Noureddine RAMDI / OpenAEV: A modular platform for multi-channel cyber adversary simulation with threat intelligence

Created Mon, 04 May 2026 10:23:01 +0000 Modified Mon, 06 Jul 2026 15:16:10 +0000

OpenAEV-Platform/openaev

OpenAEV addresses a common challenge in cyber adversary simulation: how to orchestrate diverse attack vectors across multiple communication channels while correlating actions with up-to-date threat intelligence. Instead of a monolithic simulation tool, OpenAEV adopts a modular, pluggable inject system that integrates email, SMS, social media, and alarm systems, enabling realistic and coordinated adversary campaigns. Under the hood, it connects these injects with OpenCTI, a threat intelligence platform, providing real-time monitoring and data enrichment for campaign management.

What OpenAEV is and how it works

OpenAEV is an open-source adversarial exposure validation platform primarily written in Java. Its core mission is to plan and execute cyber adversary simulation campaigns that mimic real-world attack behaviors and tactics.

The architecture is modular, featuring distinct components for scenario management, team coordination, simulation execution, and real-time monitoring. One of the key integrations is with OpenCTI, which supplies threat intelligence data that enriches the simulated campaigns and allows dynamic response based on current threat landscapes.

A standout part of the architecture is the pluggable inject system. This system allows the platform to send simulated attack messages or signals through various channels — email, SMS, social media platforms, and even alarm systems. This multi-channel approach replicates the diverse communication vectors used by real adversaries, making the campaigns more comprehensive.

The platform supports both Docker-based and manual installation, with a dual licensing model: a Community edition under Apache 2.0 and an Enterprise edition with additional features. Telemetry for usage tracking is enabled by default, reflecting active development and operational feedback loops.

Why the inject system architecture differentiates OpenAEV

The inject system is where OpenAEV’s design shines technically. It is built to be pluggable and extensible, allowing new inject types to be added without impacting the core platform. This modularity enables security teams to extend simulations with custom injects tailored to their environments.

Each inject acts as a bridge between the simulation engine and a communication channel. For example, the email inject module sends crafted phishing emails, while the SMS inject can simulate text message-based social engineering. The social media inject integrates with platforms to mimic adversary tactics like fake profiles or malicious posts. Alarm system injects can trigger physical security alerts.

This architectural choice means the platform can orchestrate complex, multi-vector campaigns that closely mirror tactics, techniques, and procedures (TTPs) observed in the wild.

The tradeoff is complexity: maintaining and securing multiple inject integrations requires ongoing effort, especially as communication platforms evolve their APIs and security policies.

From the code quality perspective, the Java codebase is surprisingly clean and well-organized given the scope. The use of interfaces and dependency injection for inject modules promotes testability and extensibility. While the platform is large, the separation of concerns helps keep modules manageable.

The integration with OpenCTI adds a valuable real-time intelligence layer. Campaigns can adapt based on emerging threats, and monitoring dashboards provide actionable insights. This integration, however, means OpenAEV depends on users running or accessing OpenCTI, which might not fit every environment.

Explore the project structure and documentation

Since the installation instructions in the README are brief and point to the official documentation for details, it’s best to explore the repository structure and key resources to understand how to get started.

The main source code is organized under standard Java conventions, with packages separating core platform logic, inject modules, scenario management, and integrations.

Documentation includes guides on Docker deployment, manual installation, and configuration of various inject channels. The docs also cover how to connect OpenAEV to an OpenCTI instance and how to manage campaign scenarios and team coordination.

Key directories to note:

  • injects/: Contains implementations of the various inject modules, showcasing the pluggable design.
  • integration/opencti/: Handles the connection and data exchange with the OpenCTI platform.
  • scenario/ and simulation/: Core logic for defining and running adversary scenarios.

The project also features telemetry hooks, which are enabled by default, to collect usage data. This aspect is worth understanding for privacy and compliance considerations.

Verdict: who should consider OpenAEV

OpenAEV is a solid option for security teams looking to orchestrate multi-channel adversary simulation campaigns with real-time threat intelligence integration. Its modular inject system is a practical design choice, enabling extensibility and realistic attack simulations across communication platforms.

That said, the platform requires Java expertise and operational discipline to manage the various inject modules and maintain integration with OpenCTI. The dependency on OpenCTI can be a limitation if you do not have an existing threat intelligence infrastructure or prefer a lighter setup.

The dual licensing model gives flexibility for community use and enterprise adoption. The active development and telemetry indicate the platform is evolving with user feedback.

Overall, OpenAEV is worth exploring if you need a comprehensive framework for adversary exposure validation and are ready to invest in the operational overhead that comes with its capabilities.


→ GitHub Repo: OpenAEV-Platform/openaev ⭐ 1,694 · Java