Skip to content
Carrie Roberts edited this page Aug 12, 2020 · 39 revisions

What is Atomic Red Team?

Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. Learn all about it here.

How can Atomic Red Team help me?

Atomic Red Team serves many needs: validating visibility, testing detection coverage, and emulating adversary behaviors. However, it’s increasingly clear that while the platform was designed with the intention of helping security teams execute simple red team exercises (as the name implies), it may be just as useful as an educational resource. Check out this blog post to see how it can help you gain development experience, become familiar with tools and tech, hone your analytical skill set, and network with other security professionals.

How well does Atomic Red Team cover the MITRE ATT&CK Techniques?

We can visualize how well Atomic Red Team covers the MITRE ATT&CK TTPs by viewing the available atomic tests on the MITRE ATT&CK Navigator.

The colored items on the matrix indicate that at least one atomic test exists for the given technique.

How can I get started?

Are there Atomic Tests for Linux and macOS?

How did the Atomic Red Team project get started?

What does Red Canary do?

Couldn't AV vendors use this tool too and render it useless?

How does Atomic Red Team compare to other free and open source attack emulation tools?

Does Atomic Red Team negate the need for a traditional red team?

There will always be things that red teams can do that can't be scripted in the Atomic Red Team project. For example, realistic phishing emails from a believable source, vishing, credential stuffing, zero-day exploitation, etc. There are things that red teams can do better than atomic red team and vice versa, so there is a need for both.

Can I chain multiple atomic tests together to emulate specific attack groups?

You can manually chain tests together by running individual atomic tests back to back but there is no automated solution for emulating a specific attack group as a whole. But stayed tuned, this feature has been requested and is in the works.

Can I run an Atomic Red Team test on a remote machine where Atomic Red Team is not installed?

Is there a notification when new atomic tests are added?

The Atomic Red Team Slack Workspace has a public channel called "atomic-git" where notifications for all contributions are posted.

Does Atomic Red Team cover cloud infrastructure attacks?

No atomic tests have been contributed in this category but the test definition format is universal enough to support this kind of test in the future.

Where can I go to learn more?

Clone this wiki locally