Skyhawk Security maps cloud attack simulations to real-world threat actors
Radware spin-off Skyhawk Security now maps AI-driven cloud attack simulations to five named adversary groups including Scattered Spider and APT29, helping teams prioritize defenses based on actual threats.
Skyhawk Security, the Radware spin-off focused on cloud threat detection, has added Threat Actor Context to its platform. The feature maps AI-driven attack simulations to real-world adversary groups, giving security teams a way to prioritize based on who is actually targeting organizations like theirs.
How it works
Skyhawk already runs continuous AI Red Team simulations against cloud environments. The new layer connects those simulations to five named threat groups: Scattered Spider (known for the MGM and Caesars attacks), APT29 (NOBELIUM/TeamCity intrusions), APT44/Sandworm (BadPilot operations), TraderTraitor (JumpCloud and Bybit compromises), and APT41 (Operation CuckooBees).
The attribution engine factors in targeted industries, geographies, and campaign methods. Instead of treating all simulated attack paths as equally urgent, teams can focus on scenarios that mirror the actual tradecraft of active threat groups relevant to their sector.
Why this matters for WAF teams
Cloud attack simulations that map to real adversaries change how you think about WAF rule priorities. If your industry is being targeted by groups that favor web application exploits as initial access vectors, your AWS WAF or Cloudflare rules should reflect that. Generic rulesets are not enough when you know which specific techniques are being used against your sector.
Skyhawk is a spin-off of Radware, which has its own WAF and DDoS protection portfolio. The connection matters: threat intelligence from Skyhawk could eventually feed back into Radware WAF rule tuning, though that integration has not been announced yet.
WAFplanet take
Threat actor attribution for cloud security simulations is a step in the right direction. Most organizations run generic penetration tests or rely on compliance-driven assessments. Mapping simulations to actual adversary behavior makes the output actionable.
The practical question is how this translates to WAF configuration. If Skyhawk tells you APT41 patterns are relevant to your environment, does that change how you configure ModSecurity rules or open-appsec policies? It should. Threat-informed defense means tuning your web application firewall based on who is likely to attack you, not just what is theoretically possible.
For organizations using Imperva or F5 Advanced WAF with threat intelligence feeds, this is the same idea applied to cloud-native environments. The gap is still the last mile: turning threat intelligence into specific WAF rules and policies without manual effort.