RedTeamSimmer:
Adversary Emulation Platform and Atomic Red Team Test Orchestration

github.com/breachsimrange/RedTeamSimmer

What is RedTeamSimmer

RedTeamSimmer is an open-source, web-based adversary emulation platform that provides a modern UI for orchestrating Atomic Red Team tests across enterprise Windows environments. It was initially created for the 'Mastering Breach and Adversarial Attack Simulation' training at DEF CON Trainings. Traditional atomic test execution demands memorizing PowerShell syntax, manually managing prerequisites per endpoint, and collecting scattered results with no centralized visibility. RedTeamSimmer addresses this with a Flask server, lightweight Go agents, and a real-time web interface, letting security teams execute MITRE ATT&CK-mapped techniques in a few clicks. Operators deploy agents to multiple endpoints, browse the full ATT&CK catalog, run tests with automatic prerequisite handling, and monitor live color-coded output from a single dashboard.

RedTeamSimmer bridges the gap between complex adversary emulation tooling and practical usability, giving you the power of Atomic Red Team with a clean, intuitive interface.

It also ships with adversary emulation plans modelled using Atomic Red Team for real threat actors including APT28, APT3, APT41, FIN7, Lazarus Group, and Wizard Spider for multi-stage attack simulations. Detection rule mappings for Sigma, Splunk, and Elastic Security help blue teams identify coverage gaps and validate alerting. A full operations history provides a complete audit trail for compliance. It is designed for red teamers, blue teamers, purple team exercises, EDR/AV testing, and training.

RedTeamSimmer is created and maintained by the BreachSimRange team. The original RedTeamSimmer was created by @abhijithbr.

DEF CON Singapore Demo Labs 2026

RedTeamSimmer was first publicly presented at DEF CON Singapore Demo Labs 2026. The Demo Labs showcase was used to demonstrate the platform's adversary emulation capabilities and live atomic test execution to the security community.

Architecture

Under the hood, RedTeamSimmer pairs a Flask server with lightweight Go agents and a real-time web interface. The server hosts the dashboard and API, parses the Atomic Red Team definitions, distributes tasks, correlates detection rules, and keeps the full operations history. Operators deploy agents to multiple Windows endpoints; each agent registers with the server, polls for work, runs techniques locally, and streams color-coded output back to a single dashboard.

Figure: RedTeamSimmer architecture (web UI, Flask server, and Go agents) with the server, agents, and dashboard at a glance.

Features

MITRE ATT&CK Integration

RedTeamSimmer organizes all atomic tests by MITRE ATT&CK tactics, making it easy to navigate and select techniques for execution.

  • Tactic-Based Navigation: Tests are grouped under their respective MITRE ATT&CK v19 tactics (Initial Access, Execution, Persistence, Privilege Escalation, Stealth, Defense Impairment, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). v19 (April 2026) split the legacy Defense Evasion tactic into Stealth (TA0005) and Defense Impairment (TA0112).
  • Technique Details: View full technique descriptions, supported platforms, executor types, and elevation requirements before execution.
  • Sub-Technique Support: Properly handles sub-techniques (e.g., T1059.001 PowerShell under T1059 Command and Scripting Interpreter).
  • ATT&CK Links: Direct links to MITRE ATT&CK documentation for each technique.

Multi-Agent Architecture

Deploy lightweight agents on target systems and orchestrate test execution remotely from the central server.

  • Go-Based Agent: Compiled, standalone binary with no external dependencies.
  • Agent Registration: Agents automatically register with the server and report system information (hostname, username, OS, architecture).
  • AV Detection: Agents detect 60+ antivirus/EDR products including CrowdStrike, SentinelOne, Carbon Black, Defender, and more.
  • Configurable Polling: Adjustable poll intervals and jitter timing for stealth.
  • Startup Persistence: Optional persistence via registry, scheduled tasks, or startup folder.
  • Remote Shutdown: Clean agent removal with full artifact cleanup.

Currently only Windows agents are fully supported. Linux and macOS agent support is planned for future releases.

Live Execution Output

Test output streams in real time as the agent executes, not after completion, so you can watch prerequisites run, the main command fire, and cleanup trigger as it happens. Output types (stdout, stderr, and agent messages) can be toggled independently to cut noise. Each test phase is separated by decorative log banners, timed individually, and the exit code surfaces immediately on completion.

Prerequisite Management

Atomic tests often need tools or files in place before they execute. RedTeamSimmer parses the YAML test definition and, for each entry under dependencies, runs its prereq_command; a zero exit code means the dependency is already satisfied, and a non-zero exit code triggers get_prereq_command to install it. A re-verification step then re-runs prereq_command to confirm the prerequisite is in place before the main command fires. If you want to skip this, for example when you have already staged the target, the UI exposes a manual override to run the test directly.
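The check / fetch / re-verify / run sequence described above, together with the per-phase timing and exit codes that the live output view surfaces, as an added example. This is not RedTeamSimmer's own code: the test definition is constructed to mirror the Atomic Red Team YAML fields (input_arguments, dependencies, executor), the runner parameter and the Phase record are assumptions, and the sample uses the POSIX sh executor so it runs anywhere sh exists (swap in the powershell executor for a Windows target).

```python
"""Added example (not RedTeamSimmer's own code): dependency check / fetch /
re-verify, then the main command, with per-phase timing and exit codes.
The test definition is constructed; the runner parameter is an assumption."""
import os
import re
import subprocess
import tempfile
import time
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"#\{(\w+)\}")   # Atomic Red Team argument syntax: #{name}

SHELLS = {   # executor name as used in atomic YAML -> argv prefix
    "sh": ["sh", "-c"],
    "bash": ["bash", "-c"],
    "powershell": ["powershell", "-NoProfile", "-NonInteractive", "-Command"],
    "command_prompt": ["cmd.exe", "/c"],
}

@dataclass
class Phase:
    phase: str         # prereq-check | get-prereq | prereq-verify | command | cleanup
    raw: str           # command as written, with #{...} placeholders
    command: str       # command after argument resolution (what actually ran)
    exit_code: int
    duration_ms: float
    stdout: str
    stderr: str

def resolve_args(test, overrides=None):
    """Defaults from input_arguments, overridden by operator-supplied values."""
    args = {name: spec.get("default") for name, spec in test.get("input_arguments", {}).items()}
    args.update(overrides or {})
    return args

def resolve(command, args):
    """Substitute every #{name}; an unknown name is an error, not silently blank."""
    def sub(m):
        if m.group(1) not in args:
            raise KeyError(f"unresolved input argument #{{{m.group(1)}}}")
        return str(args[m.group(1)])
    return PLACEHOLDER.sub(sub, command)

def shell_runner(executor, command, timeout=120):
    """Run one command under the named executor; returns (rc, stdout, stderr)."""
    proc = subprocess.run(SHELLS[executor] + [command], capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr

def run_test(test, overrides=None, skip_prereqs=False, run_cleanup=False, runner=shell_runner):
    """Returns (status, phases); status is completed | failed | prereq-failed.
    Each dependency is checked with prereq_command (0 = satisfied); on non-zero
    exit get_prereq_command runs and the check is repeated, and the test aborts
    if it still fails. Cleanup is recorded but only executed when asked for."""
    args = resolve_args(test, overrides)
    executor = test["executor"]["name"]
    dep_executor = test.get("dependency_executor_name", executor)
    phases = []

    def step(name, raw, exe):
        cmd = resolve(raw, args)
        t0 = time.monotonic()
        rc, out, err = runner(exe, cmd)
        phases.append(Phase(name, raw, cmd, rc, (time.monotonic() - t0) * 1000, out, err))
        return rc

    if not skip_prereqs:
        for dep in test.get("dependencies", []):
            if step("prereq-check", dep["prereq_command"], dep_executor) == 0:
                continue
            step("get-prereq", dep["get_prereq_command"], dep_executor)
            if step("prereq-verify", dep["prereq_command"], dep_executor) != 0:
                return "prereq-failed", phases
    status = "completed" if step("command", test["executor"]["command"], executor) == 0 else "failed"
    if run_cleanup and test["executor"].get("cleanup_command"):
        step("cleanup", test["executor"]["cleanup_command"], executor)
    return status, phases

def sample_test(tool_path):
    """Constructed definition mirroring the Atomic Red Team YAML fields used above."""
    return {
        "name": "Run a staged script (constructed)",
        "input_arguments": {"tool_path": {"description": "script to run", "default": tool_path}},
        "dependency_executor_name": "sh",
        "dependencies": [{
            "description": "Script must exist at #{tool_path}",
            "prereq_command": "test -f #{tool_path}",
            "get_prereq_command": "printf 'echo tool-ran\\n' > #{tool_path}",
        }],
        "executor": {"name": "sh", "command": "sh #{tool_path}", "cleanup_command": "rm -f #{tool_path}"},
    }

def demo_path():
    """Fresh path in a private temp dir so runs do not interfere with each other."""
    return os.path.join(tempfile.mkdtemp(prefix="rts_demo_"), "tool.sh")

if __name__ == "__main__":
    status, phases = run_test(sample_test(demo_path()))
    for p in phases:
        print(f"[{p.phase:<13}] rc={p.exit_code:<3} {p.duration_ms:6.1f} ms  {p.command}")
    print("status:", status)
```

On a fresh target the first run records four phases (prereq-check fails, get-prereq stages the script, prereq-verify passes, command runs); a second run against the same target records only prereq-check and command, which is the behaviour the manual override short-circuits. Keeping both raw and resolved commands in each Phase is what lets a dashboard show the placeholder form next to what actually ran.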

Threat Actor Emulation Plans

RedTeamSimmer ships with pre-built emulation plans modelled on real-world APT tradecraft. Each plan chains together Atomic Red Team tests mapped to the techniques documented in the corresponding MITRE ATT&CK group profile, so you execute the actor's kill chain in sequence rather than running isolated techniques. Plans are JSON-defined, fully editable, and extensible. You can modify ordering, add or remove techniques, or build your own from scratch using the custom plan builder.

Threat Actor           | Origin                          | Focus
APT28 (Fancy Bear)     | Russia, GRU Unit 26165          | Government espionage, election interference, credential harvesting
APT3 (Gothic Panda)    | China, MSS                      | Aerospace, defence, and telecom targeting
APT41 (Wicked Panda)   | China, dual-use                 | Hybrid espionage and financially motivated intrusions
FIN7 (Carbanak)        | Financially motivated (eCrime)  | POS malware, retail and hospitality breach patterns
Lazarus Group          | North Korea, RGB                | Financial theft, destructive attacks, cryptocurrency operations
Wizard Spider          | Financially motivated (eCrime)  | Ryuk/Conti ransomware kill chains, credential access, lateral movement

Each plan includes the attack chain ordering, GetPrereqs flags for test dependencies, and MITRE technique IDs for ATT&CK Navigator layer export. Execution runs techniques sequentially across one or more agents with full output captured per step.

Dashboard and Reporting

The dashboard gives you a single view of active agents with online and offline status, total emulations executed, technique coverage count, success and failure statistics, recent task history, and a failed operations list for quick triage.

Three chart types visualise the operational picture: a doughnut chart for task status distribution, a bar chart for tactic coverage, and a pie chart for agent status breakdown.

The MITRE ATT&CK heatmap renders executed techniques against the ATT&CK matrix with color-coded status (completed, failed, running, pending), click-through to detailed output, and live updates as operations progress.

View Details Modal

The details modal is where you drill into a single technique execution. The execution summary shows the technique ID, exit code, and duration at a glance, followed by a parsed breakdown of test name, description, executor, and platform. Input arguments are displayed in both their raw form (with variable placeholders) and resolved form (with actual values), so you can see exactly what ran. The prerequisite, main command, and cleanup sections each display their own output streams with syntax highlighting. Cleanup commands are shown for reference but not auto-executed. External links route to MITRE ATT&CK, SigmaHQ, and the Atomic Red Team repository for further investigation.

Detection Rules Integration

Every executed technique is correlated against detection rules from three sources:

  • Sigma Rules: generic detections convertible to any SIEM format.
  • Splunk Queries: ready-to-use SPL queries.
  • Elastic Rules: detections for Elastic Security.

Rules are matched automatically against the technique ID, with a count summary per technique and expandable views for full query content. Direct links route to the upstream rule repositories. The rule database is local and offline, so no external API calls fire during execution, which is useful when running in restricted or air-gapped environments.
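An added example that ties the two sections above together: it loads a JSON-defined plan (the plan format from the Threat Actor Emulation Plans section), validates the step ordering, matches each technique ID against a local rule index, flags the steps with no detection rule, and emits an ATT&CK Navigator layer colored by coverage. This is not the project's code: the plan field names, the Splunk and Elastic 'techniques' field, and the Navigator version strings are assumptions; only the Sigma tag convention (attack.t1059.001) is the real upstream format.

```python
"""Added example (not RedTeamSimmer's own code): plan -> local rule coverage
-> ATT&CK Navigator layer. Plan and rule field names are assumptions."""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
SIGMA_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")   # real Sigma convention

# Constructed plan; 'steps', 'order', 'technique_id', 'atomic_test' and
# 'get_prereqs' are assumed names, not the project's schema.
SAMPLE_PLAN = json.loads("""
{
  "name": "Constructed three-step chain",
  "steps": [
    {"order": 1, "technique_id": "T1059.001", "atomic_test": 1, "get_prereqs": true},
    {"order": 2, "technique_id": "T1003.001", "atomic_test": 2, "get_prereqs": true},
    {"order": 3, "technique_id": "T1021.002", "atomic_test": 1, "get_prereqs": false}
  ]
}
""")

# Constructed local rule metadata. Sigma rules carry technique IDs as tags;
# the 'techniques' list on the Splunk and Elastic entries is assumed.
SAMPLE_RULES = [
    {"source": "sigma", "title": "Suspicious PowerShell Download",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"source": "sigma", "title": "LSASS Memory Access by Unsigned Process",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"source": "splunk", "title": "Encoded PowerShell Command", "techniques": ["T1059.001"]},
    {"source": "elastic", "title": "LSASS Memory Dump Handle Access", "techniques": ["T1003.001"]},
]

def technique_ids(rule):
    """Technique IDs a rule claims to cover, from Sigma tags or a techniques list."""
    ids = set()
    for tag in rule.get("tags", []):
        m = SIGMA_TAG.match(tag)
        if m:
            ids.add(m.group(1).upper())
    ids.update(rule.get("techniques", []))
    return ids

def index_rules(rules):
    """technique ID -> rules, built once from the local (offline) rule database."""
    index = {}
    for rule in rules:
        for tid in technique_ids(rule):
            index.setdefault(tid, []).append(rule)
    return index

def validate_plan(plan):
    """Steps must be numbered 1..n with no gaps and carry well-formed IDs."""
    steps = sorted(plan["steps"], key=lambda s: s["order"])
    if [s["order"] for s in steps] != list(range(1, len(steps) + 1)):
        raise ValueError("step ordering has gaps or duplicates")
    for s in steps:
        if not TECHNIQUE_ID.match(s["technique_id"]):
            raise ValueError(f"malformed technique ID {s['technique_id']!r}")
    return steps

def plan_is_valid(plan):
    try:
        validate_plan(plan)
        return True
    except (ValueError, KeyError):
        return False

def coverage_report(plan, index):
    """Per step: rule count by source, and whether the step is a detection gap."""
    report = []
    for step in validate_plan(plan):
        tid = step["technique_id"]
        by_source = {}
        for rule in index.get(tid, []):
            by_source[rule["source"]] = by_source.get(rule["source"], 0) + 1
        report.append({"order": step["order"], "technique_id": tid,
                       "rules": by_source, "gap": not by_source})
    return report

COVERED, GAP = "#1f77b4", "#d62728"

def navigator_layer(plan, index):
    """ATT&CK Navigator layer with plan steps colored by local rule coverage.
    The version strings are assumptions; set them to the Navigator build you use."""
    techniques = []
    for row in coverage_report(plan, index):
        detail = ", ".join(f"{src}: {n}" for src, n in sorted(row["rules"].items())) or "no local rule"
        techniques.append({"techniqueID": row["technique_id"],
                           "color": GAP if row["gap"] else COVERED,
                           "comment": f"step {row['order']}; {detail}",
                           "enabled": True})
    return {"name": plan["name"], "domain": "enterprise-attack",
            "versions": {"attack": "19", "navigator": "5.1.0", "layer": "4.5"},
            "techniques": techniques,
            "legendItems": [{"label": "covered by a local rule", "color": COVERED},
                            {"label": "detection gap", "color": GAP}]}

if __name__ == "__main__":
    idx = index_rules(SAMPLE_RULES)
    for row in coverage_report(SAMPLE_PLAN, idx):
        print(f"{row['order']}. {row['technique_id']:<10} {'GAP' if row['gap'] else row['rules']}")
    print(json.dumps(navigator_layer(SAMPLE_PLAN, idx), indent=2))
```

With the constructed data the third step (T1021.002) has no rule from any source and is rendered in the gap color; that is the coverage gap a blue team would go and close before the next exercise. Building the index once from the local rule set keeps correlation entirely offline, matching the air-gapped use described above.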

Operations Management

The operations view lists every operation with status, progress, and timestamps. Running operations can be paused, resumed, or stopped from the interface. Progress is shown as a percentage completion bar, and clicking into any operation opens the full execution timeline with a per-technique results table (status, duration, exit codes) and a filterable log view for debugging specific runs.

File Drop System

When an emulation requires specific technique folders on the target, the server bundles them into a ZIP archive and distributes them to the selected agents. Agents confirm successful extraction before execution begins, and the staged files are removed after the test completes or when the agent shuts down cleanly.

Agent Management

The agent list shows every registered agent with status indicators alongside hostname, username, OS, architecture, and last-seen time. AV detection results are displayed per agent so you can see exactly which security products are installed on the target. Agent configuration (startup persistence, jitter timing, metadata) can be modified from the UI without redeploying the binary. The remote shutdown action cleanly removes the agent along with its artifacts: registry entries, scheduled tasks, and dropped files.

Screenshots

Screenshot: RedTeamSimmer login screen
Screenshot: RedTeamSimmer threat actor emulation plans

View the project on GitHub

Browse the source, try RedTeamSimmer in your own lab, and contribute. Issues, feature ideas, and pull requests are all welcome, and a star helps the project reach more defenders.