# Use Cases

## EVE Use Cases

### Purpose

Epiphany Validation Engine (EVE) is designed to help organizations validate whether their security controls can detect, block, contain, and generate visibility against realistic adversary behaviors in a controlled manner. Rather than relying only on theoretical coverage, policy assumptions, or vendor claims, EVE allows teams to verify control effectiveness through structured emulations, guided attack campaigns, and endpoint-based validations.

The following use cases describe common ways in which EVE can be applied across security operations, security engineering, control assurance, purple teaming, incident readiness, and continuous validation programs.

### Core Value of EVE Across Use Cases

EVE supports multiple validation scenarios by combining:

* Controlled emulations against real security controls
* Endpoint and network validation paths
* Execution and non-execution testing options
* Threat-aligned artifacts and emulation packages
* Custom script-based adversary behavior simulation
* Email-based attack campaign validation
* Centralized evidence, tracking, and operational governance

This allows organizations to move from assumed protection to demonstrated protection.

### Use Case 1 - Validate Endpoint Protection Effectiveness

#### Objective

Determine whether endpoint security controls such as EDR, XDR, NGAV, or host-based protection can detect, prevent, or respond to adversary behaviors executed on a protected endpoint.

#### How it works

A security team selects a prepared artifact, sample, or emulation package from the EVE Threat Library and launches an emulation against a controlled endpoint with the EVE agent installed. Depending on the selected emulation vector, the test may validate:

* Network-level delivery
* Endpoint-level prevention
* Full execution and response

The organization can observe whether the security tool blocks the payload before execution, detects the behavior during execution, or produces the expected telemetry and alerts after execution.

#### Typical outcome

This use case helps answer questions such as:

* Is the endpoint protection platform actually preventing malicious behavior?
* Does the tool generate telemetry at the right stage?
* Are security analysts receiving actionable alerts?
* Is detection limited to known signatures, or does it also cover behavior?

#### Operational value

This is one of the most common EVE use cases because it transforms endpoint protection validation into a measurable and repeatable process.

### Use Case 2 - Validate Security Controls Without Executing the Sample

#### Objective

Test whether perimeter and endpoint controls would stop a threat before execution, without requiring full execution of the artifact on the target endpoint.

#### How it works

EVE supports emulation modes that validate delivery and control interception without necessarily executing the sample. This is especially useful when the organization wants to confirm whether controls such as email gateways, proxies, secure web gateways, endpoint prevention layers, or file inspection technologies would stop the threat at an earlier stage.

#### Typical outcome

Security teams can determine:

* Whether a control blocks the artifact in transit
* Whether the endpoint protection layer quarantines or deletes the file
* Whether the organization can validate preventive effectiveness with reduced operational risk

#### Operational value

This use case is especially useful in environments with strict production controls, sensitive workloads, or limited tolerance for execution-based exercises.

### Use Case 3 - Continuous Validation of Security Controls

#### Objective

Move from one-time assessments to recurring security validation.

#### How it works

EVE allows organizations to schedule repeated emulations over time using selected threats, artifacts, or adversary techniques. These recurring validations can be aligned to critical controls, business units, technology stacks, or security priorities.

For example, an organization may schedule recurring tests to validate:

* Ransomware-related prevention behaviors
* Script interpreter monitoring
* Payload download detection
* Lateral movement controls
* Credential access protections

#### Typical outcome

Teams can identify when security performance changes due to:

* New agent versions
* Policy modifications
* Infrastructure changes
* Product updates
* Coverage gaps introduced by operational drift

#### Operational value

This use case supports security maturity by turning validation into an ongoing practice instead of an isolated event.

### Use Case 4 - Measure Detection and Response Visibility

#### Objective

Confirm whether emulated malicious behaviors generate the expected alerts, logs, telemetry, and analyst visibility.

#### How it works

An emulation is launched against a prepared endpoint or target scenario. While the exercise runs, the security team monitors third-party tools such as EDR, SIEM, SOAR, NDR, firewall logs, or SOC dashboards to verify what is actually seen by the defensive stack.

The purpose is not only to check whether something was blocked, but also whether:

* The event is visible to analysts
* The behavior is classified correctly
* The alert has enough context for triage
* The event reaches downstream logging and correlation systems

#### Typical outcome

This use case helps determine whether the organization has true operational visibility or only nominal technical coverage.

#### Operational value

A control that blocks or detects a behavior but fails to provide useful evidence to the SOC still represents a readiness gap. EVE helps reveal that gap.

### Use Case 5 - Validate Specific MITRE ATT&CK Techniques

#### Objective

Verify defensive coverage against specific adversary techniques and behaviors mapped to MITRE ATT&CK.

#### How it works

A security team selects artifacts, packages, or custom threats associated with a desired technique or stage of the attack chain. The test is then run against a controlled target to determine whether existing controls detect or prevent that behavior.

Examples may include validation of:

* PowerShell abuse
* Command and scripting interpreter activity
* Payload execution
* Persistence mechanisms
* Credential dumping attempts
* Discovery behaviors
* Defense evasion actions

#### Typical outcome

The organization can confirm whether its controls truly cover the techniques it claims to monitor and defend against.

#### Operational value

This use case is valuable for maturity assessments, ATT&CK-based reporting, control mapping exercises, and discussions with blue teams or control owners.

### Use Case 6 - Validate Detection Logic Before and After Tuning

#### Objective

Test the effectiveness of security control tuning, policy changes, or new detection logic.

#### How it works

A team runs a baseline emulation to identify current defensive behavior. After adjusting EDR policies, detection rules, SIEM use cases, exclusions, hardening controls, or alert thresholds, the same emulation is repeated.

The comparison allows the organization to determine whether tuning improved defensive coverage, reduced blind spots, or introduced unintended side effects.

#### Typical outcome

Teams can answer:

* Did the tuning improve prevention or visibility?
* Did a rule change reduce useful telemetry?
* Did policy changes unintentionally weaken protection?

#### Operational value

This is highly useful for security engineering teams that need evidence-based validation of tuning efforts.

### Use Case 7 - Validate Patch, Hardening, or Remediation Effectiveness

#### Objective

Confirm whether a remediation effort actually reduced exploitable behavior or improved defensive outcomes.

#### How it works

A relevant emulation is launched before and after a remediation action such as:

* Patch deployment
* Endpoint hardening
* Macro restriction
* PowerShell restriction
* Attack surface reduction rule enablement
* Application control enforcement

The organization compares the before and after results to determine whether the environment is more resilient.

#### Typical outcome

This provides measurable confirmation that remediation actions are effective, rather than simply marked as completed.

#### Operational value

This use case is important for proving security improvement to internal stakeholders, audit teams, and control owners.
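The before-and-after comparison in Use Cases 6 and 7 is easy to get wrong by hand: an outcome that moves to an earlier stage can still lose the telemetry the SOC relied on, and an emulation that was simply not re-run is not an improvement. The script below is an added example, not EVE's own code or export format (which this page does not describe); it assumes each run is a mapping of emulation id to the strongest defensive outcome observed plus whether evidence reached downstream logging, and flags regressions and lost telemetry separately.

```python
# Added example, not EVE code. The result format is an assumption: EVE's
# own export format is not described on this page.
from dataclasses import dataclass

# Outcomes ordered strongest to weakest, following the stages in the use cases.
OUTCOME_RANK = {"blocked_in_transit": 4, "prevented_pre_execution": 3,
                "detected_during_execution": 2, "telemetry_only": 1, "missed": 0}

@dataclass(frozen=True)
class Result:
    outcome: str             # key of OUTCOME_RANK
    telemetry_in_siem: bool  # did evidence reach downstream logging?

def classify(before: Result, after: Result) -> str:
    """Classify how one emulation's defensive outcome changed between runs."""
    b, a = OUTCOME_RANK[before.outcome], OUTCOME_RANK[after.outcome]
    if a < b:
        return "regressed"        # tuning weakened prevention or detection
    if before.telemetry_in_siem and not after.telemetry_in_siem:
        return "telemetry_lost"   # handled earlier, but the SOC lost evidence
    if a > b or (after.telemetry_in_siem and not before.telemetry_in_siem):
        return "improved"
    return "unchanged"

def compare_runs(baseline: dict, tuned: dict) -> dict:
    """Bucket ids by change; ids absent from the re-run go to not_rerun, not improved."""
    report = {k: [] for k in ("improved", "regressed", "telemetry_lost",
                              "unchanged", "not_rerun")}
    for emu_id in sorted(baseline):
        after = tuned.get(emu_id)
        report["not_rerun" if after is None else classify(baseline[emu_id], after)].append(emu_id)
    return report

# Constructed sample runs, keyed by a made-up emulation id.
BASELINE = {
    "powershell-download-cradle": Result("detected_during_execution", True),
    "credential-dump-attempt": Result("telemetry_only", True),
    "registry-run-key-persistence": Result("missed", False),
    "payload-download": Result("blocked_in_transit", True),
}
AFTER_TUNING = {
    "powershell-download-cradle": Result("prevented_pre_execution", False),
    "credential-dump-attempt": Result("detected_during_execution", True),
    "registry-run-key-persistence": Result("missed", False),
}

if __name__ == "__main__":
    for bucket, ids in compare_runs(BASELINE, AFTER_TUNING).items():
        print(f"{bucket}: {ids}")
```

In the constructed sample the PowerShell emulation is now prevented earlier but no longer reaches the SIEM, so it lands in `telemetry_lost` rather than `improved`, which is exactly the readiness gap Use Case 4 warns about.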

### Use Case 8 - Validate Email Security and User Exposure

#### Objective

Assess the effectiveness of email controls and user susceptibility using controlled phishing or infiltration-style campaigns.

#### How it works

Using EVE campaign capabilities, organizations can launch structured email-based validation scenarios to evaluate:

* Email gateway filtering
* URL protection
* Attachment handling
* User interaction
* Downstream endpoint response
* Security team visibility across the email attack path

These exercises are centrally administered, time-bounded, and designed to simulate attack scenarios without treating them as uncontrolled incidents.

#### Typical outcome

Organizations can identify:

* Whether the email control stack blocks the message
* Whether users interact with the payload
* Whether endpoint and monitoring tools detect follow-on actions
* Whether the security team can trace the event end to end

#### Operational value

This use case is highly relevant for validating real attack paths that begin with email rather than with direct endpoint execution.

### Use Case 9 - Simulate Custom Adversary Behaviors

#### Objective

Validate organization-specific scenarios that are not fully covered by standard malware samples or predefined packages.

#### How it works

EVE supports custom threats and script-based validations, allowing security teams to reproduce specific techniques, behaviors, or internal detection scenarios. These may include command execution, scripting activity, local discovery, persistence simulation, or custom attack logic relevant to the environment.

This enables teams to emulate behaviors aligned with their own concerns, such as:

* A technique observed during a recent incident
* A red team finding
* A SOC detection use case
* A hardening control under review
* An environment-specific abuse path

#### Typical outcome

Instead of depending only on general threat content, the organization can validate its own operational concerns directly.

#### Operational value

This is particularly useful for mature security programs that want precision testing rather than generic validation.

### Use Case 10 - Support Purple Team and Collaborative Validation Exercises

#### Objective

Create a practical workflow for collaboration between offensive and defensive teams.

#### How it works

EVE can be used to run structured adversary emulations while defenders observe security telemetry, analyze control behavior, and refine detections in near real time. The exercise becomes a shared validation activity rather than a one-sided offensive test.

The red, purple, or validation team launches the emulation. The blue team then reviews:

* Whether the behavior was detected
* Which controls responded
* Which alerts were created
* Which stages lacked visibility
* What should be tuned or added

#### Typical outcome

This enables direct alignment between attack simulation and defensive improvement.

#### Operational value

This use case is ideal for organizations that want to operationalize purple teaming without requiring full-scale manual adversary simulation for every exercise.

### Use Case 11 - Validate Incident Readiness and Analyst Response

#### Objective

Determine whether SOC analysts, incident responders, or security operations teams can recognize and act on adversary activity effectively.

#### How it works

A controlled emulation is executed while the security team operates under standard monitoring conditions. The organization then reviews whether:

* The event was noticed
* The analyst understood the severity
* Escalation occurred correctly
* Investigation data was sufficient
* Response actions were timely and accurate

#### Typical outcome

This use case tests not only the technology stack, but also the operational readiness of the people and processes around it.

#### Operational value

Many organizations have detection tools in place but still struggle with triage quality, prioritization, and response consistency. EVE helps expose that gap.

### Use Case 12 - Validate Segmentation and Lateral Movement Restrictions

#### Objective

Assess whether network segmentation and endpoint restrictions reduce the ability of an adversary behavior to communicate or move beyond the intended target context.

#### How it works

EVE endpoint-based validation can be run in a controlled and isolated model, where communications are restricted according to defined policies and approved destinations. This allows organizations to test adversary-like behavior while keeping the exercise contained and governed.

#### Typical outcome

Organizations can validate whether:

* The scenario remains contained
* Defensive controls observe the behavior
* Network restrictions contribute to reducing risk
* Security teams can monitor the event safely

#### Operational value

This use case is important when internal stakeholders require technical assurance that validation exercises are controlled and do not represent open-ended risk.

### Use Case 13 - Generate Evidence for Security Assurance and Audit Support

#### Objective

Provide evidence that security controls are being validated, not only configured.

#### How it works

EVE stores execution results and validation outcomes that can be used to demonstrate control testing practices, defensive validation programs, and security assurance activities. Organizations can use this evidence internally for:

* Security governance reviews
* Control owner discussions
* Risk committee reporting
* Internal audit support
* Security improvement tracking

#### Typical outcome

The organization can show that it is actively validating defenses through structured exercises rather than relying only on implementation status.

#### Operational value

This strengthens assurance narratives and supports more credible security reporting.

### Use Case 14 - Validate Security in High-Control or Sensitive Environments

#### Objective

Perform security validation in environments where risk tolerance is low and controls must be exercised carefully.

#### How it works

EVE supports controlled validation models that can reduce exposure by using non-execution tests, governed execution paths, endpoint preparation, and isolated communication models. Organizations can therefore choose the level of validation appropriate to the sensitivity of the target environment.

#### Typical outcome

Security teams can still validate important protections without defaulting to open or uncontrolled testing methods.

#### Operational value

This is useful for regulated, operationally sensitive, or business-critical environments where any security testing must be carefully bounded.

### Use Case 15 - Test the Full Defensive Chain End to End

#### Objective

Validate the full path from delivery, to endpoint interaction, to alerting, to investigation.

#### How it works

A security scenario is designed so that multiple stages of the control stack can be observed in sequence. Depending on the scenario, this may include:

* Delivery channel validation
* Endpoint prevention or execution validation
* Logging and telemetry review
* SIEM ingestion
* SOC alerting
* Analyst investigation
* Response workflow confirmation

#### Typical outcome

This helps organizations avoid siloed validation and instead confirm whether the complete defensive process works as an integrated system.

#### Operational value

Security controls rarely fail in isolation. More often, they fail in the transitions between technologies, teams, and workflows. EVE helps validate those transitions.
