MITRE Caldera
MITRE Caldera: An Advanced Platform for Threat-Informed Cybersecurity Emulation
Executive Summary
MITRE Caldera stands as an open-source adversary emulation platform meticulously designed to automate breach-and-attack simulation exercises. Its foundational alignment with the MITRE ATT&CK framework underscores its primary goal: to empower organizations in rigorously enhancing their cybersecurity defenses through realistic threat simulation.1
The platform offers versatile capabilities, including robust support for autonomous red-team engagements, automated incident response, and manual red-teaming operations. Furthermore, it serves as a valuable tool for advanced cybersecurity research. Its modular design, facilitated by a comprehensive plugin architecture and seamless integration with ATT&CK, represents a core strength, allowing for extensive customization and expansion of its functionalities.1
Caldera caters to a diverse user base, encompassing cybersecurity professionals such as Red Teamers, Blue Teamers, Security Analysts, and dedicated researchers. The core advantages derived from its utilization include significant time and cost savings, a measurably improved defense posture, and invaluable training opportunities for security personnel.2 The automation capabilities of Caldera fundamentally transform the landscape of cybersecurity testing. By reducing the resource intensity typically associated with advanced security assessments, it makes sophisticated threat emulation accessible to organizations with fewer resources, effectively democratizing advanced security testing. For well-resourced organizations, this efficiency allows expert red teams to dedicate their efforts to more complex, novel threats rather than repetitive tasks, thereby accelerating vulnerability management and continuous security evaluation.5
Beyond its foundational capabilities, Caldera demonstrates sophisticated utility in mimicking Advanced Persistent Threats (APTs) through the strategic application of specialized plugins and the crafting of custom Tactics, Techniques, and Procedures (TTPs).4 This report delves into the comprehensive practical implementation guidance and deeper technical aspects of MITRE Caldera, providing a thorough understanding of its operational methodology and strategic value.
1. Introduction to MITRE Caldera
1.1 What is MITRE Caldera?
MITRE Caldera is fundamentally an open-source adversary emulation platform. Its core design is centered around the automation of breach-and-attack simulation exercises. A critical aspect of its architecture and functionality is its deep integration with the MITRE ATT&CK™ framework, which serves as its backbone.1 This integration is more than a mere reference; it transforms ATT&CK from a static knowledge base into a dynamic, operational language. By leveraging the globally accessible knowledge of adversary tactics and techniques, Caldera provides a practical, executable manifestation of threat intelligence. This allows security teams to translate abstract threat data into concrete, repeatable actions, fostering a common understanding and shared operational blueprint for security testing and defense improvement.14
The overarching objective of Caldera is to empower cybersecurity professionals and organizations. It achieves this by providing a robust mechanism to assess existing defenses, proactively identify vulnerabilities, and consequently enhance their overall security posture. This is accomplished through the emulation of real-world cyber threats under highly realistic and controlled conditions.2
Beyond its primary role in autonomous breach-and-attack simulations, Caldera demonstrates remarkable versatility. It can be effectively utilized for conducting manual red-team engagements, streamlining automated incident response procedures, and contributing significantly to cybersecurity research, including cutting-edge applications in artificial intelligence.1
The framework is architecturally composed of two main components: the core system and a modular plugin ecosystem. The core system provides the foundational framework code, which includes an asynchronous command-and-control (C2) server equipped with a REST API and a user-friendly web interface. Plugins, as separate repositories, extend these core capabilities, offering additional functionalities such as diverse agents, specialized GUI interfaces, and extensive collections of Tactics, Techniques, and Procedures (TTPs).1
