Frequently Asked Questions about Prelude Operator

How often should I run this tool?

Prelude Operator should be run on a continuous basis, daily or weekly, depending on what your goals are. As an automated tool, you can hook Prelude Operator into continuous integration tools, such as Jenkins, to run as often as you’d like. This allows you to test much more frequently than manual red-teaming.

Can Prelude Operator perform initial access exploits?

Prelude Operator was originally developed as a post-compromise tool, meaning it assumed you had breached a network already and established a foothold (agent). However, in modern versions of Prelude Operator, you can deploy a local agent and task it with initial access techniques, pointed at remote systems. Doing so allows you to hide your attacks through proxy hosts. For example, you can spin up an AWS EC2 server, deploy an agent on it, connected to your Prelude Operator desktop application. You can task that with initial access commands, allowing you to hide non-attributable, behind the EC2 proxy.

How much of the ATT&CK framework is covered?

We get this question a lot. The ATT&CK framework is a great classification tool, creating a common language for attackers and defenders to use - however, covering every box on the matrix does not mean you are protected. As such, we aim to cover procedures which are impactful and most commonly seen in the wild. Note that we focus on procedures, not the techniques above them. There are 1000s of procedures for every technique, so covering a single one does not guarantee safety: we aim to create procedures that will keep you safe.

What makes Prelude Operator different from other breach-and-simulation tools?

There are several differentiating points in Prelude Operator:

  • Self-learning. As Prelude Operator runs adversary profiles, it parses the output of each command and attempts to parse and learn information about what it just did. This information is dynamically fed into future commands, creating command combinations that could not have been predicted from the start.
  • Easy procedure development. Many tools require you to know programming languages in order to create procedures, which are then loaded into their systems. In Prelude Operator, the procedure format is a simple, human readable YML, which allows anyone to create procedures quickly and easily.

How many endpoints (computers) can Prelude Operator run on simultaneously?

Prelude Operator has been tested on as many as 1,500 endpoints, simultaneously. However, this type of testing is strongly discouraged, as it is not representative of how adversaries actually work. One of our biggest goals is realistic emulation. As a hacker, you generally try to work through a network undetected and establishing too many footholds in a network can be noisy and open you up to getting caught. It’s typically better to run agents on 3-5 computers and rotate these computers between tests.

Is this tool only for red-teamers?

Contrary to popular belief, Prelude Operator is actually primarily a blue-team tool! The goal of automated red teaming is to lessen the need for manual red-teamers. While offensive security experts certainly use Prelude Operator, our primary audience is blue-team or defensive-minded professionals looking to secure their networks.

Can Prelude Operator only execute shell commands?

No, Prelude Operator can actually run any type of command in any language. Essentially, if you can do something from behind the keyboard, you can easily have Prelude Operator replicate the same thing.

By default, Prelude Operator’s agent executes shell commands such as PowerShell, command-line and bash, but it can easily be extended to execute commands in assembly, C, system calls, shell code and more.

Won’t this teach defenders to just find Prelude Operator agents, not the actual effects happening?

By default, Prelude Operator agents take several defensive evasion precautions, such as having the ability to compile on the fly with a different file hash each time. We also make it easy for users to write their own agents and connect them to Prelude Operator. These evasion techniques encourage defenders to look for the effects of commands, instead of the actual Prelude Operator binaries.

How is Prelude Operator different from antivirus or vulnerability scanners?

Antivirus programs (AV) primarily look for file signatures of known malware and flags or quarantine them. More advanced AV will look at browser traffic and warn or block malicious websites.

Vulnerability scanners primarily scan software versions of installed applications, in order to identify known CVEs associated with the versions. This gives members the ability to identify when to upgrade software when patches are available.

By contrast, Prelude Operator executes actions that a hacker is likely to attempt. Oftentimes, these are benign actions that an AV or vulnerability scanner is not going to catch - but combining benign actions can result in a malicious attack. A good example of this is scanning local files, looking for passwords the user may have jotted down in a text file.

Related Content


Adversary Emulation

Mimic known threats to your organization by combining threat intelligence and continuous red teaming to emulate attacks.


Defensive Training

Train yourself or your organization on real-world attacks using the first training platform integrated directly into an attack emulation platform. Perform attacks and learn how to stop them.


Desktop Application

Prelude takes care of the complexity behind the scenes and delivers Operator as the first desktop application in autonomous red-teaming. Simple design and free to use, download it here.


Continuously Updating

New TTPs and training content added every week (and sometimes, daily). Stay up-to-date, automatically. Threat intelligence, adversary creation, TTPs and training content all updated within the desktop app.