OpenAEV: Open-source adversarial exposure validation platform

OpenAEV is an open source platform designed to plan, run, and review cyber adversary simulation campaigns used by security teams. The project focuses on organizing exercises that blend technical actions with operational and human response elements, all managed through a single system.


Scenarios as the foundation

At the core of OpenAEV is the concept of a scenario. A scenario defines a threat context and turns it into a structured plan made up of events called injects. Scenarios can include background material such as documents, media files, and contextual data that help frame the exercise for participants. Players and assets are defined at this level, linking people and endpoints to the planned activity.

Scenarios also serve as reusable templates. Teams can run multiple simulations from the same scenario to track results over time and observe patterns across repeated exercises tied to a specific threat model.

Simulations and timed injects

A simulation represents a single execution of a scenario. Each simulation schedules injects along a timeline, allowing events to unfold in a controlled sequence. Injects cover a range of actions, including endpoint activity and player-focused tasks such as incident communications or coordination steps.

Injects can include conditions that determine when they run. These conditions rely on defined expectations, which describe the outcomes teams want to observe during the exercise. Expectations cover areas such as prevention behavior, detection signals, vulnerability handling, and human decision making. Results from expectations feed into scoring and reporting functions that summarize how controls and processes performed during the simulation.

Integrations through injectors and collectors

OpenAEV connects to external systems through injectors and collectors. Injectors deliver actions into target environments. Some injectors trigger payload execution on endpoints, and others deliver messages through communication channels used by participants. The platform supports extending injectors to fit different environments and workflows.

For endpoint simulations, OpenAEV uses neutral agents that execute payloads as detached processes on target systems. Agent support includes Windows, Linux, and macOS, allowing exercises across mixed operating system environments.

Collectors handle inbound data. They retrieve alerts and events from security tools such as EDR and XDR platforms and map them to expectations defined in the simulation. This process allows teams to link injected activity to observed telemetry and evaluate detection and response behavior in a structured way. The platform exposes a REST API to support custom collectors and integrations.
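To make the inject/expectation/collector flow concrete, here is an added toy model (not OpenAEV's own code or data model) that schedules injects along a timeline, skips an inject whose condition is not satisfied, lets a collector map constructed EDR-style alerts to prevention and detection expectations by asset, inject tag and time window, and rolls the results up into per-kind scores. The field names, the `run_if_unmet` condition and the alert format are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
@dataclass
class Expectation:
    kind: str                # "prevention" or "detection" (toy labels)
    met: bool | None = None  # None until a collector has evaluated it
@dataclass
class Inject:
    inject_id: str
    at: int                  # seconds after simulation start
    asset: str               # endpoint targeted by the inject
    expectations: list = field(default_factory=list)
    run_if_unmet: str | None = None  # condition: run only if that inject failed an expectation

# Constructed EDR-style alerts a collector might pull; not real telemetry.
SAMPLE_ALERTS = [
    {"host": "ws-01", "action": "blocked", "tag": "inj-1", "ts": 15},
    {"host": "ws-02", "action": "detected", "tag": "inj-2", "ts": 70},
]

def map_alerts(inj, alerts, window=60):
    """Collector step: match alerts to one inject's expectations by asset, tag and time window."""
    for exp in inj.expectations:
        exp.met = False
    for a in alerts:
        if a["host"] != inj.asset or a["tag"] != inj.inject_id or not inj.at <= a["ts"] <= inj.at + window:
            continue
        for exp in inj.expectations:
            if exp.kind == "prevention" and a["action"] == "blocked":
                exp.met = True
            elif exp.kind == "detection" and a["action"] in ("blocked", "detected"):
                exp.met = True

def run_simulation(injects, alerts):
    """Fire injects in timeline order, honouring conditions; return ran ids and per-kind scores."""
    ran, tally = {}, {}
    for inj in sorted(injects, key=lambda i: i.at):
        dep = ran.get(inj.run_if_unmet)
        if inj.run_if_unmet and (dep is None or all(e.met for e in dep.expectations)):
            continue                     # condition not satisfied: inject skipped
        ran[inj.inject_id] = inj
        map_alerts(inj, alerts)          # collector evaluates this inject's expectations
        for e in inj.expectations:
            m, n = tally.get(e.kind, (0, 0))
            tally[e.kind] = (m + e.met, n + 1)
    return list(ran), {k: round(100 * m / n) for k, (m, n) in tally.items()}

SCENARIO = [  # reusable scenario: rerun against new alerts to track results over time
    Inject("inj-1", 10, "ws-01", [Expectation("prevention"), Expectation("detection")]),
    Inject("inj-4", 30, "ws-01", [Expectation("detection")], run_if_unmet="inj-1"),
    Inject("inj-2", 60, "ws-02", [Expectation("prevention"), Expectation("detection")]),
    Inject("inj-3", 120, "ws-02", [Expectation("detection")], run_if_unmet="inj-2"),
]
```

Running `run_simulation(SCENARIO, SAMPLE_ALERTS)` skips inj-4 (inj-1 was fully prevented and detected), runs inj-3 because inj-2 was detected but not prevented, and yields 50% prevention and 67% detection.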

OpenAEV supports deployment through container-based setups as well as manual installations. The documented architecture relies on common infrastructure components such as a relational database, search services, message queues, and object storage.

OpenAEV is available for free on GitHub.
