Performing Purple Team Atomic Testing

When to Use

  • Validating detection coverage against specific MITRE ATT&CK techniques
  • Running purple team exercises using Atomic Red Team test library
  • Performing ATT&CK coverage gap analysis to identify blind spots in SIEM/EDR
  • Building a detection validation loop: execute atomic test, check SIEM, tune rule, retest
  • Generating ATT&CK Navigator heatmap layers for executive reporting
  • Automating continuous atomic testing in CI/CD or scheduled pipelines
  • Mapping threat intelligence reports to executable atomic tests

Do not use for full-scope red team engagements requiring custom implants or live adversary simulation beyond atomic tests; use Caldera, SCYTHE, or Cobalt Strike for advanced adversary emulation.

DISCLAIMER: Atomic Red Team tests execute real attack techniques. Run only on systems you own or have explicit written authorization to test. Many tests modify system state, create artifacts, or trigger security alerts. Always execute cleanup commands after testing. Never run atomic tests in production without risk acceptance from stakeholders.
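The coverage gap analysis and ATT&CK Navigator heatmap steps listed above, as an added Python example that is not part of this skill or of the Atomic Red Team project. The test results are constructed sample data (test names are placeholder labels), the ATT&CK technique IDs are real, and the Navigator layer field names and version numbers are assumed from the layer format; the returned dict is meant to be written out with `json.dumps` and loaded into Navigator.

```python
# Constructed sample of atomic test outcomes (not from the page): each record is one
# Atomic Red Team test run, the ATT&CK technique it exercises, and whether the SIEM
# raised an alert for it when queried afterwards.
ATOMIC_RESULTS = [
    {"technique": "T1059.001", "test": "atomic-1", "alerted": True},
    {"technique": "T1059.001", "test": "atomic-2", "alerted": False},
    {"technique": "T1003.001", "test": "atomic-1", "alerted": True},
    {"technique": "T1053.005", "test": "atomic-1", "alerted": False},
    {"technique": "T1547.001", "test": "atomic-1", "alerted": False},
]

def coverage(results):
    """Per technique: how many atomic tests ran and how many the SIEM detected."""
    cov = {}
    for r in results:
        entry = cov.setdefault(r["technique"], {"tests": 0, "detected": 0})
        entry["tests"] += 1
        entry["detected"] += int(r["alerted"])
    return cov

def gaps(results):
    """Techniques with at least one undetected test, lowest detection ratio first."""
    cov = coverage(results)
    return sorted(
        (t for t, c in cov.items() if c["detected"] < c["tests"]),
        key=lambda t: (cov[t]["detected"] / cov[t]["tests"], t),
    )

def navigator_layer(results, name="Atomic detection coverage"):
    """Build an ATT&CK Navigator layer dict; score = % of tests detected (0 = blind spot).
    Version numbers are assumptions; adjust them to the Navigator instance you use."""
    techniques = []
    for tid, c in coverage(results).items():
        score = round(100 * c["detected"] / c["tests"])
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "comment": f"{c['detected']}/{c['tests']} atomic tests detected",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "techniques": techniques,
    }
```

Feed `gaps()` back into the tune-and-retest loop: each technique it returns is a rule to tune, and the run is repeated until the list is empty.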

Prerequisites

  • Windows host with PowerShell 5.1+ or PowerShell Core 7+ (Linux/macOS supported for cross-platform atomics)
Installs: 8 · GitHub Stars: 6.2K · First Seen: Mar 20, 2026