VECTR
VECTR (Vectorized Engagement and Campaign Tracking for Reporting) is SecurityRisk Advisors’ open-source platform for purple team operations, enabling teams to document adversary emulation campaigns, align techniques to MITRE ATT&CK, and measure detection coverage gaps over time. It bridges red and blue teams by tracking both attack execution and detection outcomes in a unified interface.
Installation
Docker Compose Setup
VECTR is deployed via Docker Compose from the official repository:
# Clone VECTR repository
git clone https://github.com/SecurityRiskAdvisors/VECTR.git
cd VECTR
# Start Docker Compose (includes nginx, application, and postgres)
docker-compose up -d
# Verify containers are running
docker-compose psInitial Configuration
# Check logs for startup status
docker-compose logs -f app
# Access web interface
# http://localhost:8080 (default)
# or https://localhost:443 (if TLS enabled)
# Default credentials (CHANGE IMMEDIATELY)
# Username: admin
# Password: adminEnvironment Variables
# docker-compose.yml customization
environment:
- NODE_ENV=production
- DB_HOST=postgres
- DB_PORT=5432
- DB_USER=vectr
- DB_PASSWORD=change_me
- REDIS_HOST=redis
- REDIS_PORT=6379Quick Start
First-Time Setup
-
Access Web UI
- Navigate to http://localhost:8080
- Login with default credentials
- Change admin password immediately
-
Create First Assessment
- Click “New Assessment”
- Enter assessment name (e.g., “Q2 2026 Purple Team Campaign”)
- Select MITRE ATT&CK version (default: latest)
- Define assessment scope and objectives
- Assign team members
-
Invite Team Members
- Navigate to Settings → Users
- Add user email addresses
- Assign roles: Admin, Red Team, Blue Team, Analyst
- Send invitations
Dashboard Overview
| Component | Purpose |
|---|---|
| Campaigns | High-level purple team exercise containers |
| Assessments | Sub-campaigns with specific scope and timeline |
| Test Cases | Individual adversary emulation techniques and detections |
| Results | Outcome tracking (detected, alerted, blocked, etc.) |
| Heat Maps | Visual ATT&CK coverage analysis |
Core Concepts
Campaigns
Campaigns are top-level containers for purple team activities, representing organization-wide adversary emulation programs:
Campaign Structure:
- Campaign Name: "2026 Annual Purple Team Program"
- Duration: Start and end dates
- Objectives: Measurable goals for coverage improvement
- Phases: Grouped assessments by campaign phase
- Participants: Cross-functional team rosterAssessments
Assessments are scoped sub-campaigns with defined target systems, techniques, and timelines:
Assessment Properties:
- Name: Specific assessment name
- Campaign: Parent campaign
- Target Systems: Scope (endpoints, servers, networks)
- Start/End Date: Assessment window
- MITRE Version: ATT&CK version used (v13, v14, etc.)
- Status: Planning, Active, CompleteTest Cases
Test cases document individual adversary emulation executions:
- Technique ID: MITRE ATT&CK technique (e.g., T1566.002)
- Name: Descriptive test case name
- Description: Attack scenario details
- Procedure: Step-by-step execution instructions
- Tool Used: Red team tool (Mimikatz, certutil, etc.)
