explaingit

mitre/caldera

6,957 · Python · Audience: ops, devops · Complexity: 4/5 · Setup: hard

TLDR

MITRE Caldera is an automated security testing platform that simulates real attacker behavior on your network so you can find defense gaps before real attackers do, using playbooks mapped to the MITRE ATT&CK framework.

Mindmap

mindmap
  root((Caldera))
    What it does
      Adversary emulation
      Attack playbooks
      Defense gap finding
    Tech Stack
      Python server
      Go agent Sandcat
      Docker deploy
    Use Cases
      Red team exercises
      ATT&CK coverage
      Analyst training
    Plugins
      Extra techniques
      ICS support
      Visualizations
Things people build with this

USE CASE 1

Run automated red-team exercises against your internal network to surface unpatched attack paths before real attackers find them.

USE CASE 2

Map your security defenses against MITRE ATT&CK categories to see exactly which attack techniques you detect and which you miss.

USE CASE 3

Train security analysts using the built-in capture-the-flag course that teaches the platform interactively.

USE CASE 4

Automate incident response drills by running specific attack technique playbooks against isolated test machines.

Tech stack

Python · Go · Docker · REST API

Getting it running

Difficulty · hard · Time to first run · 1h+

Requires Linux or macOS with Python 3.10 and dedicated test machines to target; read the README security recommendations before deploying.

In plain English

MITRE Caldera is an automated adversary emulation platform built and maintained by MITRE, the US non-profit that also runs the ATT&CK framework. In plain terms, it is a tool that lets security teams simulate how a real attacker would move through their network, so they can find weaknesses before a real attacker does.

The way it works is that a security tester deploys Caldera on a server and then installs small agents on the machines they want to test. Caldera then runs pre-built attack playbooks against those machines automatically, recording what succeeded and what failed. The whole operation can be reviewed through a web interface, and reports show which attack techniques worked and which defenses held.

Caldera is built on top of MITRE ATT&CK, a widely used catalog of real-world attack tactics and techniques. Each test in Caldera maps to a specific technique in that catalog, so the output is directly useful for understanding which ATT&CK categories your defenses cover and which they miss.

The platform has a plugin system that extends its capabilities significantly. Plugins add things like additional attack techniques, incident response automation, visualizations of red-and-blue team operations, and support for industrial control system environments.

The default agent is called Sandcat and is written in Go. Setup runs on Linux or macOS with Python 3.10 and, optionally, Go for compiling agents. A Docker image is also available for quicker deployment. Once the server is running, a capture-the-flag style training course built into the platform teaches you how to use it.

This is a research-grade security tool, not a consumer product, and the README notes several security recommendations for safe deployment.

Copy-paste prompts

Prompt 1
Set up MITRE Caldera on Linux with Docker and run an automated adversary emulation exercise against a Windows test machine using the Sandcat agent.
Prompt 2
Configure Caldera to test which ATT&CK Credential Access techniques my endpoint defenses can detect and generate a coverage report.
Prompt 3
Build a Caldera plugin that adds a custom attack technique not in the default library and maps it to an ATT&CK sub-technique.
Prompt 4
Use Caldera to simulate a lateral movement attack chain on a segmented test network and produce a report showing which defenses held and which failed.
Prompt 5
Run the Caldera built-in training course to learn how to use the platform for blue-team detection exercises.