The Adaptive Adversary Engine
Cybrium's adversary engine runs autonomous, AI-driven attack campaigns that emulate how a real threat actor behaves on your network — not just a list of checks, but a continuous loop of reconnaissance, decision, execution, and adaptation. Every step is mapped to the MITRE ATT&CK framework so that defenders can read campaign output in the same language they already use for detection engineering and purple-team exercises.
Scans vs. Campaigns
Scans are single-purpose: point them at a host, a web app, a repository, or a cloud account and they run one type of assessment to completion. They are fast, deterministic, and ideal for continuous coverage.
Campaigns are multi-phase adversary emulation. The engine chains tactics together — initial access leads to discovery, discovery informs lateral movement, lateral movement surfaces credentials that feed privilege escalation — and the path is picked dynamically based on what the target reveals at each step.
| Scan | Adversary Campaign | |
|---|---|---|
| Scope | One capability | Full kill chain |
| Flow | Fixed pipeline | Adaptive, AI-planned |
| Output | Findings list | Findings + tactics + artifacts |
| Duration | Minutes | Hours to days |
Core Components
AI Phase Planner. Before a campaign launches, the planner reads the target profile, the selected box type, and the authorized scope, then assembles an ordered plan of ATT&CK tactics. It re-plans mid-campaign whenever the engine's confidence about the environment shifts — a discovered service, a harvested credential, a blocked technique.
Adaptive Exploit Chain. Each technique runs in an isolated runner. When a step succeeds, its output (hosts, users, hashes, tokens) is normalized into the campaign's shared intel graph. Subsequent steps query that graph to pick the highest-value next move.
Live Execution Viewer. Operators can attach to a running campaign at any time — watch the terminal of the attacker agent, observe the desktop of the exploit VM, inspect intel as it streams in, and abort individual steps or the full campaign. Every action is signed, timestamped, and recorded to the tamper-evident audit log.
See Box Types to pick the right campaign mode and Launching a Campaign to start your first run.