TL;DR: What is Atomic Red Team?
Atomic Red Team is a library of simple security tests mapped directly to the MITRE ATT&CK framework. Security validation can be complex, often leaving you unsure if your defensive controls actually work. Atomic Red Team helps by providing small, specific tests that simulate real-world adversary techniques. Using these tests lets you quickly validate detection capabilities, find coverage gaps, and improve your security posture without a full-scale exercise. The framework empowers both blue and purple teams to test defenses in a practical, repeatable way. Red Canary developed Atomic Red Team as an open-source project, and the tool has become a community standard for continuous security validation.
At-A-Glance
GitHub: https://github.com/redcanaryco/atomic-red-team
License: MIT
Primary Language: PowerShell
Stars: 11k ⭐
Activity: Daily/weekly commits
Topics/Tags: mitre-attck, adversary-emulation, security-testing, red-teaming, blue-team
Super-charge your cloud security with Wiz
Wiz’s automated attack path analysis can be your trusted security sidekick, providing a clear blueprint of the weak points in your environment and how attackers could exploit them to compromise your resources.

Common use cases
1. Security control validation: Blue teams run atomic tests to check that security controls like SIEM rules and EDR solutions work correctly. The results provide direct evidence that your detection and prevention tools are configured to spot and block specific adversarial techniques.
2. Collaborative purple team exercises: The framework offers a standard library of attacks for purple team exercises. Red and blue teams can use a common language to work together, test defenses, find gaps, and improve detection and response.
3. Continuous security testing: You can integrate atomic tests into CI/CD pipelines to automate security validation as part of a DevSecOps workflow. An automated approach ensures security controls are checked against infrastructure changes, helping prevent regressions and maintain a consistent security posture.
4. Security analyst training and education: In a lab environment, the tool works as a hands-on training platform. Analysts can run real attack techniques to see what adversary behavior looks like in logs and on endpoints, sharpening their skills for responding to threats.
5. Threat intelligence validation: When new threat intelligence appears, you can run the corresponding atomic tests to see if your environment is vulnerable. Turning intelligence into an actionable test helps you proactively validate defenses against current, real-world TTPs.
How does Atomic Red Team work?
Atomic Red Team uses a file-based system with a library of “atomic tests” mapped to the MITRE ATT&CK framework. When you select a technique to simulate, the execution framework manages the whole process. The framework checks for prerequisites, sets up parameters, runs the attack commands for your chosen platform, and cleans up after the test. A test flow can be fully automated or run manually by copying commands from Markdown files.
Test Library: The core repository where individual, self-contained atomic tests are stored in a structure mirroring ATT&CK. Each test is a YAML file defining attack commands, dependencies, supported platforms (Windows, macOS, Linux), and cleanup steps.
Execution Framework: A flexible layer that automates the test process. The framework reads test definitions, handles dependency checks, and orchestrates the execution and cleanup, with `Invoke-AtomicRedTeam` being the primary PowerShell tool.
Integration Points: The system connects with SIEMs, logging platforms, and other security tools, allowing you to validate your entire security workflow by observing test results and generated artifacts.
Core Capabilities:
1. MITRE ATT&CK mapping: Every test is mapped to a specific MITRE ATT&CK technique, providing a structured approach to security validation. Such alignment allows you to systematically measure defensive coverage against known adversary behaviors. The mapping ensures testing efforts are relevant to real-world threats and gives you a common framework for finding and prioritizing gaps.
2. Multi-platform test execution: The framework supports diverse IT environments with tests for Windows, macOS, and Linux. Having multi-platform coverage enables you to validate security controls consistently across your entire tech stack. Each test is tailored to the specific behaviors and native tools of its target OS, making sure attack simulations are realistic.
3. Automation framework: Using the `Invoke-AtomicRedTeam` PowerShell module, you can run tests programmatically and at scale. Automation is key for integrating continuous security validation into CI/CD pipelines. The framework supports batch execution and dynamic parameters, which reduces manual effort and ensures consistent testing as your environment changes.
4. Prerequisite and dependency management: To make sure tests run reliably, the framework automatically checks for required tools and system configurations before execution. It provides clear guidance and often includes automated commands to install missing dependencies, simplifying setup so you can focus on analyzing test results.
5. Safe and reversible test procedures: Each atomic test includes a cleanup command to revert any changes made to the system, like removing files or restoring configurations. Including a cleanup command ensures that systems return to their original state after testing, which minimizes operational risk. Safe procedures enable regular testing in environments that closely mirror production, giving you confidence that validation activities won't disrupt system integrity.
Limitations:
1. Limited campaign emulation: The tool focuses on individual techniques and does not simulate complex, multi-stage attack campaigns that chain TTPs over time.
2. Requires high execution privileges: Many tests need admin or root privileges to run because they modify system configurations or access sensitive processes. Requiring these privileges can introduce risk and complicate setup in secure environments.
3. Potential for signature-based detection: Because Atomic Red Team is a well-known tool, signature-based defenses can easily flag its default commands. Relying only on these tests might create a false sense of security if you don't also monitor underlying behaviors.
4. Dependency on external tooling: Tests often require specific system utilities or binaries. In restricted environments where these tools are blocked, many tests will fail without manual configuration.
5. Windows-centric automation framework: The main automation tool is a PowerShell module. While tests work on multiple platforms, automating them on Linux or macOS can have a steeper learning curve for teams not focused on Windows.
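The test library described above is just YAML, so the points raised under capabilities 4 and 5 and limitations 2 and 4 (which tests need elevation, which have a cleanup command, which executor and tools they rely on, which platforms they cover) can be answered before anything is executed. The following inventory script is an added example, not code from the Atomic Red Team project. It assumes the repository has been cloned to ./atomic-red-team and that the powershell-yaml module, which Invoke-AtomicRedTeam itself depends on, is installed; the YAML keys it reads (attack_technique, atomic_tests, supported_platforms, executor.name, executor.cleanup_command, executor.elevation_required, dependencies) are the ones used by the project's test files.

```powershell
# Added example (not project code): inventory every atomic test in a cloned
# atomics folder so a defender can plan privileges, cleanup and tooling
# before running anything. Requires the powershell-yaml module.
Import-Module powershell-yaml -ErrorAction Stop

function Get-AtomicTestInventory {
    param(
        [Parameter(Mandatory)][string]$AtomicsPath   # e.g. .\atomic-red-team\atomics
    )
    # Each technique folder holds one <TechniqueID>.yaml (T1033.yaml, T1003.001.yaml, ...).
    # The regex skips the index files that also live under atomics/.
    Get-ChildItem -Path $AtomicsPath -Recurse -Filter '*.yaml' |
        Where-Object { $_.BaseName -match '^T\d{4}(\.\d{3})?$' } |
        ForEach-Object {
            $doc = ConvertFrom-Yaml (Get-Content -Path $_.FullName -Raw)
            foreach ($test in $doc.atomic_tests) {
                $exec     = $test.executor
                $depCount = if ($test.dependencies) { @($test.dependencies).Count } else { 0 }
                [pscustomobject]@{
                    Technique         = $doc.attack_technique
                    TestName          = $test.name
                    Guid              = $test.auto_generated_guid
                    Platforms         = ($test.supported_platforms -join ',')
                    Executor          = $exec.name                       # command_prompt, powershell, sh, bash, manual
                    ElevationRequired = [bool]$exec.elevation_required   # absent key -> $false
                    HasCleanup        = -not [string]::IsNullOrWhiteSpace($exec.cleanup_command)
                    DependencyCount   = $depCount
                }
            }
        }
}

$inventory = Get-AtomicTestInventory -AtomicsPath '.\atomic-red-team\atomics'

# Tests that need admin/root: schedule these for a privileged lab account.
$inventory | Where-Object ElevationRequired |
    Select-Object Technique, TestName, Platforms | Format-Table -AutoSize

# Tests with no cleanup command: review what they change before running them.
$inventory | Where-Object { -not $_.HasCleanup } |
    Select-Object Technique, TestName, Executor | Format-Table -AutoSize

# Tests with external dependencies, the ones most likely to fail in a locked-down environment.
$inventory | Where-Object { $_.DependencyCount -gt 0 } |
    Sort-Object DependencyCount -Descending |
    Select-Object Technique, TestName, DependencyCount -First 20 | Format-Table -AutoSize

# Coverage by platform combination.
$inventory | Group-Object Platforms | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Because the output is a stream of objects, the same inventory can be exported with Export-Csv and kept as a record of which tests were in scope for a given validation cycle.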
Using Atomic Red Team is a great way to validate your defenses, but how do you know which tests to prioritize? That’s where Wiz adds crucial context. While Atomic Red Team executes a specific MITRE technique, Wiz maps the most critical attack paths in your cloud (via attack path analysis), showing you exactly which techniques could expose sensitive data and what to test first.
Getting Started:
Step 1: Clone the Atomic Red Team repository to your local machine.
git clone https://github.com/redcanaryco/atomic-red-team.git
Step 2: Navigate to the atomic-red-team directory.
cd atomic-red-team
Step 3: To run atomic tests directly from the command line, find the relevant atomic test YAML under the 'atomics' directory and follow the manual command example in the test file.
Step 4: For a streamlined test experience, use an execution framework like Invoke-Atomic. Learn more and install Invoke-Atomic by following its documentation: https://github.com/redcanaryco/invoke-atomicredteam
Step 5: Refer to the wiki for detailed usage and test execution options: https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started
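Steps 1 to 5 above, carried through as one scripted run. This is an added example, not code from the Atomic Red Team wiki or the Invoke-AtomicRedTeam project. It assumes the repository was cloned in Step 1 into the current directory, that Invoke-AtomicRedTeam was installed in Step 4 so that Import-Module can load it by name, and it uses two low-impact discovery techniques, T1033 (System Owner/User Discovery) and T1016 (System Network Configuration Discovery), test number 1 of each, purely as sample inputs; the Invoke-AtomicValidation function name is this example's own.

```powershell
# Added example (not project code): check prerequisites, run a test, record
# the execution log and always clean up, even if the test errors out.
# Assumes the module is installed (Install-Module invoke-atomicredteam, or the
# install script from Step 4, in which case import the .psd1 by path instead).
Import-Module Invoke-AtomicRedTeam -ErrorAction Stop

function Invoke-AtomicValidation {
    param(
        [Parameter(Mandatory)][string]$Technique,
        [int]$TestNumber = 1,
        [Parameter(Mandatory)][string]$AtomicsPath,
        [string]$LogPath = (Join-Path $PWD 'atomic-execution-log.csv')
    )
    # Parameters shared by every call: which test, and which atomics folder to read it from.
    $common = @{ TestNumbers = $TestNumber; PathToAtomicsFolder = $AtomicsPath }

    # Show what the test will do before it runs.
    Invoke-AtomicTest $Technique @common -ShowDetailsBrief

    # Install anything missing, then confirm the prerequisites are satisfied.
    Invoke-AtomicTest $Technique @common -GetPrereqs
    Invoke-AtomicTest $Technique @common -CheckPrereqs

    try {
        # Execute; the execution log records technique, test, host and time stamp,
        # which is what you later match against SIEM/EDR events.
        Invoke-AtomicTest $Technique @common -ExecutionLogPath $LogPath
    }
    finally {
        # Cleanup runs whether or not execution succeeded (capability 5 above).
        Invoke-AtomicTest $Technique @common -Cleanup
    }
    Import-Csv -Path $LogPath
}

$Atomics = Join-Path $PWD 'atomic-red-team\atomics'   # from the clone in Step 1

# Batch run of the sample techniques; the same loop fits a CI job.
$runs = foreach ($t in 'T1033', 'T1016') {
    Invoke-AtomicValidation -Technique $t -AtomicsPath $Atomics
}
$runs | Format-Table -AutoSize
```

After the run, search your SIEM or EDR console for the hostname and time window in the execution log: a test that ran but produced no alert or telemetry is the coverage gap the page is talking about.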
Verified Atomic Red Team User Reviews
"There's a lot of effort that goes into what is essentially recreating an attacker's entire attack method, it's amazing that Atomic Red Team exists at all." - r/purpleteamsec
Alternatives
Feature | Atomic Red Team | MITRE Caldera | Stratus Red Team |
---|---|---|---|
Primary Focus | Library of discrete, easy-to-run tests mapped to ATT&CK techniques | Automated adversary emulation platform for building and running complex attack campaigns | Cloud-native attack simulation, focusing on AWS, Azure, and GCP environments |
Architecture | A collection of scripts and a PowerShell/Python execution framework; no server or agents required | Client-server architecture with a core C2 server and agents deployed on target systems; includes a REST API and web UI | Self-contained Go binary that programmatically sets up, executes, and tears down cloud resources for tests |
Platform Coverage | Windows, macOS, Linux, and some cloud environments | Windows, macOS, Linux | AWS, Azure, GCP, Kubernetes |
Use Case | Validating specific security controls, testing detection rules, and security team training | End-to-end red team exercises, automated penetration testing, and security posture assessments | Validating cloud security detections, simulating cloud-specific threats, and training cloud security teams |
Prerequisite Management | Provides commands to manually or semi-automatically install dependencies for each test | Manages abilities and dependencies through its agent-based framework | Fully automates the setup and cleanup of required cloud infrastructure (e.g., IAM roles, S3 buckets) for each test |