Adversary Emulation and Breach Attack Simulations



Adversary emulation is a type of red team engagement that mimics a known threat to an organization by blending in threat intelligence to define what actions and behaviors the red team uses. This is what makes adversary emulation different from penetration testing and other forms of red teaming. Adversary emulators construct a scenario to test certain aspects of an adversary’s tactics, techniques, and procedures (TTPs). The red team then follows the scenario while operating on a target network in order to test how defenses might fare against the emulated adversary.

Breach and Attack Emulation solutions allow you to continuously assess risk posture and exposure to attacks in modern network environments. Validating detection coverage has become one of the key responsibilities of SOC team members.

Attack emulation tools allow you to safely create and run dedicated real-world adversary campaigns at scale by mimicking different phases of an attack and mapping them to the MITRE ATT&CK framework:

  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation 
  • Defense Evasion
  • Credential Access 
  • Discovery 
  • Lateral Movement 
  • Collection 
  • Command and Control 
  • Exfiltration

Attackers constantly find new ways to attack and infect Linux / Windows networks using increasingly sophisticated techniques and tools. As defenders, we need to stay up to date with adversaries, understand their TTPs, be able to respond quickly, and repeat their actions on demand. As Sun Tzu said: “To know your enemy, you must become your enemy”, and this is the main goal of this purple-team-oriented Adversary Emulation training.

This training program is about monitoring and measuring security controls by executing (semi-)automated scripted attacks. Every emulation job and tool in use will be described and analyzed in terms of its nature and detection scope, including the TTP artifacts and behaviors that we are going to hunt for using live PurpleLabs Cyber Range telemetry and analytics, including Sysmon, Windows Event Logs, Zeek IDS, Suricata IDS, Moloch FPC, Elastiflow, Velociraptor, OSquery, Sigma rules, Splunk, Hunting ELK and more.

Through the hands-on labs you will be playing with a variety of emulation scenarios based on:

  • PurpleSharp / PurpleAD
  • Atomic Red Team
  • Caldera
  • Infection Monkey
  • APTSimulator
  • Metta
  • AutoTTP
  • ATTPwn
  • DumpsterFire
  • Purple Metasploit
  • TestMyNIDS
  • PyExfil
  • FlightSim
  • RTA
  • GoPurple
  • Covenant
  • Empire
  • Sliver
  • Vectr, Unfetter and many more

Different ways of automation and customization will be presented as well.

At the end of this class, you will understand the value of the Assume Breach approach and the business need for emulating threats after early access has been obtained (C2, Lateral Movement, Persistence, Evasion). You will gain the knowledge and tools to begin executing assumed-breach, chained attack paths. You will also learn about the important Open Source defensive security stack and the visibility needs within your environment at many different levels.

In terms of data leakage protection and for a better understanding of the current status of your network security posture, this training helps you identify risks, network security blind spots, issues with event logging pipelines, and unexpected and uncovered areas by emulating real cyber adversary behavior.


  • Introduction to Adversary Emulation, BAS solutions, and Purple Teaming:
    • The Build / Attack / Defend Pyramid
  • MITRE ATT&CK Framework → The industry standard and common language between Blue Teams, Red Teams and CTI
  • The overview of Security Control Framework Mappings
  • Visibility is the key → Open Source Defensive Security Stack for Blue / Threat Hunting Team:
    • Sysmon
    • Windows Event Logs
    • Zeek IDS
    • Suricata IDS
    • Moloch FPC
    • Velociraptor DFIR
    • Wazuh 
    • Netflow Elastiflow
    • OSquery
    • Splunk
    • Hunting ELK
    • Strelka
    • Sigma rules
  • Atomic Red Team tests at scale vs detection
  • PurpleSharp architecture and advanced simulation playbooks in Active Directory
  • Caldera architecture, plugins overview, and APT-based evaluation scenarios: 
    • FIN6
    • APT28
    • APT29
    • APT41
    • FIN7
    • menuPass
    • Hafnium
    • Carbanak
    • and more
  • Egress testing, C2 channels, and suspicious network events vs detection
  • Playing with various Windows / Linux shellcode injection techniques vs detection
  • Hands-on analysis and activity replication of the latest APT groups
  • Integration and automation of emulation arsenal tools
  • Challenge - create your own APT emulation scenario

Time Duration

3 days (9:00am - 5:00pm)

Who should attend

  • CSIRT / Incident Response Specialists
  • Red and Blue team members
  • Penetration testers
  • Threat Hunters
  • Security / Data Analytics
  • IT Security Professionals, Experts & Consultants
  • SOC Analysts and SIEM Engineers
  • AI / Machine Learning Developers
  • Open Source Security Enthusiasts

TRAINER: Leszek Miś

Leszek Miś is the Founder of Defensive Security, Principal Trainer and Security Researcher with over 15 years of experience in the Cyber Security and Open Source Security Solutions market. He went through the full path of infosec career positions: from OSS researcher, Linux administrator and DevOps, through penetration tester and security consultant delivering hardening services and training for the biggest players in the European market, to finally become an IT Security Architect / SOC Security Analyst with a deep non-vendor focus on Network Security attack and detection. He has deep knowledge of finding blind spots and security gaps in corporate environments. He perfectly understands the technology and business value of delivering a structured, automated adversary simulation platform.

Recognized speaker and trainer: BruCON 2017/2018, Black Hat USA 2019, OWASP Appsec US 2018, FloCon USA 2018, Hack In The Box Dubai / Amsterdam / Singapore / Abu Dhabi 2018/2019, 44CON UK 2019, Confidence PL, PLNOG, Open Source Day PL, Secure PL, Advanced Threat Summit PL 2019.

He holds many certifications: OSCP, RHCA, RHCSS, Splunk Certified Architect.

His areas of interest include network “features” extraction, OS internals and forensics. He constantly tries to figure out what the AI/ML Network Security vendors try to sell. In his free time he likes to break into the “IoT world” just for fun.

Still learning hard every single day.


If you are interested in dedicated, private training for your SOC team, let us know. We love delivering on-site training sessions!