3 min read

Why exploit tests aren’t the only way to prove risk

Picus argues defenders can validate exploitability without launching live exploits, using attack-step testing to prioritize patches faster.

Image: BleepingComputer

The old buffer between disclosure and exploitation has largely vanished, according to Picus Software. In a sponsored post, the company says the first half of 2026 alone produced more CVEs than any full year on record prior to 2024, with new entries appearing about every 7.4 minutes. At the same time, the Zero Day Clock now puts the median time to exploit in 2026 at well under a day, down from weeks a few years ago.

That leaves security teams with a basic problem: too many flaws, too little time, and no practical way to safely test every vulnerable system with live exploits. Picus argues that traditional automated pentesting only covers about 10 to 15% of a typical enterprise attack surface, because many systems are too sensitive, too regulated, air-gapped, or lack a public exploit.

The CISO's case for moving budget to BAS
The CISO's case for moving budget to BAS

Instead of waiting for weaponized code, Picus pitches a different approach: prove whether an attack chain would work by validating its required steps. That means mapping a vulnerability to behaviors such as initial execution, defense evasion, privilege escalation, credential theft, and lateral movement, then testing whether those steps can pass through the defenses already deployed. If one required step is blocked, the exploit chain fails even if the vulnerability remains unpatched.

The company illustrates that model with Nightmare-Eclipse, also referred to as Chaotic Eclipse and Dead Eclipse. Picus describes it as a series of uncoordinated Windows zero-day disclosures published by a single researcher beginning in early April 2026, often without a CVE or patch at release. Three tools are central to the example:

  • BlueHammer: a local privilege escalation technique using a privileged file read tied to a race condition in Windows Defender
  • RedSun: a privileged file write that overwrites TieringEngineService.exe and triggers it as SYSTEM
  • UnDefend: a Defender disruption tool that locks signature files and prevents updates while falsely reporting healthy status to the EDR console

How Picus simulates the attack chain

Building the TTP Chain
Building the TTP Chain

Rather than running the real exploit, Picus says it can emulate the key behaviors safely. In the Nightmare-Eclipse example, that includes creating a harmless “Evilsvc” service to represent SYSTEM execution, dumping the SAM hive through Volume Shadow Copy to test credential-access detection, and using unDefender to stop the Windows Defender service and check whether tamper protection holds.

Recommended reading

Joomla extension bugs hit CISA’s exploited list

According to the company, running those steps in sequence shows whether the full chain would succeed in a live environment without deploying malware on production systems.

Download ebook
Download ebook

Picus frames this as a complement to live exploit testing, not a replacement. Where a usable exploit exists and it is safe to launch, the company says autonomous pentesting offers the strongest proof. Where it is not safe, or no exploit exists yet, TTP-chaining is meant to fill the gap. The pitch is straightforward: use both methods continuously, because a control that blocked an attack last month may fail after the next configuration change.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading