Atomic Red Team

Atomic test builder

Run one real attacker behaviour on purpose, and find out whether your detections actually fire.

Atomic Red Team is an open library of small, precise tests - one per ATT&CK technique, maintained by Red Canary. Each test performs a single real attacker action (dump LSASS, create a scheduled task, disable the firewall) in the smallest possible way. You run them deliberately, in a lab, to answer one question: when an attacker does this, does my detection catch it?

Why anyone runs these

Owning a SIEM and writing rules is not the same as those rules working. The only way to know is to perform the attack and watch. That tight red-action / blue-check loop is “purple teaming.” A test that runs silently is a hole in your visibility you did not know you had.

What this page adds

The raw tests only give you a command. For the technique each one exercises, we also show whether a detection rule even exists in the open corpus (Sigma / IDS / YARA), and - signed in, with your stack’s coverage declared - whether you detect it. So you run the tests that matter and you know what the result should be.

How to use it
Pick what to test. Start from a tactic (“test my credential-access coverage”), a platform, or type a technique ID or tool name. Narrow to the slice you actually care about instead of scrolling a flat list.
Read the test. Each card shows the ATT&CK technique it maps to (click it for full detail and detections), whether it needs admin, and which platforms it runs on. The description is the attacker behaviour it reproduces.
Check coverage before you run. A green “detection rule” badge means the open corpus has a rule for this technique - your SIEM should too. A red “no rule” badge means nothing maps to it. With a stack selected, a second badge shows whether you declared coverage.
Copy the command and run it - in an isolated lab you own, never production. It is a real action. The “needs admin” flag tells you whether to run it elevated so the test is realistic.
Confirm your SIEM alerted. If it did, your detection works. If it stayed silent, you just found a gap - and this exact test reproduces it on demand while you tune the rule.
Close blind spots first. The bar above counts techniques with no rule; the “show only blind spots” filter narrows the list to them. Those are the cheapest, highest-value gaps to fix.
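The six steps above, as an added worked example in Python (this is not code from the page or from the Atomic Red Team project). The records mimic the layout of atomic YAML files (`attack_technique`, `atomic_tests[].supported_platforms`, `executor.elevation_required`), but every entry here is a constructed placeholder with a harmless command, and the rule corpus (`OPEN_RULES`), the declared stack coverage (`DECLARED`) and the SIEM alert export (`SAMPLE_ALERTS`) are constructed stand-ins for the lookups the page performs. The `siem_alerted` check also handles the edge case the loop depends on: an alert for the same technique that fired before the run does not count as proof the detection works.

```python
"""Triage helper for a purple-team loop: pick a slice of atomic tests, show the
two coverage badges, confirm whether the SIEM alerted after the run, and list
blind spots. All data below is constructed; commands are harmless placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed catalogue shaped like atomic YAML files (placeholder commands only).
ATOMICS = [
    {"attack_technique": "T1059.001", "display_name": "placeholder: PowerShell",
     "atomic_tests": [{"name": "placeholder powershell test", "supported_platforms": ["windows"],
                       "executor": {"name": "powershell", "command": "Write-Output placeholder",
                                    "elevation_required": False}}]},
    {"attack_technique": "T1053.005", "display_name": "placeholder: Scheduled Task",
     "atomic_tests": [{"name": "placeholder task test", "supported_platforms": ["windows"],
                       "executor": {"name": "command_prompt", "command": "echo placeholder",
                                    "elevation_required": True}}]},
    {"attack_technique": "T1003.001", "display_name": "placeholder: LSASS Memory",
     "atomic_tests": [{"name": "placeholder lsass test", "supported_platforms": ["windows"],
                       "executor": {"name": "command_prompt", "command": "echo placeholder",
                                    "elevation_required": True}}]},
    {"attack_technique": "T1562.004", "display_name": "placeholder: Disable Firewall",
     "atomic_tests": [{"name": "placeholder firewall test", "supported_platforms": ["windows", "linux"],
                       "executor": {"name": "sh", "command": "echo placeholder",
                                    "elevation_required": True}}]},
]
# Constructed stand-ins: techniques with an open (Sigma-style) rule, and the
# techniques this lab's stack has declared coverage for.
OPEN_RULES = {"T1059.001", "T1053.005", "T1003.001"}
DECLARED = {"T1059.001", "T1003.001"}
# Constructed SIEM export: (timestamp, technique tag). The T1003.001 alert
# predates the run, so it must not be credited to it.
RAN_AT = datetime(2024, 1, 1, 12, 0)
SAMPLE_ALERTS = [(RAN_AT + timedelta(minutes=2), "T1059.001"),
                 (RAN_AT - timedelta(hours=1), "T1003.001")]


@dataclass(frozen=True)
class Atomic:
    technique: str
    name: str
    platforms: tuple
    needs_admin: bool
    command: str


def load_atomics(raw):
    """Flatten per-technique files into one Atomic record per test."""
    out = []
    for entry in raw:
        for t in entry["atomic_tests"]:
            ex = t["executor"]
            out.append(Atomic(entry["attack_technique"], t["name"], tuple(t["supported_platforms"]),
                              bool(ex.get("elevation_required", False)), ex["command"]))
    return out


def select_tests(tests, technique=None, platform=None):
    """Step 1: narrow to a slice. A parent ID (T1059) also matches its sub-techniques."""
    def ok(t):
        if technique and not (t.technique == technique or t.technique.startswith(technique + ".")):
            return False
        return not platform or platform in t.platforms
    return [t for t in tests if ok(t)]


def badges(test, open_rules=OPEN_RULES, declared=DECLARED):
    """Step 3: corpus badge ('rule' / 'no rule') and stack badge ('covered' / 'uncovered')."""
    return ("rule" if test.technique in open_rules else "no rule",
            "covered" if test.technique in declared else "uncovered")


def siem_alerted(alerts, technique, ran_at, window=timedelta(minutes=10)):
    """Step 5: did an alert tagged with this technique land within `window` after the run?"""
    return any(tag == technique and ran_at <= ts <= ran_at + window for ts, tag in alerts)


def blind_spots(tests, open_rules=OPEN_RULES):
    """Step 6: techniques in the slice that no open rule maps to."""
    return sorted({t.technique for t in tests if t.technique not in open_rules})


def report(tests, alerts, ran_at):
    """Per test: technique, needs-admin flag, both badges, and the outcome of the run."""
    rows = []
    for t in tests:
        rule, cov = badges(t)
        if siem_alerted(alerts, t.technique, ran_at):
            outcome = "detected"
        elif rule == "rule" or cov == "covered":
            outcome = "gap"          # a rule should exist, yet nothing fired: tune it
        else:
            outcome = "blind spot"   # nothing maps to it at all: write a rule first
        rows.append((t.technique, t.needs_admin, rule, cov, outcome))
    return rows


if __name__ == "__main__":
    slice_ = select_tests(load_atomics(ATOMICS), platform="windows")
    for row in report(slice_, SAMPLE_ALERTS, RAN_AT):
        print(row)
    print("blind spots:", blind_spots(slice_))
```

The outcome column separates the two kinds of silence the page distinguishes: a "gap" is a technique where a rule exists (in the corpus or on your declared stack) but did not fire, so the fix is tuning; a "blind spot" is a technique nothing maps to, which is where the page suggests starting.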