- Execution Date: When test was performed
- Evidence: Screenshots, logs, artifacts
- Detection Status: Outcome from blue team perspective
Outcomes
Outcomes track both attack execution and detection results:
| Red Team Outcome | Blue Team Detection |
|---|---|
| Success | Detected / Alerted / Blocked |
| Success | Not Detected |
| Failure | N/A (technique didn’t execute) |
| N/A | Not Applicable (not targeted) |
ATT&CK Mapping
Every test case maps to MITRE ATT&CK techniques:
Campaign Heat Map:
- Reconnaissance: 8/12 techniques covered (67%)
- Resource Development: 5/10 techniques covered (50%)
- Initial Access: 6/8 techniques covered (75%)
- Execution: 12/15 techniques covered (80%)Campaign Management
Creating a Campaign
1. Dashboard → Create Campaign
2. Enter campaign metadata:
- Campaign Name: "2026 Detection Engineering Program"
- Campaign Manager: Select lead
- Objective: "Improve detection coverage in EDR"
- Start Date: 2026-04-01
- End Date: 2026-12-31
- Description: Campaign context and goals
3. Click Create
4. Add phases (e.g., "Phase 1: Initial Access", "Phase 2: Persistence")Defining Campaign Scope
# Scope Definition
Target Tactics:
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
Target Platforms:
- Windows
- Linux
- macOS
Asset Groups:
- Production Servers
- Endpoint Devices
- Network InfrastructureSelecting ATT&CK Techniques
- Navigate to Campaign → Technique Selection
- View full ATT&CK matrix
- Filter by tactic, platform, or sub-technique
- Select techniques to target in campaign
- Export technique list for red team planning
Organizing Phases
Phase Management:
1. Create phase within campaign
- Name: "Initial Access & Execution"
- Duration: 2 weeks
- Focus areas: Phishing, scripting techniques
2. Link assessments to phases
3. Schedule red team operations by phase
4. Track phase completion and coverageTest Cases
Creating Test Cases
Assessment → Create Test Case
Required Fields:
- MITRE Technique ID: T1566.002 (Phishing: Spearphishing Link)
- Test Case Name: "Phishing Link Campaign to Marketing"
- Description: Description of attack scenario
- Attack Procedure: Step-by-step attack execution
- Tool Used: Browser, domain registrar info
- Execution Date: When red team executed
- Red Team Notes: Observations, success/failure detailsMapping to ATT&CK
# Example test case structure
Test Case: T1566.002
├── Tactic: Initial Access
├── Name: Spearphishing Link Delivery
├── Sub-techniques: Attached file is not used
├── Platform: Windows
├── Procedure:
│ 1. Create malicious URL with payload
│ 2. Spoof marketing sender email
│ 3. Send to 100 marketing employees
│ 4. Track link clicks and execution
└── Evidence: Email logs, URL visit recordsDocumenting Outcomes
| Field | Example |
|---|---|
| Tool Used | Gophish + Custom payload |
| Procedure | Spearphishing URL in email body |
| Red Team Outcome | Success - 25 clicks, 5 executed |
| Blue Team Detection | Alerted on phishing link (Proofpoint) |
| Detection Status | Detected |
| Remediation | Updated email filter, user training |
| Evidence | Screenshots, alert logs, forensics |
Outcome Tracking
Recording Outcomes
Test Case → Add Outcome
Red Team Perspective:
✓ Success: Attack achieved objective
✗ Failure: Attack did not execute
⊘ N/A: Not attempted/applicable
Blue Team Perspective:
✓ Detected: Security control identified attack
✓ Alerted: Alert/notification triggered
✓ Blocked: Attack blocked before success
✗ Not Detected: Attack completed undetected
⊘ Not Applicable: Technique not in scopeRed vs. Blue Scoring
VECTR calculates coverage metrics:
Coverage Calculation:
- Total Techniques Executed: 45
- Total Techniques Detected: 38 (84%)
- Detection Gap: 7 techniques (16%)
Trend Analysis:
- Previous Campaign: 72% detected
- Current Campaign: 84% detected
- Improvement: +12 percentage pointsGenerating Outcome Reports
Campaign → Reports → Detection Coverage
Output Includes:
- Technique-by-technique detection status
- Detected vs. Not Detected breakdown
- Trend graphs (coverage over time)
- Tactics with highest/lowest detection
- Red team success rate by technique
- Blue team detection speed (time-to-detect)ATT&CK Integration
Heat Maps
Campaign Dashboard → ATT&CK Heat Map
Color Coding:
🟢 Green: Technique tested and detected (100%)
🟡 Yellow: Technique tested, partially detected (50-99%)
🔴 Red: Technique tested, not detected (0-49%)
