# VECTR

VECTR (Vectorized Engagement and Campaign Tracking for Reporting) is Security Risk Advisors’ open-source platform for purple team operations. It lets teams document adversary emulation campaigns, align techniques to MITRE ATT&CK, and measure detection coverage gaps over time. It bridges red and blue teams by tracking both attack execution and detection outcomes in a unified interface.
## Installation

### Docker Compose Setup

VECTR is deployed via Docker Compose from the official repository:

```sh
# Clone VECTR repository
git clone https://github.com/SecurityRiskAdvisors/VECTR.git
cd VECTR

# Start Docker Compose (includes nginx, application, and postgres)
docker-compose up -d

# Verify containers are running
docker-compose ps
```
### Initial Configuration

```sh
# Check logs for startup status
docker-compose logs -f app

# Access web interface
# http://localhost:8080 (default)
# or https://localhost:443 (if TLS enabled)

# Default credentials (CHANGE IMMEDIATELY)
# Username: admin
# Password: admin
```
### Environment Variables

```yaml
# docker-compose.yml customization
environment:
  - NODE_ENV=production
  - DB_HOST=postgres
  - DB_PORT=5432
  - DB_USER=vectr
  - DB_PASSWORD=change_me   # shipped placeholder: set a unique secret before first start
  - REDIS_HOST=redis
  - REDIS_PORT=6379
```
## Quick Start

### First-Time Setup

1. Access Web UI
   - Navigate to http://localhost:8080
   - Login with default credentials
   - Change admin password immediately
2. Create First Assessment
   - Click “New Assessment”
   - Enter assessment name (e.g., “Q2 2026 Purple Team Campaign”)
   - Select MITRE ATT&CK version (default: latest)
   - Define assessment scope and objectives
   - Assign team members
3. Invite Team Members
   - Navigate to Settings → Users
   - Add user email addresses
   - Assign roles: Admin, Red Team, Blue Team, Analyst
   - Send invitations
### Dashboard Overview

| Component | Purpose |
|---|---|
| Campaigns | High-level purple team exercise containers |
| Assessments | Sub-campaigns with specific scope and timeline |
| Test Cases | Individual adversary emulation techniques and detections |
| Results | Outcome tracking (detected, alerted, blocked, etc.) |
| Heat Maps | Visual ATT&CK coverage analysis |
## Core Concepts

### Campaigns

Campaigns are top-level containers for purple team activities, representing organization-wide adversary emulation programs:

Campaign Structure:
- Campaign Name: "2026 Annual Purple Team Program"
- Duration: Start and end dates
- Objectives: Measurable goals for coverage improvement
- Phases: Grouped assessments by campaign phase
- Participants: Cross-functional team roster
### Assessments

Assessments are scoped sub-campaigns with defined target systems, techniques, and timelines:
Assessment Properties:
- Name: Specific assessment name
- Campaign: Parent campaign
- Target Systems: Scope (endpoints, servers, networks)
- Start/End Date: Assessment window
- MITRE Version: ATT&CK version used (v13, v14, etc.)
- Status: Planning, Active, Complete
### Test Cases

Test cases document individual adversary emulation executions:
- Technique ID: MITRE ATT&CK technique (e.g., T1566.002)
- Name: Descriptive test case name
- Description: Attack scenario details
- Procedure: Step-by-step execution instructions
- Tool Used: Red team tool (Mimikatz, certutil, etc.)
- Execution Date: When test was performed
- Evidence: Screenshots, logs, artifacts
- Detection Status: Outcome from blue team perspective
### Outcomes

Outcomes track both attack execution and detection results:

| Red Team Outcome | Blue Team Detection |
|---|---|
| Success | Detected / Alerted / Blocked |
| Success | Not Detected |
| Failure | N/A (technique didn’t execute) |
| N/A | Not Applicable (not targeted) |
### ATT&CK Mapping

Every test case maps to MITRE ATT&CK techniques:
Campaign Heat Map:
- Reconnaissance: 8/12 techniques covered (67%)
- Resource Development: 5/10 techniques covered (50%)
- Initial Access: 6/8 techniques covered (75%)
- Execution: 12/15 techniques covered (80%)
## Campaign Management

### Creating a Campaign

1. Dashboard → Create Campaign
2. Enter campaign metadata:
   - Campaign Name: "2026 Detection Engineering Program"
   - Campaign Manager: Select lead
   - Objective: "Improve detection coverage in EDR"
   - Start Date: 2026-04-01
   - End Date: 2026-12-31
   - Description: Campaign context and goals
3. Click Create
4. Add phases (e.g., "Phase 1: Initial Access", "Phase 2: Persistence")
### Defining Campaign Scope

```yaml
# Scope Definition
Target Tactics:
  - Initial Access
  - Execution
  - Persistence
  - Privilege Escalation
  - Defense Evasion
Target Platforms:
  - Windows
  - Linux
  - macOS
Asset Groups:
  - Production Servers
  - Endpoint Devices
  - Network Infrastructure
```
### Selecting ATT&CK Techniques

- Navigate to Campaign → Technique Selection
- View full ATT&CK matrix
- Filter by tactic, platform, or sub-technique
- Select techniques to target in campaign
- Export technique list for red team planning
### Organizing Phases

Phase Management:
1. Create phase within campaign
   - Name: "Initial Access & Execution"
   - Duration: 2 weeks
   - Focus areas: Phishing, scripting techniques
2. Link assessments to phases
3. Schedule red team operations by phase
4. Track phase completion and coverage
## Test Cases

### Creating Test Cases

Assessment → Create Test Case

Required Fields:
- MITRE Technique ID: T1566.002 (Phishing: Spearphishing Link)
- Test Case Name: "Phishing Link Campaign to Marketing"
- Description: Description of attack scenario
- Attack Procedure: Step-by-step attack execution
- Tool Used: Browser, domain registrar info
- Execution Date: When red team executed
- Red Team Notes: Observations, success/failure details
### Mapping to ATT&CK

```text
# Example test case structure
Test Case: T1566.002
├── Tactic: Initial Access
├── Name: Spearphishing Link Delivery
├── Sub-techniques: Attached file is not used
├── Platform: Windows
├── Procedure:
│   1. Create malicious URL with payload
│   2. Spoof marketing sender email
│   3. Send to 100 marketing employees
│   4. Track link clicks and execution
└── Evidence: Email logs, URL visit records
```
### Documenting Outcomes

| Field | Example |
|---|---|
| Tool Used | Gophish + Custom payload |
| Procedure | Spearphishing URL in email body |
| Red Team Outcome | Success - 25 clicks, 5 executed |
| Blue Team Detection | Alerted on phishing link (Proofpoint) |
| Detection Status | Detected |
| Remediation | Updated email filter, user training |
| Evidence | Screenshots, alert logs, forensics |
## Outcome Tracking

### Recording Outcomes

Test Case → Add Outcome

Red Team Perspective:
- ✓ Success: Attack achieved objective
- ✗ Failure: Attack did not execute
- ⊘ N/A: Not attempted/applicable

Blue Team Perspective:
- ✓ Detected: Security control identified attack
- ✓ Alerted: Alert/notification triggered
- ✓ Blocked: Attack blocked before success
- ✗ Not Detected: Attack completed undetected
- ⊘ Not Applicable: Technique not in scope
### Red vs. Blue Scoring

VECTR calculates coverage metrics:
Coverage Calculation:
- Total Techniques Executed: 45
- Total Techniques Detected: 38 (84%)
- Detection Gap: 7 techniques (16%)
Trend Analysis:
- Previous Campaign: 72% detected
- Current Campaign: 84% detected
- Improvement: +12 percentage points
### Generating Outcome Reports

Campaign → Reports → Detection Coverage
Output Includes:
- Technique-by-technique detection status
- Detected vs. Not Detected breakdown
- Trend graphs (coverage over time)
- Tactics with highest/lowest detection
- Red team success rate by technique
- Blue team detection speed (time-to-detect)
## ATT&CK Integration

### Heat Maps

Campaign Dashboard → ATT&CK Heat Map

Color Coding:
- 🟢 Green: Technique tested and detected (100%)
- 🟡 Yellow: Technique tested, partially detected (50-99%)
- 🔴 Red: Technique tested, not detected (0-49%)
- ⚪ Gray: Technique not tested
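The Outcomes table, the Red vs. Blue Scoring arithmetic and the heat-map legend above all derive from the same per-technique roll-up of test-case outcomes. The following is an added example written for this page, not VECTR's own code, showing that roll-up over a constructed list of outcomes: only test cases whose attack actually ran and that were in scope count toward coverage, each technique gets a detection rate and a legend colour, and the headline figures follow the Coverage Calculation / Trend Analysis lists. The rule that a technique counts as "detected" in the headline only when every executed test case for it was detected is an assumption; the `Outcome` type and the sample data are mine.

```python
"""Coverage scoring and heat-map classification for purple team outcomes.

Added example, not VECTR's code. Applies the page's outcome vocabulary, the
coverage/trend arithmetic and the heat-map thresholds to constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Blue-team outcomes that count as a detection (Not Detected / Not Applicable do not)
DETECTED = {"Detected", "Alerted", "Blocked"}


@dataclass(frozen=True)
class Outcome:
    technique_id: str      # MITRE ATT&CK ID, e.g. T1566.002
    tactic: str
    red_outcome: str       # Success / Failure / N/A
    blue_detection: str    # Detected / Alerted / Blocked / Not Detected / Not Applicable


def executed(o: Outcome) -> bool:
    """A test case counts toward coverage only if the attack actually ran
    and the technique was in scope for the blue team."""
    return o.red_outcome == "Success" and o.blue_detection != "Not Applicable"


def technique_rates(outcomes: Iterable[Outcome]) -> Dict[str, float]:
    """Fraction of executed test cases per technique that were detected."""
    hits: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for o in outcomes:
        if not executed(o):
            continue
        total[o.technique_id] += 1
        if o.blue_detection in DETECTED:
            hits[o.technique_id] += 1
    return {t: hits[t] / total[t] for t in total}


def heat_color(rate: Optional[float]) -> str:
    """Heat-map legend: green 100%, yellow 50-99%, red 0-49%, gray untested."""
    if rate is None:
        return "gray"
    if rate >= 1.0:
        return "green"
    if rate >= 0.5:
        return "yellow"
    return "red"


def heat_map(outcomes: Iterable[Outcome], technique_ids: Iterable[str]) -> Dict[str, str]:
    """Colour for every technique in scope, including ones never executed."""
    rates = technique_rates(outcomes)
    return {t: heat_color(rates.get(t)) for t in technique_ids}


def coverage_summary(outcomes: Iterable[Outcome], previous_pct: Optional[int] = None) -> dict:
    """Headline numbers in the shape of the Coverage Calculation / Trend Analysis lists."""
    rates = technique_rates(outcomes)
    executed_n = len(rates)
    # Assumption: a technique is "detected" only if every execution was detected (green)
    detected_n = sum(1 for r in rates.values() if r >= 1.0)
    pct = round(100 * detected_n / executed_n) if executed_n else 0
    summary = {
        "executed": executed_n,
        "detected": detected_n,
        "detected_pct": pct,
        "gap": executed_n - detected_n,
        "gap_techniques": sorted(t for t, r in rates.items() if r < 1.0),
    }
    if previous_pct is not None:
        summary["improvement"] = pct - previous_pct   # percentage points vs. previous campaign
    return summary


# Constructed sample outcomes (not real campaign data)
SAMPLE: List[Outcome] = [
    Outcome("T1566.002", "Initial Access", "Success", "Alerted"),
    Outcome("T1566.002", "Initial Access", "Success", "Blocked"),
    Outcome("T1059.001", "Execution", "Success", "Detected"),
    Outcome("T1059.001", "Execution", "Success", "Not Detected"),
    Outcome("T1547.001", "Persistence", "Success", "Not Detected"),
    Outcome("T1574.001", "Persistence", "Failure", "N/A"),            # never ran: untested
    Outcome("T1562.001", "Defense Evasion", "N/A", "Not Applicable"),  # out of scope: untested
]
IN_SCOPE = ["T1566.002", "T1059.001", "T1547.001", "T1574.001", "T1562.001"]

if __name__ == "__main__":
    print(heat_map(SAMPLE, IN_SCOPE))
    print(coverage_summary(SAMPLE, previous_pct=72))
```

Note that a failed execution does not count as a detection gap: the blue team never had anything to detect, so it stays gray until the test case is re-run.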
### Coverage Visualization

Matrix View:
- X-axis: MITRE ATT&CK Techniques
- Y-axis: Detection Status
- Click technique to view all test cases for that technique
- Export heat map as PNG or JSON for presentations
### Technique Selection from ATT&CK Navigator

1. Navigate to Campaign Technique Selection
2. Open MITRE ATT&CK Navigator (embedded or external link)
3. Create technique layer in Navigator
4. Import layer into VECTR campaign
5. VECTR auto-populates campaign techniques
### Navigator Layer Export

Campaign → Export as Navigator Layer
Output:
- JSON format compatible with ATT&CK Navigator
- Includes detection status and metadata
- Share with stakeholders and executives
- Upload to Navigator for visualization
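The following is an added example, not VECTR's exporter, of what such a Navigator layer looks like when built from per-technique detection rates. The top-level fields (`name`, `versions`, `domain`, `techniques` with `techniqueID`, `color`, `score`, `comment`, and `legendItems`) follow the ATT&CK Navigator layer file format; the exact version numbers, the hex palette and the input rates are my assumptions.

```python
"""Export per-technique detection status as an ATT&CK Navigator layer.

Added example, not VECTR's code. Layer fields follow the Navigator layer
format; version numbers, palette and sample rates are assumptions.
"""
import json
from typing import Dict, Optional

# Assumed palette; Navigator accepts any hex colour per technique
PALETTE = {"green": "#8ec843", "yellow": "#ffe766", "red": "#ff6666", "gray": "#b3b3b3"}
LEGEND = {
    "green": "Tested and detected (100%)",
    "yellow": "Tested, partially detected (50-99%)",
    "red": "Tested, not detected (0-49%)",
    "gray": "Not tested",
}


def status_for(rate: Optional[float]) -> str:
    """Map a detection rate (None = never executed) to the heat-map legend."""
    if rate is None:
        return "gray"
    return "green" if rate >= 1.0 else "yellow" if rate >= 0.5 else "red"


def build_layer(name: str, rates: Dict[str, Optional[float]], attack_version: str = "14") -> dict:
    """Build a Navigator layer dict; rates map technique ID -> fraction detected or None."""
    techniques = []
    for tid, rate in sorted(rates.items()):
        status = status_for(rate)
        entry = {
            "techniqueID": tid,
            "color": PALETTE[status],
            "enabled": True,
            # Keep comments generic: layers are shared with stakeholders outside the team
            "comment": LEGEND[status] if rate is None else f"{rate:.0%} of executions detected",
        }
        if rate is not None:
            entry["score"] = round(rate * 100)   # 0-100 so Navigator's gradient view also works
        techniques.append(entry)
    return {
        "name": name,
        "versions": {"attack": attack_version, "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Detection coverage exported from purple team test-case outcomes",
        "techniques": techniques,
        "legendItems": [{"label": LEGEND[s], "color": c} for s, c in PALETTE.items()],
        "hideDisabled": False,
    }


def layer_json(layer: dict) -> str:
    """Serialize the layer as the JSON Navigator's Open Existing Layer expects."""
    return json.dumps(layer, indent=2)


def write_layer(path: str, layer: dict) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(layer_json(layer))


# Constructed sample rates: technique -> fraction of executions detected, None = untested
SAMPLE_RATES = {"T1566.002": 1.0, "T1059.001": 0.5, "T1547.001": 0.0, "T1574.001": None}

if __name__ == "__main__":
    write_layer("coverage-layer.json", build_layer("Q2 2026 coverage", SAMPLE_RATES))
```

Techniques with no executions are still emitted (gray, no score) so the layer shows scope as well as results; the `comment` field is kept to the legend text because the file is meant to be shared beyond the purple team.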
## Reporting

### Campaign Reports

Reports → Generate Campaign Report

Report Sections:
1. Executive Summary
   - Campaign overview and objectives
   - High-level metrics (% coverage, trends)
   - Key findings and recommendations
2. Detailed Findings
   - Technique-by-technique analysis
   - Detection gaps with remediation
   - Red team success rates
3. Appendix
   - Full test case listing
   - Evidence and screenshots
   - Timeline of executions
### Detection Gap Analysis

Gap Analysis Report:
- Not Detected Techniques:
  - T1547.001: Registry Run Keys (no EDR detection)
  - T1574.001: DLL Search Order Hijacking (bypasses defenses)
  - T1562.001: Disable or Modify System Firewall (insufficient logging)
- Recommendations:
  - Implement ETW-based detection for T1547.001
  - Deploy DLL hijacking behavioral detection
  - Enable advanced logging for firewall modifications
### Trend Tracking

Metrics → Trend Analysis
Metrics Tracked:
- Detection coverage over time (%)
- Techniques tested per month
- Average red team success rate
- Detection speed (TTD in hours)
- Top tactics for improvement
- Year-over-year improvement
### PDF/CSV Export

Reports → Export
Formats:
- PDF: Full formatted report with branding
- CSV: Technique data for spreadsheet analysis
- JSON: Programmatic export for integrations
- PNG: Heat maps for presentations
Customization:
- Logo and branding
- Include/exclude sections
- Redact sensitive data
- Custom date ranges
## Templates

### Assessment Templates

Settings → Templates → Assessment Templates
Pre-built Templates:
- "Initial Access Focus" (phishing, watering hole, supply chain)
- "Persistence & Privilege Escalation" (scheduled tasks, registry, kernel)
- "Defense Evasion" (UAC bypass, AMSI evasion, LOLBins)
- "Lateral Movement" (pass-the-hash, Kerberos, SMB abuse)
### Reusable Test Case Libraries

Create from Existing Assessment:
1. Assessment → Save as Template
2. Strip sensitive data (client names, real targets)
3. Generalize procedures for reuse
4. Add tags for searching (phishing, Windows, EDR)
5. Share with team or organization
Use Template:
1. Create Assessment → Select Template
2. Review and customize procedures for target environment
3. Assign to red team
4. Execute and track outcomes
### Importing/Exporting Templates

```text
# Export template
Settings → Templates → Export Template
# Generates JSON file with all test cases and configurations

# Import template
Settings → Templates → Import Template
# Select JSON file
# Creates new assessment from template

# Share templates
# Send JSON file via secure channel
# Import in target VECTR instance
```
## Multi-User Collaboration

### Role-Based Access

| Role | Permissions |
|---|---|
| Admin | Full system access, user management, settings |
| Red Team Lead | Create/edit assessments, manage red team ops |
| Red Team | Execute test cases, submit outcomes |
| Blue Team Lead | Configure detections, analyze coverage gaps |
| Blue Team | View test cases, record detection outcomes |
| Analyst | Read-only access, generate reports |
### Team Management

Settings → Team Management
User Invite:
- Email: user@organization.com
- Role: Red Team, Blue Team, or Analyst
- Campaign Access: Specific campaigns or all
- Send invitation → User accepts → Account created
Concurrent Assessments:
- Multiple teams work on different assessments
- Real-time synchronization across users
- Comments and notes on test cases
- Activity log tracks all changes
### Concurrent Operations

Real-time Collaboration:
- Multiple red teamers execute test cases simultaneously
- Blue team updates detection outcomes in parallel
- Lock test case during active recording to prevent conflicts
- Merge comments and evidence from team members
## API Access

### REST API for Automation

```sh
# Authentication (use the credentials set after install, not the shipped admin/admin)
curl -X POST http://localhost:8080/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin"}'
# Returns: { "token": "eyJhbGciOiJIUzI1NiIsInR5..." }
```
### Creating Assessments Programmatically

```sh
# Create assessment via API
curl -X POST http://localhost:8080/api/assessments \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Q2 2026 Initial Access Campaign",
    "campaignId": "camp_abc123",
    "startDate": "2026-04-01",
    "endDate": "2026-06-30",
    "mitre_version": "14"
  }'
```
### Submitting Test Cases via API

```sh
# Add test case
curl -X POST http://localhost:8080/api/test-cases \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "assessmentId": "assess_xyz789",
    "techniqueId": "T1566.002",
    "name": "Spearphishing Link",
    "procedure": "Send malicious link via email",
    "toolUsed": "Gophish",
    "executionDate": "2026-04-15"
  }'

# Record outcome
curl -X POST http://localhost:8080/api/outcomes \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "testCaseId": "tc_123",
    "redTeamOutcome": "Success",
    "blueTeamDetection": "Detected",
    "notes": "Proofpoint alert triggered"
  }'
```
### Bulk Operations

```sh
# Export all assessments
curl http://localhost:8080/api/assessments \
  -H "Authorization: Bearer YOUR_TOKEN" | jq '.' > assessments.json

# Import test cases from CSV
python3 bulk_import.py \
  --token YOUR_TOKEN \
  --file test_cases.csv \
  --assessment assess_xyz789
```
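The bulk import above is shown only as a command line. What follows is an added example of such a script, written for this page rather than the project's own `bulk_import.py`: it validates each CSV row (technique ID format, ISO date, required columns) before anything is sent, refuses to import a partially valid file, and posts the survivors to the `/api/test-cases` endpoint with the JSON field names from the "Submitting Test Cases via API" section (assumed to be accurate). The CSV column names, the `--url`/`--dry-run` flags and the sample CSV are mine, and the bearer token is read from a `VECTR_TOKEN` environment variable instead of a `--token` flag so it does not land in shell history or process listings.

```python
"""Bulk-import test cases from a CSV file through the VECTR REST API.

Added example; not the project's bulk_import.py. Endpoint and JSON field
names come from this page and are assumed accurate; CSV columns are my own.
"""
import argparse
import csv
import io
import json
import os
import re
import sys
import urllib.request
from typing import Dict, List, Tuple

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1566 or T1566.002
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")          # ISO date, as the API examples use
REQUIRED = ("techniqueId", "name", "procedure", "toolUsed", "executionDate")


def validate_row(row: Dict[str, str]) -> List[str]:
    """Return the problems found in one CSV row; an empty list means it is valid."""
    problems = [f"missing {col}" for col in REQUIRED if not (row.get(col) or "").strip()]
    tid = (row.get("techniqueId") or "").strip()
    if tid and not TECHNIQUE_RE.match(tid):
        problems.append(f"bad technique id {tid!r}")
    date = (row.get("executionDate") or "").strip()
    if date and not DATE_RE.match(date):
        problems.append(f"bad executionDate {date!r}")
    return problems


def rows_to_payloads(csv_text: str, assessment_id: str) -> Tuple[List[dict], List[Tuple[int, List[str]]]]:
    """Parse CSV text into API payloads; invalid rows come back as (line number, problems)."""
    payloads, errors = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):  # header is line 1
        problems = validate_row(row)
        if problems:
            errors.append((line_no, problems))
            continue
        payloads.append({"assessmentId": assessment_id, **{col: row[col].strip() for col in REQUIRED}})
    return payloads, errors


def post_test_case(base_url: str, token: str, payload: dict) -> dict:
    """POST one test case; raises urllib.error.HTTPError on a non-2xx response."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/test-cases",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample CSV: two valid rows and one that fails every check
SAMPLE_CSV = """techniqueId,name,procedure,toolUsed,executionDate
T1566.002,Spearphishing Link,Send link via email,Gophish,2026-04-15
T1547.001,Registry Run Key,Add HKCU Run value,reg.exe,2026-04-16
T15XX,Broken row,,,2026/04/17
"""


def main(argv=None) -> int:
    ap = argparse.ArgumentParser(description="Bulk-import VECTR test cases from CSV")
    ap.add_argument("--file", required=True, help="CSV with columns " + ",".join(REQUIRED))
    ap.add_argument("--assessment", required=True, help="target assessment id, e.g. assess_xyz789")
    ap.add_argument("--url", default="http://localhost:8080")
    ap.add_argument("--dry-run", action="store_true", help="validate and print payloads, do not POST")
    args = ap.parse_args(argv)
    with open(args.file, encoding="utf-8") as fh:
        payloads, errors = rows_to_payloads(fh.read(), args.assessment)
    for line_no, problems in errors:
        print(f"line {line_no}: {'; '.join(problems)}", file=sys.stderr)
    if errors:
        return 1                      # refuse to import a partially valid file
    token = os.environ.get("VECTR_TOKEN")
    if not args.dry_run and not token:
        print("set VECTR_TOKEN to the bearer token returned by /api/auth/login", file=sys.stderr)
        return 1
    for payload in payloads:
        print(json.dumps(payload) if args.dry_run else post_test_case(args.url, token, payload))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `VECTR_TOKEN=... python3 bulk_import.py --file test_cases.csv --assessment assess_xyz789 --dry-run` first; the dry run prints exactly the payloads that would be posted, which is the easiest way to catch a mis-mapped column before it pollutes an assessment.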
## Troubleshooting

### Common Issues

| Issue | Solution |
|---|---|
| Port 8080 already in use | Change port in docker-compose.yml, restart containers |
| Postgres connection error | Check DB credentials in environment, verify postgres container running |
| ATT&CK data not loading | Run database migration: docker-compose exec app npm run migrate |
| Slow heat map generation | Increase container memory, reduce technique count temporarily |
| Login failures | Clear browser cache, reset admin password via postgres CLI |
### Database Troubleshooting

```sh
# Access postgres container
docker-compose exec postgres psql -U vectr

# Inside psql: check assessment count
SELECT COUNT(*) FROM assessments;

# Inside psql: reset admin password
# hash() stands in for the application's own password-hashing routine; a value
# stored in any other hash format locks the account out instead of resetting it
UPDATE users SET password=hash('newpassword') WHERE username='admin';

# Backup database
docker-compose exec postgres pg_dump -U vectr > backup.sql
```
### Performance Optimization

```yaml
# Increase container resources in docker-compose.yml
services:
  app:
    mem_limit: 4g
    memswap_limit: 4g
  postgres:
    mem_limit: 2g
```

```sh
# Restart containers
docker-compose down && docker-compose up -d
```
## Best Practices

### Campaign Planning

Sezione intitolata “Campaign Planning”- Define clear objectives before campaign launch (detection gaps, remediation, training)
- Map to adversary TTPs relevant to your threat landscape
- Schedule phases strategically (avoid high-ops periods, coordinate with blue team)
- Set realistic metrics (coverage targets, detection speed goals)
- Document assumptions about tooling, network conditions, and defenses
### Red Team Execution

Sezione intitolata “Red Team Execution”- Preserve evidence (screenshots, logs, artifacts) for audit trail
- Document procedures precisely so findings are reproducible
- Use realistic tools that threat actors employ in your vertical
- Test detection evasion (UAC bypass, AMSI evasion, LOLBins) alongside technique execution
- Coordinate with blue team to avoid unplanned business impact
### Blue Team Detection

Sezione intitolata “Blue Team Detection”- Record detection method (EDR, IDS, SIEM, manual investigation)
- Note detection time (immediate vs. delayed detection)
- Identify false negatives quickly for remediation priority
- Track false positives from test cases
- Implement detections incrementally to avoid alert fatigue
### Reporting & Remediation

Sezione intitolata “Reporting & Remediation”- Executive summaries focus on coverage improvement and business impact
- Technical details support remediation prioritization
- Trend analysis demonstrates program maturity and progress
- Assign ownership for detection gap remediation
- Schedule follow-up campaigns to verify detection improvements
## Related Tools

| Tool | Purpose |
|---|---|
| CALDERA | Automated adversary emulation platform (pairs with VECTR) |
| Atomic Red Team | Library of small, testable ATT&CK techniques |
| AttackIQ | Commercial continuous red teaming (similar to VECTR) |
| MITRE ATT&CK Navigator | Visualize and plan ATT&CK-based assessments |
| PlexTrac | Purple team reporting and engagement tracking |
| Incident Response Runbooks | Proceduralize detection and response |
| EDR Platforms | Endpoint Detection and Response (primary detection layer) |