As a red teamer, I've always enjoyed creating and improving attacks and tools. That interest led me to research different APT groups - from nation-state actors like APT29 and Lazarus Group to financially motivated crews like FIN7 and Scattered Spider. Understanding how they operate and the techniques they use is a core part of what I do.
But as a purple teamer, I've also experienced the other side. Throughout my career, I've spent countless hours modifying TTPs defined by existing frameworks and atomic tests to make them work in each specific environment. Adjusting paths, fixing broken scripts, adapting techniques that were written for a different OS version - it takes a huge amount of time and effort that could be better spent actually improving detections.
My Motivation as an Adversarial Engineer
What started as a personal project has grown organically, adding features and capabilities along the way. The goal has always been the same: make purple teaming easier. I wanted to create an environment with mature, battle-tested TTPs that work reliably. No more flaky scripts that break halfway through an engagement. No more spending hours debugging why a technique failed.
I wanted to build something that bridges the gap between red and blue. Something that lets you:
- Execute real threat actor playbooks with documented TTPs
- Run techniques with or without deploying agents
- Test cloud environments alongside traditional infrastructure
- Generate actionable reports that map directly to detection improvements
That's why I built Cyllex.
Core Philosophy: Flexibility Over Complexity
Cyllex is built on a simple principle: the right tool for the right situation. Not every engagement requires a persistent agent. Not every test needs to touch production systems. Sometimes you just need to validate that your EDR catches a specific technique. Other times your team wants to emulate a complete attack campaign that was just reported in the latest advisory or research paper.
Key Features
APT Emulation Made Simple
This is the core of Cyllex. The goal is to make APT emulation accessible - you shouldn't need to spend weeks researching a threat actor before you can test your defenses against them. Cyllex provides a built-in knowledge base with detailed profiles for major threat groups, including their known TTPs, targeted sectors, associated malware, and operational patterns.
Select a threat group like APT29 or MuddyWater, and Cyllex automatically loads their documented techniques. You get context about who they are, what they target, and how they operate. Execute their TTPs in sequence to simulate a realistic intrusion, or pick specific techniques to test individual detections.
The threat intelligence database covers groups across different regions and motivations:
- Russia: APT28 (Fancy Bear), APT29 (Cozy Bear), Sandworm Team
- China: APT41 (Winnti), APT1 (Comment Crew), Salt Typhoon
- North Korea: Lazarus Group, APT38
- Iran: APT33 (Elfin), MuddyWater
- Financial: FIN7 (Carbanak), Scattered Spider
The TTPs for each group are carefully researched and represent their best-documented techniques. This library will continue to expand throughout development, with new techniques and threat actors added regularly based on emerging threat intelligence.
Each profile includes descriptions, known aliases, targeted industries, and direct links to their techniques in the MITRE ATT&CK framework. No more jumping between threat reports and your testing tools - everything is integrated.
Flexible Execution Methods
Cyllex supports multiple execution modes to fit different engagement scenarios. Deploy a lightweight Rust-based agent (Windows or Linux) when you need persistent access and complex techniques. Go agentless via WinRM or SSH for minimal-footprint reconnaissance. Or leverage cloud API integrations to test AWS, Azure, and Office 365 environments directly. The choice is yours based on the engagement scope and target infrastructure.
Cloud & Container TTPs
Modern attacks don't stop at the perimeter. Cyllex includes dedicated TTPs for AWS, Azure, GCP, and Office 365. Test IAM misconfigurations, enumerate cloud resources, and validate your cloud security posture. The same goes for Kubernetes and Docker environments with container-specific techniques.
Multi-Matrix MITRE ATT&CK View
Navigate TTPs through an interactive MITRE ATT&CK matrix. Switch between Enterprise, Cloud, and Container matrices. See which techniques you've implemented, which ones are pending, and build campaigns directly from the matrix view.
Instant Agent Generation
No compilation delays. Cyllex uses binary patching to generate configured agents in under a second. The server binary includes embedded templates for Windows and Linux - no Rust toolchain needed on your deployment server. Just configure the C2 URL, sleep interval, and jitter, then download your ready-to-deploy agent.
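To make the "patch a template instead of compiling" idea concrete, and to show why such an embedded configuration is also recoverable by an analyst from a captured agent binary or memory dump, here is an added Python example. It is not Cyllex code: the marker, fixed-size slot layout, and JSON config fields are assumptions invented for this illustration, and the template bytes are constructed.

```python
"""Config-by-binary-patching and defender-side config recovery (added example, not Cyllex code).

The marker, slot layout and config fields are hypothetical; a real framework's layout differs.
"""
import json
import struct
from typing import Optional

MAGIC = b"CFGBLOCK"             # constructed marker that locates the reserved slot
SLOT_SIZE = 256                 # constructed fixed-size reservation inside the template
HEADER = struct.Struct("<8sH")  # magic + little-endian length of the JSON payload


def make_template() -> bytes:
    """Constructed stand-in for a pre-built agent template: code bytes around an empty slot."""
    code = b"\x90" * 32
    slot = HEADER.pack(MAGIC, 0) + b"\x00" * (SLOT_SIZE - HEADER.size)
    return code + slot + code


def patch_config(template: bytes, cfg: dict) -> bytes:
    """Write a config into the slot without recompiling; refuse if it does not fit."""
    off = template.find(MAGIC)
    if off < 0:
        raise ValueError("template has no config slot")
    payload = json.dumps(cfg, separators=(",", ":")).encode()
    if HEADER.size + len(payload) > SLOT_SIZE:
        raise ValueError("config too large for slot")
    block = HEADER.pack(MAGIC, len(payload)) + payload
    block += b"\x00" * (SLOT_SIZE - len(block))   # keep the binary the same size
    return template[:off] + block + template[off + SLOT_SIZE:]


def extract_config(binary: bytes) -> Optional[dict]:
    """Defender side: recover the embedded config from a captured sample or memory dump."""
    off = binary.find(MAGIC)
    if off < 0:
        return None
    _, length = HEADER.unpack_from(binary, off)
    start = off + HEADER.size
    if length == 0 or start + length > len(binary):
        return None                                 # unpatched template or truncated dump
    return json.loads(binary[start:start + length])


if __name__ == "__main__":
    # c2.example.invalid is a constructed placeholder, not a real endpoint
    agent = patch_config(make_template(), {"c2": "https://c2.example.invalid", "sleep": 60, "jitter": 20})
    print(extract_config(agent))
```

The same fixed-layout property that makes generation instant is what lets a blue team write a config extractor, so the C2 URL and timing parameters of a deployed agent are expected to be visible to anyone who obtains the binary.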
Built for Purple Teams - Big and Small, New and Mature
Whether you're a small team just starting your purple team journey or a mature security organization running continuous adversary simulations, Cyllex adapts to your needs. Everything is designed with purple teaming in mind. Campaign scheduling lets you automate regular assessments. CSV and PDF exports make reporting straightforward. The threat group database provides context for your findings - you're not just saying "we detected T1055", you're saying "we would have caught APT41's DLL side-loading technique."
What's Next
This is just the beginning. The roadmap includes more threat actor playbooks, additional cloud providers, expanded container techniques, and deeper integration with detection platforms. The goal remains the same: make adversary emulation accessible, realistic, and actionable.
Interested in Cyllex?
Stay tuned for updates on the Framework Updates page.