Forum Discussion
Automated Attack Disruption Testing
In the past I vaguely remember seeing attack simulation walkthroughs for MDE and there still is a link in the MDE onboarding to explore simulations and tutorials but that now just takes me to the XDR homepage.
There are cases where we're talking to customers about the capability of Defender XDR and want to showcase in a safe way, without endangering demo devices. With Automated Attack Disruption announcements at Ignite 2024, I'd like to be able to showcase this particularly in the area of Ransomware protection, similar to the case study "protecting against ransomware when others couldn't" from the Ignite AI-driven Ransomware Protection session.
Does anyone have an updated link to the attack simulation walkthroughs that were available, and also any similar walkthroughs for Automated Attack Disruption?
2 Replies
- noam_hadash
Microsoft
Hey danny_grasso, I lead the attack disruption team in Defender. We are currently working on a dedicated Attack Disruption DIY capability in the product, allowing customers to test attack disruption in their environment. Hope to give more updates soon as we introduce it more broadly.
Thank you for sharing the feedback, and please keep that coming!
Hi Danny,
You’re absolutely right — the older MDE simulation/tutorial links used to be very useful, but many of them were retired or redirected after the move into the unified Microsoft Defender XDR portal, so today they often land only on the homepage.
For showcasing Automated Attack Disruption safely to customers, the best current resources are:
Official Microsoft walkthrough / explanation
Microsoft published a dedicated session that explains the feature and includes demo context:
Answering Your Questions: Attack Disruption Explained
https://learn.microsoft.com/en-us/shows/microsoft-sentinel-defender-xdr-virtual-ninja-training/answering-your-questions-attack-disruption-explained
Official documentation
Current reference documentation with supported scenarios, containment actions, and prerequisites:
Automatic attack disruption in Microsoft Defender XDR
https://learn.microsoft.com/en-us/defender-xdr/automatic-attack-disruption
This is especially useful for explaining scenarios like:
- Ransomware disruption
- Compromised users
- Device isolation
- Lateral movement interruption
- Critical asset containment
Best safe demo approach
For customer demos, instead of using real malware, I normally recommend a storyboarded simulation:
- Suspicious user compromise detected
- Lateral movement indicators triggered
- Defender XDR correlates signals into one incident
- Attack Disruption automatically contains user/device
- Analyst reviews actions in Action Center
That usually demonstrates the value very effectively without risking demo machines.
My suggestion to Microsoft
It would be great to bring back a dedicated interactive Attack Simulation / Attack Disruption demo lab directly inside Defender XDR, because it was a strong enablement tool for partners and customers.
Hope this helps.