Let’s be honest, your security team didn’t go to the trouble of simulating adversary behavior with Atomic Red Team just to… copy and paste test results into another Excel spreadsheet you’ll forget exists by next week.

We’ve all been there. The “Red Team Results” tab has 19 color-coded cells, 3 different versions of “Needs Review,” and at least one row labeled “¯\_(ツ)_/¯.”

It’s time to mature just a little and put your testing data where it belongs: in VECTR.

Meet VECTR: The Open-Source Sanity Saver

VECTR is like that one friend who organizes your chaotic group chat into threads and action items. It’s an open-source Purple Team engagement platform built to:

• Log your offensive testing activities (Atomic Red Team, manual scripts, PowerShell spaghetti, etc.)
  

• Track defensive outcomes (Observed, Not Detected, Alerted, Investigated, Ignored, oops)
  

• Visualize detection coverage across ATT&CK techniques and campaigns
  

• Prove you're maturing, not just memeing your way through TTPs
  

And the cherry on top?
✅ No Excel acrobatics
✅ Self-hosted & open-source
✅ Dashboards that make execs feel like they’re in CSI: Cyber

Scenario: Your CISO Just Read the DBIR... and Now You’re on a Mission

So it’s Monday. You’re halfway into your third coffee. The CISO pings the team:

“Just read the new 2025 Verizon DBIR. We need to know if we’re protected against Kimsuky.”

Kimsuky? Yup! North Korean APT known for credential harvesting, spear-phishing, and living off the land harder than a survivalist in a zombie apocalypse.

The directive?
Spin up a Purple Team engagement simulating Kimsuky TTPs to assess if our detection stack can stop ‘em.

So, what do you do? 🤔

Step 1: Use ATT&CK + Atomic to Build the Campaign

You start with the MITRE ATT&CK page for Kimsuky and pull-out relevant techniques.

Then you cross-reference them with Atomic Red Team tests. Boom! You now have:

• T1566.002 – Spear Phishing Link - Macro

• T1059.005 – Execution using VBScript

• T1543.003 – Persist via new Windows service created in Registry

• T1547.001 – Payload execution using Registry RunOnce key

• T1562.001 – Disable security tool service remotely

• T1003.001 – LSASS credential dumping

• T1550.003 – Pass-the-ticket

• T1056.001 – Keylogger

• T1071.001 – Cobalt Strike Beacon

✅ Aligned TTPs
✅ Tested procedures
✅ A vengeful sense of purpose

Step 2: Build the Campaign Within VECTR

In VECTR, you build out a “Kimsuky Simulation” campaign and simply add the MITRE ATT&CK techniques. VECTR makes this SUPER easy because the techniques are already included in their platform!

For each technique:

• Add the corresponding Atomic test
  

• Include Red Team execution results
  

• Document Blue Team detection status
  

  • e.g., "Payload on disk deleted/quarantined by antivirus or other endpoint security tool"
    

• Assign confidence ratings, upload evidence, track what failed

Your campaign is now not just a test. It’s a report card for your defense capabilities against the Kimsuky APT group. One the CISO can read without needing a decoder ring.

Step 3: Show the Data, Not Just the Drama

When the CISO asks, “Are we protected against Kimsuky?” You don’t say “uhhh maybe?”
You pull up your VECTR dashboard and drop the mic:

Threat Resilience Metrics

Once all test cases were imported and scored, here’s what the VECTR dashboard showed:

60% Threat Resilience

• 🔵 3 Blocked

• 🟢 3 Alerted

• 🟡 4 Logged only

Translation: You’ve got decent visibility, but 40% of your simulated attacks were quietly logged without alerting anyone. Great for hindsight, terrible for stopping threats in real-time.

Stats by Detection Stack

Where exactly did the wins and misses happen?

• Windows Defender: 3 Blocked, 2 Alerted — MVP of the campaign

• SIEM: Logged 3 events, 0 alerted, 0 blocked — could use better correlation rules

• Zeek (BRO): 1 alert — Solid network-layer visibility, but no prevention mechanism

• Email Platform: Logged 1 event, 0 alerted, 0 blocked — Needs serious tuning

This view makes it crystal clear where your detection gaps live and who owns them.

You don’t just think you're safe, you know where the gaps are. You even have a list of follow-up actions for your next Purple team engagement! Additionally, VECTR makes it easy to re-run the same campaign again at a later time once the gaps have been remediated to visibly see maturity (e.g., that 60% Threat Resilience Metric is now at 95% the following quarter).

Final Thoughts: From Chaos to Clarity

If Atomic Red Team is how you unleash controlled chaos, then VECTR is how you bring order to it with structure, insight, and direction.

You’re not just testing, you’re maturing.
You’re not just alerting, you’re measuring.
You’re not just red teaming, you’re purple teaming like a pro.

And what we've shown in this post? It's just scratching the surface. VECTR offers a ton of functionality. From campaign scheduling and trend analytics to analyst reporting, threat intelligence mapping, and deeper API integrations. But we kept it light here to keep you out of the weeds. 😄