LEMON BLOG

OpenAEV: An Open-Source Platform for Adversarial Exposure Validation

OpenAEV is an open-source solution built to help security teams design, execute, and analyse adversary simulation exercises. It brings technical attack activity together with operational workflows and human decision-making, all coordinated from a single platform to give organisations a clearer view of how they respond to real-world threats.

Scenario-Driven Exercise Design

OpenAEV is structured around scenarios, which define the threat narrative and translate it into an organised set of planned events known as injects. A scenario provides the full context for an exercise, including supporting documents, media, and background information that help participants understand the situation they are responding to.

At this level, teams define the players involved and the assets in scope, linking people, systems, and endpoints directly to the simulated activity. Scenarios are reusable, allowing organisations to run the same threat model multiple times and compare outcomes over time to identify trends, improvements, or recurring weaknesses.

Simulations and Controlled Event Execution

A simulation represents a single run of a scenario. During a simulation, injects are scheduled along a timeline so that events occur in a deliberate, controlled order. These injects can range from technical actions on endpoints to operational tasks such as incident communications, escalations, or coordination between teams.

Injects may also be governed by conditions that determine when they are triggered. These conditions are based on expectations, which define the behaviours or outcomes the organisation wants to measure. Expectations can relate to prevention controls, detection signals, vulnerability management, or human responses. The results are used for scoring and reporting, giving teams structured insight into how well their controls and processes performed.

Integrations via Injectors and Collectors

OpenAEV integrates with external environments through two main components: injectors and collectors. Injectors are responsible for delivering actions into target systems. Some injectors execute payloads on endpoints, while others send messages through communication tools used by participants. The platform is designed to be extensible, allowing organisations to build injectors tailored to their own infrastructure and workflows.

For endpoint-based simulations, OpenAEV relies on neutral agents that run payloads as detached processes on target machines. These agents support Windows, Linux, and macOS, enabling exercises across mixed operating system environments.

Collectors focus on gathering data back into the platform. They pull alerts and events from security technologies such as EDR and XDR tools and align them with the expectations defined in the simulation. This makes it possible to directly correlate injected activity with observed telemetry and objectively assess detection and response effectiveness. OpenAEV also provides a REST API to support custom collectors and deeper integrations.
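The correlation step a collector performs can be sketched as follows. This is an added illustration, not OpenAEV code or its data model: the `Inject` and `Alert` classes, the marker strings, the 15-minute window, and the matching rule (same host, alert after the inject ran and inside the window, marker present in the alert detail) are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Inject:                 # hypothetical record of one executed inject
    inject_id: str
    host: str
    executed_at: datetime
    marker: str               # string the payload is assumed to leave in telemetry
    expected: set             # expectation types, e.g. {"detection", "prevention"}

@dataclass
class Alert:                  # hypothetical normalised EDR/XDR alert
    host: str
    seen_at: datetime
    kind: str                 # "detection" or "prevention"
    detail: str

WINDOW = timedelta(minutes=15)   # assumed expectation expiry

def correlate(injects, alerts, window=WINDOW):
    """Return {inject_id: {expectation: fulfilled?}} for every inject."""
    results = {}
    for inj in injects:
        met = set()
        for a in alerts:
            same_host = a.host.lower() == inj.host.lower()
            # Alerts before the inject ran or after expiry are unrelated noise.
            in_window = inj.executed_at <= a.seen_at <= inj.executed_at + window
            if same_host and in_window and inj.marker in a.detail:
                met.add(a.kind)
        results[inj.inject_id] = {e: e in met for e in sorted(inj.expected)}
    return results

def score(results):
    """Percentage of expectations fulfilled across the whole simulation."""
    flags = [ok for per in results.values() for ok in per.values()]
    return round(100 * sum(flags) / len(flags)) if flags else 0

# Constructed sample data (not real telemetry).
T0 = datetime(2026, 1, 10, 9, 0)
INJECTS = [
    Inject("inj-1", "WS-01", T0, "aev-marker-001", {"detection", "prevention"}),
    Inject("inj-2", "SRV-02", T0 + timedelta(minutes=10), "aev-marker-002", {"detection"}),
]
ALERTS = [
    Alert("ws-01", T0 + timedelta(minutes=2), "detection", "cmdline=aev-marker-001"),
    Alert("SRV-02", T0 + timedelta(minutes=5), "detection", "cmdline=aev-marker-002"),   # before inj-2 ran
    Alert("SRV-02", T0 + timedelta(minutes=40), "detection", "cmdline=aev-marker-002"),  # after expiry
    Alert("WS-09", T0 + timedelta(minutes=3), "prevention", "blocked aev-marker-001"),   # wrong host
]

if __name__ == "__main__":
    print(correlate(INJECTS, ALERTS), score(correlate(INJECTS, ALERTS)))
```

Only the first alert counts, so the run reports one fulfilled expectation out of three; the unmatched ones point at the detection or prevention gaps to investigate.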

Deployment and Architecture

OpenAEV can be deployed using container-based environments or through manual installation. Its reference architecture is built on widely used infrastructure components, including relational databases, search engines, message queues, and object storage. This approach keeps the platform flexible and adaptable, while remaining compatible with common enterprise technology stacks.

Saturday, 10 January 2026

Captcha Image

LEMON VIDEO CHANNELS

Step into a world where web design & development, gaming & retro gaming, and guitar covers & shredding collide! Whether you're looking for expert web development insights, nostalgic arcade action, or electrifying guitar solos, this is the place for you. Now also featuring content on TikTok, we’re bringing creativity, music, and tech straight to your screen. Subscribe and join the ride—because the future is bold, fun, and full of possibilities!

My TikTok Video Collection
Subscribe to our Blog
Get notified when there's new article
Subscribe