Introduction to Adversary Emulation

What is adversary emulation? 

Adversary emulation leverages adversary tactics, techniques, and procedures, enhanced by cyber threat intelligence, to create a security test based on real-world intrusion campaigns.

Security tests using adversary emulation identify gaps, verify defensive assumptions, and prioritize resources. Red teams and penetration tests often cover identification and verification, but they typically fall short when it comes to prioritizing organizational needs and budgets. Traditionally, these approaches have also not focused on answering questions like:

“Could that attack that we saw in the news have happened to us?”


“What would happen if our systems were targeted by an organized crime group looking to profit from ransomware?”

Adversary emulation helps organizations focus their security testing to prioritize threats that their defenders may face each day.

Successful adversary emulation is a collaborative effort between multiple cybersecurity domains of expertise, particularly red team and cyber threat intelligence (CTI) professionals. CTI professionals work with the security operations center (SOC) and senior leadership to determine what types of threats might target the organization, while red teams work to test and probe defenses. Red teams have the tradecraft and skillset to perform malicious actions to subvert defenses, but for organizations trying to understand what red team findings mean for their security posture, that expertise is far more valuable when it is tied to real-world threat data.

Previously, the synthesis of CTI and red teaming was more challenging due to a lack of readily available data and a consistent way to share information. In 2016, the MITRE Corporation released the very first version of ATT&CK, a framework that served as a foundation for information sharing related to adversary behaviors. ATT&CK’s success is driven by the community contributions of organizations worldwide, enabling adversary data coverage unlike anything previously seen. The tactics and techniques in ATT&CK have been identified in real-world intrusions, making them ideal candidates for emulations. New adversary campaigns can be mapped to ATT&CK and shared so that others can emulate adversaries of interest to their organization.

SCYTHE and adversary emulation

Adversary emulation is a key component of a successful security testing program, but it can be difficult to hire people with the requisite knowledge and even more difficult to scale. SCYTHE’s platform was built specifically for SOCs and security professionals to easily add adversary emulation to their arsenal.

As creators of the Purple Team Exercise Framework, SCYTHE’s team has a deep understanding of how organizations can effectively build tests to maximize return on their security investments. SCYTHE integrates the adversary emulation process into an easily deployed platform. The platform maps to ATT&CK to provide a common language between testing and defensive technologies like endpoint detection and response tools or managed security service providers. SCYTHE’s team provides updates with new adversaries from Threat Thursdays, and the platform enables test repeatability to measure improvements in organizational defenses.

SCYTHE Professional Services

Want to learn how to perform adversary emulation and build a high-value program in your organization? In addition to the platform, SCYTHE offers professional services including exercises to build adversary emulation as an internal capability. Learn more here.


SCYTHE Expertise

Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.

Jorge Orchilles is SCYTHE’s Chief Technology Officer, co-creator of the C2 Matrix project, and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of the MITRE Engenuity Center of Threat-Informed Defense.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.