Every threat in the Threadlinqs Intelligence feed ships with Atomic Red Team-style attack simulations in three flavors. Select a threat, pick your environment, and validate your detection coverage in seconds.
Attack simulations are executable code snippets that replicate the exact techniques used by real-world threat actors. Each simulation maps to MITRE ATT&CK techniques and links directly to the detection rules that should catch it.
Self-contained, single-technique simulations modeled after the Atomic Red Team framework. Each one exercises a specific TTP in isolation so you know exactly what triggered your alert.
Every simulation is tagged with its MITRE technique ID, tactic, and sub-technique. Validate your coverage matrix by running simulations across the kill chain.
Simulations are paired with the SPL, KQL, and Sigma detection rules written for that exact threat. Run the simulation, then confirm your SIEM fires the expected alert.
New threats get simulations within hours of publication. As the intelligence feed grows, your simulation library grows with it automatically.
Every threat ships with simulations in Windows CMD, Linux Bash, and Python. Choose the flavor that matches your test environment.
Native Windows command-line simulations using built-in tools like cmd.exe, PowerShell, certutil, and reg.exe. No dependencies required.
POSIX-compatible shell simulations using curl, wget, crontab, iptables, and standard utilities. Runs on any Linux distribution.
Cross-platform Python scripts using standard libraries. Simulates network callbacks, file operations, registry access, and process injection patterns.
From threat selection to detection confirmation in under a minute.
Browse the threat feed or search by MITRE technique, actor, or keyword. Open the threat detail panel and navigate to the simulations tab. Every threat with mapped techniques has simulations ready to run.
Pick Windows CMD, Linux Bash, or Python based on your test environment. Each flavor replicates the same technique using native tools for that platform. Copy the simulation with one click.
Run the simulation in your sandbox or test environment. Check your SIEM for the expected alert. The linked detection rules tell you exactly which query should fire and what fields to verify.
Attack simulations exist for one reason: to prove your detections work. Every simulation links back to the detection rules that should catch it.
Execute the attack technique in your test environment
The simulation generates telemetry your SIEM should ingest
Confirm the linked SPL, KQL, or Sigma rule fires correctly
Every simulation is designed to be run in test and sandbox environments without risk to production systems.
Simulations target localhost (127.0.0.1) and temporary directories. No external network calls, no lateral movement, no destructive payloads.
Each simulation includes cleanup steps that undo any system changes. Registry keys, cron jobs, and temp files are removed after execution.
Simulations are scoped to generate detection telemetry without causing actual damage. They emulate technique patterns, not destructive outcomes.
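The validation loop above (execute, generate telemetry, confirm the linked rule fires) and the scoping rules (localhost only, temporary directories, cleanup that leaves nothing behind) can be shown in one small harness. The following is an added illustration written for this page, not Threadlinqs code and not its simulation format: it defines one atomic-style simulation tagged with a real MITRE technique ID (T1105, Ingress Tool Transfer), runs it against a listener on 127.0.0.1 chosen on an OS-assigned port, writes only into a freshly created temp directory, evaluates a Sigma-style selection against the telemetry the run produced, and cleans up in a `finally` block so leftovers are treated as a bug. The event field names (`EventType`, `Image`, `TargetFilename`, `DestinationIp`, `DestinationPort`) and the inert payload bytes are constructed for the example.

```python
"""Simulate -> collect telemetry -> check linked rule -> clean up.
Added example for this page; not the product's own simulation code."""
import os
import socket
import tempfile
import threading
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Telemetry = List[Dict[str, Any]]


@dataclass
class Simulation:
    """One single-technique test with its ATT&CK tags and the rule that should catch it."""
    name: str
    technique_id: str                      # MITRE ATT&CK id (T1105 = Ingress Tool Transfer)
    tactic: str
    rule: Dict[str, Any]                   # Sigma-style selection: "field[|modifier]" -> value
    execute: Callable[[str], Telemetry]    # given a scratch dir, returns the telemetry it produced
    cleanup: Callable[[str], None]         # undoes every change the simulation made


def sigma_selection_matches(selection: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Minimal Sigma selection semantics: every key must match (AND), modifiers as named."""
    for key, expected in selection.items():
        field_name, _, modifier = key.partition("|")
        actual = event.get(field_name)
        if actual is None:
            return False
        if modifier == "":
            ok = actual == expected
        elif modifier == "contains":
            ok = str(expected) in str(actual)
        elif modifier == "endswith":
            ok = str(actual).endswith(str(expected))
        elif modifier == "startswith":
            ok = str(actual).startswith(str(expected))
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True


def loopback_transfer(scratch_dir: str) -> Telemetry:
    """Stand-in for T1105: pull bytes from a listener on 127.0.0.1 and drop them in scratch_dir."""
    events: Telemetry = []
    payload = b"SIMULATION-ONLY-CONTENT\n"          # constructed, inert bytes
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                       # port 0: OS picks a free port; never a fixed one
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(payload)                    # closing the connection signals EOF to the client

    server = threading.Thread(target=serve, daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        events.append({"EventType": "NetworkConnect", "Image": "python",
                       "DestinationIp": "127.0.0.1", "DestinationPort": port})
        data = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            data += chunk
    server.join(5)
    srv.close()
    target = os.path.join(scratch_dir, "stage.bin")  # only ever inside the scratch directory
    with open(target, "wb") as fh:
        fh.write(data)
    events.append({"EventType": "FileCreate", "Image": "python", "TargetFilename": target})
    return events


def remove_scratch_files(scratch_dir: str) -> None:
    """Cleanup step: delete every artifact the simulation dropped."""
    for name in os.listdir(scratch_dir):
        os.remove(os.path.join(scratch_dir, name))


T1105_SIM = Simulation(
    name="loopback ingress tool transfer",
    technique_id="T1105",
    tactic="Command and Control",
    rule={"EventType": "FileCreate", "TargetFilename|endswith": "stage.bin"},
    execute=loopback_transfer,
    cleanup=remove_scratch_files,
)


def validate(sim: Simulation) -> Dict[str, Any]:
    """Run one simulation, test its linked rule on the telemetry, and always clean up."""
    scratch = tempfile.mkdtemp(prefix="atomic-sim-")
    try:
        telemetry = sim.execute(scratch)
        hits = [e for e in telemetry if sigma_selection_matches(sim.rule, e)]
        return {"technique_id": sim.technique_id, "tactic": sim.tactic,
                "events": len(telemetry), "rule_fired": bool(hits), "hits": hits}
    finally:
        sim.cleanup(scratch)
        os.rmdir(scratch)            # raises if the cleanup step missed a file: leftovers are a bug


if __name__ == "__main__":
    print(validate(T1105_SIM))
```

In a real run the telemetry would come from the SIEM rather than be returned by the simulation, but the shape of the check is the same: a rule is "validated" only when the exact event the simulation generated satisfies the linked selection, and a run that leaves files or listeners behind fails regardless of whether the rule fired.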
Attack simulations are available on the Purple tier. Access 160+ threats, 3 simulation flavors per threat, and 1,897 linked detection rules.