, email and cloud controls. These integrations enable the Director to report on how effective controls are and where they are misconfigured. The Director then provides prescriptive details on how to optimize existing controls, enabling organizations to increase the value of the dollars they have already spent. Integrations also enable the Director to report on control gaps and overlap, providing evidence demonstrating which controls can be retired and removed from the stack.

All integrations come out-of-the-box with the Director. To ensure they are quick and easy to configure, Director’s integrations leverage the native APIs provided by the control.

over 50 technology Integrations
and many more...

Verodin SIP Actors perform tests in the production IT environment to validate and assess control effectiveness. SIP Actors come in several types and form factors to ensure test safety and provide a granular understanding of defense-in-depth. Actors are able to test four primary control types:


Network controls are controls inspecting network traffic (e.g. IDS, IPS, NGFW, etc.). To safely test production IT environments, Network Actors act as both the source and destination of a test, sending traffic between each other to see how the network control responds. These tests include segmentation and policy validation, malicious file transfer, C2, data exfiltration, etc. Verodin SIP is the only platform that is able to safely leverage real malware and real attack bytes to provide 100% reliability of test results. Verodin Network Actors are deployed within a customer’s business zones and are available as a virtual machine, physical appliance or installable software.


Endpoint controls are implemented to protect the host. Endpoint Actors are installed directly onto a customer’s “gold images” in the production IT environment. There is no need to install Endpoint Actors on every endpoint, simply a sampling of systems that represent deployed endpoint and user configurations. Endpoint Actors execute tests within the context of a user to validate access to resources, attempt privilege escalation, exfiltrate data and perform other behaviors across the Cyber Kill Chain. Tests can leverage all aspects of the endpoint’s operating system, including the CLI and even Powershell for Windows endpoints. Endpoint Actors can be installed onto Windows, Mac and Linux endpoints.


Email controls are designed to stop inbound phishing, emails containing malware and data leaving the production IT environment. The Verodin SIP Email Theater module enables Network Actors to test customer email controls, including on-premises Microsoft Exchange, Office 365 and other email platforms.


Verodin SIP Actors are able to test cloud controls, including commonly deployed AWS and Azure controls. Virtual host and API options are available, depending on the cloud platform and service offering being tested.

effectiveness validation process (EVP)

A lot has to go right for security to work. As the Director instructs Actors to run tests, it queries the controls in the environment to determine what they are seeing, which are blocking, what detection events are generated and if those events are properly formatted and make it through the network maze to their destination. Once at their destination -- likely a SIEM, log management platform or analytics engine — the Director validates that the events are properly timestamped, correctly parsed, and if the correlation rules and threat models defined actually generate an alert. This process is called Verodin’s Effectiveness Validation Process (EVP), and it is the result of several years of working with organizations to determine how best to validate their cybersecurity effectiveness.

dashboards and reports

The Director analyzes the results of the tests run in the environment and provides reports designed to enable customers to measure where their effectiveness is today, manage the dynamic environment and evolving threat landscape on a daily basis, and show improvement over time with real, evidence-based data.


Verodin Protected Theater is deployed as a segmented region of the Verodin Platform, that enables the testing of destructive malware, attack actions or behaviors within a protected environment. Typically, gold desktop versions are deployed with security controls into the Protected Theater.

protected theater

Verodin Protected Theater is deployed as a segmented region of the Verodin Platform, that enables the testing of destructive malware, attack actions or behaviors within a protected environment. Typically, gold desktop versions are deployed with security controls into the Protected Theater.

email theater

Verodin Email Theater enables the execution of non-destructive behaviors and non-destructive actions evaluating the effectiveness of email security tools such as Proofpoint, Symantec, Mimecast or Ironport.

cloud theater

Verodin Cloud Service Theater core value is enablement and deployment of Actors in the Verodin cloud service, that will allow the execution of both destructive and non-destructive behaviors and actions at Actors deployed as targets externally (i.e. exfil) or internally (confirm) to the organization.

sip faq

Does Verodin SIP require integrations to work?

