
Migration note: Migrated from ADR-0027 on 2026-05-02 per ADR-0047. Original file retained at docs/adr/0027-purple-team-tooling.md with deprecation banner.

SECOPS-0001: Purple Team Tooling Selection

Sources

  • ADR-0027: Purple Team Tooling Selection (2026-04-06)

| Field | Value |
| --- | --- |
| ID | SECOPS-0001 |
| Date | 2026-04-06 |
| Status | Accepted |
| Author | Ben Peries |
| Phases | Phase 3 (simulation groundwork), Phase 5 (enterprise hardening), Phase 6 (threat persona dataset) |
| ADO WI | #116 |
| Class | security/SECOPS |

Context

Archon Phase 3/5 requires adversarial simulation capability to validate defensive controls (Wazuh, Falco, Conpot, OPNsense rules) against realistic attack patterns. Phase 6 introduces three fictional threat personas — Bob Tremblay (manufacturing operator, MFA not enforced), Stacy Gagnon (accounting, targeted phishing surface), and Marcus Leblanc (over-privileged sysadmin) — each mapped to MITRE ATT&CK techniques relevant to their role.

A purple team approach is required: simulation exercises run in a controlled, documented manner with both offensive (red) and defensive (blue) visibility, producing artifacts that demonstrate detection fidelity and response capability. This is a portfolio differentiator for director/CIO-level audiences.

Three candidates were evaluated:

Candidate 1 — Atomic Red Team (Invoke-AtomicRedTeam)

  • What it is: Open-source library of MITRE ATT&CK-aligned atomic tests. Each test is a minimal, discrete simulation of a specific technique (e.g., T1059 Command Scripting, T1078 Valid Accounts). Tests are YAML-defined; executor is PowerShell (cross-platform via pwsh) or bash/sh for Linux/macOS nodes.
  • Agent requirement: None — runs directly on the target node via SSH or AWX job template.
  • ATT&CK alignment: Native — every test maps to a specific ATT&CK technique/sub-technique ID.
  • Homelab fit: Lightweight, modular, easy to scope to individual nodes. No persistent infrastructure needed. Tests can be triggered by AWX job templates using ansible-svc-account.
  • Maintenance: Upstream Red Canary community maintains the test library; local effort is test selection and result documentation.

Candidate 2 — Caldera (MITRE)

  • What it is: Full C2-style adversary emulation framework. Runs an agent (Sandcat) on target nodes; server orchestrates multi-step attack chains from a web UI. Supports ability chaining, adversary profiles, and plugin ecosystem (Emu, Stockpile, COMPASS).
  • Agent requirement: Persistent Sandcat agent on each target node — significant operational footprint for a homelab.
  • ATT&CK alignment: Deep — supports full kill-chain emulation including lateral movement, persistence, and exfiltration profiles.
  • Homelab fit: Heavy; requires dedicated Caldera server (Docker/k8s), agent management, and persistent connectivity. Better suited to enterprise lab environments with 20+ nodes. Phase 6 stretch is the appropriate scope for Caldera.
  • Maintenance: High — agent/server version coupling, plugin compatibility, ongoing config.

Candidate 3 — Custom Scripts

  • What it is: Bespoke bash/Python scripts simulating specific persona behaviours (e.g., Bob's lateral move from OT zone, Marcus's privilege abuse, Stacy's phishing-triggered credential reuse).
  • Agent requirement: None.
  • ATT&CK alignment: Manual — must map each script to ATT&CK techniques explicitly.
  • Homelab fit: Maximum control and persona fidelity; zero external dependencies.
  • Maintenance: High — scripts must be updated as the platform changes; no community support.

Decision

Primary: Atomic Red Team (Invoke-AtomicRedTeam) via PowerShell Core (pwsh) on Linux nodes.

Secondary: Custom scripts for persona-specific scenarios where Atomic tests do not cover the exact behaviour (e.g., Bob's OT-zone lateral movement path, Stacy's credential reuse pattern, Marcus's NOPASSWD sudo abuse).

Stretch (Phase 6 only): Caldera — deferred until the lab has sufficient node count and dedicated simulation infrastructure to justify the operational overhead.

Rationale:

  1. Atomic Red Team is the simplest path to MITRE ATT&CK coverage with zero persistent agent infrastructure — aligns with the homelab's resource constraints (3 IT nodes, limited RAM).
  2. AWX job templates can invoke pwsh Atomic tests against caneast-it inventory using ansible-svc-account — no additional tooling or secrets required beyond what is already deployed.
  3. ATT&CK technique IDs in test output map directly to Wazuh alert rules and Falco conditions, enabling a tight blue-team detection feedback loop.
  4. Custom scripts give persona-specific fidelity that Atomic's generic tests cannot provide, at controlled, documented scope.
  5. Caldera's C2 model is appropriate for enterprise red teams with dedicated operators; for a homelab portfolio it adds complexity without proportional detection value at Phase 3/5 scale.

Threat Personas — ATT&CK Mapping

| Persona | Role | Deliberate Misconfiguration | Primary ATT&CK Techniques |
| --- | --- | --- | --- |
| Bob Tremblay | Manufacturing operator | MFA not enforced on OT-facing account | T1078 Valid Accounts, T1021 Remote Services, T1040 Network Sniffing |
| Stacy Gagnon | Accounting | Phishing-susceptible (no MFA, email on shared workstation) | T1566 Phishing, T1056 Input Capture, T1539 Steal Web Session Cookie |
| Marcus Leblanc | Sysadmin | Over-privileged (NOPASSWD sudo, broad SSH access, no PAM logging) | T1068 Privilege Escalation, T1098 Account Manipulation, T1070 Indicator Removal |

Persona profiles and full technique mapping are maintained in docs/internal/security/threat-personas.md (internal only — never published via sanitization pipeline).

Constraints

  • Isolated test environment required. No simulations against production nodes without an explicit documented test window. Test nodes must be snapshotted (KVM) before execution and restored after. Production services (AWX, Infisical, Portainer, AdGuard) are out of scope for any live simulation.
  • ansible-svc-account execution only. All AWX-triggered simulations run as ansible-svc-account. Never run Atomic tests interactively as operator — execution must be auditable and reproducible via AWX job history.
  • All simulation runs documented in docs/internal/. Each exercise produces:
      • Technique ID(s) tested
      • Node(s) targeted
      • Detection result (Wazuh alert / Falco event / not detected)
      • Gap remediation action (ADR or WI if detection failed)
  • ccagnt-purpleteam agent is unblocked after this ADR merges. The agent must reference this ADR as its tooling authority and must not introduce Caldera or any C2 agent without a superseding ADR.
  • Grype only for scanning. Any container images used in simulation infrastructure (e.g., a future Caldera server) must be scanned with Grype. Trivy remains avoided (APPSEC-0001).
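
One way to produce the per-exercise record listed above from Wazuh's alerts.json, shown as an added example that is not part of this ADR or the Archon code base. It matches each simulation run to alerts on the same node inside a time window by ATT&CK ID (the `rule.mitre.id` field Wazuh writes on tagged rules). The node names, rule IDs, timestamps, the run-record layout and the 300-second window are constructed assumptions; Falco events are not covered.

```python
import json
from datetime import datetime, timedelta

TS = "%Y-%m-%dT%H:%M:%S.%f%z"  # timestamp layout used in Wazuh alerts.json

# Constructed sample data: three simulation runs and three Wazuh alerts.
RUNS = [
    {"technique": "T1078", "node": "it-node-01", "start": "2026-04-10T14:00:00.000+0000"},
    {"technique": "T1098", "node": "it-node-02", "start": "2026-04-10T14:10:00.000+0000"},
    {"technique": "T1070", "node": "it-node-02", "start": "2026-04-10T14:20:00.000+0000"},
]
ALERTS = """\
{"timestamp":"2026-04-10T14:00:42.000+0000","agent":{"name":"it-node-01"},"rule":{"id":"100101","mitre":{"id":["T1078"]}}}
{"timestamp":"2026-04-10T14:21:05.000+0000","agent":{"name":"it-node-02"},"rule":{"id":"100102","mitre":{"id":["T1070.003"]}}}
{"timestamp":"2026-04-10T14:30:00.000+0000","agent":{"name":"it-node-01"},"rule":{"id":"100103","mitre":{"id":["T1098"]}}}
"""

def base(tid):
    """Parent technique of an ATT&CK ID: 'T1070.003' -> 'T1070'."""
    return tid.split(".")[0]

def correlate(runs, alert_lines, window_s=300):
    """Return one record per run: technique, node, detection result, gap flag."""
    alerts = [json.loads(line) for line in alert_lines.splitlines() if line.strip()]
    report = []
    for run in runs:
        start = datetime.strptime(run["start"], TS)
        end = start + timedelta(seconds=window_s)
        hits = set()
        for a in alerts:
            when = datetime.strptime(a["timestamp"], TS)
            ids = a.get("rule", {}).get("mitre", {}).get("id", [])
            same_node = a.get("agent", {}).get("name") == run["node"]
            # Credit an alert only if node, time window and technique all line up.
            if same_node and start <= when <= end:
                if any(base(i) == base(run["technique"]) for i in ids):
                    hits.add(a["rule"]["id"])
        report.append({
            "technique": run["technique"],
            "node": run["node"],
            "result": "Wazuh alert" if hits else "not detected",
            "rule_ids": sorted(hits),
            "needs_remediation": not hits,  # a miss calls for an ADR or WI
        })
    return report

if __name__ == "__main__":
    for row in correlate(RUNS, ALERTS):
        print(row)
```

The T1098 run is reported as not detected even though a T1098 alert exists, because that alert fired on a different node and outside the run's window.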

Consequences

Positive

  • MITRE ATT&CK coverage demonstrable from Phase 3 onward — significant portfolio value.
  • AWX becomes the simulation orchestrator — no new infrastructure required to begin.
  • Wazuh/Falco detection fidelity can be measured against known Atomic test outputs.
  • Caldera path preserved for Phase 6 without re-architecting — decision is additive.

Negative

  • Atomic Red Team requires pwsh (PowerShell Core) installed on IT nodes — new dependency, managed via Ansible role (caneast.purple_team_prereqs).
  • Custom persona scripts require ongoing maintenance as platform topology changes.
  • Without Caldera, multi-stage kill-chain emulation (lateral movement chaining) is less automated — Phase 6 will need Caldera or equivalent.

Neutral

  • Phase 6.3 roadmap entry ("Purple team tooling TBD") is now resolved by this ADR. Update roadmap to reference SECOPS-0001.

References

  • Atomic Red Team — Red Canary
  • Caldera — MITRE
  • MITRE ATT&CK
  • APPSEC-0001: Supply chain scanning (Grype over Trivy)
  • IAM-0003: IT Ansible service account (ansible-svc-account)
  • WI #116 — feat: purple team ADR
  • docs/internal/security/threat-personas.md (internal)