After 27 beta versions, Prelude Operator is now at a stable, version 1.0 state. Aside from a tenacious security engineering effort, what does this show? A simpler, more accessible form of advanced security is here - lowering the barrier of entry for all.
For years the security industry has met technical advances with extra layers of security. This layering has created additional security holes through opaque, hard-to-audit engineering effort. Look at the recent macOS vulnerability in its Gatekeeper service. The bug, by many accounts, was introduced by engineering oversights while layering on security measures intended to make the computer more secure.
The complexity has even crept into the terminology, with many ways of saying the same, or a very similar, thing. Penetration testing has turned into red teaming, which has split into purple teaming and cyber security engineering. Organizations trying to stay current are required to make a decision: do you continue with your red team, bring in compliance penetration testers, pick up a breach-and-attack-simulation tool, or fund your own internal purple team?
Why we're here
Operator's main purpose is to simplify. Simplify the options and redirect the attention to security. We believe there shouldn't be security and advanced security. There should be security, accessible to large enterprises, governments and small businesses.
How does Operator do this?
We start on your desktop. Download and install it like any other app on your Windows, macOS or Linux computer. It should feel familiar, comfortable even.
From there you're confronted with a decision: drop an agent on a target, or deploy an adversary against a range of agents already running. Operator, at its heart, is a command-and-control (C2) center. It allows you to quickly, continuously and repeatably test your defenses.
Say you hire a red team today and they find 10 vulnerabilities. Six months later you bring them back and they find 5 vulnerabilities. Did you fix 5 of them, or did the red team just miss 5 things the second time (maybe they lost a talented member, or just lost focus during the test)?
Technical advancements
Operator is not the first C2 to hit the market. Others have come before it. So it takes more than ease-of-use and simplicity to stand out; it requires power and an advancement of the underlying technology to make a difference. That is what Operator brings to the table, in a way that highlights simplicity, not complexity.
Operator uses a unique process we've dubbed chaining.
To understand chaining, think about getting from point A to point B. Your instinct tells you the best way is the most efficient: just go from A to B. However, your instinct is also the most predictable. Chaining defines a new, unpredictable way of navigating between these points. It may show other ways of making the journey, moving through points C, D and E.
Adversaries, in the wild, don't take the predictable paths to accomplish a goal. They would get caught. Instead they link benign actions together which, when combined into a chain, have the same effect as the predictable path but with far less risk of getting caught.
Operator contains hundreds of TTPs (growing daily) and dynamic chains (477 at this writing) which use them. These are open and available to review and audit, but Operator manages their automatic execution (if you want it to).
And the technology advancements don't stop there. Operator chains are dynamic, meaning that they fluctuate based on historical data. New chains will populate in your environment - and only your environment - based on the results from your security testing and the attacks you personally load into the platform.
What you won't find at Prelude are buzzwords and flashy marketing campaigns. The security industry is full of acronyms and buzzwords, from artificial intelligence and machine learning to running in the cloud. We aim to stick to simple terms that explain what we do, nothing more, nothing less.
Are there more technical advancements, aside from chaining, in Operator? There are many. Here is a sampling:
The ability to intelligently decipher your security results and build security recommendations on the fly
An interface for Remote Access Trojans (RATs or agents) so you can write or port your own
The process of parsing indicators of compromise out of your security results and immediate "unlocking" of future TTPs based on a variable-syntax language built into our TTP structure
A speedy process for taking Cyber Threat Intelligence (CTI) reports and building customized adversary profiles you can immediately try in a real environment
Probably the fastest, simplest cloud provisioning tool
A full "attack Integrated Development Environment (IDE)" for building your own attacks and embedding them next to ours
The coupling of security education alongside the daily duties of security through embedded training programs inside Operator
Research and development
We are committed to advancing the state of security through common-sense research and development. We believe that the future of security requires an advancement in automation.
From the above example, imagine if there are 10,000 points beyond A and B. And that each point has a dozen variations of itself. Navigating these potential paths to find the possible ones, filtering down to the optimal ones and balancing the remainder between predicted effectiveness of the outcome with predicted odds of being detected is an enormous challenge. It requires a combination of existing technology and soon-to-be exposed techniques for making big data decisions based on small available data.
In other words: it requires a scale of automation that does not exist within the security space at this time.
Prelude Research Inc., as an organization, is committed to research for the greater good. We believe we have the right experience and the right platform in Operator to tackle this problem at a scale that outputs a more secure world.
Where we go from here
Beyond R&D, what's next? Our team and platform are growing. We'll be expanding our available TTPs, our embedded training will get stronger, and our security recommendations will get more intelligent. We'll be integrating with the important processes and tools security teams should be focused on, in categories such as threat intelligence, centralized logging systems, endpoint detection and more.
As we do this, we'll be keeping a careful eye on simplicity.
You'll see us roll out changes across design, UI and UX, all intended to close the skills gap between your most junior and senior security practitioners. And these changes won't just be outward facing, we'll also look inward at Operator as a platform.
A DARPA study found that while the average lines of code (LOC) in a piece of malware is 125, the average LOC in a defensive product to keep a computer safe is 10 million. The going rule of thumb is that every 1,000 lines of code carries 15 unknown bugs. So line count matters. Operator currently has 6,500 LOC and we're holding strong in that range. Does this take time, effort and serious engineering to keep this count? You bet. Does it matter? You bet.
Operator is an application that we believe will change the security industry.
It is built around the pillars of transparency and realism. There is no "secret sauce" in what we develop. We are focused on absorbing the most complicated of security ideology and spitting it back out in a simplified version that everyone from your most advanced security pro to your interns can use on their desktop in a way that makes you more secure.
Use Operator to strengthen your red teaming efforts. Use Operator to start red teaming for the first time. Use Operator to kick-start a continuous training ground for your security team. Use Operator to identify which defensive products are working - and not - in your environment. Use Operator to test the cyber hygiene of your workforce.
Most of all: use Operator to demystify what security means and to actually start practicing it.