Sıla Özeren Hacıoğlu | 25 MIN READ

LAST UPDATED ON DECEMBER 15, 2025

What Is Adversary Emulation?

Adversary emulation is a threat-intelligence–driven security assessment method that replicates the exact tactics, techniques, and procedures (TTPs) of specific real-world threat groups. By translating verified attacker behaviors into controlled, repeatable scenarios aligned to frameworks like MITRE ATT&CK, it evaluates how well an organization’s controls detect, prevent, and respond to multi-stage attacks. This provides a realistic, measurable view of defensive readiness against the adversaries most likely to target the environment.

In this comprehensive blog, we explain what adversary emulation is, outline its core benefits, and walk through how to design an effective adversary emulation plan. We then present a step-by-step methodology for conducting emulation exercises using the MITRE ATT&CK framework, clarify the differences between adversary emulation and simulation, and conclude by examining how adversary emulation strengthens an organization’s ability to defend against real-world attacks.

Is Adversary Emulation a Subset of Penetration Testing?

TL;DR

  • Adversary emulation is not a subset of penetration testing
  • It’s often sold as one
  • It’s best viewed as a CTI-driven branch of red teaming
  • The differentiator is intent, constraints, and measurement, not tools

No — adversary emulation is not a subset of penetration testing.
It overlaps with pen testing in tooling and techniques, but it sits in a different problem space.

A more accurate way to think about it is (with overlap, not strict inheritance):

Penetration Testing ⊂ Red Teaming ⊃ Adversary Emulation

Why is adversary emulation not a subset of pentesting?

A pentest might accidentally emulate an adversary. Adversary emulation must justify every action in threat context. That’s a fundamentally different discipline.

Here’s the cleanest way to see it:

Dimension      | Pen Test        | Adversary Emulation
---------------|-----------------|---------------------------
Core driver    | Vulnerabilities | Threat intelligence
Goal           | Exploit         | Observe & measure
Scope          | Assets          | Behaviors & objectives
Success metric | Access gained   | Defensive coverage & gaps
CTI            | Optional        | Foundational
Repeatability  | Low             | High
Realism        | Incidental      | Intentional

Why people think it’s a subset (and why marketing abuses it)

People often assume adversary emulation is a subset of penetration testing, largely because of how it looks in practice and how it is marketed.

The first source of confusion is shared tooling: adversary emulation, red teaming, and penetration testing all rely on the same technical mechanisms such as C2 frameworks, credential abuse, living-off-the-land binaries, and so on. To an external observer, the activity appears identical even though the intent is fundamentally different. 

A second reason is widespread misunderstanding of MITRE ATT&CK. Many teams equate “mapping activity to ATT&CK” with adversary emulation, but this is a category error. ATT&CK is a behavioral taxonomy, not threat intelligence, and simply tagging techniques does not mean the activity reflects a real or plausible adversary.

Finally, commercial incentives play a major role. It is far easier to run a traditional red team engagement, annotate the report with ATT&CK technique IDs, and sell it as adversary emulation than it is to perform the kind of preparation adversary emulation actually requires.

True adversary emulation is intelligence-driven, prep-heavy, and difficult to scale, and it does not fit neatly into fixed-price statements of work, which makes it less attractive from a services marketing perspective.

What Is an Adversary Emulation Plan?

TL;DR

  • Replicates real-world adversary behavior using intelligence-driven (CTI) tactics.
  • Focuses on how adversaries operate, not just tools or malware.
  • Flexible in execution, but guided by defined objectives and tradecraft.
  • Helps emulate realistic attacks for realistic security testing.

An Adversary Emulation Plan (AEP) is a CTI-driven operational blueprint that defines how a specific adversary would realistically operate against a specific organization. Its purpose is to prevent adversary emulation from collapsing into generic red teaming by constraining execution to what intelligence indicates the adversary would plausibly do, rather than what is merely technically possible.

Introduced by the MITRE Corporation [1], adversary emulation plans shift security testing away from tools, exploits, and indicators of compromise and toward adversary behaviors as described in ATT&CK. The objective is not to replay malware samples or replicate exact infrastructure, but to emulate how real threat actors select, chain, and adapt techniques over time to achieve their goals.

Because threat intelligence rarely captures complete hands-on-keyboard detail, an AEP is intentionally not a script. It is a behavioral framework that allows implementation flexibility, enabling operators to exercise judgment while remaining constrained by intelligence-defined objectives, tradecraft patterns, and risk tolerance. Techniques are selected for realism and relevance, and operator decisions are expected to be explainable, documented, and defensible.

When applied correctly, an AEP enables adversary emulation that is both flexible in execution and rigorous in intent. For a worked example, see the MITRE Corporation's published adversary emulation plan for APT3.

Step-by-Step Walkthrough of Designing an Adversary Emulation Plan with MITRE ATT&CK Framework

In order to conduct an effective adversary emulation exercise, it is important to follow a systematic process. This process involves several key steps that help gather threat intelligence, map it to the MITRE ATT&CK framework, analyze and organize the information, develop the necessary tools and procedures, and finally, execute the adversary emulation engagement. Let's explore each step in more detail.

Figure 1. Creating your own Adversary Emulation Plan Leveraging the MITRE ATT&CK Framework.

Here are the steps of creating an adversary emulation plan using the MITRE ATT&CK framework.

  • Step 1: Gather comprehensive threat intelligence
  • Step 2: Extract the ATT&CK techniques
  • Step 3: Analyze and organize
  • Step 4: Develop tools and procedures 
  • Step 5: Emulate the adversary

Each step is explained in detail below.

Step 1: Gather Comprehensive Threat Intelligence 

The first step in adversary emulation is gathering extensive threat intelligence. This involves selecting an adversary that poses a significant threat to your organization. Start by leveraging resources like malware dump platforms, threat intelligence feeds, sandboxes, and vendor blogs to identify active attack campaigns targeting your industry or similar sectors.

If you choose to emulate the TTPs of a specific adversary, such as FIN7, your next step is to find reliable, up-to-date analysis. Look for aggregated data from malware analysis, vendor blogs, and threat reports. For instance, a blog post that consolidates multiple FIN7 threat reports can offer valuable insights. This analysis should document and categorize the TTPs observed in real-world attacks, providing a comprehensive view of the adversary's operations.

Once you identify a credible resource, cross-reference it with other trusted threat intelligence platforms to verify its reliability. After confirming the source's credibility, proceed to extract the relevant TTPs to form the foundation of your emulation plan.

Step 2: Extract the ATT&CK Techniques 

Once you have collected your threat intelligence, the next step is to map this intel to specific techniques in the MITRE ATT&CK framework. This process is similar to mapping your own red team operations to ATT&CK techniques.

Figure 2. Using the MITRE ATT&CK Navigator for Behaviour Mapping.

The following steps can be used to map the adversary behavior to the MITRE ATT&CK framework.

  • Understand the ATT&CK Framework
  • Find the Behavior 
  • Research the Behavior 
  • Translate the Behavior into a Tactic
  • Figure Out What Technique Applies to the Behavior

Here is an example.

Let us say that in the course of conducting your threat intelligence research, you identified that the FIN7 APT group is utilizing the Kerberoasting method to steal hashes from Active Directory.

Now, you are going to map the "FIN7 importing and executing the Invoke-Kerberoast script to extract service account hashes in HashCat format" behavior to the ATT&CK framework.

Understand the ATT&CK Framework

The ATT&CK framework provides a structured methodology for categorizing and understanding an adversary's tactics (their objectives), techniques (how they achieve those objectives), and procedures (specific ways they apply those techniques).

Find the Behavior

FIN7 was observed executing the following command on a compromised system in late December 2025:

powershell.exe -c Import-Module C:\Users\Public\kerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat > hash.txt

The key action is the execution of Invoke-Kerberoast, which extracts Kerberos Service Principal Name (SPN) hashes from Active Directory, saving them to a file (hash.txt) in a format suitable for offline cracking (HashCat).

Research the Behavior 

Kerberoasting is an attack used for privilege escalation and lateral movement. It exploits a Kerberos feature that allows any authenticated user to request a service ticket for any Service Principal Name (SPN).

The Domain Controller returns this ticket encrypted with the service account's password hash. The attacker's motivation is that these targeted service accounts often have significant, domain-wide privileges and weak, rarely changed passwords. By capturing the ticket and cracking it offline (to remain stealthy), the attacker recovers the plaintext password of a high-value account.

Translate the Behavior into a Tactic 

The overarching objective for this behavior is to obtain valid credentials (usernames and passwords) that can be used to escalate privileges or perform Lateral Movement. In the ATT&CK framework, this falls under the Credential Access (TA0006) tactic.

Figure Out What Technique Applies to the Behavior

Given that FIN7 is using a script to request and capture encrypted service tickets to steal credentials, this procedure is best mapped to the Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) technique. This specific sub-technique covers the abuse of the Kerberos protocol to collect credentials for offline cracking.

This methodology, when consistently applied, can help in predicting and mitigating future threats, as well as in informing strategic planning and improving defenses.

Step 3: Analyze and Organize 

Organizing the mapped threat intelligence into a sequential, operational flow, commonly known as the "Kill Chain", is crucial for understanding the adversary's overall campaign structure. This approach enhances threat hunting and helps prioritize defensive controls.

For example, in this blog, as we are emulating the FIN7 APT, we have created an operational flow based on FIN7 APT’s known behaviors. We divided it into the following three phases.

  • Phase 1: Initial Access and Execution
  • Phase 2: Discovery, Credential Access, and Lateral Movement
  • Phase 3: Defense Evasion (and Exfiltration)

Phase 1: Initial Access and Execution

This phase covers the first foothold on the network and the initial running of malicious code.

Tactic                  | Technique (MITRE ID)                                                 | FIN7 Procedure/Behavior
------------------------|----------------------------------------------------------------------|------------------------
Initial Access (TA0001) | T1195.002: Supply Chain Compromise: Compromise Software Supply Chain | Compromised a digital products website to deliver trojanized Atera installers (POWERPLANT backdoor).
Initial Access (TA0001) | T1566.001: Spearphishing Attachment                                  | Spoofed EDGARfilings@sec.gov with a malicious document ("Important_Changes_to_Form10_K.doc").
Execution (TA0002)      | T1059.001: Command and Scripting Interpreter: PowerShell             | Consistently used powershell.exe for execution, often with -ex bypass flags, frequently wrapped in cmd.exe.
Execution (TA0002)      | T1059.005: Command and Scripting Interpreter: Visual Basic           | Used a VBS script dropped by a malicious document to install a PowerShell-based backdoor.

Phase 2: Discovery, Credential Access, and Lateral Movement

This phase covers the internal activities needed to find targets, steal credentials, and pivot to high-value systems.

Tactic                     | Technique (MITRE ID)                                      | FIN7 Procedure/Behavior
---------------------------|-----------------------------------------------------------|------------------------
Discovery (TA0007)         | T1033: System Owner/User Discovery                        | Used cmd.exe /C quser to identify logged-on users.
Discovery (TA0007)         | T1069.002: Permission Groups Discovery: Domain Groups     | Used cmd.exe /C net group "Domain Admins" /domain to identify privileged accounts.
Credential Access (TA0006) | T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting | Imported and executed Invoke-Kerberoast to extract Service Principal Name (SPN) hashes for offline cracking.
Lateral Movement (TA0008)  | T1021.001: Remote Services: Remote Desktop Protocol       | Gained access using compromised RDP credentials and launched subsequent attack chains via rdpinit.exe.

Phase 3: Defense Evasion (and Exfiltration)

This phase covers the methods used throughout the operation to remain stealthy. Exfiltration itself was not explicitly detailed in the collected TTPs, but Defense Evasion is a constant priority across every phase.

Tactic                   | Technique (MITRE ID)                                            | FIN7 Procedure/Behavior
-------------------------|-----------------------------------------------------------------|------------------------
Defense Evasion (TA0005) | T1027.010: Obfuscated Files or Information: Command Obfuscation | Used a custom obfuscation mechanism to conceal PowerShell commands in the LOADOUT downloader.
Defense Evasion (TA0005) | T1027.016: Obfuscated Files or Information: Junk Code Insertion | Inserted random junk code and irrelevant variables to break static detection signatures.
Defense Evasion (TA0005) | T1218.011: System Binary Proxy Execution: Rundll32              | Invoked the legitimate RunDll32 utility to load and execute the TERMITE shellcode loader (deploying Cobalt Strike BEACON).

This three-phase operational view clearly outlines the logical progression of a FIN7 attack, from the initial breach to internal maneuvering and stealthy operations.
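As an added example (not MITRE's, Picus' or the article's own code), the script below turns the Step 3 operational flow into a MITRE ATT&CK Navigator layer, the tool shown in Figure 2, and lists which rows the blue team has no detection for, which is the "defensive coverage & gaps" metric from the comparison table. The Navigator and ATT&CK version numbers in VERSIONS are assumptions to adjust to your instance; the sample detection coverage is constructed.

```python
"""Export the Step 3 FIN7 operational flow as a MITRE ATT&CK Navigator layer and
report which rows the blue team has no detection for. Constructed for this article;
not MITRE's, Picus' or any project's own code. VERSIONS is an assumption: set it to
the ATT&CK/Navigator release you actually load the layer into."""
import json

# Rows of the three-phase operational flow from Step 3:
# (phase, Navigator tactic id, technique id, procedure note)
FIN7_FLOW = [
    ("Phase 1", "initial-access", "T1195.002", "Trojanized Atera installers (POWERPLANT backdoor)"),
    ("Phase 1", "initial-access", "T1566.001", "Spoofed EDGARfilings@sec.gov with a malicious .doc"),
    ("Phase 1", "execution", "T1059.001", "powershell.exe with -ex bypass, wrapped in cmd.exe"),
    ("Phase 1", "execution", "T1059.005", "VBS dropper installing a PowerShell backdoor"),
    ("Phase 2", "discovery", "T1033", "cmd.exe /C quser"),
    ("Phase 2", "discovery", "T1069.002", 'net group "Domain Admins" /domain'),
    ("Phase 2", "credential-access", "T1558.003", "Invoke-Kerberoast -OutputFormat HashCat"),
    ("Phase 2", "lateral-movement", "T1021.001", "RDP with compromised credentials, rdpinit.exe"),
    ("Phase 3", "defense-evasion", "T1027.010", "Obfuscated PowerShell in the LOADOUT downloader"),
    ("Phase 3", "defense-evasion", "T1027.016", "Junk code insertion against static signatures"),
    ("Phase 3", "defense-evasion", "T1218.011", "rundll32 loading TERMITE / Cobalt Strike BEACON"),
]

# Assumption: versions of the Navigator instance the layer will be imported into.
VERSIONS = {"attack": "16", "navigator": "5.1.0", "layer": "4.5"}
PHASE_COLORS = {1: "#fff7b3", 2: "#ffa64d", 3: "#ff4d4d"}


def parent_id(tid):
    """T1558.003 -> T1558. A parent technique is returned unchanged."""
    return tid.split(".", 1)[0]


def build_layer(flow, name="FIN7 emulation plan (Step 3 operational flow)"):
    """Return a dict in ATT&CK Navigator layer format; score = phase number."""
    techniques, parents_seen = [], set()
    for phase, tactic, tid, note in flow:
        phase_no = int(phase.split()[-1])
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": phase_no,
            "comment": f"{phase}: {note}",
            "enabled": True,
        })
        parent = parent_id(tid)
        if parent != tid and parent not in parents_seen:
            # Expand the parent cell so the coloured sub-technique is visible.
            parents_seen.add(parent)
            techniques.append({"techniqueID": parent, "tactic": tactic,
                               "showSubtechniques": True})
    return {
        "name": name,
        "versions": VERSIONS,
        "domain": "enterprise-attack",
        "description": "Score encodes the emulation phase (1-3) from the Step 3 flow.",
        "techniques": techniques,
        "gradient": {"colors": [PHASE_COLORS[1], PHASE_COLORS[2], PHASE_COLORS[3]],
                     "minValue": 1, "maxValue": 3},
        "legendItems": [{"label": f"Phase {n}", "color": c}
                        for n, c in PHASE_COLORS.items()],
    }


def coverage_gaps(flow, detected_ids):
    """Rows of the flow for which the blue team has no detection (input to Step 5)."""
    return [(phase, tid, note) for phase, _tactic, tid, note in flow
            if tid not in detected_ids]


if __name__ == "__main__":
    print(json.dumps(build_layer(FIN7_FLOW), indent=2))
    # Constructed coverage: detections exist only for PowerShell execution and Kerberoasting.
    for phase, tid, note in coverage_gaps(FIN7_FLOW, {"T1059.001", "T1558.003"}):
        print(f"GAP {phase} {tid}: {note}")
```

Save the printed JSON to a file and open it with Navigator's "Open Existing Layer" to get the three phases colour-coded on the Enterprise matrix.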

Step 4: Develop Tools and Procedures 

With a clear understanding of what you want your red team to emulate, the next step is figuring out how to implement these behaviors. This may involve choosing or developing specific tools to replicate the tactics, techniques, and procedures (TTPs) of the threat actor. You should consider the context in which the threat group uses each technique, and how the group varies their use of each technique based on the environment.

For this step, you can ask yourself the following questions:

  • Question 1: In what context and manner did the threat group employ this specific technique?
  • Question 2: Were there variations in the threat group's use of the technique depending on the surrounding environment?
  • Question 3: Which resources can we leverage to successfully imitate these TTPs?

Example: Developing PowerShell Scripting for FIN7 APT Emulation

For instance, in our example we saw that FIN7 was leveraging native PowerShell scripting for execution (check out the Phase 1: Initial Access and Execution part of the example).

FIN7’s signature method is using low-prevalence flags to run PowerShell scripts, often launched via cmd.exe.

Context & Variation: FIN7 specifically combines parameters like -ex bypass (execution policy bypass) with -f or -file (to run a script). They often wrap this command in cmd.exe using non-interactive flags (-noni, -nop) to make the execution even stealthier.

Red Team Tooling: Leverage Native PowerShell and any standard, benign script (such as a simple process enumeration or network test) or a testing shell from a C2 framework.

Emulation Procedure (Testing Detections):

  • Stage a safe, benign PowerShell script (C:\Windows\Temp\test.ps1).
  • Execute the script using the full FIN7 command line structure: cmd.exe /c start powershell.exe -noni -nop -exe bypass -f C:\Windows\Temp\test.ps1
  • Verification Goal: Check if your SIEM captured the entire command line and correctly identified the parent-child relationship (cmd.exe launching powershell.exe).

Ensure all actions are reversible; the aim is to identify vulnerabilities and gaps in the deployed prevention and detection layers, not to cause damage.
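A defender-side check for the Verification Goal above, added here as an example and not Picus' or the article's own code: it scores constructed Sysmon Event ID 1-style process creation records for the cmd.exe launching powershell.exe pattern with execution-policy bypass and non-interactive flags, and checks whether the emulated command line was logged in full together with its parent. Field names follow Sysmon (Image, CommandLine, ParentImage); the sample events and score weights are constructed.

```python
"""Step 4 verification helper: score process-creation telemetry for the FIN7-style
cmd.exe -> powershell.exe launch with execution-policy bypass and non-interactive
flags, and check that the emulated command line was logged whole with its parent.
Constructed for this article, not Picus' or the article's own code. Field names follow
Sysmon Event ID 1 (Image, CommandLine, ParentImage); the events and score weights are
constructed assumptions."""
import re

# The command staged in the emulation procedure above.
EMULATED_COMMAND = r"cmd.exe /c start powershell.exe -noni -nop -exe bypass -f C:\Windows\Temp\test.ps1"

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: the emulated launch (parent and child), a benign scheduled
# script, and a copy of the emulated launch whose command line a collector cut short.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": EMULATED_COMMAND},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -noni -nop -exe bypass -f C:\Windows\Temp\test.ps1"},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Ops\inventory.ps1"},
    {"Image": PS_IMAGE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -noni -nop -exe bypass -f C:\Windo"},
]

# PowerShell accepts unambiguous parameter prefixes, so match -ex, -exe, -exec,
# -ExecutionPolicy and -ep rather than a single spelling.
EXEC_POLICY_BYPASS = re.compile(r"(?i)(?:^|\s)-e[xp]\w*\s+bypass\b")
NON_INTERACTIVE = re.compile(r"(?i)(?:^|\s)-no(?:ni|nint|ninteractive|p|prof|profile)\b")
SCRIPT_ARG = re.compile(r"(?i)(?:^|\s)-f(?:ile)?\s+(\S+)")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). Weights are constructed; tune them to your own baseline."""
    if basename(ev["Image"]) not in POWERSHELL:
        return 0, []
    cl, score, reasons = ev["CommandLine"], 0, []
    if EXEC_POLICY_BYPASS.search(cl):
        score, reasons = score + 2, reasons + ["execution policy bypass"]
    if NON_INTERACTIVE.search(cl):
        score, reasons = score + 1, reasons + ["non-interactive flags"]
    if basename(ev["ParentImage"]) == "cmd.exe":
        score, reasons = score + 2, reasons + ["parent is cmd.exe"]
    return score, reasons


def detect(events, threshold=4):
    """Events at or above the threshold; the benign scheduled script stays below it."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


def verify_capture(events, expected_cmd):
    """Verification Goal from Step 4: full command line and cmd.exe parent present?"""
    expected_script = SCRIPT_ARG.search(expected_cmd).group(1).lower()
    result = {"command_line_complete": False, "parent_child_captured": False,
              "truncated": []}
    for ev in events:
        if basename(ev["Image"]) not in POWERSHELL:
            continue
        m = SCRIPT_ARG.search(ev["CommandLine"])
        script = m.group(1).lower() if m else None
        if script == expected_script:
            result["command_line_complete"] = True
            if basename(ev["ParentImage"]) == "cmd.exe":
                result["parent_child_captured"] = True
        elif EXEC_POLICY_BYPASS.search(ev["CommandLine"]) and (
                script is None or expected_script.startswith(script)):
            # The flags arrived but the script path did not: the logged field was cut.
            result["truncated"].append(ev["CommandLine"])
    return result


if __name__ == "__main__":
    for ev, score, reasons in detect(EVENTS):
        print(f"ALERT score={score} {ev['CommandLine']}  <- {', '.join(reasons)}")
    print(verify_capture(EVENTS, EMULATED_COMMAND))
```

The truncated record still trips the detection on its flags alone, which is why the capture check is reported separately: a rule that fires is not proof that the SIEM kept the whole command line.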

Step 5: Emulate the Adversary 

Before execution begins, establish the following guidelines to ensure the test is both safe and maximizes learning:

Pre-Execution Guidelines

Establish a Collaboration Bridge: Create a dedicated, real-time communication channel (e.g., chat room or war room) to facilitate instant, structured communication between the Red Team, Blue Team, and CTI throughout the exercise.

Define Participation: Ensure the Blue Team (Detection & Response) and the Red Team (Emulation) are mandatory participants. If the organization has a separate CTI Team, they must be included to validate the fidelity of the emulation. For smaller or less mature teams, designate specific individuals as the Red/Blue/CTI point-of-contact for the duration of the test.

Safety and Reversibility: Reiterate the principle that all actions must be non-destructive and reversible. The Red Team must be prepared to stop or reverse a procedure instantly if it causes an unintended system impact or is confirmed as detected.

No Spoilers Policy: The Red Team communicates the intent of the emulation (e.g., "We are beginning Phase 2 Credential Access"), but does not disclose the specific TTP or command being executed until the Blue Team confirms detection or the procedure window closes.

Execution and Continuous Collaboration

During execution, the focus shifts to real-time learning:

Red Team Execution: The Red Team executes the FIN7 procedures (as planned in Step 4) and documents the exact time, process IDs, and commands used for each TTP.

Blue Team Monitoring: The Blue Team independently monitors their environment, tools (SIEM, EDR), and security logs, attempting to detect and respond to the live adversary activity.

Real-Time Review: The Red Team collaborates with the Blue Team to help identify gaps in visibility and understand why a particular TTP was not detected or blocked. This should be a learning opportunity, not a pass/fail audit.

Post-Engagement Wrap-up

After the execution phase is complete, the entire security team should collaborate: the Red and Blue Teams work with the CTI team to validate the success or failure of the emulation against real-world FIN7 TTPs.

This process allows the organization to identify the next critical threat to emulate, creating a continuous, cyclical process of improvement against real-world threats. This strengthens an organization's defenses and ensures a proactive approach toward potential threats.

What Are the Benefits of Threat Emulation in Cybersecurity?

TL;DR

  • Replicates real-world attacker tactics, techniques, and procedures (TTPs)
  • Tests defenses against how adversaries actually operate, not theoretical scenarios
  • Validates whether security controls truly prevent or detect attacks
  • Exposes exploitable kill chains instead of isolated security vulnerabilities
  • Reveals detection gaps and response blind spots across the kill chain
  • Improves risk prioritization by focusing on what is practically exploitable
  • Aligns security testing with current threat intelligence
  • Enables repeatable, measurable testing to track security improvements over time
  • Supports continuous exposure and security validation programs
  • Strengthens SOC readiness through realistic, controlled attack scenarios

Often used interchangeably with adversary emulation, threat emulation is a crucial element in augmenting an organization's cybersecurity. By emulating the tactics, techniques, and procedures (TTPs) of real-world adversaries, threat emulation enables proactive identification of potential vulnerabilities, allowing for adversary-focused and effective defense preparation.

The threat emulation approach tests an organization's incident response strategies by simulating cyberattacks based on the real tactics, techniques and procedures (TTPs) used by adversaries that target your region or industry. This process provides a practical assessment of how the security teams perform under these simulated attacks, revealing areas for enhancement and consequently fine-tuning the overall incident response plan.

Utilizing a shared framework like MITRE ATT&CK boosts collaboration between offensive and defensive cybersecurity teams, fostering improved communication and understanding of strategies and tactics. 

Through threat emulation, organizations can gain data-driven visibility on their security posture. This provides critical data to identify weaknesses, track progress, and shape future cybersecurity strategies. It enriches threat intelligence, adding a real-world context to theoretical knowledge. 

Lastly, threat emulation guides effective resource allocation in cybersecurity investments. By knowing existing vulnerabilities and potential threats, organizations can prioritize their resources efficiently, bolstering their cybersecurity posture.

Adversary Simulation vs Adversary Emulation: Key Differences

TL;DR

  • Adversary emulation recreates the exact behavior of a specific real-world threat actor to validate defenses against known attacks.
  • Adversary simulation models broader attacker behaviors and techniques to explore a wider range of possible attack scenarios.

Although the terms are often used interchangeably, adversary emulation and adversary simulation serve distinct purposes and differ in scope and methodology.

Adversary emulation is a highly focused approach designed to replicate the exact tactics, techniques, and procedures (TTPs) of a specific, known threat actor. The goal is fidelity: closely mirroring how a real adversary operates based on detailed, up-to-date threat intelligence. By reproducing an identified attacker’s behavior end to end, adversary emulation allows organizations to evaluate how well their defenses stand up to the threats most likely to target them and to validate control effectiveness against real-world attack patterns.

Adversary simulation, by contrast, takes a broader and more flexible approach. Rather than adhering to the playbook of a single threat actor, it models general adversarial behaviors and attack techniques that could plausibly be used against an environment. This flexibility enables security teams to explore a wider range of attack scenarios, combine techniques from different sources, and identify potential weaknesses that may not be tied to one specific adversary.

In summary, adversary emulation delivers high-fidelity, threat actor–specific validation, while adversary simulation provides broader coverage of possible attack paths and techniques. Used together, they offer a more complete and balanced approach to assessing and strengthening an organization’s security posture.

How Can Adversary Emulation Help Improve an Organization's Security Posture?

TL;DR

  • Replicates real-world attacker TTPs to test defenses against realistic threats
  • Identifies exploitable weaknesses and control gaps
  • Validates incident detection and response under real attack conditions
  • Bridges the gap between threat intelligence and practical defense testing
  • Improves coordination and communication across security teams
  • Provides measurable data to guide remediation and security investments
  • Strengthens and maintains a resilient security posture over time

Adversary emulation significantly contributes to enhancing an organization's security posture. By mimicking the tactics, techniques, and procedures (TTPs) of real-world adversaries, adversary emulation helps organizations identify potential security vulnerabilities and test the effectiveness of defensive measures against the latest threats posing the greatest risk to their industry. 

This realistic approach encourages an accurate evaluation of the organization's incident response capabilities under realistic threat emulation plans. Moreover, it provides valuable context, bridging the gap between theoretical threat intelligence and practical defense scenarios.

Adversary emulation exercises promote better communication and collaboration within security teams, fostering a unified front against cyber threats. Additionally, it offers quantifiable data to guide future cybersecurity strategies and investments. Hence, adversary emulation plays a pivotal role in maintaining a robust security posture.

Which Frameworks are Commonly Used for Threat Emulation, and Why?

The MITRE ATT&CK framework is a commonly used tool for threat emulation, also known as adversary emulation. This globally-accessible knowledge base consists of real-world observations about the tactics, techniques, and procedures (TTPs) that cyber threat actors utilize in their attacks.

The framework's widespread use is largely due to its comprehensiveness and flexibility. MITRE ATT&CK framework offers a detailed, structured, and systematic way to emulate the behavior of various threat actors, providing context to an organization's specific threat landscape.

Moreover, MITRE ATT&CK encourages improved communication and collaboration within cybersecurity teams. Its standardized terminology helps bridge the gap between offense and defense teams, enabling more efficient identification, prevention, and mitigation of cyber threats.

In essence, the MITRE ATT&CK framework facilitates a threat-centric approach to security, enhancing an organization's ability to understand, prepare for, and defend against cyber threats through realistic threat emulation plans.

What Are Adversary Emulation Tools?

Adversary emulation tools are a good starting point for security teams adding automated adversary emulation to their toolset.

Figure 3. Adversary Emulation Tools Comparison Table.

MITRE Caldera: An open-source, automated adversary emulation system that uses the MITRE ATT&CK framework to model threats and replicate their behaviors.

Atomic Red Team: A library of scripts designed to simulate adversary behaviors and validate detection capabilities. It does not offer automation by default, but is versatile and widely used.

Infection Monkey: An open-source breach and attack simulation tool that prioritizes breaching a target and infecting the entire network by moving laterally from host to host.

Stratus Red Team: An adversary emulation tool specifically for cloud environments, emulating adversary techniques from the MITRE ATT&CK for Cloud Matrix.

DumpsterFire: A tool that replicates security events to test and validate security controls, aiming to simulate a wide range of adversaries including insider threats, non-technical threat actors, and sophisticated attackers.

Metta: An adversarial simulation tool from Uber that runs adversary actions described in YAML format to test and validate detection capabilities of hosts and networks.

Red Team Automation (RTA): An open-source framework of scripts for assessing detection capabilities with test scenarios modeled after the MITRE ATT&CK framework.

Breach and Attack Simulation (BAS): BAS tools automate adversary emulation to continuously and safely assess the effectiveness of preventive and detective security controls. BAS executes prebuilt attack techniques derived from real-world threat intelligence, mapping them to known adversary tactics, techniques, and procedures (TTPs). These techniques are delivered through continuously maintained threat libraries that model attacker behavior at each stage of the kill chain.

BAS enables organizations to validate control coverage and detection logic in a non-disruptive manner, allowing security teams to identify gaps in prevention, misconfigurations, and detection blind spots without introducing operational risk or requiring extensive red team resources.

These tools can provide valuable insights into how well your organization can withstand actual cyber threats, helping you to improve your security posture over time.

Can Adversary Emulation Be Automated with BAS?

Yes, adversary emulation can be automated. Given the significant effort required to prepare an individual adversary emulation plan, many organizations may not have the resources to dedicate entire teams to this task. This is where Breach and Attack Simulation (BAS) tools come into play.

BAS vendors offer automated solutions for adversary emulation. They maintain comprehensive, continuously updated threat libraries, enriched by deep cyber threat intelligence research conducted by red team professionals. This research focuses on analyzing and creating adversary emulation plans that mimic the behaviors of various threat actors in a safe, non-disruptive manner.

How to Use Breach and Attack Simulation (BAS) Vendors for Adversary Emulation?

BAS platforms with strong return on investment, such as Picus Security, enable organizations to execute adversary emulation in multiple, practical ways.

One approach is the use of ready-to-run threat templates that emulate the tactics, techniques, and procedures (TTPs) of specific adversaries targeting a given region or industry. These templates model real attack and malware campaigns associated with known threat actors and Advanced Persistent Threat (APT) groups, allowing teams to test defenses against realistic, intelligence-driven scenarios.

Picus maintains a broad library of such templates, organized by region, industry sector, emerging threats, ransomware activity, APT groups, and active malware campaigns. The templates are continuously curated (either statically or dynamically) based on observed changes in the threat landscape. With a single action, for example by selecting an APT Group threat template, security teams can validate both preventive controls and detection mechanisms against TTPs actively used in the wild, using safe, pre-validated attack actions developed by Picus Labs.

Figure 4. APT Groups Threat Templates from Picus’ Security Control Validation (SCV) Platform.

Each template is essentially an adversary emulation plan, designed to mimic the most recent attack behaviors of threat actors and APT groups. This automation can streamline the process, making it more accessible for organizations to regularly test and improve their defenses.

How Can You Leverage BAS with LLM Models to Speed Up Adversarial Emulation?

Picus shows that the fastest way to operationalize adversarial emulation with LLMs is not by letting AI generate attacks, but by using AI to translate threat intelligence into validated BAS execution.

Here’s how Picus does it.

Figure 5. Picus Security AI Threat Creation Flow

Turn threat headlines into ready-to-run simulations

With Picus Smart Threat, LLMs ingest unstructured intelligence such as news articles, threat reports, and vendor research. Instead of spending days analyzing reports or waiting on vendor updates, security teams can provide a single URL and let Picus AI extract:

  • Adversary intent and campaign structure
  • MITRE ATT&CK–mapped TTPs
  • Relevant malware behaviors and attack stages

This removes the manual analysis bottleneck that slows down traditional adversary emulation.

Map AI insights to Picus’ pre-validated threat library

Rather than generating payloads, Picus AI maps extracted behaviors to the Picus Threat Library, built and refined by Picus Labs over more than a decade of threat research.

Every emulation step uses:

  • Safe, non-disruptive attack actions
  • Pre-validated BAS modules
  • MITRE-aligned techniques proven to reflect real-world attacker behavior

This ensures simulations remain accurate, repeatable, and safe across production environments.

Use agentic AI for accuracy, speed, and trust

Picus applies an agentic AI model, where multiple specialized agents collaborate:

  • Research agents validate threat sources
  • Planning agents reconstruct attack flows
  • Threat-building agents assemble emulation chains
  • Validation agents reject hallucinated or unsafe mappings before anything is executed

This architecture delivers AI-level speed while preserving the reliability security teams require.

Validate defenses within hours, not days

The result is a complete adversary emulation profile that can be executed immediately in Picus BAS:

  • Test prevention and detection controls together
  • Validate exposure to active APT, ransomware, or malware campaigns
  • Identify real control gaps tied to live threats

What used to take days of reverse engineering can now be done within hours.

Move from dashboards to intent-driven security validation

With Picus Numi AI, teams interact with BAS through intent rather than dashboards. A security leader can state:

"Validate our exposure to FIN8-style credential attacks."

Picus continuously aligns new threat intelligence to that intent and alerts teams only when defenses are truly exposed.

Figure 6. Picus Smart Threat Numi AI
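The four steps above (extract TTPs, map them to a pre-validated library, validate the mapping, execute only what passed) and the intent-driven filtering in this subsection, reduced to a single runnable Python example. This is added illustrative code, not Picus software: the library, technique-to-module mappings, module names and the "model output" are constructed for the example, and in a real deployment the library would be the vendor's pre-validated catalogue and the input would come from the LLM extraction step. The point it makes is that a model may propose a fictitious technique ID, mislabel a tactic, or repeat a step, and none of that should reach execution.

```python
"""Minimal "validation agent": gate LLM-extracted threat intelligence
against a pre-validated emulation library before anything runs.
Illustrative code, not Picus software; all data below is constructed."""
import re
from dataclasses import dataclass, field

# Enterprise ATT&CK tactic order, used to put accepted steps into a
# kill-chain sequence (the "planning agent" role).
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Technique ids look like T1486, sub-technique ids like T1003.001.
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed stand-in for a vendor's pre-validated library. Only actions
# reviewed as safe for production hosts appear here; anything the model
# proposes that is not in this table must not run.
SAFE_LIBRARY = {
    "T1566.001": {"tactic": "initial-access",    "module": "phishing_attachment_drop"},
    "T1059.001": {"tactic": "execution",         "module": "powershell_encoded_cmd"},
    "T1003.001": {"tactic": "credential-access", "module": "lsass_open_handle_only"},
    "T1021.002": {"tactic": "lateral-movement",  "module": "smb_admin_share_touch"},
    "T1486":     {"tactic": "impact",            "module": "encrypt_decoy_files_only"},
}

REASON_MALFORMED = "malformed ATT&CK id"
REASON_UNKNOWN = "no pre-validated module (possible hallucination)"
REASON_TACTIC = "tactic disagrees with library entry"
REASON_DUPLICATE = "duplicate step"


@dataclass
class Step:
    technique: str
    tactic: str
    module: str


@dataclass
class Plan:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (technique, reason) pairs


def validate_extraction(extracted, library=SAFE_LIBRARY):
    """Keep only behaviours that map to a pre-validated module, then order
    them along the kill chain. Everything else comes back with a reason so a
    human can review what the model got wrong."""
    plan = Plan()
    seen = set()
    for item in extracted:
        tid = str(item.get("technique", "")).strip().upper()
        tactic = str(item.get("tactic", "")).strip().lower()
        if not ATTACK_ID.match(tid):
            plan.rejected.append((tid, REASON_MALFORMED))
            continue
        entry = library.get(tid)
        if entry is None:
            # Well-formed but unknown to the library: the classic hallucinated id.
            plan.rejected.append((tid, REASON_UNKNOWN))
            continue
        if entry["tactic"] != tactic:
            # The model misread the attack flow; send it back for review rather
            # than silently correcting it, since the rest of its chain is suspect.
            plan.rejected.append((tid, REASON_TACTIC))
            continue
        if tid in seen:
            plan.rejected.append((tid, REASON_DUPLICATE))
            continue
        seen.add(tid)
        plan.accepted.append(Step(tid, entry["tactic"], entry["module"]))
    plan.accepted.sort(key=lambda s: TACTIC_ORDER.index(s.tactic))
    return plan


def filter_by_intent(plan, tactics):
    """Intent-driven view: only the steps in the tactics a leader asked about,
    e.g. tactics=["credential-access"] for "credential attacks"."""
    wanted = {t.lower() for t in tactics}
    return [s for s in plan.accepted if s.tactic in wanted]


# Constructed: what a model might return after reading a threat report.
# Deliberately out of order, with a duplicate, a mislabelled tactic,
# a fictitious id and a value that is not an id at all.
LLM_OUTPUT = [
    {"technique": "T1566.001", "tactic": "initial-access"},
    {"technique": "T1486",     "tactic": "impact"},
    {"technique": "t1059.001", "tactic": "Execution"},          # case noise
    {"technique": "T1003.001", "tactic": "credential-access"},
    {"technique": "T1003.001", "tactic": "credential-access"},  # duplicate
    {"technique": "T1021.002", "tactic": "persistence"},        # wrong tactic
    {"technique": "T9999",     "tactic": "impact"},             # fictitious id
    {"technique": "mimikatz",  "tactic": "credential-access"},  # not an id
]

if __name__ == "__main__":
    plan = validate_extraction(LLM_OUTPUT)
    for s in plan.accepted:
        print(f"RUN   {s.technique:<10} {s.tactic:<18} {s.module}")
    for tid, why in plan.rejected:
        print(f"SKIP  {tid:<10} {why}")
```

Run as-is it accepts four steps in kill-chain order (initial access, execution, credential access, impact) and skips the other four with a reason each. The design choice worth copying is that the library, not the model, is the authority: the model may only select from pre-validated actions, so a hallucinated ID or a mislabelled tactic is surfaced for review instead of becoming a payload.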

Picus enables organizations to close the gap between threat discovery and defense validation. By combining LLM intelligence processing with Picus’ validated BAS execution, security teams gain:

  • Faster response to emerging threats
  • Higher confidence in control effectiveness
  • Safer, more reliable AI-driven emulation

In short, Picus turns AI from a potential risk into a force multiplier for adversarial exposure validation.

How Often Should an Organization Conduct Adversary Emulation Exercises?

Adversary emulation should run continuously, or at least on a regular cadence, with the frequency adjusted to the specific threats an organization faces. Run it:

  • Continuously or on a regular cadence to keep pace with changing threats and environments
  • After major security changes, such as new controls, architecture updates, or policy changes
  • Following significant incidents or near misses to validate improvements and prevent recurrence
  • When new threat intelligence emerges that is relevant to the organization’s industry or region
  • Before and after major deployments to confirm defensive readiness
  • Periodically as part of a CTEM or security validation program, rather than as a one-off exercise

In practice, mature organizations run adversary emulation quarterly or continuously, while less mature teams may start with annual or biannual exercises and increase frequency over time.

Frequently Asked Questions (FAQs)

Here are the most frequently asked questions about adversary emulation.

How Does Threat Intelligence Feed Into Adversary Emulation?

Threat intelligence informs adversary emulation by providing data on the behaviors of actual threat actors: the latest tactics, techniques, and procedures (TTPs) they employ. This real-world information is what makes an emulation exercise realistic, and it is the basis for justifying every action in the plan.

How Does Adversary Emulation Help in Identifying Gaps in Security Controls?

Adversary emulation identifies gaps in security controls by simulating real-world attack scenarios. It tests the effectiveness of existing measures under conditions that mimic actual cyber threats. By doing so, it exposes control gaps, such as preventive controls that do not block a technique or detections that never fire, that might otherwise remain unnoticed, enabling timely remediation.

Can Adversary Emulation Exercises Lead to Real Damage to My IT Infrastructure?

Adversary emulation exercises, when conducted manually, carry some risk of disruption. Automated solutions such as Breach and Attack Simulation (BAS) systems conduct adversary simulations in a controlled and non-disruptive manner, using pre-validated actions designed to preserve the safety and continuity of your IT infrastructure while still providing a realistic simulation of adversary tactics and techniques. Even so, every exercise should be scoped and approved in advance, and any action that touches production hosts should have a tested rollback path.

How Are the Results of Adversary Emulation Exercises Analyzed and Used?

Results of adversary emulation exercises are analyzed to identify vulnerabilities and gaps in security controls, giving a realistic assessment of the organization's defenses against specific threat actors. The insights are used to strengthen security controls, improve incident response plans, and prioritize cybersecurity investments. They also serve as a basis for training security teams, enhancing their preparedness for real attacks. These exercises therefore provide both strategic and tactical benefits.

How Does Purple Teaming Contribute to an Organization’s Overall Security Posture?

Purple Teaming enhances an organization's overall security posture by combining the strengths of red and blue teams. It ensures a comprehensive evaluation of security controls, identifies vulnerabilities, and provides actionable mitigation strategies. By fostering collaboration, it keeps the organization's defenses adaptive and responsive to real-world threats.
