
Purple Teaming: Attack Emulation, Reporting, and Detection Identification with Carrie Roberts


Overview

  • Course Length: 16 hours
  • Support from expert instructors
  • Includes a certificate of completion
  • 12 months access to Cyber Range

This class will provide an overview of the MITRE ATT&CK framework and give you in-depth, hands-on knowledge of how to execute scripted attack emulations that exercise many of the techniques defined in the MITRE ATT&CK Framework.

The primary source for the attack emulation scripts will be the free and open-source Atomic Red Team library. You will be provided with hands-on lab instructions for emulating a variety of attacks and creating visualizations using the MITRE ATT&CK Navigator. At the end of this class, you will have the knowledge and tools to begin executing simulated attacks within your own test environment, allowing you to create and validate detections in a scriptable and consistent way. You will also be exposed to methods for tracking this work, including reporting on improvements over time. Lastly, you will learn about many open-source detection libraries and look at tools for correlating those detections to your emulated attacks.

Major course topics include:

  • MITRE ATT&CK and the ATT&CK Navigator
  • Atomic Red Team library of scripted cyber attacks
  • MITRE CALDERA Command-and-Control style attack emulation tool
  • VECTR Purple Team reporting and attack automation
  • SnapAttack detection library

Minor topics include MITRE ATT&CK Evaluations, MITRE Adversary Emulation Library, and the MITRE ATT&CK Powered Suit Browser Extension.

Whether you are a student of information security or a seasoned network defender, there is something to learn from getting involved in the attack emulation space, and this course will help you do that.

Note: We do not write detections in this class.

KEY TAKEAWAYS:

  • General understanding of MITRE ATT&CK framework and tools
  • In-depth knowledge of Atomic Red Team and tools for executing this library of attacks
  • Understanding of how Attack Emulation can help you build and validate your detections
  • Purple team reporting methodologies

WHO SHOULD TAKE THIS COURSE:

Anyone interested in hands-on learning about cyber-attacks, including tools to emulate and report on them, should take this course.

  • Defenders and Blue Teamers
  • Students interested in Information Security
  • Penetration Testers and Red Teamers
  • General Security Practitioners

AUDIENCE SKILL LEVEL:

  • Entry level through advanced information security skills.

STUDENT REQUIREMENTS:

  • General familiarity with the Windows and Linux operating systems.

WHAT A STUDENT SHOULD BRING:

  • A web browser and solid internet access.

Note: Hands-on labs will be completed on virtual machines hosted in the cloud, which you will be able to access from your web browser. All operating systems, including iOS and Android, are acceptable.

APPLICABLE BUSINESS SKILLS:

  • Understanding of attacker tactics and techniques using MITRE ATT&CK
  • In-depth knowledge of Atomic Red Team and tools for executing this library of attacks
  • Ability to portray attack readiness to management using the MITRE ATT&CK Navigator and the VECTR reporting tool
  • Access to detection libraries through the SnapAttack threat intelligence platform.

Intro

  • Attack Emulation Tools Introduction
  • The Value of Attack Emulation

MITRE ATT&CK Framework and Tools

  • MITRE ATT&CK Framework and Tools Overview
  • MITRE ATT&CK Framework
  • MITRE ATT&CK Navigator
    • Lab: MITRE ATT&CK Navigator
    • Lab: Navigator and Combining Layers
    • Lab: MITRE ATT&CK Navigator and Atomic Red Team
  • MITRE ATT&CK Powered Suit Browser Extension
  • MITRE CALDERA
  • MITRE ATT&CK Evaluations
  • MITRE Adversary Emulation Library
  • MITRE ATT&CK Wrap-Up

Atomic Red Team

  • Atomic Red Team Intro
  • Install Atomic Red Team
    • Lab: Install Atomic Red Team
    • Lab: Import the Atomic Red Team Module
    • Lab: List Atomic Tests
  • Invoke-AtomicRedTeam Execution Framework
    • Lab: Check or Get Prerequisites for Atomic Test
    • Lab: Execute Atomic Tests
    • Lab: Specify Custom Input Arguments
    • Lab: Cleanup After Atomic Test Execution
  • Invoke-AtomicRedTeam Execution Logging
    • Lab: Execution Logging
  • Execute Atomic Tests Remotely
    • Lab: Execute Atomic Tests Remotely (Windows → Linux)
  • Execute Atomic Tests on Linux
    • Lab: Execute Atomic Tests on Linux
  • Chain Execution of Atomics
    • Lab: Chain Execution of Atomics
  • Define Your Own Atomic Test
    • Lab: Define Your Own Atomic Test
  • Adversary Emulation and Continuous Atomic Execution
    • Lab: Full Adversary Emulation with Invoke-AtomicRedTeam
  • Atomic Red Team Wrap-Up

VECTR

  • VECTR Intro
    • Lab: Getting Started with VECTR
    • Lab: Create Assessments and Campaigns in your own Database
  • VECTR and Atomic Red Team
    • Lab: Import Atomic Red Team Tests into VECTR
    • Lab: Import Atomic Red Team Logs into VECTR
  • VECTR Execution Automation
    • Lab: Execution Automation & Logging
  • VECTR Wrap-Up

SnapAttack

  • SnapAttack Intro
  • SnapAttack and Atomic Red Team
    • Lab: Detection Identification

Course Wrap-Up

  • Purple Teaming Course Wrap-Up

Wild West Hackin’ Fest – Deadwood (Oct 7th – Oct 8th, 2025) – Deadwood, SD

  • October 7th – 8:30 AM to 5:00 PM MDT
  • October 8th – 8:30 AM to 5:00 PM MDT

FAQ:

Will I have access to the lab environment after class?

Yes. You will be given credits within the MetaCTF portal to run the lab VMs. You control when and how you use those credits. You can use them during class or any time thereafter. You can also purchase additional credits as needed.

Will we be writing detections in this class?

No, but we will be learning about open-source libraries of detections and correlating those to the emulated attacks in the Atomic Red Team library.

Is this course more offensive or defensive focused?

This course is presented from a defender’s perspective. However, we do learn a lot about attacker tactics and techniques through the MITRE ATT&CK framework and the Atomic Red Team library of scripted attacks.

Can we use Atomic Red Team to replace our red team or pentest team?

No, but it can ease the workload of such teams. Atomic Red Team does a really good job of making continuous validation of detections possible through automation, but only for those attacks that are automatable. These automations free up time for the red team to work on the more important and engaging aspects of cyber security that require a human in the loop.

This class is being taught at Wild West Hackin’ Fest – Deadwood 2025.

For more information about our conferences, visit Wild West Hackin’ Fest!
