Zing Forum

AttackGen: A Cybersecurity Exercise Tool Based on LLM and MITRE ATT&CK

AttackGen is a cybersecurity incident response testing tool that leverages large language models (LLMs) and the MITRE ATT&CK framework to generate customized incident response exercise scenarios based on the user-selected threat actor group and target organization details.

Tags: Cybersecurity, MITRE ATT&CK, LLM, Security Exercises, Incident Response, Threat Intelligence
Published 2026-05-31 02:44 | Recent activity 2026-05-31 02:50 | Estimated read 8 min

Section 01

AttackGen: Guide to the Intelligent Cybersecurity Exercise Tool Based on LLM and MITRE ATT&CK

AttackGen is a cybersecurity incident response testing tool developed and maintained by mrwadams, released on GitHub on May 30, 2026 (original link: https://github.com/mrwadams/attackgen). Its core is combining large language models (LLMs) with the MITRE ATT&CK framework to generate customized exercise scenarios based on the user-selected threat actor group and target organization details. It aims to address the pain points of traditional security exercises and create a new model of intelligent security exercises.

Section 02

Challenges Faced by Traditional Cybersecurity Exercises

In today's complex threat environment, traditional security exercises face four major challenges:

  1. Single scenario: Predefined scenarios are too generic and difficult to reflect the complexity of real threats;
  2. Lagging updates: Threat situations change rapidly, making it hard for exercise content to keep up in a timely manner;
  3. Resource-intensive: Designing high-quality exercises requires a lot of input from security experts;
  4. Lack of targeting: Generic scenarios cannot meet the specific needs of organizations in different industries and sizes.

AttackGen is designed to address these four problems.

Section 03

Core Architecture and Capabilities of AttackGen

MITRE ATT&CK Framework Integration

MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques. By integrating ATT&CK data directly, AttackGen ensures that generated scenarios are grounded in real threat intelligence, cover the complete attack lifecycle, reflect current adversary methods, and are actionable and verifiable.

LLM-driven Advantages

  • Dynamic scenario generation: Generate unique scenarios in real time, so each exercise experience is different;
  • Context awareness: Understand the organization's environment (industry, size, technology stack) to generate relevant scenarios;
  • Natural language description: Present clearly using professional terminology, making it easy for teams to understand and execute.

Customized Threat Modeling

AttackGen allows the user to select specific threat actors, enabling exercises that target APT groups, attackers common to the organization's industry, or particular TTPs in order to assess defense readiness.

Section 04

Workflow and Application Scenarios of AttackGen

Typical Usage Flow

  1. Input organization information (industry, size, technical infrastructure, etc.);
  2. Select threat actors from the MITRE ATT&CK library;
  3. Generate customized attack scenarios;
  4. The security team conducts the exercise;
  5. Review, analyze, and improve.

Application Scenarios

  • Red-Blue Team Exercises: Red team simulates attacks, blue team defends;
  • Incident response plan verification: Test the effectiveness of the plan in responding to specific threats;
  • Security awareness training: Create training materials with real scenarios;
  • Security tool evaluation: Verify the ability of monitoring and detection tools to identify specific TTPs.

Section 05

Technical Implementation Features of AttackGen

Structured Data Fusion

Fusing structured ATT&CK data with LLM generation requires precise prompt engineering, effective indexing and retrieval of the ATT&CK data, and a verification mechanism that constrains the generated content to that data.
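As an added illustration of steps 1 to 3 of the usage flow above and of the structured-data fusion just described, the following Python is example code written for this summary, not AttackGen's own code: it retrieves a threat group's techniques from a small embedded ATT&CK-style table, orders them along the attack lifecycle, builds the generation prompt from organization details, and verifies that a model's output cites only the selected techniques. The technique IDs are real ATT&CK identifiers, but the group, its technique mapping, the organization details and the sample output are constructed, and no model is called.

```python
import re

# Constructed mini slice of ATT&CK: technique IDs/names are real ATT&CK
# identifiers; the group and its technique mapping are made up for this example.
TACTIC_ORDER = ["initial-access", "execution", "persistence",
                "lateral-movement", "impact"]
TECHNIQUES = {
    "T1566": ("Phishing", "initial-access"),
    "T1059": ("Command and Scripting Interpreter", "execution"),
    "T1078": ("Valid Accounts", "persistence"),
    "T1021": ("Remote Services", "lateral-movement"),
    "T1486": ("Data Encrypted for Impact", "impact"),
}
GROUP = "G9999 Example Group (constructed)"
GROUP_TECHNIQUES = {GROUP: ["T1486", "T1566", "T1021", "T1059"]}

def select_techniques(group):
    """Retrieve the group's techniques, ordered along the attack lifecycle."""
    ids = GROUP_TECHNIQUES[group]
    return sorted(ids, key=lambda t: TACTIC_ORDER.index(TECHNIQUES[t][1]))

def build_prompt(group, org):
    """Assemble the generation prompt from organization context and ATT&CK data."""
    lines = [f"Write a tabletop incident response exercise for a {org['size']} "
             f"{org['industry']} organization running {org['stack']}.",
             f"Threat actor: {group}. Use only the techniques below, in this "
             "order, and cite each by its ATT&CK ID:"]
    for t in select_techniques(group):
        name, tactic = TECHNIQUES[t]
        lines.append(f"- {t} {name} ({tactic})")
    lines.append("For each step give detection opportunities and response actions.")
    return "\n".join(lines)

def verify_scenario(text, group):
    """Constraint check on model output: only allowed techniques, all of them,
    in lifecycle order. Returns (ok, list_of_problems)."""
    allowed = select_techniques(group)
    cited = list(dict.fromkeys(re.findall(r"\bT\d{4}(?:\.\d{3})?\b", text)))
    problems = [f"unexpected {t}" for t in cited if t not in allowed]
    missing = [t for t in allowed if t not in cited]
    problems += [f"missing {t}" for t in missing]
    if not missing and [t for t in cited if t in allowed] != allowed:
        problems.append("techniques cited out of lifecycle order")
    return not problems, problems

# Constructed stand-in for model output; a real run would pass the LLM's text.
SAMPLE_OK = ("Inject 1 (T1566): staff receive a phishing email. Inject 2 (T1059): "
             "a script runs on a workstation. Inject 3 (T1021): the actor reaches "
             "a file server. Inject 4 (T1486): files on it are encrypted.")
```

A scenario that fails `verify_scenario` (an unlisted technique, a skipped step, or steps out of order) should be regenerated or edited before the exercise is run.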

Configurability and Extensibility

The tool may provide scenario complexity adjustment, technology stack customization, output format options, and integration interfaces with other security tools.

Threat Intelligence Update Mechanism

To keep scenarios realistic, the tool should regularly synchronize with MITRE ATT&CK updates, integrate the latest threat intelligence, and reflect newly documented attack techniques.

Section 06

Significance of AttackGen for the Cybersecurity Industry

The significance of AttackGen for the industry lies in:

  1. Lowering the threshold for exercises: Allowing small and medium-sized enterprises to carry out high-quality exercises;
  2. Enhancing exercise authenticity: Scenarios based on real intelligence and AI generation are closer to actual threats;
  3. Accelerating response preparation: Generating scenarios for newly emerging threats quickly shortens the time needed to prepare a response;
  4. Promoting knowledge transfer: Transforming ATT&CK professional knowledge into easy-to-understand scenarios to popularize security knowledge.

Section 07

Usage Recommendations and Best Practices for AttackGen

Recommendations for using AttackGen:

  1. Establish a threat intelligence input process: Regularly update the list of threat actors of concern;
  2. Provide real environment information: Accurate technology stack information generates more relevant scenarios;
  3. Multi-round iterative optimization: Adjust parameters to optimize scenarios based on exercise feedback;
  4. Combine with other exercise methods: Complement traditional methods to form a complete system;
  5. Record and measure: Establish exercise effect indicators to continuously improve response capabilities.

Section 08

Value Summary of AttackGen

By combining the authoritative MITRE ATT&CK framework with cutting-edge LLM technology, AttackGen creates a practical security tool. It does not replace experts but enhances their capabilities. In a complex threat environment, such tools are of great significance for improving an organization's security exercise efficiency and establishing effective defense capabilities.