1.2 The Genesis: Who Created Caldera?
MITRE Caldera originated as an active research project within MITRE, commencing its development in 2015 and officially launching as a comprehensive adversary emulation platform in 2019.17 The development of Caldera v5, codenamed “Magma,” involved a dedicated team of experts. Michael Kouremetis is credited as a key author of the v5 announcement, while Jamie Scott, Joey Morin, and Adam Gaudreau were responsible for significant UI/UX improvements. Chris Lenk served as the core developer, focusing on integration, quality, and testing. Crucially, Mark Perry and Dan Martin, MITRE’s in-house red-teamers, provided the “voice of the operator,” ensuring key features were designed with practical offensive security operations in mind.1
MITRE actively fosters community involvement through its Caldera Benefactor Program. This initiative invites global community members, such as cybersecurity services leaders Coalfire and NVISO, to provide charitable donations that directly support the platform’s ongoing development, advancement, and maintenance. These contributions specifically fund additional features, rigorous testing, and design reviews, directly enhancing the platform for its global user community.10
A notable strategic partnership includes the collaboration with the Critical Infrastructure Security Agency (CISA) for the release of Caldera for OT (Operational Technology). This specialized version provides free and open-source OT adversary emulation capabilities, directly benefiting critical infrastructure stakeholders, including asset owners and operators, and OT cyber practitioners.10 The integration of direct operator feedback from internal red-teamers and external community and industry contributions creates a powerful, continuous feedback loop. This collaborative, operator-centric development model is vital for Caldera’s sustained relevance and effectiveness in the dynamic cybersecurity landscape, allowing for rapid adaptation to new adversary TTPs and emerging defensive requirements. This approach ensures that the tool remains a robust and trusted platform for critical security assessments, balancing academic rigor with operational practicality.
2. Purpose and Applications of MITRE Caldera
2.1 Core Functionality and Design Principles
Caldera’s primary function is to automate adversary behavior by leveraging real-world Tactics, Techniques, and Procedures (TTPs). This capability enables security teams to construct and deploy specific threat profiles within their networks, facilitating the identification of vulnerabilities and a thorough assessment of existing security measures.3
A cornerstone of Caldera’s design is its full integration with the MITRE ATT&CK framework. This deep connection ensures comprehensive emulation scenarios and allows for precise mapping of simulated attacks to documented adversary techniques, enhancing the relevance and actionable nature of the assessments.1 This integration propels organizations beyond mere attack simulation. By generating detailed logs and behavioral evidence during operations, Caldera provides actionable intelligence. This empowers blue teams to move past static Indicator of Compromise (IOC) detection and focus on developing robust, behavioral-based detection and response mechanisms. This shift is critical for identifying advanced threats and continuously improving security posture based on concrete, observed behaviors rather than just signatures.2
Caldera is built upon a highly modular architecture that readily supports the integration of various plugins, custom tools, and tailored TTPs. This inherent flexibility is crucial, as it allows organizations to craft highly targeted and specific emulation scenarios that align precisely with their unique security requirements and operational contexts.1
The platform operates by deploying custom backdoors, referred to as “agents” (such as Sandcat, Manx, and Ragdoll), onto target systems. These agents are instrumental in emulating diverse adversary techniques and are equipped with built-in functionalities to mimic realistic command-and-control (C2) communications, providing a lifelike attack simulation environment.2
Recent advancements, particularly in Caldera v5 (code-named “Magma”), have prioritized key design themes: “operator awareness, speed of comprehension, and confidence of control.” This focus translates into a streamlined user interface that highlights the most critical information, views, and actions for cyber operators executing adversary emulation operations, making the platform more intuitive and efficient to use.19
2.2 Who Uses Caldera and Why?
Caldera serves a broad spectrum of cybersecurity professionals and organizations, each leveraging its capabilities for distinct but interconnected purposes.
