gitmyhub

atomic-red-team

C · ★ 12k · updated 6d ago

Small and highly portable detection tests based on MITRE's ATT&CK.

Atomic Red Team is a library of nearly 1,800 small command-line tests that simulate real attacker behaviors so security teams can verify their detection tools actually catch known attack techniques.

Languages: PowerShell, Bash, C · Setup: easy · Complexity: 2/5

Atomic Red Team is a library of small, focused tests that security teams run against their own systems to check whether their defenses detect known attack techniques. Each test simulates a specific behavior that a real attacker might use, such as modifying registry keys, running specific commands, or interacting with system tools in suspicious ways. The tests are organized according to a publicly maintained framework called MITRE ATT&CK, which catalogs hundreds of real-world attack techniques observed in the wild.

The goal is not to actually compromise anything, but to trigger the kinds of actions that a real intrusion would involve and then verify that your detection tools noticed. If a test runs and your security software does not fire an alert, you know you have a gap. If it does alert, you know that particular technique is covered. This gives security teams a concrete, repeatable way to measure what they can and cannot detect.

The tests are designed to be portable and runnable directly from the command line without a separate installation step. The repository currently contains close to 1,800 individual tests. A companion tool called Invoke-Atomic provides a more structured way to select, run, and report on groups of tests, but it is a separate project.

Atomic Red Team is open source and maintained by Red Canary, a security company, with contributions from the broader security community. New tests can be contributed through a documented process, and there is a Slack workspace for community discussion. The project has a wiki covering how to get started, how to write new tests, and the philosophy behind the approach.

Where it fits