
Image: Black and white photographic print, 1st of 8, showing the July 1945 New Mexico atomic bomb explosion test (https://collection.sciencemuseumgroup.org.uk/objects/co8457570/black-and-white-photographic-print-1st-of-8-showing-the-july-1945-new-mexico-atomic-bomb-explosion-test) by Science Museum Photographer, licensed under CC-BY-NC-SA 4.0 (https://creativecommons.org/licenses/by-nc-sa/4.0/)
“Why wait for attackers when you can simulate them — atomically.”
🔬 What is Atomic Red Team?
Atomic Red Team (ART) is an open-source library of small, highly portable detection tests mapped to MITRE ATT&CK. Think of it as a DIY lab kit for defenders — each test (aka “atomic”) simulates a real-world attack technique, minus the drama of actual compromise.
It’s like ordering a bag of mini red team payloads — only they’re legal, controlled, and built to sharpen your blue team skills.
🧰 How Atomic Tests Work
Each atomic test:
- Simulates one ATT&CK technique (e.g., credential dumping, lateral movement)
- Is language-agnostic (Bash, PowerShell, Python, etc.)
- Includes preconditions, execution steps, cleanup, and input args
Atomic tests live in YAML files and can be executed manually or automated with Invoke-AtomicRedTeam (a PowerShell framework for automation).
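To make the YAML structure above concrete, here is an added example (not code from the Atomic Red Team project) that resolves the `#{arg}` placeholders an atomic's executor uses, applying `input_arguments` defaults or caller overrides, and reports whether the test ships a cleanup step. The test definition is constructed for illustration and shaped like the dict `yaml.safe_load()` returns for a technique file; its GUID is a placeholder.

```python
import re
from typing import Any, Optional

# Constructed atomic test shaped like a parsed atomic-red-team T*.yaml.
# Not a real project test; the GUID below is a placeholder.
ATOMIC = {
    "attack_technique": "T1059.001",
    "atomic_tests": [{
        "name": "Constructed PowerShell marker test",
        "auto_generated_guid": "00000000-0000-0000-0000-000000000000",
        "supported_platforms": ["windows"],
        "input_arguments": {
            "marker": {"description": "Tag written into the lab artifact",
                       "type": "string", "default": "ART-T1059.001"},
        },
        "executor": {
            "name": "powershell",
            "elevation_required": False,
            "command": "Set-Content -Path $env:TEMP\\#{marker}.txt -Value 'atomic #{marker}'\n",
            "cleanup_command": "Remove-Item $env:TEMP\\#{marker}.txt -ErrorAction Ignore\n",
        },
    }],
}

PLACEHOLDER = re.compile(r"#\{(\w+)\}")  # ART's #{input_argument} syntax

def render_atomic(test: dict, overrides: Optional[dict] = None) -> dict:
    """Fill #{arg} placeholders in command/cleanup_command.

    Defaults come from input_arguments; overrides take precedence.
    Raises KeyError on unknown overrides or unresolved placeholders.
    """
    declared = test.get("input_arguments", {})
    unknown = set(overrides or {}) - set(declared)
    if unknown:
        raise KeyError(f"unknown input arguments: {sorted(unknown)}")
    args = {k: str(v.get("default", "")) for k, v in declared.items()}
    args.update(overrides or {})

    def fill(text: str) -> str:
        missing = [m for m in PLACEHOLDER.findall(text) if m not in args]
        if missing:
            raise KeyError(f"unresolved placeholders: {missing}")
        return PLACEHOLDER.sub(lambda m: args[m.group(1)], text).strip()

    ex = test["executor"]
    cleanup = ex.get("cleanup_command")
    return {
        "name": test["name"],
        "executor": ex["name"],
        "elevation_required": bool(ex.get("elevation_required", False)),
        "command": fill(ex["command"]),
        "cleanup_command": fill(cleanup) if cleanup else None,
        "has_cleanup": bool(cleanup),  # flag tests you must tidy up by hand
    }
```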
🚀 Getting Started with ART
- Clone the Repo
git clone https://github.com/redcanaryco/atomic-red-team.git
- Install Prerequisites (for Windows tests)
Install-Module -Name Invoke-AtomicRedTeam -Force
Import-Module Invoke-AtomicRedTeam
- Run a Test
Invoke-AtomicTest T1059.001 -TestNumbers 1
Bam. You just simulated a PowerShell command execution technique. ✨
- Run All Atomics for a Technique (omit -TestNumbers to run every atomic in the technique; -ShowDetailsBrief only lists them without executing)
Invoke-AtomicTest T1112
- Simulate, Detect, Tune. Use these tests to:
- Validate SIEM rules
- Tune EDR logic
- Reproduce threat intel TTPs
🔍 Pro Tips for Using ART Effectively
- Always clean up: many tests include a cleanup_command. Use it.
- Isolate your lab: these tests are safe-ish, but still noisy.
- Map to MITRE: Each test is tied to a technique — build coverage dashboards.
- Don’t assume success: Validate the test actually did what it claimed — use Sysmon or EDR to watch.
🛡️ ART + Blue Team = ❤️
Running ART is like throwing flashbangs at your SOC — on purpose. It forces your detection stack to react. Or not. Either way, you learn.
Pair this with:
- SIEM alert correlation
- MITRE coverage analysis
- Purple team exercises
And you’ve got a recipe for continuous, testable defense.
📘 Final Words
You wouldn’t test your parachute by hoping, so why test your defenses by waiting for an attacker?
Atomic Red Team gives you the tools to simulate, detect, and improve — one atomic at a time.
So fire up those scripts, trigger some EDRs, and give your SOC something to chew on. 🍽️
✍️ Written by your cyber lab assistant with too many SIEM tabs open and a passion for reproducible mayhem.