Module 16: Attack Simulation & Detection Validation
Test your defenses. Close the purple team loop.
You'll replay the attack with Caldera and validate that your detections caught every step.
Lessons & Labs
Purple Team Fundamentals
Red vs Blue vs Purple teams, why blue teams simulate attacks, ATT&CK-based testing methodology, intro to Caldera and Atomic Red Team
Lab 16.1 — Your First Atomic Test
Run Atomic Red Team Linux tests and observe corresponding alerts in Wazuh.
Atomic Red Team — Technique-Level Testing
Atomic test library structure, YAML format, running Linux atomics, interpreting results, mapping to ATT&CK techniques
Lab 16.2 — Deploy & Operate Caldera
Explore Caldera UI, verify agent connection, run discovery adversary profile.
Caldera — Adversary Emulation Platform
Architecture (C2 server, Sandcat agents, abilities, adversary profiles), operations and planners, web UI walkthrough
Lab 16.3 — Detection Coverage Assessment
Use ATT&CK Navigator to map detections, identify gaps, prioritize techniques.
Building Detection Validation Workflows
Running attacks, then verifying that detections fire in Wazuh; coverage gap analysis; rule tuning based on test results
Lab 16.4 — Adversary Emulation Campaign
Execute multi-step Operation Shadow Test in Caldera, monitor each stage in Wazuh.
Automated Purple Team Operations
Caldera REST API, scripting attack-then-verify workflows, measuring detection maturity, continuous validation concepts
Lab 16.5 — Purple Team Automation
Use Caldera REST API + bash scripts to automate attack-detect-validate cycles.