New: Ransomware Outbreak scenario is live

The purple-team cyber range that runs itself.

One click provisions an isolated cloud lab of attacker and defender machines — right in your browser. Every action is mapped to MITRE ATT&CK, correlated with your detections, and turned into a finished report.

Default-deny isolation · Spot-priced compute · Nothing to install
app.tyrian.io

Ransomware Outbreak

Ready

tenant: acme-soc · 5 hosts · session #A7F3

$0.42/hr
$0.42 / $8.00 cap
Topology: 10.13.0.0/24
internet (blocked) · Kali (attacker) · Redirector (C2 relay) · DC01 (AD domain) · WKSTN-07 (Windows 11) · Wazuh (SIEM / EDR)
Live ATT&CK feed
  • T1566.001 · Spearphishing attachment opened · 12:04:41
  • T1059.001 · PowerShell stager executed · 12:05:12
  • T1548.002 · UAC bypass — privilege escalation · 12:06:58
  • T1021.002 · Lateral movement via SMB (DC01) · 12:08:20
  • T1486 · Data encrypted for impact · 12:09:03

Aligned with the frameworks your assessors already use

MITRE ATT&CK · NIST CSF 2.0 · ISO 27001 · NCA ECC · DORA
The platform

Attack, detect, and report — in one loop

Tyrian closes the gap between red and blue. The same session that runs the attack captures the defense and produces the evidence.

One click, a whole network

Provision an AD domain, workstations, Linux servers, an attacker node, and a SIEM/EDR stack — pre-wired and isolated. Ready in under two minutes.

Contained by design

Default-deny egress, in-lab-only C2, and simulated internet. Nothing routes out.

40+ offensive tools, pre-wired

Sliver, Metasploit, BloodHound, Impacket, NetExec, and the full kit — installed and configured on the attacker node.

A defender stack that sees everything

Wazuh SIEM, Velociraptor, Sysmon, Zeek, and Suricata capture the telemetry your team learns to hunt on.

Reports write themselves

Red, Blue, and Purple reports assembled from what actually happened — 80% done before you type a word.

Priced to run all day

Spot compute, auto-suspend on idle, and a hard per-session budget cap. You never get a surprise bill.

Automated evidence capture

The engagement documents itself

A capture agent watches the whole kill chain and screenshots every milestone the moment it happens — beacon received, privilege gained, data staged, alert fired. Each frame is tagged with the technique, timestamp, and session.

  • Auto-screenshots at every ATT&CK milestone
  • Tagged with technique ID, stage, and tenant
  • Timeline scrubber for annotation and review
  • Feeds straight into report generation
Evidence timeline
4 milestones auto-captured
  1. Beacon received · T1059.001 · 12:05:12
  2. Privilege escalation · T1548.002 · 12:06:58
  3. Lateral movement · T1021.002 · 12:08:20
  4. Data encrypted · T1486 · 12:09:03
Automated reports

Finished reports, not blank templates

Every report is assembled from session data: the attack narrative from the ATT&CK event sequence, the evidence gallery from captured milestones, detection coverage and mean-time-to-detect from the event bus. You add the narrative — the facts are already there.

  • Red, Blue, and Purple team reports
  • Executive summary with readiness score & trend
  • Compliance coverage: NIST, ISO 27001, NCA ECC, DORA
  • Export to PDF, DOCX, JSON, and ATT&CK Navigator
Purple Team Joint Report
Readiness: 72% (+8 vs last run)
Technique · MTTD · Outcome
  • Initial Access · T1566.001 · 0:00 · Detected
  • Execution · T1059.001 · 0:31 · Detected
  • Privilege Esc · T1548.002 · 1:46 · Partial
  • Lateral Movement · T1021.002 · Missed
  • Impact · T1486 · 0:12 · Detected
ATT&CK readiness

Know exactly where detection breaks down

Every offensive action emits a structured, ATT&CK-tagged event. Tyrian correlates it against your detections in real time and scores coverage per tactic — so you can see, technique by technique, what was caught, what was partial, and what slipped through.

  • Per-technique outcome: Detected / Partial / Missed
  • Mean-time-to-detect from event-bus timestamps
  • Readiness score per tactic, trended over time
  • Prioritized gap-closure recommendations
ATT&CK coverage (chart; legend: Detected / Partial / Missed; tactics: Initial Access, Execution, Persistence, Priv Esc, Defense Evasion, Cred Access, Discovery, Lateral Move, Collection, Exfiltration, Impact)
How it works

From idea to report in four steps

No infrastructure to stand up, no tools to install, no teardown to remember. Tyrian handles the range so your team can focus on the exercise.

