Skip to main content

Live Execution Viewer

Every running campaign has a drawer in the Adversary page that streams the engine's activity in real time. Operators can watch what the attacker agent is typing, see the desktop of the exploit VM, and follow the ATT&CK timeline — all without touching the underlying infrastructure.

Screenshot: Remote terminal drawer with terminal and desktop tabs

Opening the Viewer

Click any row in the active campaigns table to open the drawer. The drawer is modal-less and pinned to the right edge; you can resize it, keep it open while browsing other pages, or pop it out into its own window. The viewer reconnects automatically if the browser is reloaded or the network drops.

Terminal Tab

The Terminal tab is a WebSocket-backed, read-only stream of the attacker agent's stdout and stderr. As each tactic step runs, its command output appears in the terminal with colorized phase markers, timestamps, and step identifiers in the gutter. ANSI control codes are honored, so colored tool output renders faithfully.

The terminal is strictly read-only. Operators cannot type commands, paste payloads, or cancel individual processes from the stream — that would break the campaign's deterministic replay guarantee. To intervene, use the Abort Step and Abort Campaign buttons in the drawer toolbar, both of which are logged as operator events.

A search bar at the top scrolls to the next match across the full session buffer. Export as plain text or as an ANSI-preserving .log file.

Desktop Tab

The Desktop tab streams the attacker VM's screen over WebRTC. When the engine opens a GUI-driven tool — a browser for a manual-assisted web test, a vulnerability workbench, or a credential dumper's interactive prompt — you can see exactly what the agent sees. Latency is typically under 150 ms on a regional connection.

Like the terminal, the desktop is read-only. Mouse and keyboard events from the operator's browser are not forwarded. A small overlay indicates when the agent is actively interacting so observers can distinguish engine activity from idle frames.

Token Gating

Access to the live viewer is gated by a short-lived, per-campaign token. Tokens expire 15 minutes after issue and are automatically refreshed while the drawer is open. Sharing a token outside the tenant is blocked by IP binding.