Inspiration
Every SOC has detection rules. Almost no SOC knows which ones actually work. Validating coverage the traditional way requires a full purple team lab with attacker VMs, victim machines, and endpoint agents, plus 30 to 60 minutes of manual work per attack type. Most teams skip it entirely, leaving silent gaps where rules look correct but miss real attacks in production.
What We Built
“Autonomous Attack Simulation & Detection Coverage Validation Agent” is a multi-agent attack simulation system built entirely on Elastic Agent Builder and Kibana Workflows. You type a plain-English attack description into a chat window, for example "generate a Kerberoasting attack from 10.10.10.2 on multiple hosts", and the system returns a definitive detection coverage verdict in approximately 4 minutes, with zero manual steps and no real systems involved. Five components work in sequence. An Attack Simulation Agent receives the chat message, extracts parameters, and fires the attack_simulation workflow as a tool call. Inside the workflow, four Agent Builder agents run sequentially: a Log Profiler that queries your live Elasticsearch environment to discover real telemetry structure; a TTP Researcher that reasons from MITRE ATT&CK knowledge to build a realistic simulation plan using real offensive tool behavior; an Event Fabricator that generates ECS 8.x-compliant events and bulk-indexes them via a custom bulk_index_events workflow tool; and a Coverage Analyst that independently queries both the event index and the alerts index to return a verdict of DETECTED, PARTIALLY_DETECTED, or MISSED. If the verdict is MISSED, the Coverage Analyst generates a working ES|QL detection rule derived from the attack's actual distinctive fields.
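As an added illustration of the Coverage Analyst's cross-referencing step (example code written for this write-up, not the project's own agent logic), the function below takes the fabricated events and the alerts pulled back from the two indices and derives the same three-way verdict. The ES|QL strings show the shape of the two queries; the `simulation.id` tag and all sample records are assumptions constructed for the example.

```python
"""Coverage verdict from simulated events vs. raised alerts (illustrative)."""
from datetime import datetime, timedelta

# Shape of the two analyst queries. `simulation.id` is a hypothetical tag
# the fabricator would stamp on every synthetic event (assumption).
EVENTS_QUERY = ('FROM logs-* | WHERE simulation.id == "{sim}" '
                '| STATS events = COUNT(*) BY host.name')
ALERTS_QUERY = ('FROM .alerts-security.alerts-default '
                '| WHERE @timestamp >= "{start}" '
                '| KEEP host.name, kibana.alert.rule.name, @timestamp')

def verdict(events, alerts, window=timedelta(minutes=10)):
    """Return (verdict, hosts_without_alert).

    DETECTED: every simulated host raised an alert inside `window` after its
    first synthetic event. PARTIALLY_DETECTED: only some did. MISSED: none."""
    first_seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        host = ev["host.name"]
        first_seen[host] = min(ts, first_seen.get(host, ts))
    if not first_seen:
        raise ValueError("no simulated events found; fabrication step failed")
    covered = set()
    for al in alerts:
        host = al.get("host.name")
        if host not in first_seen:
            continue  # unrelated production alert
        ts = datetime.fromisoformat(al["@timestamp"])
        if first_seen[host] <= ts <= first_seen[host] + window:
            covered.add(host)
    missed = sorted(set(first_seen) - covered)
    if not missed:
        return "DETECTED", missed
    if covered:
        return "PARTIALLY_DETECTED", missed
    return "MISSED", missed

# Constructed samples: Kerberoasting-style TGS requests (event 4769, RC4
# ticket) on three hosts; one timely alert, one stale alert, one host silent.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00+00:00", "host.name": "ws01",
     "event.code": "4769", "winlog.event_data.TicketEncryptionType": "0x17"},
    {"@timestamp": "2024-05-01T10:00:05+00:00", "host.name": "ws02",
     "event.code": "4769", "winlog.event_data.TicketEncryptionType": "0x17"},
    {"@timestamp": "2024-05-01T10:00:09+00:00", "host.name": "ws03",
     "event.code": "4769", "winlog.event_data.TicketEncryptionType": "0x17"},
]
SAMPLE_ALERTS = [
    {"@timestamp": "2024-05-01T10:03:00+00:00", "host.name": "ws01",
     "kibana.alert.rule.name": "Kerberoasting via RC4 TGS request"},
    {"@timestamp": "2024-05-01T09:30:00+00:00", "host.name": "ws02",
     "kibana.alert.rule.name": "Kerberoasting via RC4 TGS request"},
]
```

The stale ws02 alert predates the simulation and is ignored, so the sample yields PARTIALLY_DETECTED with ws02 and ws03 uncovered; in the real pipeline those uncovered hosts are what the analyst would use to scope a new ES|QL rule.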
Features Used
- Agent Builder — Five agents with distinct reasoning roles, scoped tool assignments, and system prompt guardrails.
- Kibana Workflows — Master orchestration pipeline chaining all agents sequentially; bulk_index_events workflow exposed as a callable agent tool.
- ES|QL — Telemetry profiling, event verification, and alert cross-referencing across logs-* and .alerts-security.alerts-default.
What We Liked
Agent Builder's ability to assign specific tools to individual agents, including custom workflow-backed tools, was the most impactful design pattern in this project. Each agent has a minimal, purpose-specific toolset. The Event Fabricator has exactly one tool; the TTP Researcher has none by design. Pairing this with per-agent system prompt guardrails meant each component only knows what it needs to know and can only do what it is meant to do, which is what makes the end-to-end verdict trustworthy.
Challenges
The Agent Builder chat UI shows an error after 2 minutes, but the underlying pipeline continues running in the background and the full result appears in the chat once execution completes at around the 4 to 5 minute mark. This is a platform limitation rather than a system failure. During development, watching the Kibana Workflows Executions tab was useful for debugging per-step output in real time, but in normal use the chat interface delivers the complete result on its own. A separate constraint was the agent step execution timeout. When generating large numbers of synthetic events, the Event Fabricator would frequently time out mid-run. The fix was constraining generation to 12 events per simulation, which is enough to trigger threshold-based detection rules while staying within the execution budget.
Built With
- agent
- api
- converse
- elastic
- es|ql
- workflow
- yaml