Jan 19, 2026

Introducing the Adversary Emulation Library

Open-source adversary emulation for purple teams. No paywalls, no vendor lock-in.

We're releasing a library of adversary emulation plans that translates real threat actor behavior into working tools for security testing.


What You Get

Per threat actor:

  • TTPs mapped to MITRE ATT&CK
  • Caldera YAML abilities
  • Sigma detection rules
  • Atomic Red Team tests
  • Validation tooling
  • Full documentation

v1.0 target: 30+ techniques across 3 threat actors

Technique selection prioritizes emulation safety, detection value, and operational realism. Not all publicly reported techniques are emulated.

Open source. Works with your existing tools.


Why This Exists

Most adversary emulation research is behind paywalls or scattered across vendor blogs. We wanted something practical that security teams could use without buying a platform or stitching together fragments.

This is what we needed when setting up purple team operations.

Coverage

Starting with three diverse threat actors:

Threat Actor    Type        Focus           Why It Matters
Lazarus Group   APT         Crypto/Finance  Financially motivated, well-documented cross-platform TTPs
APT29           APT         Gov/Tech        SolarWinds actor, cloud-native and supply chain techniques
LockBit         Ransomware  All sectors     Most active ransomware, ESXi targeting

Nation-state APTs and ransomware. Broad enough for most security teams.

Process

Research → Document → Build → Test → Release

  1. Research public threat intel (MITRE, CISA, vendor reports)
  2. Map TTPs to ATT&CK, document actual commands
  3. Build Caldera abilities and detection rules
  4. Test in lab environments
  5. Release everything

What gets released:

threat-actor-name/
├── caldera/abilities/          # Ready to import
├── detection-rules/sigma/      # Tested rules
├── atomic-red-team/            # Test cases
├── docs/                       # Full documentation
└── iocs.json                   # Sanitized indicators
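One piece of validation tooling that fits this layout, added here as an example and not the library's own code: it scans an actor directory's Caldera abilities for `technique.attack_id` values and its Sigma rules for `attack.tNNNN` tags, then reports techniques that are emulated without a matching detection rule (and rules with no corresponding ability). The directory names follow the tree above; the sample ability and rule files are constructed for the demo, and the line-based matching is an assumption that avoids a YAML dependency.

```python
import re
import tempfile
from pathlib import Path

# Caldera abilities carry `attack_id: T1234[.567]`; Sigma rules carry list tags
# of the form `- attack.t1234[.567]`. Both are matched line by line.
ABILITY_ID_RE = re.compile(r"^\s*attack_id:\s*['\"]?(T\d{4}(?:\.\d{3})?)", re.M)
SIGMA_TAG_RE = re.compile(r"^\s*-\s*['\"]?attack\.(t\d{4}(?:\.\d{3})?)", re.M | re.I)

def techniques_in(files, pattern):
    """Collect normalised (upper-case) technique IDs matched by `pattern` across files."""
    found = set()
    for path in files:
        found.update(m.group(1).upper() for m in pattern.finditer(path.read_text()))
    return found

def coverage_gaps(actor_dir):
    """Return (emulated_without_rule, rule_without_ability) for one actor directory."""
    actor_dir = Path(actor_dir)
    emulated = techniques_in((actor_dir / "caldera/abilities").glob("*.yml"), ABILITY_ID_RE)
    detected = techniques_in((actor_dir / "detection-rules/sigma").glob("*.yml"), SIGMA_TAG_RE)
    return sorted(emulated - detected), sorted(detected - emulated)

# Constructed sample artefacts (not the library's content) laid out like the release tree.
SAMPLE_FILES = {
    "caldera/abilities/discovery.yml": "- id: 00000000-0000-4000-8000-000000000001\n"
    "  name: System information discovery\n  tactic: discovery\n"
    "  technique:\n    attack_id: T1082\n    name: System Information Discovery\n",
    "caldera/abilities/execution.yml": "- id: 00000000-0000-4000-8000-000000000002\n"
    "  name: Unix shell command\n  tactic: execution\n"
    "  technique:\n    attack_id: T1059.004\n    name: Unix Shell\n",
    "detection-rules/sigma/uname_discovery.yml": "title: System discovery via uname\n"
    "logsource:\n  product: linux\n  category: process_creation\n"
    "detection:\n  selection:\n    Image|endswith: '/uname'\n  condition: selection\n"
    "tags:\n  - attack.discovery\n  - attack.t1082\n",
}

def demo():
    """Write the sample tree to a temp dir and run the check; returns the two gap lists."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_FILES.items():
            path = Path(tmp) / "lazarus-group" / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return coverage_gaps(Path(tmp) / "lazarus-group")  # -> (['T1059.004'], [])
```

Run `demo()` to see the check against the constructed tree; pointing `coverage_gaps()` at a real `threat-actor-name/` directory gives the same two lists for that actor.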

Who This Helps

  • Purple teams testing detections
  • Security engineers validating controls
  • Detection engineers writing rules
  • Researchers studying threat actors
  • Anyone who needs emulation without buying a platform

Philosophy

Open source. No licensing. Works with your tools. Learn the techniques, don't just run them.

Community contributions welcome.

Get Involved

Hosted on GitHub at Secure-Origin.

Ways to contribute:

  • Download and test the emulation plans
  • Submit improvements or new techniques
  • Contribute threat actors
  • Help validate detection rules
  • Report issues

Write-ups will be published as each actor's plan is completed.


What's Next

Currently researching Lazarus Group's Linux and Windows TTPs.

First release includes:

  • 10-15 documented techniques
  • Working Caldera abilities
  • Tested Sigma rules
  • Complete documentation

Follow for updates.

