Atomic Red Team FAQ

Why did an ART test not generate a Red Canary published threat?

While Red Canary may have detector coverage for a specific technique, we commonly fine-tune our detectors with requirements on the process chain and surrounding telemetry to focus on true adversary activity and limit false positives from normal admin activity or regular business procedures.

Does this tool replace the need for performing a penetration test or red team exercise?

No, ART is an alert validation tool that helps you identify gaps in your security posture whether it be lack of telemetry or misconfigured alert logic. Penetration testing, on the other hand, verifies that the security measures in place are effective at blocking and preventing adversary activity. Red team exercises take penetration testing a step further in that they are more focused on testing the security team’s investigation and response processes. For more information about the different kinds of security testing, you can read more details here.

Is there an ISO or Docker image I can use to install Atomic Red Team?

We have an on-demand webinar on how to use Docker and Windows Sandbox with ART to simplify the setup process.

Are there recommended Atomic Red Team tests?

Choosing the right or best ART test is very dependent on your use-cases and goals for testing. That being said, Red Canary’s annual Threat Detection Report calls out the tactics and techniques we commonly see in the wild. We also have blogs that outline emulation plans for common threat profiles like SocGholish and GootLoader.

How many ATT&CK techniques are covered by ART tests?

Some ATT&CK coverage statistics are available here.

Does Atomic Red Team cover threats that do not occur on the endpoint (Cloud/SaaS)?

Yes, under “Supported Platforms” on the left side of this page, you’ll see links related to azure-ad, containers, office-365 and so on.