
The Industrialization of Cybercrime: How Phishing Became a Business

Written by Ayush Singh, Security Engineer. Reviewed by Vijaysimha Reddy.
Updated: April 1, 2026 | 12 mins read

In March 2026, law enforcement achieved what seemed impossible: a 72-country coordinated operation dismantled 45,000+ malicious servers, arrested 94 cybercriminals, and seized 330+ phishing domains. But this wasn't just a victory. It was a window into how sophisticated and industrialized cybercrime has become.

The attacks that modern penetration testing services now simulate aren't coming from lone hackers in hoodies. They're coming from organized cybercrime syndicates operating like Fortune 500 companies, complete with customer support, affiliate programs, and quarterly revenue targets. March 2026's unprecedented actions (Operation Synergia III, the takedown of the Tycoon 2FA platform, and the disruption of the GridTide espionage campaign) revealed just how far this industrialization has progressed.

This isn't the cybercrime your firewall was built to stop.

From Basement Hackers to Billion-Dollar Industries

The evolution from individual hackers to industrial cybercrime operations didn't happen overnight. In the 2010s, individual hackers built custom tools and sold stolen data on forums. By the early 2020s, organized groups began sharing tools and infrastructure. But by 2025-2026, cybercrime had completed its transformation into a full-fledged industry with Software-as-a-Service business models.

Today's cybercrime economy operates on multiple service tiers, each more sophisticated than the last.

Ransomware-as-a-Service (RaaS) has become the most profitable model. Groups like LockBit, BlackCat, and ALPHV don't just attack victims. They recruit affiliates through revenue-sharing programs that typically split profits 70/30 in favor of the attacker. These affiliates get turnkey ransomware deployment packages, requiring minimal technical expertise. The barrier to entry for launching a ransomware attack has dropped to near zero, while the potential payouts have skyrocketed to an average of $1.5 million per successful breach.

Phishing-as-a-Service (PhaaS) platforms like Tycoon 2FA took credential theft to industrial scale. For just $200-$500 per month, cybercriminals could access pre-built phishing kits, hosting infrastructure, professionally designed templates that bypass email filters, and automated credential harvesting systems. The Tycoon 2FA platform alone facilitated over 64,000 attacks before its March 2026 takedown, affecting nearly 100,000 organizations worldwide.

Malware-as-a-Service provides everything needed for sustained infections. Loader services deliver malware payloads past antivirus software, crypter services modify malware signatures to evade detection, and exploit kit rentals provide access to zero-day vulnerabilities. These services are advertised openly on dark web marketplaces with customer reviews, refund policies, and technical support channels.

Infrastructure-as-a-Service completes the ecosystem with bulletproof hosting providers that ignore law enforcement requests, command and control (C2) server rentals for botnet management, domain generation algorithms that automatically create new phishing domains, and traffic distribution systems that route victims through layers of proxies. Organizations conducting web application penetration testing must now defend against threats using this professional-grade infrastructure.

The economics are staggering. Average RaaS affiliates earn between $500,000 and $2 million annually. The return on investment for cybercriminals ranges from 200-500%. The global cybercrime economy reached an estimated $10.5 trillion in 2025, making it more profitable than the global trade of all illegal drugs combined.

Operation Synergia III: Dismantling a Global Criminal Network

The scale of Operation Synergia III reveals both the scope of modern cybercrime infrastructure and the unprecedented level of international cooperation required to fight it.

INTERPOL coordinated simultaneous actions across 72 countries, involving hundreds of national cyber units and law enforcement agencies. Over a multi-month investigation culminating in March 2026, the operation dismantled 45,000+ malicious IP addresses and servers, made 94 arrests across multiple continents, and seized 212 electronic devices containing evidence of coordinated cybercrime operations.

The infrastructure targeted wasn't random. Intelligence gathering identified over 15,000 phishing domains, C2 servers controlling massive botnets used for distributed denial-of-service attacks and malware distribution, ransomware payment infrastructure including cryptocurrency wallets and leak sites where stolen data was published to pressure victims into paying, and credential harvesting servers storing millions of stolen usernames, passwords, and authentication tokens.

The operation disrupted multiple attack methodologies simultaneously. Business Email Compromise (BEC) campaigns that had successfully defrauded companies of millions were shut down overnight. Massive credential stuffing operations using billions of stolen login attempts were halted. Ransomware deployment platforms lost their delivery infrastructure. Malware distribution networks that had infected hundreds of thousands of systems went offline.

The investigation process demonstrated how modern cybercrime requires modern investigation techniques. Six to twelve months before the March 2026 takedown, intelligence agencies began sharing threat data across borders. Private sector cooperation from Microsoft, Google, and Cloudflare provided crucial visibility into attack infrastructure. Botnet tracking systems identified command and control servers, while forensic analysis traced attack patterns back to specific threat actors.

Infrastructure mapping revealed the global nature of modern cybercrime. IP geolocation identified servers spread across dozens of hosting providers worldwide. Cryptocurrency blockchain analysis tracked ransom payments through multiple wallets and exchanges. Domain registration forensics uncovered patterns in how cybercriminals registered thousands of phishing domains using fake identities and stolen payment methods.

The coordinated execution phase happened simultaneously across all 72 countries. Server seizures were timed to prevent criminals from destroying evidence. Warrants were executed across multiple jurisdictions at the same moment. Domain takedowns redirected traffic to law enforcement sinkholes, allowing victim identification and evidence collection.

The impact was immediate and substantial. The operation disrupted an estimated $500 million in cybercrime revenue, protected over 100,000 organizations that were targeted but not yet successfully attacked, and halted more than 200 active ransomware campaigns. Yet despite this success, organizations still need robust vulnerability assessment and penetration testing to defend against the cybercriminals who weren't caught.

Tycoon 2FA: The Industrial-Scale Credential Theft Operation

While Operation Synergia III dismantled infrastructure, the Tycoon 2FA takedown revealed the sophisticated business model behind modern phishing operations.

Tycoon 2FA launched around 2024 and operated as a subscription-based Phishing-as-a-Service platform for approximately two years before its March 2026 takedown. During that time, it facilitated over 64,000 successful attacks, compromised approximately 100,000 organizations, and operated through 330+ domains that were eventually seized by law enforcement.

The platform's technical capabilities were frighteningly advanced. Unlike traditional phishing that simply steals passwords, Tycoon 2FA specialized in bypassing two-factor authentication through real-time proxy attacks known as Adversary-in-the-Middle (AiTM). When victims entered their credentials and 2FA codes on fake login pages, Tycoon 2FA immediately proxied that authentication to the real service, captured the session cookie that proved successful authentication, and gave attackers persistent access that didn't require knowing the password or 2FA code.

The platform supported the most valuable targets: Microsoft 365 and Office 365 environments, Google Workspace accounts, Salesforce CRM systems, and identity providers like Okta and Auth0. These targets were chosen deliberately. Compromising a single administrator account in these systems could give attackers access to an entire organization's data and communications.

For criminals subscribing to Tycoon 2FA, the service provided everything needed to launch professional phishing campaigns. Pre-built templates were pixel-perfect replicas of legitimate login pages, making detection nearly impossible. Automated credential harvesting meant attackers didn't need to monitor their campaigns. The system collected stolen credentials automatically. Real-time victim tracking dashboards showed which campaigns were successful and which organizations had been compromised. Credential validation APIs tested stolen passwords against real services to confirm they were still active. Most impressively, the entire system could be deployed in under 30 minutes, even by attackers with minimal technical skills.

The typical victim journey was seamless and deadly effective. A targeted employee received an email that appeared to come from their IT department or a trusted service. The email contained a link to what looked like a standard login page, perhaps a password reset or security verification request. When the victim clicked and entered their credentials plus their 2FA code from their phone, Tycoon 2FA's infrastructure proxied those credentials to the real service in real-time. The victim successfully logged in and saw nothing unusual, while the attacker captured the session cookie that would give them access for hours or days. This is why organizations conducting AI penetration testing now specifically test for these AiTM attack scenarios.

Law enforcement response required international cooperation across Europol, the FBI, and the UK's National Crime Agency. The operation seized 330+ domains and sinkholed them to prevent further attacks. Server infrastructure was dismantled across 12 countries simultaneously to prevent operators from destroying evidence. Arrests included the platform operators and top-tier affiliates who had used the service for large-scale attacks. Perhaps most importantly, 100,000+ organizations received notification that they had been targeted or compromised, allowing them to begin incident response.

The lessons for defenders are clear and urgent. Two-factor authentication is necessary but not sufficient. Tycoon 2FA proved that traditional 2FA can be bypassed. Organizations must implement phishing-resistant MFA using FIDO2 or WebAuthn standards, which cannot be proxied by AiTM attacks. Conditional access policies that verify device trust and location patterns add crucial defense layers. User education about AiTM attacks must become a standard part of security awareness training, similar to how mobile app security testing now includes authentication bypass scenarios.
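
Why a FIDO2/WebAuthn assertion does not survive a proxy, as an added example (not from the original article or any vendor's code): the relying-party checks on origin, challenge and RP ID hash, run over one assertion made on the real site and one made on a look-alike domain. The domain names, sample values and function names are constructed for illustration, and the code assumes the assertion signature has already been verified with the registered public key.

```python
import base64
import hashlib
import json
import struct

FLAG_USER_PRESENT = 0x01   # UP bit in the authenticator data flags byte
MIN_AUTH_DATA_LEN = 37     # 32-byte rpIdHash + 1 flags byte + 4-byte counter

# Constructed sample values (assumptions, not taken from the article).
RP_ID = "login.example.com"
ORIGIN = "https://login.example.com"
LOOKALIKE_HOST = "login.example-sso.test"
CHALLENGE = bytes(range(32))


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json, authenticator_data,
                            expected_challenge, expected_origin, rp_id):
    """Return the list of failed binding checks (empty list = all passed)."""
    try:
        client = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["client_data_malformed"]
    if not isinstance(client, dict):
        return ["client_data_malformed"]

    failures = []
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # Exact match: the browser, not the page's script, fills in this field.
    if client.get("origin") != expected_origin:
        failures.append("origin")

    if len(authenticator_data) < MIN_AUTH_DATA_LEN:
        failures.append("auth_data_truncated")
        return failures
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    if rp_id_hash != hashlib.sha256(rp_id.encode("utf-8")).digest():
        failures.append("rp_id_hash")
    if not flags & FLAG_USER_PRESENT:
        failures.append("user_presence")
    return failures


def sample_client_data(origin, challenge):
    """Build the clientDataJSON a browser would produce on `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin,
                       "crossOrigin": False}).encode("utf-8")


def sample_authenticator_data(rp_id, flags=FLAG_USER_PRESENT, sign_count=7):
    """Build minimal authenticator data scoped to `rp_id`."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def run_sample():
    """Check one assertion from the real site and one from a look-alike."""
    legitimate = check_assertion_binding(
        sample_client_data(ORIGIN, CHALLENGE),
        sample_authenticator_data(RP_ID),
        CHALLENGE, ORIGIN, RP_ID)
    # A browser on the look-alike domain reports that domain as the origin
    # and only accepts an RP ID within that domain, so both bindings differ
    # even though the relayed challenge is the genuine one.
    proxied = check_assertion_binding(
        sample_client_data("https://" + LOOKALIKE_HOST, CHALLENGE),
        sample_authenticator_data(LOOKALIKE_HOST),
        CHALLENGE, ORIGIN, RP_ID)
    return {"legitimate": legitimate, "proxied": proxied}


if __name__ == "__main__":
    print(run_sample())
```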

GridTide: When Nation-States Use Criminal Infrastructure

The GridTide malware campaign, disrupted in March 2026, revealed how the lines between organized cybercrime and nation-state espionage have completely blurred.

Attributed to Chinese state-sponsored Advanced Persistent Threat (APT) groups, GridTide targeted 53 organizations across 42 countries. The victims spanned government agencies, defense contractors, critical infrastructure operators, and technology companies with valuable intellectual property. The campaign's discovery by Google's Threat Analysis Group demonstrated the critical role of public-private partnerships in modern cybersecurity.

GridTide's technical sophistication was extraordinary. The infection vector used spear-phishing emails with weaponized documents tailored to each target organization. Once inside a network, the malware established rootkit-level implants that survived reboots and security scans. Command and control infrastructure was distributed across multiple bulletproof hosting providers, making takedowns difficult. The malware's capabilities included exfiltrating terabytes of sensitive data, moving laterally through networks to reach the most valuable systems, harvesting credentials from memory and Active Directory, and capturing screenshots plus keystrokes to monitor high-value targets.

Google TAG's discovery triggered a coordinated response involving CISA (Cybersecurity and Infrastructure Security Agency), the NSA, and the UK's National Cyber Security Centre. Together, these organizations traced the infrastructure, notified victims, and provided remediation support to help compromised organizations remove the malware and assess what data had been stolen.

What made GridTide particularly concerning was how it blurred the traditional lines between cybercrime and espionage. State-sponsored groups were using the same infrastructure as ransomware gangs, in some cases literally sharing C2 servers with criminal operators. Stolen data was sometimes sold on dark web marketplaces rather than used purely for intelligence gathering. Money laundering operations used cryptocurrency mixing services developed by and for cybercriminals. Attribution became nearly impossible when APT groups deliberately mimicked criminal gang tactics to create plausible deniability.

This convergence means that organizations implementing penetration testing methodologies must now defend against both profit-motivated criminals and geopolitically-motivated nation-state actors, often using the same techniques and infrastructure.

Ransomware: The Most Profitable Industrial Cybercrime

Ransomware remains the crown jewel of industrial cybercrime, and 2026 trends show the model evolving faster than defenses can adapt.

The statistics are sobering. Average ransom payments climbed to $1.5 million in 2026, up from $800,000 just two years earlier. Despite this increase, the payment rate actually declined to 41% of victims, down from 50% in 2024. This is evidence that better backup strategies and law enforcement pressure are having some effect. However, 87% of ransomware attacks in 2026 used double or triple extortion, threatening to publish stolen data even if systems were restored from backups. Attackers now exfiltrate an average of 500GB of data per breach before deploying ransomware, ensuring they have leverage even if encryption fails.

The Ransomware-as-a-Service model reached new heights of sophistication. LockBit 4.0 introduced automated victim profiling to calculate optimal ransom amounts based on company revenue and cyber insurance coverage. BlackCat and ALPHV successors implemented AI-powered target selection that identified victims most likely to pay quickly. The Play ransomware group specialized in data theft and extortion without encryption, recognizing that data leak threats alone could be profitable. Clop continued focusing on supply chain attacks, compromising software vendors to reach thousands of downstream victims simultaneously.

New tactics emerged throughout 2026. Initial Access Brokers (IABs) developed a thriving marketplace selling access to compromised networks, with prices ranging from $500 for small businesses to $100,000+ for Fortune 500 networks. Zero-day exploits were increasingly integrated directly into RaaS platforms, letting even low-skilled affiliates leverage sophisticated vulnerabilities. AI-powered target selection algorithms analyzed public financial data, news reports, and cyber insurance filings to identify optimal victims. Some groups even deployed automated negotiation bots that adjusted ransom demands based on victim responses and payment patterns.

Supply chain ransomware became the most dangerous trend. Managed Service Providers (MSPs) that manage IT infrastructure for hundreds of clients became prime targets. Compromising one MSP could deliver access to hundreds of victims simultaneously. Software vendor attacks, reminiscent of the SolarWinds breach, allowed attackers to push malware through trusted update mechanisms. Cloud service provider compromises affected all customers simultaneously. The backdoored Telnyx PyPI packages discovered in March 2026 exemplified how supply chain attacks now target development infrastructure itself.

Operation Synergia III had measurable impact on ransomware operations. The disruption of payment infrastructure forced some groups to pause operations while they rebuilt laundering capabilities. Cryptocurrency seizures and improved blockchain tracking made payments riskier for both victims and attackers. International arrest warrants and actual extraditions, once rare, became more common, creating real consequences for ransomware operators. Economic sanctions against ransomware facilitators, including certain cryptocurrency exchanges and hosting providers, restricted the infrastructure available to cybercriminals.

Defense strategies have evolved in response. Organizations now maintain offline, immutable backups that ransomware cannot encrypt. Network segmentation limits how far attackers can move after initial compromise. Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) systems detect ransomware behavior before encryption begins. Comprehensive incident response plans and tabletop exercises ensure teams know how to react when, not if, an attack occurs. Cyber insurance coverage continues to evolve, though insurers are increasingly requiring specific security controls before issuing policies.

The Dark Web: Marketplace of Industrial Cybercrime

The dark web economy fuels every aspect of industrial cybercrime through sophisticated marketplaces that operate with the polish of legitimate e-commerce platforms.

Access sales have become a thriving market. RDP (Remote Desktop Protocol) and VPN credentials for compromised corporate networks sell for $10 to $5,000 per account, depending on the target organization's size and industry. Network access to healthcare organizations commands premium prices due to valuable patient data and typical willingness to pay ransoms quickly to avoid disruption to patient care.

Database dumps containing stolen credentials flow constantly through dark web markets. Prices average $5 to $20 per thousand records, with premium pricing for fresh breaches from high-value targets. A database dump from a Fortune 500 company can sell for tens of thousands of dollars. These credentials fuel the credential stuffing attacks that security testing services must now detect and prevent.

Exploit kits represent the highest-value items. Zero-day exploits, vulnerabilities unknown to software vendors, sell for $50,000 to $500,000 depending on the affected software and the exploit's reliability. Exploits for widely-used enterprise software command the highest prices because they provide access to the most targets.

Ransomware affiliate programs operate through dedicated recruitment channels. These programs advertise guaranteed revenue sharing, technical support for affiliates, and access to the latest evasion techniques. Some programs even provide "customer success managers" to help affiliates maximize their earnings.

Cryptocurrency remains the backbone of dark web commerce, though law enforcement capabilities have improved dramatically. Bitcoin, once considered anonymous, now faces sophisticated chain analysis. Privacy-focused currencies like Monero and Zcash have gained popularity, but still face tracking through network analysis and exchange compliance. Mixing services and decentralized exchanges (DEXs) help launder proceeds, but law enforcement increasingly infiltrates these services or compels cooperation from centralized components.

Reputation systems have evolved to prevent scams within the criminal ecosystem. Vendor ratings and reviews help cybercriminals identify reliable suppliers. Escrow services hold payments until goods are delivered, whether those "goods" are stolen data, malware, or network access. Forum credibility scores track vendors' history and help identify potential exit scams where vendors collect payments and disappear. Community moderation removes obvious scammers and law enforcement honeypots, though the moderators themselves are sometimes compromised.

Law enforcement has become increasingly sophisticated in infiltrating these markets. Undercover operations establish credibility over months or years before making high-value purchases or vendor arrests. Honeypot deployments create fake marketplaces to identify buyers and sellers. Vendor takedowns, following the precedents of AlphaBay and Hansa market seizures, often involve letting markets operate under law enforcement control to gather intelligence before shutting them down. The intelligence gathered from these operations informs defensive strategies, including those used in offensive security assessments.

Threat Intelligence: Your Defense Against Industrial Cybercrime

Defending against industrialized cybercrime requires industrialized defense, and that starts with threat intelligence.

Open-source intelligence provides the foundation. The MITRE ATT&CK framework catalogs adversary tactics and techniques observed in real attacks, providing a common language for describing threats. CISA's Known Exploited Vulnerabilities (KEV) catalog identifies vulnerabilities actively exploited in the wild, helping security teams prioritize patching. Threat actor profiles published by security vendors like Mandiant, CrowdStrike, and Microsoft detail the specific groups behind major campaigns, including their techniques, infrastructure, and targeting patterns.

Commercial threat intelligence services provide real-time feeds of malicious indicators. Recorded Future, Mandiant Advantage, and CrowdStrike Falcon Intelligence offer continuously updated threat data. Dark web monitoring services track criminal marketplaces for mentions of your organization, stolen credentials, or planned attacks. Botnet tracking feeds identify compromised systems in your network before they're weaponized. These services are increasingly essential for organizations conducting continuous security testing.

Information sharing through industry-specific Information Sharing and Analysis Centers (ISACs) multiplies defensive capability. FS-ISAC serves financial services organizations, sharing threat data specific to banking, payment processing, and fintech attacks. H-ISAC supports healthcare providers facing ransomware and data theft threats. Energy, transportation, and other critical infrastructure sectors maintain their own ISACs. Public-private partnerships between government agencies and private companies facilitate rapid threat sharing during active attacks.

Actionable intelligence comes in multiple forms. Indicators of Compromise (IOCs) include malicious IP addresses hosting phishing sites or C2 servers, domain names and URLs used in active campaigns, file hashes (MD5, SHA-256) of malware samples, and YARA rules for detecting specific malware families. These IOCs can be automatically imported into security tools for immediate protection.

Tactics, Techniques, and Procedures (TTPs) provide deeper understanding of adversary behavior. Operation Synergia III revealed common infrastructure patterns used by cybercrime groups. Tycoon 2FA's methodologies inform detection of similar AiTM phishing platforms. GridTide's malware behavior helps identify other state-sponsored espionage tools. Understanding TTPs allows defenders to detect attacks even when specific IOCs change.

Integrating threat intelligence into security operations requires technical implementation and organizational process. SIEM (Security Information and Event Management) correlation rules match threat intelligence against real-time security events. Firewall and IDS/IPS updates block known malicious infrastructure automatically. EDR behavioral detection identifies attack patterns even without specific indicators. Security awareness training incorporates current threat actor techniques to help employees recognize sophisticated attacks.
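
The points above about IOC matching and TTP-based detection, put side by side in an added example (not from the original article): a small correlation pass over constructed sign-in log lines that applies an IP indicator match and a session-context rule, showing that the behavioural rule still fires when the infrastructure is not in the feed. The log format, field names, addresses, rule names and the heuristic itself are assumptions made for the illustration.

```python
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed indicator feed (documentation address range, not a real IOC).
IOC_IPS = {"203.0.113.50"}

# Constructed sign-in log: made-up users, sessions and addresses.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z user=alice session=S1 ip=203.0.113.50 ua="Mozilla/5.0 (Windows NT 10.0)" action=login
2026-03-10T09:04:10Z user=alice session=S1 ip=198.51.100.23 ua="Mozilla/5.0 (X11; Linux)" action=mailbox_read
2026-03-10T10:15:00Z user=bob session=S2 ip=198.51.100.77 ua="Mozilla/5.0 (Macintosh)" action=login
2026-03-10T10:17:30Z user=bob session=S2 ip=198.51.100.200 ua="Mozilla/5.0 (X11; Linux)" action=file_list
2026-03-10T11:00:00Z user=carol session=S3 ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=login
2026-03-10T11:20:00Z user=carol session=S3 ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0)" action=mailbox_read
this line is malformed and should be skipped
"""

REQUIRED_FIELDS = {"user", "session", "ip", "ua", "action"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    try:
        ts, *pairs = shlex.split(line)          # shlex keeps quoted UA intact
        event = dict(p.split("=", 1) for p in pairs)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return event if REQUIRED_FIELDS.issubset(event) else None


def correlate(events, ioc_ips):
    """Map session id -> set of rule names that fired for that session."""
    fired = defaultdict(set)
    issued_to = {}  # session id -> (ip, user agent) at first sighting
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        # Rule 1, indicator match: only as good as the feed is current.
        if ev["ip"] in ioc_ips:
            fired[sid].add("ioc_ip")
        # Rule 2, behaviour: a session presented from a different IP *and*
        # a different user agent than the context it was issued to.
        # Requiring both keeps roaming users on one browser from alerting.
        first_ip, first_ua = issued_to.setdefault(sid, (ev["ip"], ev["ua"]))
        if ev["ip"] != first_ip and ev["ua"] != first_ua:
            fired[sid].add("session_context_change")
    return dict(fired)


def run_sample():
    """Correlate the constructed log against the constructed feed."""
    events = [e for e in map(parse_line, SAMPLE_LOG.splitlines()) if e]
    return correlate(events, IOC_IPS)


if __name__ == "__main__":
    for session, rules in sorted(run_sample().items()):
        print(session, sorted(rules))
```

Session S2 uses addresses that are absent from the feed, so only the behavioural rule reports it; S3 never changes context and is not reported at all.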

AppSecure's approach to threat intelligence leverages unique advantages. Our security team includes top-10 bug bounty hunters from programs at PayPal, Reddit, LinkedIn, and other major platforms, giving us insight into real-world attack techniques as they emerge. Penetration testing engagements are informed by current threat actor TTPs, ensuring tests reflect actual adversary capability. Red team exercises simulate industrial cybercrime operations, including RaaS deployment, PhaaS campaigns, and supply chain compromises. Our Penetration Testing as a Service (PTaaS) model provides continuous security validation aligned with the evolving threat landscape.

Defending Your Organization: A Strategic Action Plan

March 2026's law enforcement victories prove that coordinated action can disrupt even the most sophisticated cybercrime operations. But individual organizations cannot wait for the next international operation. They must implement defenses now.

Infrastructure hardening must be your first priority. Deploy phishing-resistant MFA using FIDO2 or WebAuthn standards that cannot be proxied by AiTM attacks like those used by Tycoon 2FA. Implement zero-trust architecture that verifies every access request regardless of network location. Segment networks to limit lateral movement if initial compromise occurs. Maintain offline, immutable backups that ransomware cannot encrypt, and test backup restoration regularly under realistic conditions.

Detection and monitoring capabilities must match attacker sophistication. Subscribe to threat intelligence feeds and integrate them into your security tools. Monitor specifically for indicators from Operation Synergia III and similar takedowns, keeping in mind that attackers will rebuild infrastructure with new domains and IPs. Deploy EDR and XDR solutions with behavioral detection that identifies attack patterns rather than just known malware signatures. Implement 24/7 Security Operations Center (SOC) coverage or engage a Managed Detection and Response (MDR) service provider if you lack internal capacity.

Proactive testing validates that your defenses actually work. Schedule quarterly penetration testing that specifically simulates PhaaS attacks, credential stuffing campaigns, and ransomware deployment. Conduct annual red team exercises that test your security team's ability to detect and respond to sophisticated, multi-stage attacks like those Operation Synergia III disrupted. Implement continuous vulnerability scanning to identify and patch weaknesses before attackers exploit them. Foster purple team collaboration where attackers (red team) and defenders (blue team) work together to improve both detection and response capabilities. Organizations can schedule security assessments to begin this testing process.

Education and awareness remain critical despite technical controls. Train users specifically on AiTM phishing attacks that bypass traditional 2FA. Most security awareness programs haven't been updated for this threat. Simulate credential stuffing scenarios to help employees understand how stolen passwords from one breach can compromise other accounts. Teach secure password practices, including unique passwords for each service and password manager usage. Run regular security awareness campaigns that highlight current threat actor techniques and recent breaches.

Incident response planning determines whether a breach becomes a minor incident or a company-ending disaster. Develop a ransomware-specific playbook that covers detection, containment, eradication, and recovery. Establish communication plans for internal teams, customers, regulators, and media. Practice tabletop exercises quarterly to ensure teams remember their roles during high-stress incidents. Have legal counsel and PR teams identified and ready to engage immediately, because breach notification laws and reputational management cannot wait. Know whether you'll pay ransoms before the decision becomes urgent.

Community engagement multiplies defensive capability. Join your industry's ISAC to receive and share threat intelligence specific to your sector. Report security incidents to law enforcement. Even if prosecution seems unlikely, the intelligence helps agencies build cases like Operation Synergia III. Share threat intelligence with peers and competitors, because attackers certainly share information about your industry's common vulnerabilities. Support international cybercrime operations through cooperation, information sharing, and public advocacy for stronger cross-border law enforcement collaboration.

The Arms Race Continues

The March 2026 cybercrime takedowns represent a significant victory, but they are battles in an ongoing war. For every server seized, criminals will establish new infrastructure. For every arrest, new affiliates will join RaaS programs. For every phishing platform shut down, developers will launch improved successors.

The industrialization of cybercrime is not a temporary phenomenon. It is the new reality. Cybercrime groups have adopted the business models, organizational structures, and operational sophistication of legitimate enterprises. They conduct market research to identify lucrative targets. They invest in research and development to create more effective attack tools. They recruit talent through competitive compensation and professional development. They measure performance through metrics and analytics.

Defending against industrial cybercrime requires industrial-strength defense. Organizations can no longer rely on annual penetration tests, signature-based antivirus, and hope. They must implement continuous security testing, behavioral detection, threat intelligence integration, and skilled security personnel capable of thinking like attackers.

AppSecure's penetration testing approach directly addresses industrial cybercrime threats. Our team includes top-ranked bug bounty hunters who find vulnerabilities in the world's largest platforms, the same types of vulnerabilities that PhaaS and RaaS groups exploit. We simulate the exact tactics used by Tycoon 2FA, including AiTM phishing and session hijacking. Our red team exercises replicate ransomware deployment from initial access through data exfiltration and encryption. We test for the supply chain vulnerabilities that Operation Synergia III revealed in thousands of compromised systems.

The difference between being a statistic in the next cybercrime report and successfully defending your organization comes down to one question: Are you testing your defenses against the threats that actually exist today, or against the threats that existed five years ago?

Industrial cybercrime demands an industrial response. Organizations that treat security as a checkbox exercise will continue to appear in breach headlines. Those that embrace continuous testing, threat intelligence, and offensive security methodologies will stay ahead of an adversary that evolves daily.

The cybercrime industry is here to stay. The question is whether your security program is ready for it.

Ready to test your defenses against industrial cybercrime? Contact AppSecure's security experts to schedule a comprehensive security assessment that simulates the exact tactics used by PhaaS platforms, ransomware gangs, and nation-state actors. Our team of top-ranked bug bounty hunters brings real-world attack expertise to help you identify and fix vulnerabilities before criminals exploit them.

1. What is the industrialization of cybercrime?

Cybercrime now operates like a business, with scalable models like RaaS and PhaaS, affiliate programs, and automated attack infrastructure.

2. How did phishing become a business?

PhaaS platforms provide ready-made kits, infrastructure, and automation, allowing attackers to run phishing campaigns with minimal skill.

3. Is two-factor authentication still effective?

Traditional 2FA can be bypassed using AiTM attacks. Phishing-resistant MFA like FIDO2 is now essential.

4. What did Operation Synergia III show?

It exposed the global scale of cybercrime infrastructure and the need for coordinated international disruption.

5. How should organizations respond?

Adopt continuous security testing, threat intelligence, strong MFA, and real-world attack simulations.

Ayush Singh

Ayush Singh is a Security Engineer at AppSecure Security and an active bug bounty hunter. He has responsibly disclosed multiple critical vulnerabilities across leading bug bounty programs and is ranked among the Top 10 researchers on Amazon’s Bug Bounty Program.
