// 003 · THREAT ACTOR REPLICATION · 28 ACTORS LOADED

Adversary Emulation.

We don't simulate attackers in the abstract. We replicate named threat actors using their authentic tradecraft — APT29's stealth, Lazarus's persistence, FIN7's discipline. Test your defenses against the real thing.

#01

Real adversaries. Replicated.

// the discipline

Faithful replication of named threat actors

For every named threat actor we maintain — APT29, Lazarus, Conti, Scattered Spider, Volt Typhoon, and 23 others — we replicate their authentic TTPs end-to-end. The same initial access vectors, the same C2 infrastructure patterns, the same lateral movement habits, the same exfiltration timing.

Your SOC isn't tested against a generic attacker. It's tested against the specific adversary most likely to come for your industry, using techniques drawn directly from confirmed incidents.

// why you need it

Detect what you're actually facing

Generic pen tests measure generic exposure. But your real threat is specific: ransomware affiliates if you're in healthcare, state actors if you're in defense, financially motivated crews if you're in fintech.

Adversary emulation tells you whether your detection content catches your actual adversaries, not whether it catches Nmap. "Would we have seen this?" is the question that matters, and this is how you get an evidence-backed answer.

// 001

MITRE ATT&CK Full Coverage

Every emulated actor maps to specific ATT&CK techniques. 14 tactics, 600+ techniques and sub-techniques, each one traceable to a line in your detection content.

// 002

Actor Library · 28 Profiles

Nation-state, e-crime, hacktivist, and insider threat profiles — each maintained with confirmed-incident provenance and TTP fidelity scoring.

// 003

Purple Team Mode

Run as either blind (red) or collaborative (purple) — defenders watch our attacks in real time, refine detections, and re-run for measurable improvement.

// 004

Detection Engineering Output

Every campaign produces Sigma rules, Splunk SPL, Sentinel KQL, and Elastic queries — tested against your environment before delivery.

#02

Four phases. One actor.

01

Actor Selection & Profiling

You choose which threat actor to emulate, or we recommend based on your industry threat profile. We brief the operator team on TTPs, infrastructure habits, and confirmed-incident behavior.

Duration 3–5 days
02

Campaign Execution

Operators run the actor's full kill chain end-to-end. Initial access, foothold, escalation, lateral movement, objective — each step performed using the actor's actual tradecraft.

Duration 3–6 weeks
03

Detection Gap Analysis

For every technique we used, we measure whether you saw it, when you saw it, and what alerted (or didn't). Detection coverage is scored against the actor's full kill chain, per tactic and per technique.

Output Coverage map
04

Re-run & Validate

After your team deploys new detection content, we re-run the same campaign and measure improvement. Same actor, same TTPs, different defense posture. Provable ROI.

Included 60-day retest
#03

Tradecraft, made measurable.

// actor_library.json · 28 profiles · v15.3 (six shown)

G0016 · APT29 (Cozy Bear) · nation-state · stealth · cloud
G0032 · Lazarus Group (Hidden Cobra) · nation-state · destructive · crypto
G0046 · FIN7 (Carbanak) · e-crime · retail · POS
G1015 · Scattered Spider · e-crime · social-eng · ransomware
G1017 · Volt Typhoon · nation-state · critical-infra · LotL
G0102 · Conti, legacy (Wizard Spider) · ransomware · healthcare · double-extortion
// campaign.telemetry · apt29-engagement · live

TTPs executed: 47 / 52 (campaign progressing)
SOC alerts: 11 (+3 since last hour)
Detected TTPs: 22% (below industry average)
Dwell time: 18 days, undetected
Recon detection: 14% · Lateral detection: 31% · Exfil detection: 8%
// apt29.profile.yaml · actor tradecraft

# APT29 — Cozy Bear · MITRE G0016
actor: apt29
aliases: [cozy_bear, nobelium, midnight_blizzard]
sponsor: SVR # Russian Foreign Intelligence Service

tradecraft:
  initial_access:
    - T1566.001 # phishing: spearphishing attachment
    - T1199     # trusted relationship (third-party / vendor access)
    - T1078.004 # valid accounts: cloud accounts

  persistence:
    - T1098.001 # account manipulation: additional cloud credentials
    - T1556.006 # modify authentication process: multi-factor authentication

  defense_evasion:
    - T1550.001 # use alternate authentication material: application access token
    - T1078.004 # valid accounts: cloud accounts
    - T1027     # obfuscated files or information

infrastructure:
  c2: [azure_blob, microsoft_graph, teamsapi] # blends into traffic the tenant already generates
  staging: legitimate_cloud_providers
  avoid: [direct_inbound, tor_exits]
// campaign.ttps.live · apt29 · 22% of 52 TTPs detected (seven shown)

T1595      Active scanning · subdomain enumeration        undetected
T1589      Gather victim identity · LinkedIn scrape        undetected
T1566.001  Spearphishing · trusted-vendor document         detected · 12m
T1078.004  Valid cloud account · SSO replay                undetected
T1556.006  MFA bypass · registration manipulation          undetected
T1098.001  Persistence · additional cloud credentials      detected · 47m
T1567.002  Exfiltration over Microsoft Graph API           undetected
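The coverage map from phase 03 and the live TTP list above come down to one join: the operator's execution log against the SOC's alert log, matched on technique ID and time. The script below is an added example written for this page, not stealthbyte's tooling or code taken from it. It scores a constructed slice of a campaign (the timestamps, notes and rule names are made up to resemble the telemetry above), reports per-tactic coverage and median time-to-detect, lists alerts that map to nothing the operators ran, and emits an ATT&CK Navigator layer so the result can be overlaid on the matrix. The layer JSON follows the Navigator layer format; the version strings in it and the one-day matching window are assumptions to adjust for a real engagement.

```python
"""Detection-gap scoring for an emulated campaign, plus an ATT&CK Navigator
layer export. Added example; the timeline and alert rows are constructed to
resemble the telemetry on this page, not real engagement data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import json


@dataclass(frozen=True)
class ExecutedTTP:
    technique: str        # ATT&CK technique / sub-technique ID
    tactic: str           # ATT&CK tactic short name, as Navigator expects it
    executed_at: datetime
    note: str


@dataclass(frozen=True)
class SocAlert:
    technique: str        # technique the rule or analyst mapped the alert to
    fired_at: datetime
    rule: str


T0 = datetime(2024, 3, 4, 9, 0)   # constructed campaign start
EXECUTED = [
    ExecutedTTP("T1595", "reconnaissance", T0, "subdomain enumeration"),
    ExecutedTTP("T1589", "reconnaissance", T0 + timedelta(hours=2), "LinkedIn scrape"),
    ExecutedTTP("T1566.001", "initial-access", T0 + timedelta(days=1), "trusted-vendor document"),
    ExecutedTTP("T1078.004", "initial-access", T0 + timedelta(days=1, hours=3), "SSO token replay"),
    ExecutedTTP("T1556.006", "persistence", T0 + timedelta(days=2), "MFA registration manipulation"),
    ExecutedTTP("T1098.001", "persistence", T0 + timedelta(days=2, hours=1), "additional cloud credentials"),
    ExecutedTTP("T1567.002", "exfiltration", T0 + timedelta(days=9), "exfil over Graph API"),
]
ALERTS = [
    SocAlert("T1566.001", T0 + timedelta(days=1, minutes=12), "mail: vendor-impersonation attachment"),
    SocAlert("T1098.001", T0 + timedelta(days=2, hours=1, minutes=47), "entra: credential added to app"),
    SocAlert("T1021.002", T0 + timedelta(days=5), "smb: admin share access"),   # nothing executed matches
]


def first_alert_for(ttp, alerts, window):
    """Earliest alert mapped to the same technique that fired inside the window
    after execution. Alerts from before execution are not credited."""
    hits = [a for a in alerts
            if a.technique == ttp.technique
            and ttp.executed_at <= a.fired_at <= ttp.executed_at + window]
    return min(hits, key=lambda a: a.fired_at) if hits else None


def score_campaign(executed, alerts, window=timedelta(days=1)):
    """Per-TTP detection rows, per-tactic coverage, and a campaign summary."""
    rows, by_tactic = [], {}
    for t in executed:
        hit = first_alert_for(t, alerts, window)
        ttd = (hit.fired_at - t.executed_at).total_seconds() / 60 if hit else None
        rows.append({"technique": t.technique, "tactic": t.tactic, "note": t.note,
                     "detected": hit is not None, "ttd_minutes": ttd,
                     "alerted_by": hit.rule if hit else None})
        bucket = by_tactic.setdefault(t.tactic, {"executed": 0, "detected": 0})
        bucket["executed"] += 1
        bucket["detected"] += int(hit is not None)
    for bucket in by_tactic.values():
        bucket["coverage_pct"] = round(100 * bucket["detected"] / bucket["executed"])
    ttds = [r["ttd_minutes"] for r in rows if r["ttd_minutes"] is not None]
    executed_ids = {t.technique for t in executed}
    detected = sum(r["detected"] for r in rows)
    summary = {
        "executed": len(rows),
        "detected": detected,
        "coverage_pct": round(100 * detected / len(rows)),
        "median_ttd_minutes": median(ttds) if ttds else None,
        # alerts mapped to nothing we ran: noise or analyst mis-mapping, worth listing
        "unmatched_alerts": [a.rule for a in alerts if a.technique not in executed_ids],
    }
    return {"rows": rows, "by_tactic": by_tactic, "summary": summary}


def navigator_layer(result, name="apt29 emulation: detection coverage"):
    """ATT&CK Navigator layer JSON (version strings are an assumption) that
    colours detected techniques green and undetected ones red."""
    techniques = [{
        "techniqueID": r["technique"], "tactic": r["tactic"],
        "score": 1 if r["detected"] else 0,
        "color": "#2e7d32" if r["detected"] else "#c62828",
        "comment": r["alerted_by"] or "undetected",
    } for r in result["rows"]]
    return json.dumps({
        "name": name, "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9.1"},
        "description": "score 1 = detected, 0 = undetected",
        "techniques": techniques,
    }, indent=2)


if __name__ == "__main__":
    result = score_campaign(EXECUTED, ALERTS)
    print(json.dumps(result["summary"], indent=2))
    print(json.dumps(result["by_tactic"], indent=2))
    print(navigator_layer(result))
```

Two choices matter here. Alerts are credited only if they fire after the technique ran and inside the window, so a rule that happened to fire on unrelated activity the day before does not count as coverage. And unmatched alerts are surfaced rather than discarded: on a real engagement they are either benign noise the SOC paid for anyway, or a sign the analyst mapped a real catch to the wrong technique, and both belong in the gap analysis.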
#04

Three artifacts. Measurable defense.

// 01 · executive · 18–30 pages

The Threat Brief

Plain-language summary of the campaign, your detection posture against the chosen actor, and how it compares to industry peers.

  • Campaign narrative & outcome
  • Detection coverage scorecard
  • Peer benchmarking vs. sector
  • Investment prioritization
// 02 · technical · full TTP trace

The Operator Log

Every TTP we executed, every detection (or non-detection), every artifact. Engineering-ready, MITRE-mapped, fully reproducible.

  • TTP-by-TTP execution log
  • Detection gap analysis with timestamps
  • Raw artifacts & IoCs preserved
  • Reproducible playbook for re-run
// 03 · detection · deploy-ready

The Detection Pack

For every gap, ready-to-deploy detection content tested against your environment. Vendor-specific, false-positive validated.

  • Sigma rules (vendor-neutral)
  • Splunk SPL · Sentinel KQL · Elastic
  • False-positive validation results
  • Coverage map vs. MITRE ATT&CK
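As an added example of the kind of logic a Detection Pack entry carries (written for this page, not a rule from stealthbyte or from the page itself): a correlation for the two undetected cloud TTPs in the APT29 list above, a valid-account sign-in (T1078.004) followed by MFA registration manipulation (T1556.006). The sample sign-in and audit records are constructed; their field names are simplified stand-ins for Entra ID sign-in and audit log fields, and the operation string is modelled on the "User registered security info" audit activity. The rule fires only when a user registers a new authentication method within a short window after a successful sign-in from a country outside that user's baseline. That correlation is the point: a plain new-country sign-in rule pages on every business trip, and a plain security-info-registration rule pages on every onboarding.

```python
"""T1556.006 after T1078.004: an MFA method registered shortly after a
successful sign-in from outside the user's baseline locations.

Added example. All records below are constructed; field names are
simplified stand-ins for Entra ID sign-in / audit log fields."""
from datetime import datetime, timedelta

# Constructed sign-in records.
SIGNINS = [
    {"ts": "2024-03-05T08:02:00", "user": "j.doe@corp.example",
     "ip": "203.0.113.10", "country": "GB", "result": "success"},
    {"ts": "2024-03-05T12:10:00", "user": "j.doe@corp.example",
     "ip": "198.51.100.7", "country": "US", "result": "success"},    # outside baseline
    {"ts": "2024-03-05T12:30:00", "user": "a.smith@corp.example",
     "ip": "203.0.113.11", "country": "GB", "result": "success"},
    {"ts": "2024-03-05T12:40:00", "user": "m.lee@corp.example",
     "ip": "198.51.100.9", "country": "US", "result": "failure"},    # failed: ignored
]

# Constructed audit records; operation name modelled on the Entra ID
# "User registered security info" activity.
AUDITS = [
    {"ts": "2024-03-05T12:14:00", "user": "j.doe@corp.example",
     "operation": "User registered security info", "detail": "Authenticator app added"},
    {"ts": "2024-03-05T12:35:00", "user": "a.smith@corp.example",
     "operation": "User registered security info", "detail": "Phone number added"},
    {"ts": "2024-03-05T12:45:00", "user": "m.lee@corp.example",
     "operation": "User registered security info", "detail": "FIDO2 key added"},
]

# Per-user baseline of sign-in countries over the trailing 30 days (constructed).
BASELINE_COUNTRIES = {
    "j.doe@corp.example": {"GB"},
    "a.smith@corp.example": {"GB"},
    "m.lee@corp.example": {"GB"},
}

REGISTRATION_OPS = {"User registered security info"}


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def anomalous_signins(signins, baseline):
    """Successful sign-ins from a country not in the user's baseline.
    Users with no baseline at all are treated as anomalous on every sign-in."""
    return [s for s in signins
            if s["result"] == "success"
            and s["country"] not in baseline.get(s["user"], set())]


def detect_mfa_registration_after_anomalous_signin(signins, audits, baseline,
                                                   window=timedelta(hours=1)):
    """One alert per security-info registration that follows, within `window`,
    an anomalous successful sign-in by the same user."""
    suspects = {}
    for s in anomalous_signins(signins, baseline):
        suspects.setdefault(s["user"], []).append(s)
    alerts = []
    for a in audits:
        if a["operation"] not in REGISTRATION_OPS:
            continue
        reg_at = _ts(a)
        for s in suspects.get(a["user"], []):
            login_at = _ts(s)
            if login_at <= reg_at <= login_at + window:
                alerts.append({
                    "user": a["user"],
                    "techniques": ["T1078.004", "T1556.006"],
                    "signin_ip": s["ip"],
                    "signin_country": s["country"],
                    "registered": a["detail"],
                    "minutes_after_signin": int((reg_at - login_at).total_seconds() // 60),
                })
                break   # one alert per registration, not one per prior sign-in
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_registration_after_anomalous_signin(
            SIGNINS, AUDITS, BASELINE_COUNTRIES):
        print(alert)
```

In the sample, only j.doe trips the rule: a US sign-in against a GB-only baseline, then an authenticator app added four minutes later. a.smith registers a phone from a baseline country and m.lee's US sign-in failed, so neither fires. The same selection (successful sign-in, country not in baseline, registration event for the same principal within the window) translates directly to a Sigma correlation rule or a KQL join between SigninLogs and AuditLogs; the baseline lookup is the part that has to be built per tenant.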
#05

Three ways to test your defenses.

// focused

Single actor

Pick one threat actor most relevant to your industry. Three-week campaign emulating their full kill chain. Detection scorecard delivered.

  • 3-week emulation
  • One named threat actor
  • Network or cloud scope
  • Three-artifact deliverable
  • 60-day retest included
// continuous

Persistent emulation

Quarterly campaigns against rotating actors. Detection content updated continuously. Quarterly board briefings on adversary readiness.

  • 4 quarterly campaigns / year
  • Threat-landscape monitoring
  • Continuous detection updates
  • Dedicated lead operator
  • Board-level quarterly briefings
#06

Before you engage.

01 How is this different from a red team engagement?
A red team chooses any technique that works to reach an objective. Adversary emulation is constrained: we use only the techniques the specific named actor uses, in the order they typically use them. The output is detection scoring, not just an objective reached: did your defenses catch the actor you're actually facing? It's a more measurable, more focused test.

02 How do you keep actor profiles current?
Each actor profile carries a maintained "as-of" date. We update from confirmed-incident telemetry, vendor threat intel, and original research. Major TTPs are re-validated quarterly. We disclose the profile's confidence level and freshness in every engagement brief.

03 Which actor should we emulate first?
Depends on your industry. Healthcare: usually a ransomware affiliate like Wizard Spider or Black Basta. Financial services: FIN7 or Scattered Spider. Defense/aerospace: APT29 or APT41. Critical infrastructure: Volt Typhoon. We run a 90-minute threat-modeling session during scoping and recommend based on your risk profile.

04 Will our SOC know an emulation is happening?
Your call. Blind mode tests your real detection capability honestly. Purple-team mode brings defenders into the loop in real time for higher learning velocity. Most clients run their first campaign blind, then move to purple for subsequent ones.

05 Can you emulate ransomware without actually encrypting data?
Yes. We execute the full ransomware kill chain up to (but not including) the encryption stage. We stage the encryption binary, demonstrate access to the data, and document the exfiltration paths the affiliate would use, all without ever running the destructive payload. Your detection coverage is tested across every step except the last.

06 Do you provide detection content for technologies we don't have?
We deliver detection content for the SIEM/EDR/XDR stack you actually use. During scoping we inventory your detection technology and tune the content accordingly. We don't generate generic detections that won't run in your environment.

The adversary coming for you has a name. We know it.

Threat-modeling sessions begin under NDA. Briefing delivered within 72 hours.
