Atomic Red Team
What is Atomic Red Team?
An open-source library of small, focused tests, created by Red Canary, that emulate individual MITRE ATT&CK techniques to validate detections and security controls.
Atomic Red Team is an open-source project maintained by Red Canary that provides a library of small, portable tests mapped to MITRE ATT&CK techniques and sub-techniques. Each atomic test is a YAML-defined procedure that runs in seconds and specifies its prerequisites, an executor (PowerShell, sh, command_prompt, manual), and cleanup steps. The companion Invoke-AtomicRedTeam PowerShell module orchestrates execution. Blue teams use Atomic Red Team to validate that endpoint and SIEM detections fire, to measure detection coverage against the ATT&CK matrix, and to onboard new analysts with reproducible adversary emulation. Atomics complement broader emulation tools such as Caldera and commercial breach-and-attack-simulation platforms.
● Examples
1. Running Atomic T1059.001-1 to confirm that the EDR detects a benign PowerShell encoded command execution.
2. Generating an ATT&CK Navigator layer of executed atomics to visualize detection coverage gaps.
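The definition above describes atomic tests as YAML records keyed by ATT&CK technique, and the second example describes turning a run of those tests into an ATT&CK Navigator layer. The script below is an added example (not code from Atomic Red Team, Invoke-AtomicRedTeam or Red Canary) that does the second step: it takes per-test execution results, collapses them per technique, scores each technique by the fraction of executed tests that produced an alert, and emits a Navigator layer in which red techniques are the coverage gaps. The result records are constructed inline; the `detected` field and the version strings in the layer header are assumptions, and in practice the records would come from your own execution log joined with EDR/SIEM alert data.

```python
"""Build an ATT&CK Navigator layer from atomic test execution results.

Added example, not code from Atomic Red Team or Red Canary. Uses only the
standard library so it runs offline.
"""
import json
from collections import defaultdict

# Constructed sample: one record per executed atomic test. The field names
# attack_technique and executor mirror keys in the atomic YAML schema;
# `detected` is an assumed field recording whether the EDR/SIEM alerted.
EXECUTED_ATOMICS = [
    {"attack_technique": "T1059.001", "test_number": 1,
     "executor": "powershell", "detected": True},
    {"attack_technique": "T1059.001", "test_number": 2,
     "executor": "powershell", "detected": False},
    {"attack_technique": "T1003.001", "test_number": 1,
     "executor": "powershell", "detected": True},
    {"attack_technique": "T1053.005", "test_number": 1,
     "executor": "command_prompt", "detected": False},
]

COLOR_DETECTED = "#8ec843"   # green: every executed test alerted
COLOR_PARTIAL = "#ffe766"    # yellow: some executed tests alerted
COLOR_GAP = "#ff6666"        # red: no executed test alerted


def summarize_by_technique(results):
    """Collapse per-test results into {technique_id: (detected, total)}."""
    counts = defaultdict(lambda: [0, 0])
    for record in results:
        tid = record["attack_technique"]
        counts[tid][1] += 1
        if record["detected"]:
            counts[tid][0] += 1
    return {tid: tuple(v) for tid, v in counts.items()}


def technique_entry(tid, detected, total):
    """One Navigator 'techniques' entry; score is the detection percentage."""
    score = round(100 * detected / total)
    if detected == total:
        color = COLOR_DETECTED
    elif detected == 0:
        color = COLOR_GAP
    else:
        color = COLOR_PARTIAL
    return {
        "techniqueID": tid,
        "score": score,
        "color": color,
        "comment": f"{detected}/{total} executed atomic tests detected",
        "enabled": True,
    }


def build_layer(results, name="Atomic Red Team detection coverage"):
    """Assemble the Navigator layer document as a plain dict."""
    summary = summarize_by_technique(results)
    return {
        "name": name,
        # Version strings are assumptions; set them to match your Navigator.
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Score = percentage of executed atomic tests that alerted",
        "techniques": [technique_entry(tid, d, n)
                       for tid, (d, n) in sorted(summary.items())],
        "legendItems": [
            {"label": "all executed tests alerted", "color": COLOR_DETECTED},
            {"label": "some executed tests alerted", "color": COLOR_PARTIAL},
            {"label": "no executed test alerted (gap)", "color": COLOR_GAP},
        ],
    }


def coverage_gaps(results):
    """Technique IDs for which no executed atomic test produced an alert."""
    summary = summarize_by_technique(results)
    return sorted(tid for tid, (d, _n) in summary.items() if d == 0)


if __name__ == "__main__":
    layer = build_layer(EXECUTED_ATOMICS)
    print(json.dumps(layer, indent=2))      # paste into Navigator's layer import
    print("coverage gaps:", coverage_gaps(EXECUTED_ATOMICS))
```

Scoring per technique rather than per test matters because a technique with one detected and one undetected atomic is a partial gap: the detection fires on one procedure but not another, which is exactly what the yellow band is meant to surface.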
● Frequently asked questions
What is Atomic Red Team?
An open-source library of small, focused tests, created by Red Canary, that emulate individual MITRE ATT&CK techniques to validate detections and security controls. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you defend against Atomic Red Team?
Atomic Red Team is a defender's validation tool rather than an adversary to defend against; the technical controls and operational practices it exercises are those described in the full definition above.
What are other names for Atomic Red Team?
Common alternative names include: ART, Red Canary Atomic Red Team.
● Related terms
- MITRE ATT&CK [compliance]: A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- EDR (Endpoint Detection and Response) [defense-ops]: An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- SIEM [defense-ops]: A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- Threat Hunting [defense-ops]: Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.