Cyberattack simulation, aka adversary emulation, is an emerging IT security technology that helps discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. Whether you're evaluating Atomic Red Team alternatives, comparing BAS simulation tools, or building a comprehensive adversary emulation program, this guide covers the top 10 open-source adversary emulation tools available today.
What is Adversary Emulation?
Adversary emulation (also called adversary simulation) is the process of mimicking an attacker's behaviour — their techniques, tactics, and procedures (TTPs) — to test how well your defenses hold up. Unlike penetration testing, which focuses on finding exploitable vulnerabilities, adversary emulation replicates specific threat actor campaigns to validate your detection and response capabilities against real-world attack patterns mapped to the MITRE ATT&CK framework.
Most attack simulation tools and platforms provide an automated or semi-automated means of attaining the attacker's perspective of the victim's network. The goal isn't always to reach the crown jewels — it's to identify the different attack paths an adversary might take, mitigate the most impactful threats, and prioritise with an actionable remediation plan to maximise security resources and reduce cyber risks.
Adversary Emulation vs Adversary Simulation vs Red Teaming
These terms are often used interchangeably, but they have distinct meanings:
| Aspect | Adversary Emulation | Adversary Simulation | Red Teaming |
|---|---|---|---|
| Approach | Replicates specific threat actor TTPs | Mimics general attacker behaviors | Full-scope offensive engagement |
| Goal | Test detection against known campaigns | Validate security controls broadly | Find any path to compromise |
| Automation | High (tools-driven) | Medium-High | Low (human-driven) |
| ATT&CK Mapping | Direct (campaign-specific) | General (technique-level) | Custom (operator-dependent) |
| Frequency | Continuous/automated | Continuous/periodic | Point-in-time |
| Cost | Low (open-source tools) | Low-Medium | High (skilled operators) |
Bottom line: If you want to test whether your SOC can detect a specific APT group's playbook, use adversary emulation. If you want continuous validation of security controls across your stack, use a BAS simulation platform. If you need a human to try everything possible to break in, hire a red team.
Why Adversary Emulation Matters for CISOs
As a CISO, you must maintain a proactive security program that defends your organisation against all sorts of cyber attacks. However, even maintaining a security baseline is difficult, let alone having a mature security program.
It is a constant war against attackers. The answer lies in maintaining a healthy security posture by continuously validating your security controls against adversary behaviours. You may need to answer the board on how you will allocate the cybersecurity fund for maximum ROI. Continuous security validation through adversary emulation gives you the metrics to demonstrate effectiveness — benchmarked against the MITRE ATT&CK framework.
Recently, companies have adopted a more aggressive approach through Breach and Attack Simulation (BAS) platforms. With continuous security controls validation, companies can simulate different types of cyber attacks, including insider threats and lateral movements. This proactive approach provides the feedback needed to stay ahead.
Open Source Adversary Emulation Tools
Here's an overview of the top open source adversary emulation tools:
- MITRE CALDERA
- Atomic Red Team
- The DumpsterFire Toolset
- firedrill from FourCore (us!)
- The Mordor project
- Infection Monkey from Guardicore
- Red Team Automation
- Stratus Red Team from DataDog
- Metta
- Encripto Blue Team Training Toolkit
MITRE CALDERA

MITRE CALDERA is a cybersecurity framework developed by MITRE that empowers cyber practitioners to save time, money, and energy through automated security assessments. It offers an intelligent, automated adversary emulation system that can reduce resources needed by security teams for routine testing, freeing them to address other critical problems.
Caldera leverages the ATT&CK model to identify and replicate adversary behaviors as if a real intrusion is occurring. It empowers cyber teams in three main ways:
-
Autonomous Adversary Emulation allowing teams to build a specific threat (adversary) profile and launch it in a network to see where you may be susceptible. This helps with testing defenses and training blue teams on how to detect specific threats.
-
Autonomous Incident Response enables your team to perform automated incident response on a given host, allowing them to find new ways to identify and respond to threats.
-
Manual Red-Team Engagements helps your red team perform manual assessments with computer assistance by augmenting existing offensive toolsets. The framework can be extended with any custom tools you may have.
Atomic Red Team