⚪ Gray: Technique not testedCoverage Visualization
Matrix View:
- X-axis: MITRE ATT&CK Techniques
- Y-axis: Detection Status
- Click technique to view all test cases for that technique
- Export heat map as PNG or JSON for presentationsTechnique Selection from ATT&CK Navigator
# ATT&CK Navigator Integration
1. Navigate to Campaign Technique Selection
2. Open MITRE ATT&CK Navigator (embedded or external link)
3. Create technique layer in Navigator
4. Import layer into VECTR campaign
5. VECTR auto-populates campaign techniquesNavigator Layer Export
Campaign → Export as Navigator Layer
Output:
- JSON format compatible with ATT&CK Navigator
- Includes detection status and metadata
- Share with stakeholders and executives
- Upload to Navigator for visualizationReporting
Campaign Reports
Reports → Generate Campaign Report
Report Sections:
1. Executive Summary
- Campaign overview and objectives
- High-level metrics (% coverage, trends)
- Key findings and recommendations
2. Detailed Findings
- Technique-by-technique analysis
- Detection gaps with remediation
- Red team success rates
3. Appendix
- Full test case listing
- Evidence and screenshots
- Timeline of executionsDetection Gap Analysis
Gap Analysis Report:
- Not Detected Techniques:
- T1547.001: Registry Run Keys (no EDR detection)
- T1574.001: DLL Search Order Hijacking (bypasses defenses)
- T1562.001: Disable or Modify System Firewall (insufficient logging)
- Recommendations:
- Implement ETW-based detection for T1547.001
- Deploy DLL hijacking behavioral detection
- Enable advanced logging for firewall modificationsTrend Tracking
Metrics → Trend Analysis
Metrics Tracked:
- Detection coverage over time (%)
- Techniques tested per month
- Average red team success rate
- Detection speed (TTD in hours)
- Top tactics for improvement
- Year-over-year improvementPDF/CSV Export
# Export Options
Reports → Export
Formats:
- PDF: Full formatted report with branding
- CSV: Technique data for spreadsheet analysis
- JSON: Programmatic export for integrations
- PNG: Heat maps for presentations
Customization:
- Logo and branding
- Include/exclude sections
- Redact sensitive data
- Custom date rangesTemplates
Assessment Templates
Settings → Templates → Assessment Templates
Pre-built Templates:
- "Initial Access Focus" (phishing, watering hole, supply chain)
- "Persistence & Privilege Escalation" (scheduled tasks, registry, kernel)
- "Defense Evasion" (UAC bypass, AMSI evasion, LOLBins)
- "Lateral Movement" (pass-the-hash, Kerberos, SMB abuse)Reusable Test Case Libraries
Create from Existing Assessment:
1. Assessment → Save as Template
2. Strip sensitive data (client names, real targets)
3. Generalize procedures for reuse
4. Add tags for searching (phishing, Windows, EDR)
5. Share with team or organization
Use Template:
1. Create Assessment → Select Template
2. Review and customize procedures for target environment
3. Assign to red team
4. Execute and track outcomesImporting/Exporting Templates
# Export template
Settings → Templates → Export Template
# Generates JSON file with all test cases and configurations
# Import template
Settings → Templates → Import Template
# Select JSON file
# Creates new assessment from template
# Share templates
# Send JSON file via secure channel
# Import in target VECTR instanceMulti-User Collaboration
Role-Based Access
| Role | Permissions |
|---|---|
| Admin | Full system access, user management, settings |
| Red Team Lead | Create/edit assessments, manage red team ops |
| Red Team | Execute test cases, submit outcomes |
| Blue Team Lead | Configure detections, analyze coverage gaps |
| Blue Team | View test cases, record detection outcomes |
| Analyst | Read-only access, generate reports |
Team Management
Settings → Team Management
User Invite:
- Email: user@organization.com
- Role: Red Team, Blue Team, or Analyst
- Campaign Access: Specific campaigns or all
- Send invitation → User accepts → Account created
Concurrent Assessments:
- Multiple teams work on different assessments
- Real-time synchronization across users
- Comments and notes on test cases
- Activity log tracks all changesConcurrent Operations
Real-time Collaboration:
- Multiple red teamers execute test cases simultaneously
- Blue team updates detection outcomes in parallel
- Lock test case during active recording to prevent conflicts
- Merge comments and evidence from team membersAPI Access
