- The CyberLens Newsletter
- Posts
- Inside CALDERA: How the MITRE Open-Source Adversary Emulation Framework Is Powering the Next Generation of Cybersecurity Testing
Inside CALDERA: How the MITRE Open-Source Adversary Emulation Framework Is Powering the Next Generation of Cybersecurity Testing
An Examination into MITRE’s CALDERA Platform—Its Architecture, Use Cases, Implementation, Challenges, and the Strategic Role It Plays Across Public and Private Sector Cyber Defense
Devona Green Jordan
July 09, 2025
In partnership with
Start learning AI in 2025
Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.
It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.
Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.
Interesting Tech Fact:
One rare and fascinating fact about cybersecurity frameworks is that the concept of the MITRE ATT&CK framework was originally inspired by the same behavioral science used in military war-gaming simulations. Unlike traditional rule-based systems, ATT&CK was designed to catalog adversary behavior in a way that mimics how real threat actors think and operate—drawing parallels from cognitive decision loops like the OODA (Observe–Orient–Decide–Act) loop. This unique psychological foundation allows frameworks like MITRE ATT&CK and its counterpart emulation tools (like CALDERA) to simulate not just tools and exploits, but the strategic decision-making process behind real-world cyberattacks—something most standard security frameworks overlook entirely.
Introduction
In the dynamic world of cybersecurity, where threat actors constantly evolve their tactics, tools, and procedures (TTPs), defenders are compelled to innovate their approach. The MITRE CALDERA™ framework—an open-source adversary emulation platform—is emerging as a critical asset for red teams, blue teams, and purple teams alike. Created and maintained by the MITRE Corporation, CALDERA enables automated, intelligence-driven adversary simulation using real-world TTPs mapped to the MITRE ATT&CK® framework.
CALDERA is not just a tool—it's a modular, extensible ecosystem for testing, validating, and hardening defenses in a controlled, repeatable, and scalable manner. This article presents an examination as to what CALDERA is, who uses it, how it is implemented, and why it is shaping the future of cyber threat emulation. We’ll also discuss its limitations—and how organizations can mitigate them for effective usage.
What Is MITRE CALDERA?
MITRE CALDERA is an open-source, automated adversary emulation platform developed to help security teams test and improve their defenses by simulating realistic attack scenarios. First released in 2018, CALDERA is written in Python and designed around the MITRE ATT&CK® knowledge base, which categorizes real-world adversarial behaviors.
Core Capabilities
Automated Adversary Emulation: Simulate advanced persistent threats (APTs) by running realistic attack sequences based on real-world TTPs.
Red Team Operations: Emulate attackers to test detection and response capabilities.
Blue Team Readiness: Provide defenders with alerts and logs to improve detection and monitoring strategies.
Purple Team Collaboration: Facilitate shared learning between offensive and defensive security teams.
Key Features
Plugin-Based Architecture: Enables modular expansion with custom plugins.
Agent-Based Operations: Uses lightweight agents (e.g., Sandcat) that run commands on target systems across platforms.
Operation Scheduling: Allows complex chains of behavior (attack chains) to be deployed and timed.
Human Emulation Plans (HEPs): Scripted sequences of behavior mimicking real-world attacker movement through networks.
Cross-Platform Support: Supports Windows, Linux, and macOS endpoints.
Who Uses CALDERA and Why?
1. Government Agencies
U.S. federal agencies such as the Department of Defense (DoD), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Homeland Security (DHS) utilize CALDERA to test resilience against nation-state threat actors. Given its alignment with ATT&CK, CALDERA enables these agencies to simulate APT tactics with precision.
2. Private Sector Enterprises
Fortune 500 companies, especially in critical infrastructure, finance, energy, and healthcare, use CALDERA to simulate threats from ransomware groups, insiders, and external hackers. It allows defenders to rehearse responses and refine security controls without causing real-world impact.
3. Managed Security Service Providers (MSSPs) and Red Teams
Consulting firms and MSSPs integrate CALDERA into their red teaming and penetration testing offerings. It reduces manual effort and brings consistency and repeatability to testing.
4. Security Researchers and Academia
Universities and independent researchers use CALDERA to study attacker behavior and develop new detection mechanisms. Its open-source nature allows in-depth customization and exploration of TTPs.
Why Is CALDERA Being Recommended?
