explaingit

redcanaryco/atomic-red-team

11,943 · Audience: ops, devops · Complexity: 2/5 · Setup: easy

TLDR

Atomic Red Team is a library of nearly 1,800 small command-line tests that simulate real attacker behaviors so security teams can verify their detection tools actually catch known attack techniques.

Mindmap

mindmap
  root((Atomic Red Team))
    What it does
      Simulate attacks
      Test defenses
      Find detection gaps
    Organization
      MITRE ATT&CK
      1800 tests
      Portable scripts
    Use Cases
      Detection testing
      Coverage auditing
      Tool validation
    Community
      Red Canary maintained
      Open contributions
      Slack workspace


Things people build with this

USE CASE 1

Run simulated attack techniques on your own systems to check whether your security tools fire the right alerts.

USE CASE 2

Find gaps in your detection coverage by testing which MITRE ATT&CK techniques go completely undetected.

USE CASE 3

Measure the effectiveness of a new security tool configuration before relying on it in a production environment.

Tech stack

PowerShell, Bash, C

Getting it running

Difficulty · easy · Time to first run · 30 min

In plain English

Atomic Red Team is a library of small, focused tests that security teams run against their own systems to check whether their defenses detect known attack techniques. Each test simulates a specific behavior that a real attacker might use, such as modifying registry keys, running specific commands, or interacting with system tools in suspicious ways. The tests are organized according to a publicly maintained framework called MITRE ATT&CK, which catalogs hundreds of real-world attack techniques observed in the wild.

The goal is not to actually compromise anything, but to trigger the kinds of actions that a real intrusion would involve and then verify that your detection tools noticed. If a test runs and your security software does not fire an alert, you know you have a gap. If it does alert, you know that particular technique is covered. This gives security teams a concrete, repeatable way to measure what they can and cannot detect.

The tests are designed to be portable and runnable directly from the command line without a separate installation step. The repository currently contains close to 1,800 individual tests. A companion tool called Invoke-Atomic provides a more structured way to select, run, and report on groups of tests, but it is a separate project.

Atomic Red Team is open source and maintained by Red Canary, a security company, with contributions from the broader security community. New tests can be contributed through a documented process, and there is a Slack workspace for community discussion. The project has a wiki covering how to get started, how to write new tests, and the philosophy behind the approach.
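The workflow described above (pick the tests that apply to a platform, run them, then compare what you ran against what your detection tooling alerted on) can be scripted without Invoke-Atomic. The following is an added example, not code from the Atomic Red Team repository or from Red Canary. The sample data is constructed: it mirrors the dict shape you get from `yaml.safe_load()` on an atomic test file (`attack_technique`, `display_name`, `atomic_tests`, `input_arguments`, `executor`), which is my reading of the project's YAML layout and should be checked against the repo; the commands in it are harmless stand-ins, and `render_command`, `select_tests` and `coverage_report` are hypothetical helper names. The `detected` set stands in for whatever your SIEM or EDR reported, keyed by ATT&CK technique ID.

```python
import re

# Matches Atomic-style input placeholders such as #{output_file}
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# Constructed sample data: two technique files in the shape yaml.safe_load()
# would return. Commands are benign stand-ins, not the repository's real tests.
SAMPLE_ATOMICS = [
    {
        "attack_technique": "T1033",
        "display_name": "System Owner/User Discovery",
        "atomic_tests": [
            {
                "name": "System Owner/User Discovery (cmd)",
                "supported_platforms": ["windows"],
                "executor": {"name": "command_prompt", "command": "whoami\n"},
            },
            {
                "name": "System Owner/User Discovery (sh)",
                "supported_platforms": ["linux", "macos"],
                "input_arguments": {
                    "output_file": {"type": "path", "default": "/tmp/whoami.txt"}
                },
                "executor": {
                    "name": "sh",
                    "command": "whoami > #{output_file}\n",
                    "cleanup_command": "rm -f #{output_file}\n",
                },
            },
        ],
    },
    {
        "attack_technique": "T1112",
        "display_name": "Modify Registry",
        "atomic_tests": [
            {
                "name": "Constructed registry test",
                "supported_platforms": ["windows"],
                "input_arguments": {
                    "key": {"type": "string", "default": "HKCU\\Software\\AtomicTest"}
                },
                "executor": {"name": "command_prompt", "command": "reg query #{key}\n"},
            }
        ],
    },
]


def render_command(test, override=None):
    """Resolve #{name} placeholders from input_arguments defaults, with optional
    per-run overrides. An unresolved placeholder is a test-definition error and
    raises rather than silently shipping '#{...}' to a shell."""
    args = {k: str(v["default"]) for k, v in test.get("input_arguments", {}).items()}
    args.update({k: str(v) for k, v in (override or {}).items()})

    def substitute(match):
        name = match.group(1)
        if name not in args:
            raise ValueError(f"unresolved input argument #{{{name}}} in test {test['name']!r}")
        return args[name]

    return PLACEHOLDER.sub(substitute, test["executor"]["command"]).strip()


def select_tests(atomics, platform):
    """Yield (technique_id, test) for every test that supports the platform."""
    for entry in atomics:
        for test in entry["atomic_tests"]:
            if platform in test["supported_platforms"]:
                yield entry["attack_technique"], test


def coverage_report(atomics, platform, detected):
    """Compare the techniques exercised on a platform against the technique IDs
    your detection stack alerted on. 'gaps' are techniques that ran with no alert;
    'unexpected' are alerts for techniques that were not part of this run."""
    exercised = sorted({tid for tid, _ in select_tests(atomics, platform)})
    covered = [t for t in exercised if t in detected]
    gaps = [t for t in exercised if t not in detected]
    unexpected = sorted(set(detected) - set(exercised))
    ratio = len(covered) / len(exercised) if exercised else 0.0
    return {
        "platform": platform,
        "exercised": exercised,
        "covered": covered,
        "gaps": gaps,
        "unexpected": unexpected,
        "coverage": ratio,
    }


if __name__ == "__main__":
    for tid, test in select_tests(SAMPLE_ATOMICS, "linux"):
        print(tid, "->", render_command(test))
    # Pretend the SIEM only alerted on T1033 during the Windows run
    print(coverage_report(SAMPLE_ATOMICS, "windows", {"T1033"}))
```

The report deliberately separates `gaps` (a test ran, nothing fired: the detection gap the prompts above ask about) from `unexpected` (an alert on a technique you did not run, which usually means either a noisy rule or an unrelated event that happened during the window). Both lists are worth looking at before changing rules.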

Copy-paste prompts

Prompt 1
I want to test if my SIEM detects registry key modification attacks. Which Atomic Red Team tests cover that MITRE ATT&CK technique and how do I run them from the command line?
Prompt 2
Walk me through running an Atomic Red Team test on a Windows machine to verify that my endpoint detection tool catches credential dumping attempts.
Prompt 3
Using Invoke-Atomic, show me how to select a group of Atomic Red Team tests for a specific MITRE ATT&CK tactic and generate a detection coverage report.
Prompt 4
How do I contribute a new atomic test to the Atomic Red Team library? Show me the required YAML structure and the validation steps before submitting a pull request.
Prompt 5
I ran several Atomic Red Team tests and my SIEM missed two of them. How do I interpret those results and what should I do next to close the detection gap?
