Automated Adversary Emulation

v1.0.0Securitystable

An automated Adversary Emulation lab with terraform and MCP server. Build Caldera techniques and operations assisted with LLMs. Built for IaC stability, consistency, and speed.

automatedemulationmcpai-integration
Share:
209
Stars
0
Downloads
0
Weekly
0/5

What is Automated Adversary Emulation?

Automated Adversary Emulation is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to automated adversary emulation lab with terraform and mcp server. build caldera techniques and operations assisted with llms. built for iac stability, consistency, and speed.

An automated Adversary Emulation lab with terraform and MCP server. Build Caldera techniques and operations assisted with LLMs. Built for IaC stability, consistency, and speed.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • An automated Adversary Emulation lab with terraform and MCP

Use Cases

Build Caldera techniques and attack operations with LLM assistance.
Conduct automated adversary emulation labs.
Automate security testing with infrastructure as code.
iknowjason

Maintainer

LicenseMIT
Languagehcl
Versionv1.0.0
UpdatedApr 25, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx automatedemulation

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Automated Adversary Emulation

AutomatedEmulation is an Infrastructure-as-Code lab for building and running automated adversary emulation exercises, combining Terraform-provisioned AWS infrastructure with MITRE Caldera 5.3 and its MCP server plugin. The Caldera MCP server acts as an API wrapper that gives LLMs context for building new attack techniques, operation planners, and CTI pipelines with RAG integration — all within a self-contained lab environment. Security teams and red teams use it to design and execute realistic attack simulations against Windows Server 2022 targets, track results in VECTR, and monitor LLM inference calls through an integrated MLflow server, enabling reproducible, LLM-assisted adversary emulation at IaC speed.

Prerequisites

  • Terraform installed (for provisioning the AWS lab infrastructure)
  • AWS account with programmatic access: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  • Sufficient AWS permissions to create EC2 instances, security groups, and VPCs
  • An MCP-compatible client such as Claude Desktop for interacting with the Caldera MCP server
  • Git to clone the repository
1

Clone the repository

Clone the AutomatedEmulation repository to your local machine.

git clone https://github.com/iknowjason/AutomatedEmulation
cd AutomatedEmulation
2

Set AWS credentials

Export your AWS credentials. The Terraform configuration will use these to provision EC2 instances, security groups, and VPC resources in your AWS account.

export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
3

Initialize and apply Terraform

Initialize the Terraform providers and apply the configuration to provision the lab. This creates the Linux Caldera server and Windows client EC2 instances automatically.

terraform init
terraform apply -auto-approve
4

Retrieve lab access credentials

After Terraform finishes, retrieve the IP addresses and credentials for your lab instances.

terraform output
5

Access the Caldera and VECTR consoles

Log in to the Caldera interface at the URL shown in terraform output. The Caldera MCP server plugin and MLflow monitoring server start automatically.

# Caldera console: https://[ec2-address]:8443
# VECTR console:   https://[ec2-address]:8081
# MLflow server:   http://[ec2-address]:5000
6

Configure your MCP client to connect to Caldera

Add the Caldera MCP server connection to your claude_desktop_config.json. The Caldera MCP plugin exposes API-wrapped tools for building abilities, operations, and CTI queries.

{
  "mcpServers": {
    "caldera": {
      "command": "npx",
      "args": ["automatedemulation"],
      "env": {
        "CALDERA_URL": "https://your-ec2-address:8443",
        "CALDERA_API_KEY": "your_caldera_api_key"
      }
    }
  }
}

Automated Adversary Emulation Examples

Client configuration

Configure your MCP client to connect to the Caldera MCP server running on your provisioned EC2 instance. Retrieve the API key from terraform output.

{
  "mcpServers": {
    "caldera": {
      "command": "npx",
      "args": ["automatedemulation"],
      "env": {
        "CALDERA_URL": "https://your-ec2-ip:8443",
        "CALDERA_API_KEY": "your_caldera_api_key"
      }
    }
  }
}

Prompts to try

These prompts leverage the Caldera MCP server to build attack techniques, design operations, and query threat intelligence within the emulation lab.

- "List all available Caldera abilities and their ATT&CK technique mappings"
- "Create a new Caldera ability that performs credential dumping using Mimikatz on the Windows agent"
- "Build an operation that executes a phishing simulation followed by lateral movement to the Windows target"
- "Show me the results of the last adversary emulation operation in VECTR format"
- "Query the CTI knowledge base for techniques associated with APT29"

Troubleshooting Automated Adversary Emulation

Terraform apply fails with AWS permission errors

Ensure your IAM user or role has permissions to create EC2 instances, VPCs, security groups, and related networking resources. A policy with EC2FullAccess and VPCFullAccess is the minimum requirement. Check that your AWS credentials are correctly exported and that you are targeting the right AWS region.

Caldera console is not accessible after terraform apply

Wait 3-5 minutes after terraform apply completes — Caldera and its plugins take time to install and start on the EC2 instance. Verify the EC2 instance is running in the AWS console. Check that your local IP is permitted in the security group rules, which are configured in bas.tf.

Lab costs money even when not in use

Run terraform destroy -auto-approve when you are finished with the lab. The EC2 instances will continue to incur costs while running. The lab is designed to be ephemeral — provision it when needed and destroy it when done to minimize AWS charges.

Frequently Asked Questions about Automated Adversary Emulation

What is Automated Adversary Emulation?

Automated Adversary Emulation is a Model Context Protocol (MCP) server that automated adversary emulation lab with terraform and mcp server. build caldera techniques and operations assisted with llms. built for iac stability, consistency, and speed. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Automated Adversary Emulation?

Follow the installation instructions on the Automated Adversary Emulation GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Automated Adversary Emulation?

Automated Adversary Emulation works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Automated Adversary Emulation free to use?

Yes, Automated Adversary Emulation is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

Automated Adversary Emulation Alternatives — Similar Security Servers

Looking for alternatives to Automated Adversary Emulation? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "automatedemulation": { "command": "npx", "args": ["-y", "automatedemulation"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Automated Adversary Emulation?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides