The purple-team cyber range that runs itself.
One click provisions an isolated cloud lab of attacker and defender machines — right in your browser. Every action is mapped to MITRE ATT&CK, correlated with your detections, and turned into a finished report.
Ransomware Outbreak
Ready · tenant: acme-soc · 5 hosts · session #A7F3
- T1566.001 · Spearphishing attachment opened · 12:04:41
- T1059.001 · PowerShell stager executed · 12:05:12
- T1548.002 · UAC bypass — privilege escalation · 12:06:58
- T1021.002 · Lateral movement via SMB (DC01) · 12:08:20
- T1486 · Data encrypted for impact · 12:09:03
Aligned with the frameworks your assessors already use
Attack, detect, and report — in one loop
Tyrian closes the gap between red and blue. The same session that runs the attack captures the defense and produces the evidence.
One click, a whole network
Provision an AD domain, workstations, Linux servers, an attacker node, and a SIEM/EDR stack — pre-wired and isolated. Ready in under two minutes.
Contained by design
Default-deny egress, in-lab-only C2, and simulated internet. Nothing routes out.
40+ offensive tools, pre-wired
Sliver, Metasploit, BloodHound, Impacket, NetExec, and the full kit — installed and configured on the attacker node.
A defender stack that sees everything
Wazuh SIEM, Velociraptor, Sysmon, Zeek, and Suricata capture the telemetry your team learns to hunt on.
Reports write themselves
Red, Blue, and Purple reports assembled from what actually happened — 80% done before you type a word.
Priced to run all day
Spot compute, auto-suspend on idle, and a hard per-session budget cap. You never get a surprise bill.
The engagement documents itself
A capture agent watches the whole kill chain and screenshots every milestone the moment it happens — beacon received, privilege gained, data staged, alert fired. Each frame is tagged with the technique, timestamp, and session.
- Auto-screenshots at every ATT&CK milestone
- Tagged with technique ID, stage, and tenant
- Timeline scrubber for annotation and review
- Feeds straight into report generation
- Beacon received · T1059.001 · 12:05:12
- Privilege escalation · T1548.002 · 12:06:58
- Lateral movement · T1021.002 · 12:08:20
- Data encrypted · T1486 · 12:09:03
Finished reports, not blank templates
Every report is assembled from session data: the attack narrative from the ATT&CK event sequence, the evidence gallery from captured milestones, detection coverage and mean-time-to-detect from the event bus. You add the narrative — the facts are already there.
- Red, Blue, and Purple team reports
- Executive summary with readiness score & trend
- Compliance coverage: NIST, ISO 27001, NCA ECC, DORA
- Export to PDF, DOCX, JSON, and ATT&CK Navigator
- Initial Access · T1566.001 · 0:00 · Detected
- Execution · T1059.001 · 0:31 · Detected
- Privilege Esc · T1548.002 · 1:46 · Partial
- Lateral Movement · T1021.002 · — · Missed
- Impact · T1486 · 0:12 · Detected
Know exactly where detection breaks down
Every offensive action emits a structured, ATT&CK-tagged event. Tyrian correlates it against your detections in real time and scores coverage per tactic — so you can see, technique by technique, what was caught, what was partial, and what slipped through.
- Per-technique outcome: Detected / Partial / Missed
- Mean-time-to-detect from event-bus timestamps
- Readiness score per tactic, trended over time
- Prioritized gap-closure recommendations
From idea to report in four steps
No infrastructure to stand up, no tools to install, no teardown to remember. Tyrian handles the range so your team can focus on the exercise.
Pick a scenario
Choose from the library or describe what you want in plain language. The YAML lab definition is generated and validated for you.
Tyrian builds the lab
An isolated VPC of attacker and defender machines spins up from golden images — AD, workstations, C2, and the full SIEM/EDR stack — in under two minutes.
Run the engagement
Connect through your browser. Drive the attack, hunt the telemetry, or let automation run the chain while your blue team defends.
Get the report
Evidence, ATT&CK mapping, detection coverage, and readiness score are already assembled. Add narrative and export.
A living library of real attacks
Each scenario is a full, instrumented kill chain with mandatory ATT&CK mapping and expected detections. New scenarios track CISA KEV and current ransomware TTPs.
Ransomware Outbreak
Phishing delivery through AD privilege escalation to domain-wide encryption. The full kill chain, instrumented end to end.
Insider Threat
A trusted operator stages and exfiltrates data over a contained channel. Tests behavioural and DLP detection.
Cloud IAM Escalation
Misconfigured roles and over-broad policies chained into a full cloud takeover path.
Web App Compromise
External foothold via an exposed application, pivoting inward to internal services.
Supply Chain / CI-CD
A poisoned build pipeline delivers implanted artifacts to production. Tests pipeline integrity monitoring.
AD Vulnerability Selector
Compose a bespoke Active Directory weakness set — Kerberoasting, ADCS, delegation — and hunt it.
Offensive tooling, contained by default
A range preloaded with C2 and exploitation tooling is a serious responsibility. Containment isn't a feature we added — it's the foundation everything else is built on.
Default-deny egress
Every lab subnet blocks outbound internet at the VPC level. Only an explicit allowlist — OS mirrors, tool updates, the control plane — is permitted.
Contained C2 only
Sliver and Metasploit callbacks resolve exclusively to in-lab redirectors. C2 never listens on or dials the public internet.
Simulated internet
Scenarios that need 'the internet' get INetSim / FakeNet or a curated local mirror — never live egress.
Tenant isolation from day one
Every session, VM, subnet, and evidence object is scoped to a tenant. One customer's lab can never reach or read another's.
Authorization gate
Operators attest they will only target lab-owned assets before launch. Consent is logged with identity and timestamp.
Immutable audit trail
Every provision, connect, snapshot, and destroy is logged. Guacamole sessions are recorded for evidence and audit.
Platform RBAC + enterprise SSO. Org admin, team lead, operator, and read-only roles, with SAML / OIDC single sign-on and least-privilege IAM on the AWS side.
Enterprise range, credit-friendly bill
Cost isn't an afterthought — it's engineered in. Spot compute, aggressive auto-suspend, and a mandatory per-session cap mean you get the capability without the runaway bill.
Attacker nodes and disposable targets run on Spot; the telemetry stack stays stable on-demand.
15 minutes idle triggers a memory snapshot and suspend. Compute billing stops; resume in under 60s.
Golden AMIs with copy-on-write overlays mean sessions clone instead of provisioning from scratch.
Compute billed at actual Spot cost plus a transparent margin. The subscription covers the software layer only.
Map every exercise to the control that matters
Tyrian turns engagement outcomes into control-coverage evidence — with per-control references your assessors can follow — across the frameworks that govern Gulf, EU, and global security programs.
NIST CSF 2.0
Function & category coverage
ISO 27001:2022
Annex A control evidence
NCA ECC
Gulf-priority, first-class mapping
DORA
Financial-sector resilience
Compliance reports are framed as control-coverage evidence to support an assessment. They are not a certification and do not constitute a formal audit result.
Run your first engagement today
Spin up an isolated range in minutes. No infrastructure, no teardown, and a report waiting when you're done.