A virtual testing environment VTE is instantiated for automated measurement of performance of a security monitoring system (SMS). Predefined attacks are executed against a cloned version of a monitored system in the VTE. The predefined attacks are defined at an attack catalog. Based on an execution result of the predefined attacks, a detection rate of the SMS at the VTE and a protection level of the cloned version of the monitored system are measured. Based on the detection rate and the protection level, an action for improving SMS and the protection of the monitored system is determined. Based on the determined action, logic modifications related to SMS and improvement on protection measures for the monitored system are performed.