REST API for Automation
# Authentication
curl -X POST http://localhost:8080/api/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"admin"}'
# Returns: { "token": "eyJhbGciOiJIUzI1NiIsInR5..." }Creating Assessments Programmatically
# Create assessment via API
curl -X POST http://localhost:8080/api/assessments \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "Q2 2026 Initial Access Campaign",
"campaignId": "camp_abc123",
"startDate": "2026-04-01",
"endDate": "2026-06-30",
"mitre_version": "14"
}'Submitting Test Cases via API
# Add test case
curl -X POST http://localhost:8080/api/test-cases \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"assessmentId": "assess_xyz789",
"techniqueId": "T1566.002",
"name": "Spearphishing Link",
"procedure": "Send malicious link via email",
"toolUsed": "Gophish",
"executionDate": "2026-04-15"
}'
# Record outcome
curl -X POST http://localhost:8080/api/outcomes \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"testCaseId": "tc_123",
"redTeamOutcome": "Success",
"blueTeamDetection": "Detected",
"notes": "Proofpoint alert triggered"
}'Bulk Operations
# Export all assessments
curl http://localhost:8080/api/assessments \
-H "Authorization: Bearer YOUR_TOKEN" | jq '.' > assessments.json
# Import test cases from CSV
python3 bulk_import.py \
--token YOUR_TOKEN \
--file test_cases.csv \
--assessment assess_xyz789Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Port 8080 already in use | Change port in docker-compose.yml, restart containers |
| Postgres connection error | Check DB credentials in environment, verify postgres container running |
| ATT&CK data not loading | Run database migration: docker-compose exec app npm run migrate |
| Slow heat map generation | Increase container memory, reduce technique count temporarily |
| Login failures | Clear browser cache, reset admin password via postgres CLI |
Database Troubleshooting
# Access postgres container
docker-compose exec postgres psql -U vectr
# Check assessment count
SELECT COUNT(*) FROM assessments;
# Reset admin password
UPDATE users SET password=hash('newpassword') WHERE username='admin';
# Backup database
docker-compose exec postgres pg_dump -U vectr > backup.sqlPerformance Optimization
# Increase container resources
# docker-compose.yml
services:
app:
mem_limit: 4g
memswap_limit: 4g
postgres:
mem_limit: 2g
# Restart containers
docker-compose down && docker-compose up -dBest Practices
Campaign Planning
- Define clear objectives before campaign launch (detection gaps, remediation, training)
- Map to adversary TTPs relevant to your threat landscape
- Schedule phases strategically (avoid high-ops periods, coordinate with blue team)
- Set realistic metrics (coverage targets, detection speed goals)
- Document assumptions about tooling, network conditions, and defenses
Red Team Execution
- Preserve evidence (screenshots, logs, artifacts) for audit trail
- Document procedures precisely so findings are reproducible
- Use realistic tools that threat actors employ in your vertical
- Test detection evasion (UAC bypass, AMSI evasion, LOLBins) alongside technique execution
- Coordinate with blue team to avoid unplanned business impact
Blue Team Detection
- Record detection method (EDR, IDS, SIEM, manual investigation)
- Note detection time (immediate vs. delayed detection)
- Identify false negatives quickly for remediation priority
- Track false positives from test cases
- Implement detections incrementally to avoid alert fatigue
Reporting & Remediation
- Executive summaries focus on coverage improvement and business impact
- Technical details support remediation prioritization
- Trend analysis demonstrates program maturity and progress
- Assign ownership for detection gap remediation
- Schedule follow-up campaigns to verify detection improvements
Related Tools
| Tool | Purpose |
|---|---|
| CALDERA | Automated adversary emulation platform (pairs with VECTR) |
| Atomic Red Team | Library of small, testable ATT&CK techniques |
| AttackIQ | Commercial continuous red teaming (similar to VECTR) |
| MITRE ATT&CK Navigator | Visualize and plan ATT&CK-based assessments |
| PlexTrac | Purple team reporting and engagement tracking |
| Incident Response Runbooks | Proceduralize detection and response |
| EDR Platforms | Endpoint Detection and Response (primary detection layer) |