PurpleForge transforms attack technique execution into measurable detection coverage, collaborative exercises, and executive‑level risk insights — all within a multi‑tenant, enterprise-ready architecture.
```bash
# build & run all services
docker-compose up -d --build
# initialize database (first run)
python -m app.db.init_db
```

Access the API at http://localhost:8000 and explore the interactive docs at http://localhost:8000/docs.
The development of PurpleForge has been divided into deliverable milestones. Each one adds a layer of capability to the platform.
- CLI wrapper for Stratus Red Team techniques
- Asynchronous task execution via Celery & Redis
- PostgreSQL tracking of technique runs and validation
- Basic REST API & Docker deployment
- Define multi-stage attack chains (DAG model)
- Conditional branching between nodes
- Cleanup verification hooks with failure enforcement
- Store SIEM validation results per execution
- Generate structured coverage reports
- Risk scoring introduced in Spec‑3 for enterprise
- Multi-tenant architecture with row-level security
- Exercises, comments, audit logs, and role-based access control
Detailed below with five sub-milestones that transform the tool into a full adversary simulation intelligence platform.
Import threat campaigns (STIX-style) and map MITRE techniques.
Automatically build attack chains from campaigns filtering by environment and asset compatibility.
Calculate per-technique risk using:

`Risk = Likelihood × Impact × Detection Gap`
Integrate with webhooks, SIEM, SOAR, ticketing systems (Jira/ServiceNow), and broadcast events.
Provide high-level dashboards and API endpoints tailored for leadership.
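As an added illustration of the risk formula above (example code, not PurpleForge's own risk engine), the following scores techniques with `Risk = Likelihood × Impact × Detection Gap`, deriving the detection gap from per-execution SIEM validation results. The dataclasses, field names, the `example.*` technique ids and the sample data are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Technique:
    technique_id: int
    name: str
    mitre_id: str
    likelihood: float  # 0.0-1.0: how likely an adversary uses this technique
    impact: float      # 0.0-1.0: business impact if it succeeds undetected

@dataclass
class ExecutionResult:
    technique_id: int
    detected: bool  # True if SIEM validation found an alert for this run

def detection_gap(results, technique_id):
    """Fraction of runs the SIEM missed. No runs at all counts as a full gap:
    an untested technique has no proven detection."""
    runs = [r for r in results if r.technique_id == technique_id]
    if not runs:
        return 1.0
    return sum(1 for r in runs if not r.detected) / len(runs)

def risk_score(technique, results):
    """Risk = Likelihood x Impact x Detection Gap, rounded for reporting."""
    if not (0.0 <= technique.likelihood <= 1.0 and 0.0 <= technique.impact <= 1.0):
        raise ValueError("likelihood and impact must be within 0.0-1.0")
    gap = detection_gap(results, technique.technique_id)
    return round(technique.likelihood * technique.impact * gap, 4)

def rank_techniques(techniques, results):
    """Highest risk first: the ordering an executive dashboard would show."""
    return sorted(((t, risk_score(t, results)) for t in techniques),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample data (not real campaign or SIEM data); the example.* ids are hypothetical.
TECHNIQUES = [
    Technique(1, "Stop CloudTrail Logging", "aws.defense-evasion.cloudtrail-stop", 0.8, 0.9),
    Technique(2, "Placeholder technique", "example.placeholder-technique", 0.5, 0.6),
    Technique(3, "Never-run technique", "example.never-run-technique", 0.3, 0.4),
]
RESULTS = [  # technique 1: 1 of 4 runs detected; technique 2: 2 of 2; technique 3: never run
    ExecutionResult(1, False), ExecutionResult(1, False),
    ExecutionResult(1, True), ExecutionResult(1, False),
    ExecutionResult(2, True), ExecutionResult(2, True),
]
if __name__ == "__main__":
    for technique, score in rank_techniques(TECHNIQUES, RESULTS):
        print(f"{score:.2f}  {technique.name} ({technique.mitre_id})")
```

Note that a technique with no executions ranks above a fully detected one: an unexercised detection counts as a gap until a run proves otherwise.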
```mermaid
graph TD
A[Threat Campaigns] --> B[Campaign Tech] --> C{Asset Filter}
C --> D[Attack Chain Generator]
D --> E[Chain Execution]
E --> F[Validation & Cleanup]
F --> G[Risk Engine]
G --> H[Reports / Dashboards]
G --> I[Executive Overview]
F --> J[Integrations]
I --> K[UI]
J --> K
```

Figure: High-level flow from campaign ingestion to executive reporting.
```text
app/
├─ api/v1/endpoints # FastAPI routes
├─ models           # SQLAlchemy models
├─ services         # Business logic (intel, risk, chain gen, integrations)
├─ tasks            # Celery tasks
├─ static           # Frontend dashboard assets
└─ schemas          # Pydantic models
```
Register a Technique:

```bash
curl -X POST "http://localhost:8000/api/v1/techniques/" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Stop CloudTrail Logging",
    "description": "Simulates stopping an AWS CloudTrail trail",
    "mitre_id": "aws.defense-evasion.cloudtrail-stop"
  }'
```

Generate Executive Report:

```bash
curl "http://localhost:8000/api/v1/executive/report"
```

A docker-compose.yml is included to launch API, Celery workers, Redis, and PostgreSQL:

```bash
docker-compose up -d --build
```

Open issues and PRs are welcome! Follow the project's style guide and ensure tests pass.
> PurpleForge is licensed under the MIT License. Build, simulate, and defend with confidence.
- Install requirements (if running locally):

  ```bash
  pip install -r requirements.txt
  ```

- Run infrastructure & application (automatically initializes the DB):

  ```bash
  docker-compose up -d --build
  ```

- Access the API:

  - Web API: http://localhost:8000
  - Interactive Docs (Swagger): http://localhost:8000/docs

- Web API usage:

  ```bash
  # register a technique
  curl -X POST "http://localhost:8000/api/v1/techniques/" \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Stop CloudTrail Logging",
      "description": "Simulates stopping an AWS CloudTrail trail",
      "mitre_id": "aws.defense-evasion.cloudtrail-stop"
    }'

  # execute the technique
  curl -X POST "http://localhost:8000/api/v1/executions/" \
    -H "Content-Type: application/json" \
    -d '{"technique_id": 1}'

  # check the execution
  curl "http://localhost:8000/api/v1/executions/1"
  ```

- FastAPI: Core REST API
- Celery + Redis: Task queue for simulation detonation
- PostgreSQL 16: Persistence of techniques and execution metadata
- Stratus Red Team: The underlying engine for simulated attacks