Primary Users:
Red Teams: These offensive security specialists utilize Caldera for both autonomous and manual red-team engagements. The platform enables them to develop and test offensive capabilities, augmenting their existing offensive toolsets with automated assistance and exploring new attack vectors.1
Blue Teams/Defenders: Defensive security teams employ Caldera to rigorously test and develop cyber defenses, evaluate the efficacy of security products, and verify Security Operations Center (SOC) analytics. This ultimately enhances their detection and response capabilities against real-world threats.2
Incident Response Teams: Caldera is instrumental in automating various incident response scenarios, streamlining their ability to react swiftly and effectively to security incidents and practice their response playbooks.1
Researchers: The platform is a valuable tool for conducting cutting-edge research in artificial intelligence within cybersecurity, cyber gaming, advanced emulation and simulation, and the development of automated offensive and defensive cyber operations.1
Critical Infrastructure Stakeholders: Specifically, Caldera for OT is tailored for asset owners, operators, and OT cyber practitioners, providing essential capabilities for assessing the security of industrial control systems (ICS/OT environments) against specialized threats.10
Trainers and Educators: Caldera provides a robust environment for training computer incident response teams and SOC analysts, offering interactive tutorials and capture-the-flag style courses to build practical skills and certify user proficiency.7
Motivation for Use:
The widespread adoption of Caldera is driven by several compelling motivations:
Efficiency and Resource Optimization: It significantly reduces the time, cost, and effort traditionally associated with manual security assessments and routine testing. This efficiency allows security teams to reallocate valuable human and financial resources to more complex and strategic cybersecurity challenges.4
Threat-Informed Defense: By enabling the emulation of real-world adversaries and their observed TTPs, Caldera provides deep understanding into an organization’s resilience against specific, relevant cyber threats, allowing for targeted defense improvements.3
Continuous Assessment: The platform facilitates the establishment of continuous security evaluation pipelines, allowing for the rapid tuning and validation of behavioral-based intrusion detection systems in an ongoing manner. This moves organizations towards a more adaptive and resilient security posture.5
Training and Skill Development: It offers a hands-on, practical platform for training security personnel, allowing them to gain invaluable experience in detecting and responding to specific threats in a controlled environment.4
Caldera’s ability to serve both offensive and defensive teams, coupled with its ATT&CK-mapped emulation capabilities, positions it as a pivotal platform for Purple Teaming. It provides a shared, objective framework that facilitates direct collaboration between red and blue teams. Red teams can execute TTPs, and blue teams can use the generated logs and behaviors to validate and improve their detections and responses. This fosters a more constructive, iterative, and adaptive security improvement cycle, where insights from offensive operations directly inform and validate defensive enhancements, leading to a more mature and resilient security posture.10
2.3 Key Benefits of Adversary Emulation with Caldera
Adversary emulation with MITRE Caldera offers several profound benefits that collectively enhance an organization’s cybersecurity posture:
Enhanced Security Posture: By providing a controlled environment for simulating real-world cyber threats, Caldera enables organizations to conduct comprehensive assessments of their defenses, proactively uncover vulnerabilities, and systematically improve their overall security posture against evolving threats.2
Significant Time and Cost Savings: The automation of routine security assessments through Caldera dramatically reduces the time, financial cost, and human effort typically associated with manual testing methodologies. This efficiency allows security teams to reallocate valuable resources to more complex and strategic cybersecurity challenges, maximizing their impact.4
Realistic Testing Environment: Caldera empowers blue teams to test their detection and response mechanisms under highly realistic conditions. This moves the focus beyond simplistic indicator-of-compromise (IOC) based detection to more sophisticated behavioral detection, which is crucial for identifying advanced threats and understanding the nuances of adversary actions.2
Improved Detection and Response Capabilities: The platform directly contributes to the refinement of behavioral-based intrusion detection systems. Furthermore, by offering perceptive understanding into the operational modalities of Advanced Persistent Threats (APTs), Caldera fosters the development and implementation of preemptive cybersecurity initiatives, moving organizations towards a more proactive defense.5 This capability allows security teams to anticipate and mitigate risks by testing defenses against anticipated threats
before they manifest as actual incidents. The continuous nature of these emulations enables an ongoing process of adaptation, allowing organizations to identify and remediate weaknesses, validate controls, and train staff in a controlled environment, thereby significantly reducing their attack surface and improving readiness against future attacks.14
Standardized and Consistent Assessments: For specialized domains like Operational Technology (OT), Caldera for OT leverages existing open-source OT protocol libraries. This ensures consistency in emulation and facilitates the development and capture of standardized testing metrics, which is vital for compliance and continuous improvement in critical infrastructure environments.10
Comprehensive Training and Skill Development: Caldera provides an invaluable practical platform for training computer incident response teams and SOC analysts. Through hands-on adversary emulation, security personnel gain direct experience with real-world attack scenarios, significantly enhancing their skills and readiness to detect and respond effectively.4
3. Operational Methodology: How Caldera Works
3.1 Fundamental Concepts: Agents, Abilities, Adversaries, Operations, Facts, Planners, Plugins
Understanding the core components of MITRE Caldera is essential for effective adversary emulation. These elements work in concert to simulate complex attack scenarios.
