Atomic Red Team Runner
An open-source toolset for safely executing MITRE ATT&CK–mapped atomic tests to validate detection and response capabilities.
Atomic Red Team Runner is part of the Atomic Red Team project maintained by Red Canary; in the upstream project the runner is the Invoke-AtomicRedTeam PowerShell module, which loads the YAML-defined atomics from the atomic-red-team repository. It enables security teams to execute small, discrete "atomic" adversary simulations that map directly to MITRE ATT&CK techniques, allowing organizations to continuously test visibility, detections, and response workflows in a controlled manner.
Rather than emulating full attack chains, Atomic Red Team focuses on validating individual techniques, making it ideal for purple team operations, SOC readiness testing, and detection engineering.
What Atomic Red Team Runner Does
Atomic Red Team Runner executes predefined atomic tests that simulate real-world adversary behaviors such as credential dumping, persistence mechanisms, lateral movement, and defense evasion. Each technique has a YAML definition that lists one or more tests, and each test includes its execution command, cleanup command, input arguments with defaults, supported platforms, whether elevation is required, and the ATT&CK technique mapping.
The runner provides a repeatable and safe way to verify whether security controls (SIEM, EDR, XDR, and SOAR) detect and alert on specific attacker techniques.
Atomic Red Team is widely used for continuous security validation rather than one-time penetration testing.
Key Features of Atomic Red Team Runner
MITRE ATT&CK–Mapped Tests
Executes atomic tests aligned directly to ATT&CK tactics and techniques.
Granular Technique Validation
Tests individual adversary behaviors instead of full kill chains.
Multiple Execution Runners
Supports runners such as Invoke-AtomicRedTeam (PowerShell, via the Invoke-AtomicTest cmdlet), shell scripts, and manual execution of the commands listed in each test.
Built-In Cleanup Actions
Includes cleanup commands to revert system changes after tests; tests without one leave their changes behind.
Cross-Platform Coverage
Supports Windows, Linux, and macOS atomic tests; each test declares the platforms it supports.
Detection Engineering Friendly
Designed to help SOC teams validate alerts, telemetry, and log coverage.
Extensible Test Library
Community-maintained repository with continuously expanding techniques.
Automation and CI/CD Ready
Can be integrated into scheduled testing and security pipelines.
Clear Documentation per Test
Each atomic includes prerequisites, commands, and expected outcomes.
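The following is an added example, not code from the Atomic Red Team project or the Invoke-AtomicRedTeam module. It shows the test structure described above (arguments with defaults, #{name} placeholders in the executor command, a cleanup command, supported platforms, an elevation flag) by resolving a test the way a runner does, and it adds the static checks a practitioner wants before admitting a test to a pipeline. The test definition is a constructed Python dict that mirrors the atomic YAML layout so the example runs without a YAML library; T1070.004 is the real ATT&CK ID for file deletion, but the two tests, their commands and the elevation_required value on the Windows test are constructed for illustration.

```python
import re

# Constructed test definition mirroring the atomic YAML schema (attack_technique,
# atomic_tests[].input_arguments, executor.command / cleanup_command). Written as
# a dict so the example runs offline. The tests are inert: each only creates and
# removes a file that the test itself names.
ATOMIC_T1070_004 = {
    "attack_technique": "T1070.004",
    "display_name": "Indicator Removal: File Deletion",
    "atomic_tests": [
        {
            "name": "Create and delete a file (sh, constructed)",
            "supported_platforms": ["linux", "macos"],
            "input_arguments": {
                "file_to_delete": {"description": "File to create then delete",
                                   "type": "path", "default": "/tmp/atomic_delete_me.txt"},
            },
            "executor": {
                "name": "sh",
                "elevation_required": False,
                "command": "touch #{file_to_delete} && rm -f #{file_to_delete}\n",
                "cleanup_command": "rm -f #{file_to_delete}\n",
            },
        },
        {
            "name": "Create and delete a file (PowerShell, constructed)",
            "supported_platforms": ["windows"],
            "input_arguments": {
                "file_to_delete": {"description": "File to create then delete",
                                   "type": "path", "default": "C:\\Windows\\Temp\\atomic_delete_me.txt"},
            },
            "executor": {
                "name": "powershell",
                "elevation_required": True,  # assumed for illustration: shows how the flag reaches the plan
                "command": 'New-Item -ItemType File -Path "#{file_to_delete}" -Force | Out-Null; '
                           'Remove-Item -Path "#{file_to_delete}" -Force\n',
                "cleanup_command": 'Remove-Item -Path "#{file_to_delete}" -Force -ErrorAction Ignore\n',
            },
        },
    ],
}

# Atomic commands reference input arguments as #{name}.
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")


def resolve_args(test, overrides=None):
    """Start from each argument's declared default, then apply caller overrides."""
    values = {name: spec["default"] for name, spec in test.get("input_arguments", {}).items()}
    unknown = set(overrides or {}) - set(values)
    if unknown:
        raise ValueError(f"unknown input arguments: {sorted(unknown)}")
    values.update(overrides or {})
    return values


def render(template, values):
    """Substitute every #{name}; an undefined placeholder is an error, not silently left in."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unresolved placeholder #{{{name}}}")
        return str(values[name])  # function repl: backslashes in paths are kept literally
    return PLACEHOLDER.sub(substitute, template).strip()


def plan_test(atomic, test_number, platform, overrides=None):
    """Return what a runner would execute for test N (1-based, like -TestNumbers) on a platform."""
    tests = atomic["atomic_tests"]
    if not 1 <= test_number <= len(tests):
        raise ValueError(f"{atomic['attack_technique']} has no test {test_number}")
    test = tests[test_number - 1]
    if platform not in test["supported_platforms"]:
        raise ValueError(f"test {test_number} does not support {platform}")
    executor = test["executor"]
    values = resolve_args(test, overrides)
    return {
        "technique": atomic["attack_technique"],
        "test": test["name"],
        "executor": executor["name"],
        "elevation_required": bool(executor.get("elevation_required", False)),
        "command": render(executor["command"], values),
        "cleanup_command": render(executor.get("cleanup_command", ""), values),
    }


def lint_atomic(atomic):
    """Static checks: undeclared placeholders, missing cleanup, missing platform list."""
    problems = []
    for i, test in enumerate(atomic.get("atomic_tests", []), start=1):
        label = f"{atomic['attack_technique']} test {i}"
        executor = test.get("executor", {})
        declared = set(test.get("input_arguments", {}))
        for field in ("command", "cleanup_command"):
            for name in sorted(set(PLACEHOLDER.findall(executor.get(field, ""))) - declared):
                problems.append(f"{label}: {field} uses undeclared argument #{{{name}}}")
        if not executor.get("cleanup_command"):
            problems.append(f"{label}: no cleanup_command, changes would persist after the run")
        if not test.get("supported_platforms"):
            problems.append(f"{label}: no supported_platforms")
    return problems


if __name__ == "__main__":
    for problem in lint_atomic(ATOMIC_T1070_004):
        print("lint:", problem)
    plan = plan_test(ATOMIC_T1070_004, 1, "linux", {"file_to_delete": "/tmp/art_marker.txt"})
    print("execute:", plan["command"])
    print("cleanup:", plan["cleanup_command"])
    if plan["elevation_required"]:
        print("note: this test declares elevation_required")
```

The plan is rendered but never executed here; a real run would hand the command to the executor named in the test and, whatever the outcome, run the cleanup command afterwards. Refusing to render an undefined placeholder matters because a half-substituted command can target a path the operator never intended.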
Advanced Use Cases
Purple Team Operations
Coordinate offensive simulations with defensive validation to improve detection fidelity.
SOC Readiness Testing
Continuously assess whether alerts trigger correctly for known attacker techniques.
Detection Gap Analysis
Identify blind spots where adversary behaviors go undetected or unalerted.
Security Control Validation
Verify EDR, SIEM, and logging configurations after rule or policy changes.
Threat-Informed Defense
Translate threat intelligence directly into actionable defensive testing.
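The SOC readiness, detection gap analysis and control validation use cases above come down to one join: did an alert tagged with the executed technique fire on the same host shortly after the atomic ran? The block below is an added example, not code from the Atomic Red Team project: it runs that join over a constructed execution log (what a wrapper around the runner would record) and constructed alert exports, and wraps the result in a pass/fail gate a pipeline can use. The technique IDs are real ATT&CK identifiers used only as sample mappings; the 120 s window and the rule that an alert on the parent technique counts as detecting its sub-technique (but a sibling sub-technique does not) are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed runner output: one record per executed atomic. Not real data.
EXECUTIONS = [
    {"technique": "T1003.001", "test": 1, "host": "ws01", "ran_at": "2026-01-15T10:00:00"},
    {"technique": "T1053.003", "test": 1, "host": "srv01", "ran_at": "2026-01-15T10:05:00"},
    {"technique": "T1547.001", "test": 1, "host": "ws01", "ran_at": "2026-01-15T10:10:00"},
    {"technique": "T1059.001", "test": 1, "host": "ws01", "ran_at": "2026-01-15T10:15:00"},
]

# Constructed alerts as exported from a SIEM/EDR, each tagged with ATT&CK IDs.
# The cron alert arrives six minutes late; the last alert is for another technique.
ALERTS = [
    {"rule": "LSASS memory access", "host": "ws01", "fired_at": "2026-01-15T10:00:07", "techniques": ["T1003"]},
    {"rule": "Run key modified", "host": "ws01", "fired_at": "2026-01-15T10:10:02", "techniques": ["T1547.001"]},
    {"rule": "Cron entry added", "host": "srv01", "fired_at": "2026-01-15T10:11:00", "techniques": ["T1053.003"]},
    {"rule": "Ingress tool transfer", "host": "ws01", "fired_at": "2026-01-15T10:15:30", "techniques": ["T1105"]},
]


def parent(technique_id):
    """T1003.001 -> T1003; a parent technique is its own parent."""
    return technique_id.split(".")[0]


def technique_matches(executed, alerted):
    """Exact match, or a parent/sub-technique relation. Siblings (T1003.001 vs T1003.002) do not match."""
    if executed == alerted:
        return True
    return alerted == parent(executed) or executed == parent(alerted)


def find_alert(execution, alerts, window):
    """First alert on the same host, tagged with a matching technique, within `window` after the run."""
    ran = datetime.fromisoformat(execution["ran_at"])
    for alert in alerts:
        if alert["host"] != execution["host"]:
            continue
        delay = datetime.fromisoformat(alert["fired_at"]) - ran
        if not timedelta(0) <= delay <= window:
            continue
        if any(technique_matches(execution["technique"], t) for t in alert["techniques"]):
            return alert
    return None


def coverage_report(executions, alerts, window=timedelta(seconds=120)):
    """Split executed atomics into detected and missed; coverage is the detected fraction."""
    detected, missed = [], []
    for execution in executions:
        hit = find_alert(execution, alerts, window)
        record = {**execution, "alert": hit["rule"] if hit else None}
        (detected if hit else missed).append(record)
    coverage = len(detected) / len(executions) if executions else 0.0
    return {"detected": detected, "missed": missed, "coverage": coverage}


def gate(report, minimum):
    """Pipeline gate: True when coverage meets the bar. The missed list is the detection backlog."""
    return report["coverage"] >= minimum


if __name__ == "__main__":
    report = coverage_report(EXECUTIONS, ALERTS)
    for miss in report["missed"]:
        print(f"MISSED {miss['technique']} test {miss['test']} on {miss['host']}")
    print(f"coverage {report['coverage']:.0%}, gate at 75%: {'pass' if gate(report, 0.75) else 'fail'}")
```

Two of the four misses in a real exercise usually look like the constructed ones here: an alert that exists but arrives outside the window (a latency problem, not a rule problem) and an alert for a different technique on the same host (a telemetry or mapping problem). Reporting the matched rule name for each detection lets the analyst confirm it was the intended rule and not a coincidental one.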
Latest Observations (as of 2026)
Recent and ongoing developments include:
Continuous expansion of atomic tests aligned to evolving ATT&CK techniques
Improved cross-platform atomic coverage
Enhanced documentation and prerequisites handling
Strong community contributions and peer review
Ongoing alignment with modern EDR and XDR telemetry
Atomic Red Team remains actively maintained and is widely adopted across enterprise and research environments.
Why It Matters
Traditional penetration testing often validates exploitation success but not detection quality. Atomic Red Team Runner shifts the focus to defensive effectiveness, answering whether security teams can see, detect, and respond to real adversary techniques.
For modern SOCs and purple teams, it is a foundational tool for threat-informed defense and continuous improvement.
Requirements and Platform Support
Atomic Red Team Runner supports:
Windows
Linux
macOS
It requires:
An execution runner appropriate to the platform (e.g., PowerShell for the Invoke-AtomicRedTeam module, whose Invoke-AtomicTest cmdlet runs a test by technique ID and test number, checks or fetches prerequisites with -CheckPrereqs / -GetPrereqs, and reverts it with -Cleanup; a shell for running Linux and macOS atomics by hand)
Administrative or user-level privileges, as declared by each test's elevation_required field
Security approval for controlled adversary simulation
Official repository and documentation:
https://github.com/redcanaryco/atomic-red-team