Atomic Red Team is a library of simple tests that every security team can execute to test their defenses. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. The ART maps small and highly portable detection tests to the Mitre ATT&CK Framework. This framework is not automated, yet supports Microsoft Windows, MacOS & Linux flavours.
It’s used for many purposes, including but not limited to:
- Validating assumptions about security controls
- Testing detection coverage
- Learning what malicious activity looks like
DumpsterFire

The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
The toolset is designed to be dynamically extensible, allowing you to create your own Fires (event modules) to add to the included collection of toolset Fires. Just write your own Fire module and drop it into the FireModules directory. The DumpsterFire toolset will auto-detect your custom Fires at startup and make them available for use.
firedrill from FourCore

firedrill is an open-source library from FourCore Labs to build malware simulations quickly. We have built a set of four different attack simulations for you to use and build on top of Ransomware Simulations, Discovery Simulation, UAC Bypass, and Persistence Simulation. Download them now from the firedrill GitHub repo. In addition, you can use the firedrill binaries to find out how effective your antivirus is or if your sandbox is detecting the proper signatures. To learn more about Firedrill, read the linked blog by FourCore.
Mordor

The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the Mitre ATT&CK Framework. The pre-recorded data represents not only specific known malicious events but additional context/events that occur around it. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
The name Mordor comes from the awesome book/film series "The Lord of the Rings", and it was a place where the evil forces of Sauron lived. This repository is where data generated by known "malicious" adversarial activity lives, hence the name of the project.
Roberto Rodriguez created Mordor to help analysts who might not have extensive testing or red team experience simulate adversary behaviors to test their ability to detect or prevent.
The Mordor Projects fulfils the following goals:
- Provide free portable malicious datasets to expedite the development of data analytics.
- Facilitate adversarial techniques simulation and output consumption.
- Allow security analysts to test their skills with real known bad data.
- Improve the testing of hunting use cases and data analytics in an easier and more affordable way.
- Enable data scientists to have semi-labeled data for initial research.
- Map threat hunter playbooks to their respective pre-recorded data for validation purposes.
Sharing a wonderful article by Roberto employing Mordor Datasets: https://medium.com/threat-hunters-forge/threat-hunter-playbook-mordor-datasets-binderhub-open-infrastructure-for-open-8c8aee3d8b4
Infection Monkey from Guardicore

Infection Monkey is an open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server. It is also coded in Python and is environment agnostic. On-premises, containers, public and private clouds are all supported. It allows continuous testing to regularly run the platform to test your security strategy and specific controls. It also provides actionable data using reports on your network’s performance against a broad set of attacker behaviors.
Red Team Automation

Red Team Automation provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. RTA is composed of python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file timestopping, process injections, and beacon simulation as needed.
Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs will emulate all or parts of the activity. For example, some lateral movement will by default target local host (though with parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe will be renamed to make it appeas as if a Windows binary is doing non-standard activities.
A great article by Elastic: https://www.elastic.co/blog/introducing-endgame-red-team-automation
Stratus Red Team

As the developers put it, Stratus Red Team is Atomic Red Team for the Cloud. It comes with a variety of common attack techniques mapped to the MITRE ATT&CK matrix that attackers can use to exploit your AWS environment. You can use the single Stratus Red Team binary available for free on GitHub.
Some of the attack techniques you can simulate:
- Retrieve EC2 Password Data - AWS - Credential Access
- Steal EC2 Instance Credentials - AWS - Credential Access
- Execute Discovery Commands on an EC2 Instance - AWS - Discovery
- Remove VPC Flow Logs - AWS - Defense Evasion
Find all the techiques availalble here.
Metta

Uber open sourced this adversarial simulation tool, which was born out of multiple internal projects. Metta uses Redis/Celery, python, and vagrant with VirtualBox to perform adversarial simulation, which allows you to test your host based security systems. This also may allow you to test other network based security detection and controls depending on how you set up your vagrants. Metta is compatible with Microsoft Windows, MacOS and Linux endpoints. More details on Metta here.
Encripto Blue Team Training Toolkit

