Getting started
OpenAEV allows you to validate your security posture by simulating real-world adversary techniques. It has been designed as part of the Filigran XTM suite and can be integrated with OpenCTI to generate meaningful attack scenarios based on real threats.
This guide introduces the key concepts and workflows behind the platform.
What you can do with OpenAEV
Some typical use cases include:
- Designing attack scenarios based on real threats
- Evaluating your security posture against technical simulations on endpoints
- Enhancing team skills during exercises and simulations
- Organizing Capture The Flag events with multiple challenges
- Conducting atomic testing on assets
Players & Teams
Before running a simulation, define who will participate.
- Players represent humans or roles (SOC analyst, sysadmin, end-user).
- Teams group players into units (SOC, IT Ops, HR).
Creating players and teams lets you measure not only technical outcomes but also the human response: who reports an alert, who escalates, who reacts according to playbooks.
Agents & Assets
Assets are the systems you want to test: workstations, servers, VMs, or logical groups.
You can:
- Deploy an OpenAEV agent for agent-based testing (executes payloads, reports telemetry, supports automated checks)
- Use agentless endpoints when software installation is not possible
Assets are reused across scenarios and simulations, so it is worth naming and tagging them carefully (OS, owner, environment).
Payloads & Injects
Payloads are the technical actions: running a command, scanning a network, or checking for a vulnerability.
Injects wrap payloads with context:
- who is the target
- when it should run
- what is expected in return
OpenAEV includes collectors with ready-to-use payloads: OpenAEV curated payloads and Atomic Red Team.
Scenarios & Simulations
A scenario is a blueprint: a sequence of injects that tell the story of an attack.
You can:
- Import pre-built scenarios from the XTM Hub
- Create your own from scratch
Once defined, a scenario can be turned into a simulation: a live execution in your environment, either one-shot or scheduled regularly.
During simulations, expectations are validated:
- Automatically, via integrations with your stack
- Manually, by observers validating human reactions
Results & Dashboards
After a simulation, results are consolidated along four axes:
- Prevention: were the attack steps blocked?
- Detection: were they detected?
- Vulnerability: which exposures were identified?
- Human response: how did players and teams react?
Dashboards let you explore these results at different levels: from a global overview of your posture to the detailed timeline of a simulation.
The Starter Pack
OpenAEV includes a Starter Pack to accelerate onboarding.
It provides:
- Pre-built scenarios (tabletop, agentless, agent-based)
- Four dashboards
- Injectors (Nmap, Nuclei)
- Collectors (Atomic Red Team, MITRE ATT&CK, OpenAEV payloads, CVE/NVD feed)
- One agentless endpoint + an asset group
With the Starter Pack, you can launch a complete simulation right after installation.
An end-to-end atomic example (with agent)
Let's walk through the simplest possible scenario, using only an agent and an atomic payload.
Imagine you deployed an OpenAEV agent on a Windows endpoint named endpoint-win-01.
Step 1: Create the payload

```powershell
echo "OpenAEV Atomic Test" > C:\temp\atomic.txt
```

The payload is a single command executed on the Windows endpoint through the agent; the target directory C:\temp must already exist, otherwise the redirect fails and the inject is reported as failed.
Step 2: Build the inject
- Create an atomic test in the UI
- Use the created payload
- Target endpoint-win-01
Step 3: Run the simulation
Click Launch now. The platform executes the payload via the agent. The result should appear in the atomic testing overview.
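The one-line payload above is the minimum; in practice a payload that will be re-run on a schedule should also check its own result and clean up after itself, the way Atomic Red Team tests pair an attack step with a cleanup step. The following PowerShell payload is an added example written for this guide, not code shipped by the OpenAEV project or the Atomic Red Team collector; the directory C:\temp, the marker file name and the marker text are assumptions for the illustration.

```powershell
# Added example (not from the OpenAEV project): the benign file-creation
# payload from Step 1, restructured as prerequisite -> attack -> check -> cleanup.
# The path C:\temp, the file name and the marker text are assumptions.
$ErrorActionPreference = 'Stop'
$Dir    = 'C:\temp'
$Marker = Join-Path $Dir 'atomic.txt'
$Text   = 'OpenAEV Atomic Test'

# Prerequisite: a bare redirect into a missing directory fails, so create it first.
if (-not (Test-Path -LiteralPath $Dir)) {
    New-Item -ItemType Directory -Path $Dir | Out-Null
}

# Attack step: the benign write that prevention and detection controls should see.
Set-Content -LiteralPath $Marker -Value $Text -Encoding ASCII

# Expectation check: only report success if the file really landed on disk intact.
# A blocked or quarantined write surfaces here as a non-zero exit code.
if (-not (Test-Path -LiteralPath $Marker) -or
    (Get-Content -LiteralPath $Marker -Raw).Trim() -ne $Text) {
    Write-Error "marker file missing or altered: $Marker"
    exit 1
}
Write-Output "marker written: $Marker"

# Cleanup: remove the artifact so the next scheduled run starts from a clean state
# and a leftover file from a previous run cannot masquerade as a fresh success.
Remove-Item -LiteralPath $Marker -Force
exit 0
```

The exit code is what the agent reports back, so keeping the check inside the payload makes the inject's technical expectation self-contained; the cleanup matters as soon as the scenario is scheduled rather than launched once.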
A more complete example
Now imagine simulating a phishing attack followed by reconnaissance.
Assets:
- Windows workstation with an agent (endpoint-win-01)
- Database server without an agent (srv-db-01)
Injects:
- Phishing email: expected to be reported (manual validation)
- Initial access: benign file creation on endpoint-win-01
- Network scan: run from the endpoint
- Exploit attempt: non-destructive CVE check on the DB server
Outcome: you can validate phishing reporting (human response), EDR blocking (prevention), IDS detection of the scan (detection) and the CVE check results (vulnerability). Dashboards consolidate both the technical and the human responses.
Next steps
- Create custom injects and payloads
- Import threat-informed scenarios from the XTM Hub
- Connect with OpenCTI
- Track improvements over time in dashboards
OpenAEV is more than a test runner: it is about continuously validating your exposure and turning the findings into stronger defenses.