Atomic Red Team: Small & highly portable detection tests

Atomic Red Team is a set of small, highly portable, community-developed detection tests mapped to MITRE’s ATT&CK. ATT&CK was created by and is a trademark of The MITRE Corporation.

Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. This gives defenders a highly actionable way to immediately start testing their defences against a broad spectrum of attacks.


Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are focused, have few dependencies, and are defined in a structured format that is used by automation frameworks.

Three key beliefs made up the Atomic Red Team charter:

  • Teams need to be able to test everything from specific technical controls to outcomes. Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know what our controls and program can detect, and what they cannot. We don’t have to detect every adversary, but we do believe in knowing our blind spots.
  • We should be able to run a test in less than five minutes. Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. We coined the term “atomic tests” because we felt there was a simple way to decompose tests so most could be run in a few minutes.

    The best test is the one you actually run.

  • We need to keep learning how adversaries are operating. Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, which makes the community working together essential to making us all better.


Copyright (c) 2018 Red Canary, Inc.