Encripto Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level. The toolkit allows you to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk.Blue Team Training Toolkit. It is written in Python and includes the latest version of Encripto’s Maligno, Pcapteller and Mocksum. It also includes multiple malware indicator profiles that ensure a “plug & play” experience, when planning and preparing a training session, incident response drill or red team engagement.
How to Choose the Right Adversary Emulation Tool
With 10+ open-source adversary emulation tools available, the right choice depends on your team's maturity, infrastructure, and goals:
| If you need... | Use this tool | Why |
|---|---|---|
| ATT&CK-mapped detection tests | Atomic Red Team | Largest library of portable, single-purpose tests |
| Full adversary emulation campaigns | MITRE Caldera | Autonomous agent-based emulation with planning |
| Cloud-native attack simulation | Stratus Red Team | Purpose-built for AWS attack techniques |
| Quick malware simulation for EDR testing | FourCore Firedrill | Ready-made ransomware, persistence, UAC bypass sims |
| Pre-recorded attack datasets for SIEM tuning | Mordor | JSON security datasets mapped to ATT&CK |
| Network propagation testing | Infection Monkey | Self-propagating breach simulation across networks |
| Blue team detection validation | Red Team Automation | 50+ ATT&CK tactic evidence generators |
| Time-delayed attack narratives | DumpsterFire | Modular event chains for blue team drills |
| Host-based security testing | Metta | Redis/Celery-based adversarial simulation |
| Defensive security training | Encripto BT3 | Incident response drills with realistic scenarios |
Pro tip: Most mature security programs use multiple tools. A common stack is Atomic Red Team for continuous detection testing + MITRE Caldera for full campaign emulation + a BAS platform like FourCore ATTACK for automated, continuous security validation.
Adversary Emulation Tools vs BAS Platforms
Open-source adversary emulation tools are powerful but require manual setup, scripting expertise, and analyst time. Breach and Attack Simulation (BAS) platforms automate this process:
| Open-Source Tools | BAS Platforms | |
|---|---|---|
| Setup | Manual, requires scripting | Agent-based, minutes to deploy |
| Coverage | Single techniques per test | Full kill-chain campaigns |
| Frequency | Ad-hoc, analyst-driven | Continuous, automated |
| Reporting | Raw logs, manual analysis | Dashboards, executive metrics |
| Cost | Free (but high time cost) | License fee (but low time cost) |
| Best for | Security engineers, detection teams | CISOs, SOC teams, compliance |
If your team has the engineering capacity and wants full control, open-source tools are excellent. If you need continuous validation with minimal analyst overhead, a BAS platform like FourCore ATTACK bridges the gap.
If building and maintaining this test infrastructure is not where your team wants to spend its time, book a demo. FourCore ATTACK runs relevant techniques against your controls, shows what blocked, detected, or missed them, and gives your team a clear starting point for the fix and retest.
Frequently Asked Questions
What is the difference between adversary emulation and adversary simulation?
Adversary emulation replicates specific threat actor TTPs (techniques, tactics, and procedures) mapped to MITRE ATT&CK campaigns. Adversary simulation is broader — it mimics general attacker behaviors to test security controls without necessarily replicating a specific threat group's playbook. Both fall under the umbrella of Breach and Attack Simulation (BAS).
Is Atomic Red Team still maintained in 2026?
Yes, Atomic Red Team is actively maintained by Red Canary and the open-source community. It remains one of the most widely-used adversary emulation libraries with 10,000+ GitHub stars and regular updates mapped to the latest MITRE ATT&CK releases. It's the go-to choice for teams that want portable, single-purpose detection tests.
What is the best Atomic Red Team alternative?
The best alternative depends on your use case. MITRE Caldera is the best alternative for autonomous, agent-based adversary emulation campaigns. Stratus Red Team is the best alternative for cloud-native (AWS) attack simulation. FourCore Firedrill is the best alternative for quick malware simulation and EDR validation without scripting overhead.
Can I use adversary emulation tools for compliance?
Yes. Adversary emulation tools help demonstrate continuous security controls validation — a requirement in frameworks like SEBI CSCRF, NIST CSF, ISO 27001, and DORA. BAS platforms that automate adversary emulation provide the audit-ready reports and metrics that compliance teams need.
What is BAS simulation?
BAS simulation (Breach and Attack Simulation) is the automated practice of simulating cyber attacks against your security infrastructure to identify gaps, test detection capabilities, and validate security controls. Unlike manual penetration testing, BAS simulation runs continuously and provides real-time feedback on your security posture.
