Stop the Spreadsheet Madness: Visualize Your Atomic Red Team Tests with VECTR
A follow-up to Simulate. Detect. Tune. Repeat.
Let’s be honest, your security team didn’t go to the trouble of simulating adversary behavior with Atomic Red Team just to… copy and paste test results into another Excel spreadsheet you’ll forget exists by next week.
We’ve all been there. The “Red Team Results” tab has 19 color-coded cells, 3 different versions of “Needs Review,” and at least one row labeled “¯\_(ツ)_/¯.”
It’s time to mature just a little and put your testing data where it belongs: in VECTR.
Meet VECTR: The Open-Source Sanity Saver
VECTR is like that one friend who organizes your chaotic group chat into threads and action items. It’s an open-source Purple Team engagement platform built to:
Log your offensive testing activities (Atomic Red Team, manual scripts, PowerShell spaghetti, etc.)
Track defensive outcomes (Observed, Not Detected, Alerted, Investigated, Ignored, oops)
Visualize detection coverage across ATT&CK techniques and campaigns
Prove you're maturing, not just memeing your way through TTPs
And the cherry on top?
✅ No Excel acrobatics
✅ Self-hosted & open-source
✅ Dashboards that make execs feel like they’re in CSI: Cyber
Scenario: Your CISO Just Read the DBIR... and Now You’re on a Mission
So it’s Monday. You’re halfway into your third coffee. The CISO pings the team:
“Just read the new 2025 Verizon DBIR. We need to know if we’re protected against Kimsuky.”
Kimsuky? Yup! North Korean APT known for credential harvesting, spear-phishing, and living off the land harder than a survivalist in a zombie apocalypse.
The directive?
Spin up a Purple Team engagement simulating Kimsuky TTPs to assess if our detection stack can stop ‘em.
So, what do you do? 🤔
Step 1: Use ATT&CK + Atomic to Build the Campaign
You start with the MITRE ATT&CK page for Kimsuky and pull out the relevant techniques.
Then you cross-reference them with Atomic Red Team tests. Boom! You now have:
T1566.002 – Spear Phishing Link - Macro
T1059.005 – Execution using VBScript
T1543.003 – Persist via new Windows service created in Registry
T1547.001 – Payload execution using Registry RunOnce key
T1562.001 – Disable security tool service remotely
T1003.001 – LSASS credential dumping
T1550.003 – Pass-the-ticket
T1056.001 – Keylogger
T1071.001 – Cobalt Strike Beacon
✅ Aligned TTPs
✅ Tested procedures
✅ A vengeful sense of purpose
Step 2: Build the Campaign Within VECTR
In VECTR, you build out a “Kimsuky Simulation” campaign and simply add the MITRE ATT&CK techniques. VECTR makes this SUPER easy because the techniques are already included in the platform!
For each technique:
Add the corresponding Atomic test
Include Red Team execution results
Document Blue Team detection status
e.g., "Payload on disk deleted/quarantined by antivirus or other endpoint security tool"
Assign confidence ratings, upload evidence, track what failed
Your campaign is now not just a test. It’s a report card for your defense capabilities against the Kimsuky APT group. One the CISO can read without needing a decoder ring.
Step 3: Show the Data, Not Just the Drama
When the CISO asks, “Are we protected against Kimsuky?”, you don’t say “uhhh maybe?”
You pull up your VECTR dashboard and drop the mic:
Threat Resilience Metrics
Once all test cases were imported and scored, here’s what the VECTR dashboard showed:
60% Threat Resilience
🔵 3 Blocked
🟢 3 Alerted
🟡 4 Logged only
Translation: You’ve got decent visibility, but 40% of your simulated attacks were quietly logged without alerting anyone. Great for hindsight, terrible for stopping threats in real-time.
Stats by Detection Stack
Where exactly did the wins and misses happen?
Windows Defender: 3 Blocked, 2 Alerted — MVP of the campaign
SIEM: Logged 3 events, 0 alerted, 0 blocked — could use better correlation rules
Zeek (BRO): 1 alert — Solid network-layer visibility, but no prevention mechanism
Email Platform: Logged 1 event, 0 alerted, 0 blocked — Needs serious tuning
This view makes it crystal clear where your detection gaps live and who owns them.
You don’t just think you're safe, you know where the gaps are. You even have a list of follow-up actions for your next Purple Team engagement! Additionally, VECTR makes it easy to re-run the same campaign at a later time, once the gaps have been remediated, so the maturity gain is visible (e.g., that 60% Threat Resilience metric is now at 95% the following quarter).
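To make the dashboard numbers above concrete, here is an added scoring model (example code, not from the post and not VECTR's own algorithm) that derives the Threat Resilience percentage, the per-outcome counts, the per-tool breakdown and the follow-up backlog from per-test-case records. The scoring rule (Blocked and Alerted count as resilient, Logged-only does not) and the assignment of each test case to a tool are assumptions chosen so the constructed data reproduces the totals quoted in the post.

```python
# Added example, not from the post or from VECTR. Scoring rule and
# tool assignments are assumptions that reproduce the post's dashboard.
from collections import Counter, defaultdict
from dataclasses import dataclass

RESILIENT = {"Blocked", "Alerted"}  # assumed: outcomes that count as resilient

@dataclass(frozen=True)
class TestCase:
    technique: str  # ATT&CK technique id
    name: str       # Atomic Red Team test description
    tool: str       # detection stack component that produced the outcome
    outcome: str    # Blocked | Alerted | Logged | NotDetected

# Constructed sample data: the nine Kimsuky techniques from the campaign,
# with one technique exercised by two atomics so there are ten test cases.
CAMPAIGN = [
    TestCase("T1566.002", "Spear Phishing Link - Macro", "Email Platform", "Logged"),
    TestCase("T1059.005", "Execution using VBScript", "Windows Defender", "Blocked"),
    TestCase("T1543.003", "New Windows service via Registry", "SIEM", "Logged"),
    TestCase("T1547.001", "RunOnce key payload", "Windows Defender", "Alerted"),
    TestCase("T1547.001", "RunOnce key payload (variant)", "SIEM", "Logged"),
    TestCase("T1562.001", "Disable security tool service", "Windows Defender", "Blocked"),
    TestCase("T1003.001", "LSASS credential dumping", "Windows Defender", "Blocked"),
    TestCase("T1550.003", "Pass-the-ticket", "SIEM", "Logged"),
    TestCase("T1056.001", "Keylogger", "Windows Defender", "Alerted"),
    TestCase("T1071.001", "Cobalt Strike Beacon", "Zeek", "Alerted"),
]

def threat_resilience(cases):
    """Share of test cases that were blocked or alerted, as a percentage."""
    if not cases:
        return 0.0
    return 100.0 * sum(c.outcome in RESILIENT for c in cases) / len(cases)

def outcome_counts(cases):
    """Counts per outcome, e.g. {'Blocked': 3, 'Alerted': 3, 'Logged': 4}."""
    return dict(Counter(c.outcome for c in cases))

def stats_by_tool(cases):
    """Per-tool breakdown, e.g. {'SIEM': {'Logged': 3}, ...}."""
    stats = defaultdict(Counter)
    for c in cases:
        stats[c.tool][c.outcome] += 1
    return {tool: dict(cnt) for tool, cnt in stats.items()}

def follow_up_actions(cases):
    """Test cases that were only logged or missed: the tuning backlog."""
    return [(c.technique, c.tool) for c in cases if c.outcome not in RESILIENT]
```

Running `threat_resilience(CAMPAIGN)` on the constructed data returns 60.0, and `stats_by_tool(CAMPAIGN)` gives Windows Defender 3 Blocked / 2 Alerted, SIEM 3 Logged, Zeek 1 Alerted and Email Platform 1 Logged, matching the post's dashboard.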
Final Thoughts: From Chaos to Clarity
If Atomic Red Team is how you unleash controlled chaos, then VECTR is how you bring order to it with structure, insight, and direction.
You’re not just testing, you’re maturing.
You’re not just alerting, you’re measuring.
You’re not just red teaming, you’re purple teaming like a pro.
And what we've shown in this post? It's just scratching the surface. VECTR offers a ton of functionality, from campaign scheduling and trend analytics to analyst reporting, threat intelligence mapping, and deeper API integrations. But we kept it light here to keep you out of the weeds. 😄
Great work; this is a very useful tool for the infosec community.