Threatest is a Go framework for testing threat detection end-to-end. Threatest allows you to detonate an attack technique, and verify that the alert you expect was generated in your favorite security platform.
A detonator describes how and where an attack technique is executed.
Supported detonators:
An alert matcher is a platform-specific integration that can check if an expected alert was triggered.
Supported alert matchers:
Each detonation is assigned a UUID. This UUID is reflected in the detonation and used to ensure that the matched alert corresponds exactly to this detonation.
The way this is done depends on the detonator; for instance, Stratus Red Team and the AWS Detonator inject it in the user-agent; the SSH detonator uses a parent process containing the UUID.
See the examples for complete usage.
    threatest := Threatest()
    threatest.Scenario("AWS console login").
        WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).
        Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
        WithTimeout(15 * time.Minute)
    assert.NoError(t, threatest.Run())

    ssh, _ := NewSSHCommandExecutor("test-box", "", "")
    threatest := Threatest()
    threatest.Scenario("curl to metadata service").
        WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).
        Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))
    assert.NoError(t, threatest.Run())
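The UUID correlation described above, sketched as an added example (not Threatest's own code): it shows why matching on the rule name alone is not enough when the same rule also fires for other activity. The `Alert` struct, the `detonation/<uuid>` user-agent suffix and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// Alert is a hypothetical, simplified alert record (not a real platform type).
type Alert struct {
	RuleName  string
	UserAgent string
}

// NewDetonationID returns a random version 4 UUID string.
func NewDetonationID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// TaggedUserAgent embeds the detonation ID in the user-agent (assumed format).
func TaggedUserAgent(base, id string) string { return base + " detonation/" + id }

// MatchAlerts keeps only alerts with the expected rule name that also carry
// this detonation's ID, so alerts from other runs or real users are ignored.
func MatchAlerts(alerts []Alert, ruleName, id string) []Alert {
	var out []Alert
	for _, a := range alerts {
		if id != "" && a.RuleName == ruleName && strings.Contains(a.UserAgent, id) {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	id, err := NewDetonationID()
	if err != nil {
		panic(err)
	}
	const rule = "AWS Console login without MFA"
	alerts := []Alert{ // constructed sample alerts
		{rule, "Mozilla/5.0"}, // same rule, unrelated activity
		{rule, TaggedUserAgent("example-client/1.0", "00000000-0000-4000-8000-000000000000")}, // earlier run
		{rule, TaggedUserAgent("example-client/1.0", id)},                                     // this detonation
		{"Some other rule", TaggedUserAgent("example-client/1.0", id)},
	}
	fmt.Println(len(MatchAlerts(alerts, rule, id)), "alert matched detonation", id)
}
```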