AttackMate enables realistic cyberattack emulation across the full cyber kill chain.

Researchers are increasingly focused on accurately simulating cyber attacks to improve security testing and threat detection. Max Landauer, Wolfgang Hotwagner, Thorina Boenke, Florian Skopik, Markus Wurzenberger, and colleagues at the Austrian Institute of Technology have developed AttackMate, a novel attack scripting language and execution engine designed to address critical shortcomings in existing adversary emulation tools. Unlike current solutions that rely on detectable agents, AttackMate mimics genuine attacker behaviour more convincingly, offering realistic emulation across the entire cyber kill chain, including often-neglected initial access stages. This advancement is significant because it allows for more effective and nuanced security exercises, and improves the accuracy of intrusion detection research by generating log artefacts indistinguishable from those of a real human attacker.

The core innovation lies in AttackMate’s ability to avoid the use of implanted agents, a common flaw in current tools that introduces artificial artifacts into log data. Instead, the system executes attacks in a manner that closely resembles a human operator, generating more authentic and difficult-to-detect attack traces. Results demonstrate that log artifacts produced by AttackMate are significantly more similar to those generated by actual human attackers than those created by standard adversary emulation tools, improving the fidelity of security assessments and training exercises.

This work establishes a new benchmark for realism in adversary emulation, addressing the need for more accurate and reliable security testing methodologies. The team’s approach focuses on the technical execution of attacks, moving beyond abstract attack planning to deliver a functional system capable of generating authentic attack traces. By avoiding reliance on automated tools and commands atypical for human operators, AttackMate minimizes the creation of easily identifiable patterns in log data. The researchers also publish the log datasets collected during their evaluation, providing a valuable resource for the security community and facilitating further research in this critical area.
Furthermore, AttackMate supports full attack chaining and addresses gaps in existing tools by enabling emulation of all stages of the kill chain, including initial access. This comprehensive capability allows security professionals to simulate complete attack scenarios, providing a more holistic and realistic assessment of their defenses. The development of AttackMate opens new possibilities for improving the effectiveness of cyber exercises, enhancing intrusion detection research, and ultimately strengthening an organisation’s overall cybersecurity posture. The team anticipates that this tool will be invaluable for both red teaming exercises and the development of more robust intrusion detection systems.

AttackMate scripting for realistic adversary emulation simplifies red

Unlike conventional tools, AttackMate avoids installing agents on target systems, thereby producing log artifacts that more closely resemble those of human attackers. The team measured the realism of attack traces generated by AttackMate and compared them to those produced by conventional adversary emulation tools. Results demonstrate that AttackMate’s activities generate log artifacts that more closely resemble those of human attackers, significantly improving the authenticity of emulated attacks. Specifically, the work avoids the use of implanted agents, a common source of artificiality in existing tools, and instead focuses on scripting attacks that mirror human actions and progression.
This approach ensures coherent process trees and traceable attack paths, crucial for accurate analysis during cyber exercises and intrusion detection evaluations. Tests prove that AttackMate overcomes limitations of current tools by enabling the automation of realistic cyber attack execution, focusing on the technical aspects of attack chaining rather than automatic attack plan derivation. Data shows that AttackMate successfully emulates these stages without introducing the artificial artifacts commonly found in agent-based systems. Measurements confirm that AttackMate addresses the lack of support for complete attack chains and initial access techniques found in many existing tools.

The system allows for the scripting of complex attack sequences, enabling comprehensive security assessments. Furthermore, the team highlights that while the current implementation relies on manually modelled attack chains, the tool is compatible with any attack-planning algorithm, offering flexibility and scalability. This advancement is critical for creating authentic training scenarios and evaluating the performance of intrusion detection systems under realistic conditions.

Realistic Attack Emulation via Human Mimicry improves security

This tool distinguishes itself by focusing on technically accurate replication of attack techniques throughout the entire kill chain, unlike conventional adversary emulation tools. AttackMate avoids deploying agents on target systems, instead mimicking human attacker behaviour through interactive prompting and session handling, resulting in log artifacts that more closely resemble those of genuine attacks. The authors acknowledge that the current implementation requires further development, particularly in areas such as integration with attack-planning algorithms and large language models for automated playbook creation. Future work could explore leveraging these technologies to automatically generate or adapt attack playbooks, and to create realistic test environments with intentionally embedded vulnerabilities, enhancing the tool’s capabilities for generating comprehensive evaluation datasets.

👉 More information
🗞 AttackMate: Realistic Emulation and Automation of Cyber Attack Scenarios Across the Kill Chain
🧠 ArXiv: https://arxiv.org/abs/2601.14108

Rohail T.
