What Is Threat Actor Replication in AI Red Team Simulations?

Categories: Deepfake. Published on: February 10th, 2026.

Threat actor replication is the practice of modelling red team engagements on the specific techniques, tactics, and procedures (TTPs) of known adversary groups. Instead of running generic attack scenarios, security teams simulate how actual threat actors (such as Scattered Spider, FIN7, or Lazarus Group) would target their organisation.

This approach tests whether defences work against the adversaries most likely to attack, rather than against hypothetical threats that may not reflect reality.

How Threat Actor Replication Differs from Standard Red Teaming

Standard Red Teaming                | Threat Actor Replication
Tests general security posture      | Tests defences against specific adversary groups
Uses common attack techniques       | Uses documented TTPs from threat intelligence
Generic scenarios                   | Industry-specific and adversary-specific scenarios
Answers: ‘Are we secure?’           | Answers: ‘Would we stop Scattered Spider?’


Why Threat Actor Replication Matters

Not all adversaries attack in the same way. According to Unit 42’s 2025 Incident Response Report, social engineering serves as the initial access vector in 36% of incidents, but the specific social engineering techniques vary significantly by threat actor.

Scattered Spider, for example, has become known for targeting help desk staff through sophisticated impersonation calls. They exploit identity verification weaknesses to obtain password resets or MFA bypasses. An organisation defending against Scattered Spider needs to test whether their help desk procedures hold under this specific type of pressure.

A generic phishing simulation would not reveal this vulnerability.

What Threat Actor Replication Looks Like in Practice

A threat actor replication engagement typically involves:

  • Intelligence gathering: Reviewing threat intelligence on the selected adversary group, including documented attacks and TTPs
  • TTP mapping: Identifying which of the adversary’s techniques are relevant to the target organisation
  • Scenario development: Building attack chains that replicate how the adversary would approach the organisation
  • Realistic execution: Running the simulation with the tools, timing, and pretexts the adversary would use
  • Gap analysis: Identifying which defences succeeded and which failed against the replicated attack

Common Threat Actors Replicated in Engagements

Depending on industry and geography, organisations may want to test against:

  • Scattered Spider (UNC3944): Social engineering of help desks, SIM swapping, MFA fatigue attacks. Relevant for any organisation with IT help desk functions
  • FIN7: Highly targeted phishing with malicious attachments, often impersonating legitimate business communications. Relevant for financial services
  • Lazarus Group: Advanced social engineering combined with custom malware. Relevant for financial institutions and cryptocurrency organisations

The choice of which adversary to replicate should be informed by threat intelligence relevant to your industry and risk profile.

Building Playbooks for Repeatable Testing

Threat actor replication becomes more valuable when systematised. Playbooks capture:

  • The specific steps an adversary would take
  • The tools and techniques involved
  • Expected responses at each stage
  • Decision points based on target behaviour

These playbooks enable repeatable testing, allowing organisations to measure improvement over time or to test whether remediation measures have closed previously identified gaps.
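As an added illustration (not code from the article or from Breacher.ai), one minimal way to encode such a playbook so that the gap analysis of a single engagement, and the improvement between two engagements, can be computed rather than judged by hand. The stage names, the control names and the pivot logic are assumptions at the level of detail the article gives for Scattered Spider.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Stage:
    name: str                         # adversary step being replicated
    expected_control: str             # defence expected to block or detect it
    next_if_blocked: Optional[str]    # decision point: where the actor pivots if the control holds
    next_if_success: Optional[str]    # decision point: next step if it does not

# Constructed Scattered Spider-style playbook at the level of detail the article uses.
# Control names are assumed placeholders, not the author's or any vendor's taxonomy.
PLAYBOOK = {
    "impersonation_call": Stage("Help desk impersonation call", "help desk identity verification",
                                next_if_blocked="mfa_fatigue", next_if_success="password_reset"),
    "password_reset": Stage("Password reset via help desk", "reset approval procedure",
                            next_if_blocked="mfa_fatigue", next_if_success=None),
    "mfa_fatigue": Stage("MFA fatigue push prompts", "MFA prompt anomaly alerting",
                         next_if_blocked=None, next_if_success=None),
}

HELD = ("blocked", "detected")   # results that count as the control having worked

def run_chain(playbook, first, outcomes):
    """Walk the chain following its decision points; outcomes maps stage id -> result."""
    path, cur = [], first
    while cur and cur not in dict(path):
        result = outcomes.get(cur, "untested")
        path.append((cur, result))
        if result == "untested":
            break                    # cannot know where the actor would go next
        st = playbook[cur]
        cur = st.next_if_blocked if result in HELD else st.next_if_success
    return path

def gap_analysis(playbook, path):
    """Stages reached on this path where the expected control did not hold."""
    return [(sid, playbook[sid].expected_control, res) for sid, res in path if res not in HELD]

def improvement(playbook, first, before, after):
    """Compare two engagements of the same playbook: gaps closed, persisting and regressed."""
    old = {sid for sid, _, _ in gap_analysis(playbook, run_chain(playbook, first, before))}
    new = {sid for sid, _, _ in gap_analysis(playbook, run_chain(playbook, first, after))}
    return {"closed": sorted(old - new), "persisting": sorted(old & new), "regressed": sorted(new - old)}
```

An untested stage is treated as an open gap and stops the walk, so a partially executed engagement never reports a control as holding by omission.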

Frequently Asked Questions

Is threat actor replication only for large enterprises?

No. While sophisticated threat actors often target larger organisations, they also target supply chain partners and smaller organisations with weaker defences. The FBI’s Internet Crime Report documents $16.6 billion in US social engineering losses in 2024, affecting organisations of all sizes.

How do we choose which threat actor to replicate?

Start with threat intelligence relevant to your industry. Financial services organisations face different adversaries than healthcare or government. Your security team or external advisors can help identify which threat actors are most relevant to your risk profile.

Does threat actor replication replace standard penetration testing?

No. Threat actor replication focuses on social engineering and human-layer attacks. It complements technical penetration testing, which focuses on network, application, and infrastructure vulnerabilities. Many organisations run both.

How often should we run threat actor replication engagements?

Most organisations benefit from annual engagements, with more frequent testing for high-risk environments. The goal is to test against current adversary TTPs, which evolve over time.

Breacher.ai offers threat actor replication engagements that simulate specific adversary TTPs, including Scattered Spider help desk attacks, voice cloning, and deepfake video calls.

About the Author: Emma Francey

Specializing in Content Marketing and SEO with a knack for distilling complex information into easy reading. Here at Breacher we're working on getting as much exposure as we can to this important issue. We'd love you to share our content to help others prepare.