Agents: These are the essential implants deployed on target systems, often referred to as victim machines. Agents establish communication with the Caldera C2 server, receive instructions for execution, perform defined abilities, and transmit results back to the server. Prominent examples include Sandcat (Caldera’s default, cross-platform agent written in GoLang), Manx (a TCP-based agent providing reverse shell capabilities), and Ragdoll (a Python-based agent). Agents can be dynamically compiled, allowing for variations in their characteristics to enhance stealth, such as generating different file hashes and random names to blend into the operating system.2
Abilities: Abilities represent the granular actions or specific techniques that an agent is capable of performing. These are meticulously mapped to the MITRE ATT&CK techniques, serving as the fundamental building blocks from which complex adversary emulation scenarios are constructed.6
Adversaries: An adversary in Caldera is a sophisticated construct representing a malicious actor. It is defined as a curated collection of abilities, strategically grouped into “phases” to depict the realistic progression of an attack chain. Caldera provides a library of pre-built adversaries (e.g., “Discovery,” “Hunter,” “Advanced Thief via GitHub Repo”), and users have the flexibility to create custom adversary profiles tailored to specific threat intelligence.1
Operations: An operation constitutes the execution phase of an adversary’s defined TTPs against a designated target network or specific hosts. The progress of operations is dynamically monitored through the Caldera user interface, providing real-time understanding into the status, including compromised hosts and discovered credentials.1
Facts: Facts are discrete pieces of information discovered or collected during an ongoing operation. Examples include host details, discovered credentials, or network connection data. These facts are crucial as they can dynamically influence and dictate subsequent actions within the emulation. Fact sources are configurations that define the origins from which these facts are gathered.1
Planners: Planners are intelligent components responsible for determining the optimal sequence of abilities to execute. Their decisions are based on the current state of an operation and the available facts, enabling autonomous and adaptive cyber operations that mimic realistic adversary decision-making. This dynamic adaptation is a key differentiator from static, pre-defined attack scripts.1
Plugins: Plugins are modular extensions that significantly expand Caldera’s core capabilities. They provide a wide array of additional functionalities, including diverse agent types, specialized GUI interfaces, extensive collections of TTPs, and domain-specific modules such as Atomic (for Red Canary Atomic tests), Stockpile (for technique and profile storage), Manx (for reverse shells), and Caldera for OT (for Industrial Control Systems emulation).1
Key Table 3.1: Core Components of MITRE Caldera
| Component Name | Brief Definition | Key Function/Role in Emulation |
|---|---|---|
| Agent | Implant deployed on target systems. | Executes abilities, communicates with C2, reports results. |
| Ability | Granular action or technique. | Fundamental building block mapped to MITRE ATT&CK. |
| Adversary | Collection of abilities grouped into phases. | Represents a malicious actor’s attack chain. |
| Operation | Execution of an adversary’s TTPs. | Simulates an attack against a target network/hosts. |
| Fact | Discovered information during an operation. | Dynamically influences subsequent actions. |
| Planner | Intelligent component for sequencing abilities. | Enables autonomous and adaptive cyber operations. |
| Plugin | Modular extension to core capabilities. | Expands functionality with agents, TTPs, and specialized modules. |
3.2 Step-by-Step Workflow for Adversary Emulation
Conducting an adversary emulation with MITRE Caldera involves a structured workflow, from initial setup to post-operation analysis.
- Installation and Server Startup:
The initial step involves installing the Caldera framework on a chosen operating system, typically Linux or macOS. For enhanced portability and simplified dependency management, deployment via Docker is a highly recommended and viable option.24
Once installed, the Caldera server is initiated, commonly using a command such as python3 server.py --insecure --build. The --build flag is crucial for the first boot or after any changes to the user interface or plugins, as it automatically handles the necessary VueJS UI dependencies and bundles the UI into a distributable directory.7
Access to the web user interface is typically via http://localhost:8888. Initial login credentials are often found in the conf/local.yml file, which is generated upon server start. For --insecure setups, common default credentials like red/admin may apply.7
- Agent Deployment:
From the Caldera UI, the user navigates to the “Agents” page. Here, the desired agent type is selected (e.g., Sandcat for cross-platform compatibility, Manx for reverse shell functionality) and the target operating system of the victim machine is specified.16
Caldera then generates a specific command, often a Curl command for agent download, which must be copied and executed on the victim machine to establish the agent’s presence and initiate communication. It is imperative to ensure that the agent can connect back to the Caldera server; this typically involves verifying that the app.contact.http value in the agent’s configuration matches the Caldera server’s URL.2 Successful deployment is confirmed when the newly connected agent appears in the “Connected Agents” list within the Caldera UI.16 It is important to note that certain abilities within Caldera require elevated privileges on the target system, necessitating that the agent be deployed within an elevated shell (e.g., Administrator PowerShell on Windows).16
- Creating/Selecting an Adversary Profile:
The next step involves proceeding to the “Adversaries” page in the Caldera UI. Users have the flexibility to either select from a range of pre-built adversary profiles (such as “Discovery” or “Hunter,” often found within the Stockpile plugin) or construct a custom adversary. Custom adversaries are built by meticulously grouping and chaining specific abilities to simulate the TTPs of a unique threat actor or a specific attack chain of interest.16 Reviewing the abilities associated with the chosen or custom-built adversary is a crucial step to understand the TTPs that will be emulated and to ensure they align with the assessment objectives.16
- Defining the Target Network/Hosts:
While not always a distinct UI step, users must define the scope of the operation by assigning target agents to a specific network or group. This ensures the emulation is directed at the intended victim systems, allowing for precise control over the attack surface.29
- Launching an Operation:
To initiate the emulation, navigate to the “Operations” page and add a new operation, providing a descriptive name. The user then selects the chosen adversary profile, the defined target network or group, and a starting host from which the emulation will commence.16 Various operational parameters can be configured, including the start method (e.g., “bootstrap rat”), the parent process for agent execution, a desired command delay, and jitter. The latter two are vital for simulating realistic adversary behavior and evading simple timing-based detection mechanisms. Users also have the option to disable “Auto-cleanup,” which is recommended for post-operation forensic analysis, as it preserves artifacts (e.g., logs, staged files) on the target system for later review.29 Finally, clicking the “Start” button initiates the operation.
- Reviewing and Analyzing Operations (Post-Setup Usage and Testing):
Once an operation is launched, its progress can be dynamically monitored in the “Operation view” within the Caldera UI. This view displays the operation’s status at the top, with colored bubbles indicating the number of compromised hosts and discovered credentials.29 As the operation runs, abilities are executed on the deployed agents, and their outputs can be reviewed by clicking on the stars next to the executed abilities.16
For effective testing, it is recommended to have network security monitoring tools, such as Zeek, running on the network where Caldera agents are deployed. Zeek can analyze network traffic and detect suspicious activity, including C2 communications and file downloads associated with Caldera agents like Sandcat, Manx, and Ragdoll. This allows blue teams to validate their detection mechanisms in real-time.2 For instance, Zeek scripts can monitor HTTP headers for file download requests (e.g.,
POST /file/download) and match specific filenames (e.g., sandcat.go, manx.go, ragdoll.py), flagging suspicious file downloads and generating notices with contextual information.2 Similarly, Zeek signatures can identify Manx C2 communications over TCP and UDP protocols by inspecting payloads for JSON fields like
architecture, exe_name, and platform, or by detecting acknowledgement keywords like “roger” in UDP traffic. Sandcat beaconing (e.g., /beacon URI with Go-http-client User-Agent) and Ragdoll C2 activity (e.g., /weather URI with python-requests/ User-Agent) can also be detected.2 This multi-layered detection approach helps security teams monitor their networks for indicators of compromise and improve their overall readiness against real-world threats.2
- Post-Operation Analysis and Improvement:
Upon completion of an operation, Caldera allows users to export operation reports in JSON format and download operation event logs, also in JSON format. These logs are automatically written to disk when the operation finishes.1 These reports and logs are critical for post-assessment analysis. Defenders can use this data to evaluate their security team’s effectiveness in detecting various red team tactics. Frameworks like Cyb3rWard0g’s scoring system, aligned with the MITRE ATT&CK framework, can be used to grade detection capabilities from “none” to “excellent”.29 This iterative process of running emulations, analyzing results, and refining defenses is central to continuous security improvement.
3.3 Mimicking APT Adversaries with Top Modules/Plugins
Caldera’s modular architecture and deep integration with ATT&CK make it an exceptionally powerful tool for emulating Advanced Persistent Threats (APTs). The platform achieves this by leveraging specific plugins and allowing for the creation of highly customized adversary profiles that reflect real-world threat intelligence.
Atomic Plugin: The Atomic plugin is a crucial component for APT emulation. It is designed to import all Red Canary Atomic tests directly from their open-source GitHub repository.1 These atomic tests are small, modular procedures that execute specific ATT&CK techniques.14 By integrating this extensive library, Caldera users can quickly and efficiently simulate individual adversary techniques that are known to be used by various APT groups, providing a granular approach to TTP emulation.18
Stockpile Plugin: The Stockpile plugin adds a wealth of components to Caldera, including a vast collection of abilities, pre-defined adversaries, planners, and facts.23 This plugin is invaluable for building complex APT emulation scenarios, as it provides a comprehensive storehouse of techniques and profiles. For instance, the Stockpile plugin includes abilities for advanced file search and staging, compressing data, and exfiltrating archives to various destinations like Dropbox, GitHub repositories/Gists, FTP, and AWS S3 buckets.1 These exfiltration capabilities are vital for mimicking the data theft objectives of many APTs. The plugin also provides pre-built adversaries, such as “Advanced Thief via Dropbox,” “Advanced Thief via FTP,” and “Advanced Thief via GitHub Repo,” which can be used to quickly test specific exfiltration TTPs.1
Manx Agent: While not a plugin in itself, the Manx agent, typically part of a plugin like “Terminal,” provides reverse-shell capability and TCP-based communication.23 This is a common C2 communication method used by APTs, allowing for manual interaction with compromised hosts. The ability to run manual commands through a Manx session enables red teamers to execute highly specific and adaptive TTPs that might not be fully automated in a pre-defined adversary profile, closely mirroring the hands-on keyboard actions of sophisticated adversaries.16
Caldera for OT: For critical infrastructure, Caldera for OT is a specialized collection of plugins that exposes native Operational Technology (OT) protocol functionality (e.g., BACnet, DNP3, Modbus, IEC 61850 – MMS, Profinet/DCP protocols) mapped to the ATT&CK for ICS matrix.10 This allows for the emulation of APTs targeting industrial control systems, which often utilize specific OT protocols for reconnaissance, control, and disruption. This dedicated module is crucial for organizations protecting critical infrastructure, enabling them to test their defenses against highly specialized and potentially devastating threats.10
To effectively mimic APT adversaries, security teams typically gather comprehensive threat intelligence on specific APT groups, extract their known ATT&CK techniques, analyze and organize this information, and then develop or adapt Caldera abilities and adversaries to replicate these TTPs. This process allows for the emulation of complex attack chains, from initial access and lateral movement to privilege escalation and data exfiltration, providing a realistic assessment of an organization’s resilience against targeted threats.
3.4 Example Case Studies / Real-World Applications
MITRE Caldera has demonstrated its utility in various real-world and simulated cybersecurity scenarios, providing tangible benefits to organizations.