The increasing emphasis on threat-informed defense strategies has elevated the value of CALDERA. It is recommended by cybersecurity professionals and institutions for several reasons:
Realism: Unlike basic penetration testing tools, CALDERA emulates multi-step attack paths using TTPs seen in the wild.
Automation: Allows continuous testing of detection and response capabilities without requiring round-the-clock human red teams.
Customization: Fully extensible for custom TTPs, detection logic, and integrations with SIEM/SOAR platforms.
Free and Open Source: Reduces cost barriers and fosters community-driven innovation.
Alignment with MITRE ATT&CK: Ensures emulations are grounded in real-world threat intelligence.
Types of Organizations That Implement CALDERA
CALDERA's versatility makes it attractive across a range of industries:
Organization Type | Use Case |
Financial Institutions | Simulating banking trojans, BEC attacks, and data exfiltration scenarios |
Energy Sector | Testing ICS/SCADA security postures against APT-level intrusions |
Healthcare Providers | Emulating ransomware and lateral movement across endpoints and EMR systems |
Technology Firms | Validating endpoint security agents and SIEM alerting rules |
Government Contractors | Ensuring compliance with NIST 800-53, CMMC, and Zero Trust strategies |
Academia | Conducting research and building cyber range labs for student training |
How Is CALDERA Implemented?
Implementing CALDERA involves several steps, from environment setup to operation design. Here's a detailed overview:
1. Environment Preparation
Infrastructure Setup: Install CALDERA server (Linux preferred) on a secure host with access to the internal network.
Agent Deployment: Distribute the Sandcat agent on target machines using scripting, group policy, or manual installation.
Credential Management: Configure credentials and SSH/WinRM access as needed.
2. Configuration
Create an Adversary Profile: Define TTPs to be used in operations by referencing ATT&CK techniques.
Build Operations: Chain together TTPs into a logical attack flow using Human Emulation Plans (HEPs).
Setup Fact Sources: Include environmental variables such as IPs, credentials, hostnames to enrich realism.
Security Controls Testing: Integrate with your SIEM/XDR for detection validation.
3. Execution
Run Operations: Launch emulations using the GUI or REST API. Monitor execution in real time.
Monitor and Collect Telemetry: Observe logs, alerts, endpoint behavior, and telemetry data.
Conduct Post-Op Analysis: Identify detection gaps, blind spots, and missed alerts.
4. Reporting and Feedback
Generate executive-level and technical reports.
Feed findings back into detection engineering pipelines.
Refine adversary emulations based on test outcomes.
Disadvantages of Using CALDERA
While CALDERA is a powerful platform, it’s not without limitations:
1. Complex Setup and Learning Curve
Issue: New users often find CALDERA’s architecture and configuration overwhelming.
Mitigation: Use prebuilt adversary profiles and community plugins. Consider integrating CALDERA with training programs or labs to build team competence.
2. Operational Detection Risk
Issue: Running CALDERA in a production environment can accidentally trigger defensive controls or cause system slowdowns.
Mitigation: Use isolated test environments or sandboxed segments of the network. Employ rate-limiting, and ensure operations are scheduled during off-peak hours.
3. Limited Native UI/UX
Issue: The interface can feel clunky and unintuitive compared to commercial alternatives.
Mitigation: Use the REST API or integrate CALDERA into broader platforms like DeTT&CT, SnapAttack, or custom dashboards.
4. TTP Limitations
Issue: While aligned to ATT&CK, not all TTPs are covered natively or have full behavioral fidelity.
Mitigation: Develop custom plugins or modify existing ones to cover organization-specific threat scenarios.
5. Agent Detection by AV/EDR
Issue: CALDERA’s agents like Sandcat may be flagged by antivirus or EDR solutions.
Mitigation: Recompile agents, obfuscate payloads, and perform whitelisting or exclusions in test environments.
Final Thoughts
MITRE CALDERA is a strategic asset in the ongoing effort to simulate, understand, and defend against sophisticated cyber threats. Its alignment with the ATT&CK framework, extensibility, and open-source availability make it a powerful tool for organizations aiming to move beyond checkbox security and into a realm of real, threat-informed resilience.
However, like any tool, its effectiveness hinges on skilled implementation and contextual adaptation. By recognizing its limitations and applying structured mitigations, organizations can turn CALDERA into a force multiplier—one that brings clarity to chaos, and confidence to the ever-evolving cybersecurity landscape.
