Protect yo' self

Operator's new Protect Mode introduces a hands-off approach to security testing

This feature is now available under the settings section of Operator, not the main dashboard. When enabling the mode, the app will be placed in your system tray and run as a system service, not unlike an antivirus program.

In version 0.9.18, Operator dropped in a brand new feature that takes a big stride toward our mission of accessible red teaming for everyone: Protect Mode.

Protect Mode is a completely hands-off approach to security assessments, aimed at organizations that don’t have the time, expertise or money to conduct their own manual red team exercises.

When you open Operator, you’re now given the option of enabling the new mode.

But what, exactly, does enabling it do?

Turning Protect Mode on does the following:

  1. It adds Operator to your computer’s login/startup programs, so it’ll launch when you reboot your computer. The goal is to have it “always on” the same way you do for antivirus. Right now, we don’t hide it in the background like an AV program but we pop the GUI open, so you know it’s there.

  2. On a random interval, between 60 seconds and 24 hours - but no more than once per day - a safe, random “micro adversary” will drop on your computer. It will typically run between 1 and 5 TTPs, attempting a known malicious chain of benign actions.

  3. The Cloud publisher flips on. This means when you run security assessments, a record of the tactic, technique and success of each executed TTP is sent to a private Prelude database so we can automatically create custom adversaries, tuned specifically to your environment.

The Cloud publisher does not have the ability to read the request/command or response from any result; these are all encrypted locally.

Ok, but now really, how does it all work?

Internally, our security team has identified hundreds of “malicious chains” that adversaries commonly execute to achieve a specific goal. Most of them fly under the radar of modern defenses. These chains are composed of benign actions, like copying a file or visiting a website. When several benign actions are run in sequence, they can have a malicious result.

Adversaries often get from point A to point B by going through C, D and E first. They do this because modern defensive products are tuned to catch adversaries doing known activities, such as running a keylogger or downloading a credential dumper. An adversary can typically achieve the same results by taking “the long way around” so they opt for chaining benign actions together instead.

The TTPs that execute are safe, non-destructive procedures which test not only the defenses on the endpoint computer and network but also the employee using the machine. Certain attacks will prompt the user to allow a program access to specific directories or to enter their credentials in a pop-up box.

Attacks like these are testing the user’s behavior while using the machine, which is the most vulnerable access point you have as an organization.

Operator instances running Protect Mode will check in with GateKeeper every 60 seconds to 24 hours - but no more than once per day - to ask for a new micro adversary to execute. This infrequent beaconing mimics that of an adversary in the wild, who only sends out an occasional request in order to evade detection.

Modern defensive products tend to look for patterns, especially related to outbound network requests. An adversary beaconing every hour, on the hour, is bound to (quickly) get caught. But random, well-spaced beacons are less likely to get caught, as it’s tricky to identify the pattern.
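A defender's view of the point above, as an added example (not Prelude's code): a fixed-interval check over outbound connection times catches the hourly beacon but misses irregular once-a-day check-ins, while a "seen on many days, rarely per day" check surfaces them. The destination names, timestamps and thresholds are constructed assumptions, and the irregular case is modeled as one check-in per day at an uneven time.

```python
from collections import Counter
from statistics import mean, pstdev

DAY = 86400  # seconds

def interval_cv(timestamps):
    """Coefficient of variation (stdev / mean) of the gaps between connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None

def fixed_interval(timestamps, max_cv=0.1):
    """Classic periodicity check: near-constant gaps between connections."""
    cv = interval_cv(timestamps)
    return cv is not None and cv <= max_cv

def rare_but_persistent(timestamps, min_days=10, max_per_day=1):
    """Destination seen on many distinct days, at most max_per_day times a day."""
    per_day = Counter(int(t // DAY) for t in timestamps)
    return len(per_day) >= min_days and max(per_day.values()) <= max_per_day

def constructed_logs():
    """Constructed outbound-connection times (seconds since start), 14 days."""
    offsets = [4100, 61200, 30500, 80000, 900, 47000, 72000,
               15000, 55000, 26000, 84000, 9000, 38000, 66000]
    days = len(offsets)
    return {
        # every hour, on the hour
        "hourly.example": [h * 3600 for h in range(days * 24)],
        # one check-in per day at an irregular time of day
        "irregular.example": [d * DAY + offsets[d] for d in range(days)],
        # ordinary daytime use: 20 connections a day at uneven times
        "workday.example": [d * DAY + 30000 + (k * k * 137 + d * 911) % 30000
                            for d in range(days) for k in range(20)],
    }

def classify(logs):
    """Map destination -> (fixed_interval, rare_but_persistent)."""
    return {dst: (fixed_interval(ts), rare_but_persistent(ts))
            for dst, ts in logs.items()}

if __name__ == "__main__":
    for dst, (periodic, persistent) in classify(constructed_logs()).items():
        print(f"{dst:18} fixed_interval={periodic!s:5} rare_but_persistent={persistent}")
```

The second check is a triage signal rather than a verdict: legitimate daily update checks look the same, so its hits need to be compared against known-good destinations.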

Micro adversaries are created out of the TTPs you have access to, according to your license. If you have a Community license, this is about 100 TTPs (as of this writing) and if you have Professional, it’ll be closer to 400. This essentially means, if you have a Professional license, your micro adversaries will be smarter.

Cool, I get it - but how do I get value from this?

This is where we’re not done: getting consumable results from security assessments is complicated. We want to make it simple.

Right now, Protect Mode users can see the results and security recommendations generated from these micro adversaries in two places: the Emulate section and the Reporting plugin. The results will look the same as your manual assessments in Operator. You can decipher them the same way you would any other set of red team results.

Soon, we’ll be opening up a web portal so you can view results - and security recommendations - from all the Operator instances in your organization. Through this distributed look, we hope you’ll gain insights into your organization’s overall security posture. And through this, we hope to bring the value of red teaming to every organization.

Interested in getting early, alpha access to this portal? Shoot us a note at and we’ll hook you up when we launch it.