Loading...
Red-team and adversary emulation tools let your offensive operators behave like a real attacker inside your environment: establishing command and control, moving laterally, escalating privilege, and running the specific techniques a threat actor would use against you. The category spans full C2 frameworks, scripted adversary emulation platforms mapped to MITRE ATT&CK, and purple-team tooling that runs attacks and measures detection in the same loop. If you run an internal red team, manage an MSSP offering, or just want proof your detections actually fire, this is where you test the assumption that your defenses work before someone else does it for you.
We cover 149 Red-Team & Adversary Emulation tools, 134 free and 15 commercial.
Accuracy and depth improve over time. Last reviewed Jul 2026. Is something off? Reach out.
A covert channel technique that uses WebDAV protocol features to deliver malicious payloads and establish C2 communication while bypassing security controls.
MITRE Caldera™ is an automated adversary emulation platform built on the MITRE ATT&CK framework that supports red team operations and incident response activities through a modular C2 server and plugin architecture.
GraphSpy is a browser-based post-exploitation tool for Azure Active Directory and Office 365 environments that enables token management, reconnaissance, and interaction with Microsoft 365 services.
Shadow Workers is an open source C2 framework and proxy tool for penetration testers to exploit XSS vulnerabilities and malicious Service Workers.
Maintaining account persistence via XSS and Oauth
A golang utility to spider through a website searching for additional links.
Caldera is a cybersecurity framework by MITRE for automated security assessments and adversary emulation.
CrackMapExec (CME) - A tool for querying internal database for host and credential information in cybersecurity.
A post-exploitation tool for pentesting Active Directory
A tool that exposes the functionality of the Volume Shadow Copy Service (VSS) for creation, enumeration, and manipulation of volume shadow copies, with features for persistence and evasion.
A command line utility for managing volume shadow copies with capabilities for evasion, persistence, and file extraction.
Tool for randomizing Cobalt Strike Malleable C2 profiles to evade static, signature-based detection controls.
A tutorial on how to use Apache mod_rewrite to randomly serve payloads in phishing attacks
Customize Empire's GET request URIs, user agent, and headers for evading detection and masquerading as other applications.
Learn how to create new Malleable C2 profiles for Cobalt Strike to avoid detection and signatured toolset
Collection of Windows oneliners for executing arbitrary code and downloading remote payloads.
UPX is a high-performance executable packer for various executable formats.
A featured networking utility for reading and writing data across network connections with advanced capabilities.
A workshop on hacking Bluetooth Smart locks, covering architecture, vulnerabilities, and exploitation techniques.
A project for demonstrating AWS attack techniques with a focus on ethical hacking practices.
A Python-based red team toolkit that leverages AWS boto3 SDK to perform offensive operations including credential extraction and file exfiltration from EC2 instances.
Common questions about Red-Team & Adversary Emulation tools, selection guides, pricing, and comparisons.
They let security teams simulate real attacker behavior against their own environment. This includes command-and-control (C2) frameworks that operate implants and beacons, adversary emulation platforms that run scripted attack chains mapped to MITRE ATT&CK techniques, and purple-team tools that execute those attacks while measuring whether detections fire. The point is proving your defenses work, not assuming they do.
A scanner finds exposures; adversary emulation tests what happens after one is exploited. Rather than cataloging weaknesses, these tools reproduce the specific tradecraft of a named threat actor or technique: lateral movement, credential theft, persistence, and exfiltration. Compared to a one-time pentest, emulation is repeatable and often continuous, so you can rerun the same attack after tuning a detection and confirm the gap closed.
A C2 framework is the operator's tool: it manages implants, beacons, and post-exploitation actions during an engagement, optimized for stealth and operator control. A purple-team platform is the measurement layer: it fires known techniques on a schedule and checks whether your SIEM, EDR, or analysts caught them. Many programs use both, with the C2 framework driving the attack and the purple-team workflow scoring the defensive response.
A lot of mature, widely-used tooling here is open source and free, covering credential operations, scripted ATT&CK emulation, and full C2. Open source is often the right starting point for an internal team. Commercial tools tend to add managed evasion against current EDRs, hardened operational security, reporting, support, and licensing controls that matter for client-facing or regulated work. The deciding factor is whether you are building capability internally or delivering engagements at scale.