Caldera : An Automated Adversary Emulation System

CALDERA is an automated adversary emulation system, built on the MITRE ATT&CK™ framework. It works by attaching abilities to an adversary and running the adversary in an operation. Full documentation for this system can be found in the wiki.

Python 3.5.3+ is required to run this system.


Start by cloning this repository recursively. This will pull all available plugins.

git clone –recursive

From the root of this project, install the PIP requirements.

pip install -r requirements.txt

Then start the server.


Also Read – Pown Duct : Essential Tool For Finding Blind Injection Attacks

Quick start

To understand CALDERA, it helps to run an operation. Below are pre-built missions you can execute to understand the system. The missions assume CALDERA is running locally.

Mission #1: Nosy Neighbor

Perform reconnaissance on a compromised laptop. Your employer needs a list of the laptop user’s preferred WIFI networks. Grab this list, collecting anything else along the way, then knock the user offline. Finally, get out. Quickly. Leave no trace. There is one caveat: the laptop’s AV scans the machine in full every minute. You must complete this mission in less than 60 seconds.

Start a 54ndc47 agent on the same computer as CALDERA. Do this by opening a terminal and pasting in the correct delivery command for your operating system. You should be welcomed by a log message indicating the agent has sent a “beacon” to CALDERA.

Move to a browser, at, logging in with the credentials admin:admin. Click into the Chain plugin and use the “Operations” section to fire off an operation using the “nosy neighbor” adversary and the my_group group. Fill in an operation name but leave all other fields at their defaults.

Once the operation is complete, compare the execution time of the first and last commands. Was the mission a success? Did the adversary run without a trace? Can you figure out why the abilities are being run in the order they are?

Mission #2: File Hunter

A laptop containing secret, sensitive files has been compromised. Scan the computer for files which match the file extensions (.txt and .yml) the sensitive files are known to have. Then steal the files.

Similar to mission #1, start a 54ndc47 agent and confirm it “beacons” back to CALDERA.

Once confirmed, move to a browser at and click into Chain mode. Click into the “facts” section and examine the available fact sources. Note that the extensions fact source contains the file extensions that you will be hunting for.

Click into the “operations” section and start a new operation. Choose the “file hunter” adversary and ensure that you select the fact source of extensions. By feeding these facts into the operation, the adversary profile chosen (file hunter) will utilize them inside its abilities.

Did the operation find the sensitive files? How many? Can you determine what controls the number of files it looks for?


Bleeding-edge code can be run by using the latest master branch source code. Stable versions are tagged by major.minor.bugfix numbers and can be used by cloning the appropriate tagged version:

git clone –branch 2.2.0 –recursive

Check the GitHub releases for the most stable release versions.

IMPORTANT: The core system relies on plugins (git submodules). If you are unfamiliar with this concept and want to run the bleeding-edge code, a “git pull” on this code will likely not be sufficient. The easiest way to run bleeding-edge code is to recursively re-clone all of CALDERA when you want to update it.


We use the basic feature branch GIT flow. Create a feature branch off of master and when ready, submit a merge request. Make branch names and commits descriptive. A merge request should solve one problem, not many.