Atomic Red Team FAQ
    • 18 Aug 2025


    Why did an Atomic Red Team test not generate a Red Canary published threat?

    While Red Canary may have detector coverage for a specific technique, we commonly fine-tune our detectors with requirements on the process chain and surrounding telemetry to focus on true adversary activity and limit false positives from normal admin activity or regular business procedures.

    Does this tool replace the need for performing a penetration test or red team exercise?

    No. Atomic Red Team is an alert validation tool that helps you identify gaps in your security posture, whether that is a lack of telemetry or misconfigured alert logic. Penetration testing, on the other hand, verifies that the security measures in place are effective at blocking and preventing adversary activity. Red Team exercises take penetration testing a step further in that they are more focused on testing the security team’s investigation and response processes. For more information about the different kinds of security testing, see our blog.

    Is there an ISO or Docker image I can use to install Atomic Red Team?

    We have an on-demand webinar that shows how to use Docker and Windows Sandbox with Atomic Red Team to simplify the setup process.

    Are there recommended Atomic Red Team tests?

    Choosing the right or best Atomic Red Team test is very dependent on your use case and goals for testing. That being said, Red Canary’s annual Threat Detection Report calls out the tactics and techniques we commonly see in the wild. We also have blogs that outline emulation plans for common threat profiles like SocGholish and GootLoader.

    How many ATT&CK techniques are covered by Atomic Red Team tests?

    ATT&CK coverage statistics are available here.

    Does Atomic Red Team cover threats that do not occur on the endpoint (Cloud/SaaS)?

    Yes, on the Atomic Red Team test library page you’ll see links for Azure AD, Containers, Office 365, and other platforms.

