OpenAEV: Free Open-Source Adversarial Exposure Validation Tool

Summary
– OpenAEV is an open-source platform for planning, running, and reviewing cyber adversary simulation campaigns that blend technical and human response elements.
– Its core concept is a scenario, which defines a threat context as a structured plan of events called injects and serves as a reusable template for multiple simulations.
– A simulation executes a scenario by scheduling injects along a timeline, with conditions and expectations that feed into scoring and reporting on control performance.
– The platform connects to external systems via injectors to deliver actions and collectors to retrieve data from security tools, linking activity to observed telemetry.
– OpenAEV supports deployment via containers or manual installation, is compatible with multiple operating systems, and is freely available on GitHub.
For security teams seeking to improve their defensive posture, OpenAEV provides a free, open-source platform for planning, executing, and reviewing comprehensive adversary simulation campaigns. This tool moves beyond simple technical testing by integrating operational workflows and human response elements into a unified exercise management system.
The entire framework is built around the concept of a scenario. A scenario establishes a threat context and transforms it into a structured plan composed of individual events known as injects. This foundational layer can include background documents, media files, and other contextual data to immerse participants in the exercise narrative. It also defines the players and assets involved, linking specific people and endpoints to the planned activity. Crucially, scenarios act as reusable templates, enabling teams to run multiple simulations from the same base plan. This allows for tracking results over time and identifying patterns across repeated exercises focused on a particular threat model.
When a scenario is put into action, it becomes a simulation. Each simulation schedules the scenario’s injects along a precise timeline, letting events unfold in a controlled, sequential manner. These injects can represent a wide array of actions, from technical endpoint activity to player-focused tasks like sending incident communications or executing coordination steps. Injects can also be governed by conditions that determine their execution, based on predefined expectations. Expectations describe the outcomes teams aim to observe, covering areas like prevention behavior, detection signals, vulnerability handling, and human decision-making. The results from these expectations feed directly into scoring and reporting functions, providing a clear summary of how security controls and processes performed.
To bridge the gap between the platform and real-world environments, OpenAEV utilizes injectors and collectors. Injectors are responsible for delivering actions into target systems. Some trigger payload execution on endpoints, while others deliver messages through communication channels used by participants. The platform is designed to be extended, allowing teams to adapt injectors to fit unique environments and workflows. For endpoint simulations, OpenAEV employs neutral agents that run payloads as detached processes, with support for Windows, Linux, and macOS systems to accommodate mixed operating system estates.
On the other side, collectors manage inbound data. They retrieve alerts and events from security tools like EDR and XDR platforms, mapping this telemetry back to the expectations defined in the simulation. This critical process enables teams to directly link injected activity with observed security tooling data, allowing for a structured evaluation of detection and response capabilities. The platform also exposes a REST API to support the development of custom collectors and integrations for specialized needs.
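To make the scenario/inject/expectation/collector model described above concrete, here is an added, illustrative Python model of that workflow. It is not OpenAEV's own code or API; the class names, the match-dict mapping rule and the sample EDR events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Expectation:
    name: str        # outcome category, e.g. "detection" or "prevention"
    inject_id: str   # inject whose outcome this expectation covers
    match: dict      # telemetry fields that must all be present to satisfy it
    met: bool = False

@dataclass
class Inject:
    id: str
    offset_s: int    # seconds after simulation start on the timeline
    requires: list = field(default_factory=list)  # "<inject>:<expectation>" conditions

def run_collector(expectations, events):
    """Collector step: map inbound alerts back to expectations. An expectation
    is met when at least one event carries every key/value in its match dict."""
    for exp in expectations:
        exp.met = any(all(e.get(k) == v for k, v in exp.match.items()) for e in events)
    return expectations

def run_simulation(injects, expectations, events):
    """Schedule injects by timeline offset; an inject whose conditions refer to
    unmet expectations is skipped. Returns (executed_ids, skipped_ids)."""
    run_collector(expectations, events)
    met = {f"{e.inject_id}:{e.name}" for e in expectations if e.met}
    executed, skipped = [], []
    for inj in sorted(injects, key=lambda i: i.offset_s):
        (executed if all(r in met for r in inj.requires) else skipped).append(inj.id)
    return executed, skipped

def score(expectations):
    """Scoring step: percentage of expectations met (0.0 when there are none)."""
    if not expectations:
        return 0.0
    return 100.0 * sum(1 for e in expectations if e.met) / len(expectations)

# Constructed sample scenario and telemetry (hypothetical values, not real alerts).
INJECTS = [
    Inject("inj-1", 0),                                        # endpoint payload
    Inject("inj-2", 60, requires=["inj-1:detection"]),         # incident comms
    Inject("inj-3", 120, requires=["inj-1:prevention"]),       # follow-up step
]
EXPECTATIONS = [
    Expectation("detection", "inj-1", {"source": "edr", "rule": "suspicious-child-process"}),
    Expectation("prevention", "inj-1", {"source": "edr", "action": "blocked"}),
]
EVENTS = [{"source": "edr", "rule": "suspicious-child-process", "action": "alert"}]
```

With the constructed events the EDR raised an alert but did not block, so the detection expectation is met, the prevention one is not, inject inj-3 is skipped and the score is 50%.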
Deployment is flexible, supporting both container-based setups and manual installations. The documented architecture relies on standard infrastructure components such as a relational database, search services, message queues, and object storage. As a community-driven project, OpenAEV is freely available on GitHub for organizations to implement and customize.
(Source: HelpNet Security)