No. Verodin SIP does not require integrations to work. It can run tests and provide basic results without them. However, integrations are essential to providing evidence of the effectiveness of cybersecurity controls. Most organizations are leveraging as little as 25% of the prevention functionality of their controls due to misconfiguration, weak-out-of-the box configurations and environmental drift. Verodin SIP’s integrations enable it to provide the customer a prescriptive set of steps to quickly optimize those controls. Without this level of visibility, it is impossible to clearly understand the results of tests.

Platforms that simply provide a list of attacks that are “blocked or not” do not provide the complete picture an organization needs to make decisions and, worse, encourage a path forward based on inaccurate assumptions.

Are the SIP integrations complicated to install and configure?

No. Verodin SIP leverages the control’s native APIs for the integration, making it quick and easy to set up. Integrations are provided “out of the box” with the Director, so there is nothing to install. Typically, all that is required for configuration is a valid, read-only user account and password from the control.

What types of controls does Verodin SIP test?

Verodin SIP can validate the effectiveness of network, endpoint, email and cloud controls. Common network controls tested include next-gen firewalls (NGFW) and traditional firewalls (FW), intrusion detection systems (IDS), intrusion prevention systems (IPS), malware sandboxes, web application firewalls (WAF), proxies and data loss prevention (DLP) systems. Common endpoint controls tested include tools like anti-virus (AV), host-based intrusion prevention systems (HIPS), software firewalls, and detection and response tools (EDR). Beyond traditional endpoint controls, Verodin SIP can also be leveraged to validate user and group policies, as well as Active Directory Group Policy (GPO) and even identify and access management (IAM) solutions.

Can Verodin SIP test endpoint controls?

Yes. Verodin can test controls on Windows, Mac and Linux endpoints. Tests can be run in the context of a user leveraging the host’s command line interface or even tools like Powershell on Windows systems.

Does Verodin SIP have a rest API?

Yes. The Director is effectively an API server that the web UI is built off of. Verodin has a fully documented REST API and is committed to making 100% of SIP’s functionality available, accessible and executable from the REST API.

Does my team need to be "mature" to get value from SIP?

No. Verodin’s customers range from mid-market organizations with a security team of 2-3 employees and a technical CISO all the way up to the largest Financial Services and Oil & Gas companies in the world. SIP is both powerful and extremely easy to use. For less mature organizations, Verodin SIP provides a platform to maturity. SIP enables their defenders to be more offensive and helps guide them along the path of ultimately providing the evidence needed to know their cybersecurity controls are effective.

Is Verodin SIP a Breach and Attack Simulation (BAS) tool?

The Breach and Attack Simulation (BAS) “category” has a pretty loose collection of vendors that don’t fall into more traditional categories and, in some situations, are not even competitive. This is not unusual for early markets and, over time, will likely break into at least three more distinct categories:

  • Companies focused on providing the business evidence of control effectiveness
  • Companies providing an attack simulation tool for the purpose of essentially becoming “vulnerability scanning 2.0”
  • Companies specifically focused on advanced threats and the realism of using those advanced threats for high-skill training

Verodin provides the ability to quantify if cybersecurity controls are effective and properly offsetting the business’ risk as intended. To do this, we focus on validating that controls are correctly configured, identifying where controls can be optimized, quantifying control gaps and overlap, and then continuously validating the environment against a known-good baseline in order to detect and quickly remediate environmental drift.

No one needs another long report telling them they have more problems. In reality, the lack of context can steer an organization down the wrong path by allowing them to feel confident about a decision that is actually damaging to the organization and creating more risk. Picture a situation where “the attack data” shows you a critical control is missing large amounts of attacks and feeling confident in removing it, when, in reality, the control you purchased is more than capable and just has some basic misconfigurations hampering its ability to be effective.

The last thing organizations need is more “attack data,” which is misleading and really just “vulnerability scanning 2.0”. Verodin SIP provides you the evidence needed to measure, manage and improve the effectiveness of your cybersecurity program.

Business Need