One notable application involves adversarial emulation in Kubernetes environments. A case study highlighted how Caldera could be used to conduct such emulations, exploring attack scenarios including cryptomining, privilege escalation, and ransomware targeting Hashicorp Vault secrets stores. This demonstrates Caldera’s adaptability to modern cloud-native environments and its capacity to simulate complex, multi-stage attacks.28
Another significant example showcases Caldera’s use in bypassing Microsoft Windows Security. In a study, the “54ndc47” (Sandcat) agent, utilizing GoLang features within Caldera, successfully bypassed Windows Security systems (specifically MS Windows 10) to display entire files on the victim’s device. This underscores Caldera’s effectiveness in testing endpoint security solutions and identifying weaknesses in common operating system defenses.12
Caldera is extensively used for continuous security evaluation pipelines. Organizations can integrate Caldera into their security operations to automate repeatable evaluations of network and OT systems. This allows them to emulate real-world adversaries and threats using observed TTPs, generate and evaluate logs for systems under test, and verify SOC analytics on an ongoing basis.5 This continuous testing approach helps organizations move beyond static security assessments to a dynamic model where they can rapidly tune behavioral-based intrusion detection systems and adapt their defenses as their environment changes or new threats emerge.14
Furthermore, Caldera is a core tool for red team engagements and purple teaming exercises. It assists red teams in performing manual assessments by augmenting existing offensive toolsets and developing advanced offensive capabilities. For blue teams, it enables testing and evaluation of detection, analytic, and response platforms. The platform’s ability to facilitate “Red vs Blue Research” directly supports cutting-edge research in cyber gaming, automated offensive and defensive cyber operations, and cyber defense analytics.6 This collaborative utility allows organizations to improve their security posture by understanding how attacks map to the MITRE ATT&CK framework and how attackers establish footholds in target assets.15
4. Setup Steps for Different Environments
4.1 Home Lab Setup for Beginners
Setting up MITRE Caldera in a home lab environment for beginners is a straightforward process, typically taking less than 10 minutes. This setup provides a safe, controlled space to learn and experiment with adversary emulation.
Requirements for the Caldera Server:
The primary system running Caldera (the server) should ideally be a Linux or macOS operating system. Essential software requirements include Python 3.8 or later (with pip3) and NodeJS v16 or later (for Caldera v5’s VueJS UI). A modern browser, such as Google Chrome, is recommended for accessing the web interface. For optimal agent functionality and dynamic compilation of GoLang-based agents, GoLang 1.17+ is recommended. Hardware-wise, the server should have at least 8GB RAM and 2+ CPUs.7
Concise Installation Steps:
Clone the Repository: Open a terminal and clone the Caldera repository recursively, ensuring all available plugins are pulled. It is advisable to specify a stable version (e.g., 5.0.0) to avoid potential bugs from development branches:
git clone https://github.com/mitre/caldera.git –recursive –branch 5.0.0
Navigate to Directory: Change into the newly cloned Caldera directory:
cd caldera
Install Python Requirements: Install the necessary Python packages using pip:
pip3 install -r requirements.txt
Start the Server: Launch the Caldera server. The –build flag is required for the first boot to compile the UI:
python3 server.py –insecure –build
Upon successful startup, the Caldera UI will be accessible at http://localhost:8888. Default credentials for the “red” user are typically found in the conf/local.yml file, which is generated on server start.7
Docker Deployment for Beginners:
For an even simpler setup, especially for those less familiar with dependency management, Caldera can be run in a Docker container.
Clone Repository:
git clone https://github.com/mitre/caldera.git --recursive --branch x.x.x(replacex.x.xwith desired version).Navigate and Build:
cd calderathendocker build --build-arg WIN_BUILD=true. -t caldera:serverRun Container: docker run -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server
This command maps the necessary ports for Caldera’s operation. A DNS entry pointing to the host running the Docker container may be required if not using localhost.24
Agent Deployment to a Victim VM:
For a home lab, a Windows 10 VM or a Linux endpoint (e.g., Ubuntu) can serve as the victim machine.
Prepare Victim: Install necessary prerequisites on the victim, such as Visual C++ Redistributable for Windows, or Python 3 for Linux.33
Download Agent: From the Caldera UI (Agents page), select the desired agent (e.g., Sandcat) and OS. Copy the generated Curl or PowerShell command.16
Execute on Victim: Run the copied command in an administrative PowerShell (Windows) or root terminal (Linux) on the victim machine. This downloads and executes the agent, connecting it back to your Caldera server.34
Verify Connection: Confirm the agent appears under “Debug > Connected Agents” in the Caldera UI.33
4.2 Advanced/Enterprise Deployment Considerations
For advanced users and enterprise deployments, Caldera offers more robust installation and configuration options to ensure scalability, security, and integration within complex environments.
