The Dojo of Blue: How Adversary Emulation Can Enhance Blue Team Performance

Abstract

The continuing shortage of cybersecurity experts has led to a growing problem in blue team training. Ever-changing attack methods make it difficult for the blue team to keep pace and gain hands-on practice in real-world situations. Meanwhile, enterprises often need an automated system to test their security products.

To address this challenge, an adversary emulator is developed that provides an interface for designing attack playbooks and environment specifications. The infra builder component of the adversary emulator configures, creates and reverts the infrastructure. On top of the infra builder, the adversary emulator integrates several well-known red team tools, e.g. Metasploit, Empire and other toolkits. The adversary emulator therefore allows a new attack scenario to be added quickly and replays these attack scenarios automatically. Moreover, real-world APT attacks and attack frameworks can also be integrated to provide up-to-date and realistic blue team training. To come closer to real-world APT attacks, we use repurposed APT malware (Plead, Lazarus) in our adversary emulator.

As a result, we show how we use the adversary emulator to evaluate and train blue team members. The adversary emulator is also used to emulate APT29, to enhance the development of our security products, and to participate in the ATT&CK Evaluations (APT29).

LOCATION: TRACK 1

DATE: July 25, 2020

TIME: 11:00 AM - 12:00 PM (GMT +8)

SHANG-DE Jiang