Recommended Hardware and Software:
Beyond the basic requirements, a development environment for Caldera, especially for dynamically compiling agents, benefits from GoLang 1.17+ and hardware with at least 8GB RAM and 2+ CPUs.7
Docker Deployment for Enterprise:
Docker remains a preferred method for enterprise deployments due to its consistency and ease of management. For production environments, it is crucial to ensure data persistence, as the default Docker setup for Caldera might not persist MongoDB data.29 Users can bind-mount custom configuration files (e.g.,
conf/local.yml) to override default settings and manage credentials securely, rather than relying on automatically generated keys/passwords.7 For specific plugin data, like Atomic Red Team, it is recommended to clone their repositories outside the container and bind-mount them into the Caldera container to allow for modifications and updates.7
Offline Installation:
For secure environments without direct internet access, Caldera supports offline installation. This involves downloading all dependencies using pip on an internet-connected machine with a matching platform and Python version, then transferring the Caldera directory and dependencies to the offline server for installation.24
Security Best Practices and Post-Setup Actions:
Access Control: Restrict access to Caldera’s API with network segmentation and rigid controls. The API endpoint, which can be exploited if unauthenticated in older versions, requires careful management.17
Credential Management: Do not rely on default
admin:calderacredentials, especially in production or sensitive lab environments. Always change passwords found inconf/local.yml.7Agent Management: Continuously track unusual agent compilations or API activity to proactively detect potential misuse or threats.40 Agents requiring elevated privileges should be deployed accordingly.16
Troubleshooting Windows Defender: Default Windows 10 installations may flag tools like PowerView (used by some Caldera abilities) as malicious. To work around this, modify the PowerShell scripts using Caldera’s script editor or, for lab environments, temporarily disable Windows Defender.33
Ansible Deployment: For large-scale agent deployment to Windows clients, Ansible can be used to automate the process, configuring
hostsandgroup_varsfiles for user credentials and running playbooks to deploy agents.29SIEM Integration: Integrate Caldera’s output with Security Information and Event Management (SIEM) systems like Zeek, Splunk, or Wazuh. This allows for centralized monitoring and detection of simulated adversary activities. Zeek can detect C2 communications and agent downloads 2, while Splunk Universal Forwarder can collect and forward detections 35, and Wazuh can be configured with custom detection rules to identify modern ransomware and other TTPs.19 This integration is crucial for validating the effectiveness of an organization’s detection and response capabilities against real-world threats.2
5. Conclusions
MITRE Caldera stands as a pivotal open-source platform in the contemporary cybersecurity landscape, fundamentally transforming how organizations approach defensive validation and threat intelligence. Its core strength lies in its ability to automate adversary emulation, meticulously mapping simulated attacks to the globally recognized MITRE ATT&CK framework. This deep integration elevates ATT&CK from a mere reference model to an operational blueprint, enabling security teams to translate abstract threat knowledge into concrete, executable actions.
The platform’s versatile applications, from autonomous red-teaming and automated incident response to advanced cybersecurity research and specialized operational technology assessments, underscore its broad utility. By providing a controlled, realistic environment for testing, Caldera empowers organizations to move beyond reactive, indicator-based defenses towards a proactive, behavioral-centric security posture. This shift allows for the continuous identification of vulnerabilities, the rigorous evaluation of security products, and the refinement of detection and response mechanisms against evolving threats.
Furthermore, Caldera’s collaborative development model, incorporating direct feedback from seasoned operators and contributions from a global community, ensures its continuous relevance and adaptability. This collective effort, combined with its modular plugin architecture, facilitates the emulation of sophisticated Advanced Persistent Threats (APTs) and the development of highly customized attack scenarios. Ultimately, Caldera serves as a critical enabler for Purple Teaming initiatives, fostering a synergistic relationship between offensive and defensive security functions. By providing a shared, objective ground for testing and validation, it drives iterative improvements in an organization’s cyber resilience, making advanced security testing accessible and actionable across diverse operational contexts. The continuous adoption and evolution of Caldera signify a broader commitment within the cybersecurity community to a more threat-informed, adaptive, and resilient defense strategy.
To get in touch with me or for general discussion please visit ZeroDayMindset Discussion