01

Pick a scenario

Choose from the library or describe what you want in plain language. The YAML lab definition is generated and validated for you.

02

Tyrian builds the lab

An isolated VPC of attacker and defender machines spins up from golden images — AD, workstations, C2, and the full SIEM/EDR stack — in under two minutes.

03

Run the engagement

Connect through your browser. Drive the attack, hunt the telemetry, or let automation run the chain while your blue team defends.

04

Get the report

Evidence, ATT&CK mapping, detection coverage, and readiness score are already assembled. Add narrative and export.

Scenario library

A living library of real attacks

Each scenario is a full, instrumented kill chain with mandatory ATT&CK mapping and expected detections. New scenarios track CISA KEV and current ransomware TTPs.

Flagship · Live

Ransomware Outbreak

Phishing delivery through AD privilege escalation to domain-wide encryption. The full kill chain, instrumented end to end.

Initial Access · Privilege Escalation · Impact
Scenario 2 · Beta

Insider Threat

A trusted operator stages and exfiltrates data over a contained channel. Tests behavioural and DLP detection.

Collection · Exfiltration
Scenario 3 · Beta

Cloud IAM Escalation

Misconfigured roles and over-broad policies chained into a full cloud takeover path.

Privilege Escalation · Persistence
Scenario 4 · Soon

Web App Compromise

External foothold via an exposed application, pivoting inward to internal services.

Initial Access · Lateral Movement
Scenario 5 · Soon

Supply Chain / CI-CD

A poisoned build pipeline delivers implanted artifacts to production. Tests pipeline integrity monitoring.

Initial Access · Persistence
Scenario 6 · Soon

AD Vulnerability Selector

Compose a bespoke Active Directory weakness set — Kerberoasting, ADCS, delegation — and hunt it.

Credential Access · Privilege Escalation
Security & isolation

Offensive tooling, contained by default

A range preloaded with C2 and exploitation tooling is a serious responsibility. Containment isn't a feature we added — it's the foundation everything else is built on.

Default-deny egress

Every lab subnet blocks outbound internet at the VPC level. Only an explicit allowlist — OS mirrors, tool updates, the control plane — is permitted.

Contained C2 only

Sliver and Metasploit callbacks resolve exclusively to in-lab redirectors. C2 never listens on or dials the public internet.

Simulated internet

Scenarios that need 'the internet' get INetSim / FakeNet or a curated local mirror — never live egress.

Tenant isolation from day one

Every session, VM, subnet, and evidence object is scoped to a tenant. One customer's lab can never reach or read another's.

Authorization gate

Operators attest they will only target lab-owned assets before launch. Consent is logged with identity and timestamp.

Immutable audit trail

Every provision, connect, snapshot, and destroy is logged. Guacamole sessions are recorded for evidence and audit.

Platform RBAC + enterprise SSO. Org admin, team lead, operator, and read-only roles, with SAML / OIDC single sign-on and least-privilege IAM on the AWS side.

Cost architecture

Enterprise range, credit-friendly bill

Cost isn't an afterthought — it's engineered in. Spot compute, aggressive auto-suspend, and a mandatory per-session cap mean you get the capability without the runaway bill.

60–70%
Spot savings

Attacker nodes and disposable targets run on Spot; the telemetry stack stays stable on-demand.

$0
While suspended

15 minutes idle triggers a memory snapshot and suspend. Compute billing stops; resume in under 60s.

< 2 min
To a live lab

Golden AMIs with copy-on-write overlays mean sessions clone instead of provisioning from scratch.

Session budget · Auto-teardown armed
$1.34 spent this session · $8.00 hard cap
  • Attacker node (Spot t3.medium): $0.019/hr
  • Wazuh SIEM (on-demand t3.large): $0.083/hr
  • AD + workstation (Spot): $0.042/hr
  • Platform margin (+25%): passthrough

Compute billed at actual Spot cost plus a transparent margin. The subscription covers the software layer only.

Compliance evidence

Map every exercise to the control that matters

Tyrian turns engagement outcomes into control-coverage evidence — with per-control references your assessors can follow — across the frameworks that govern Gulf, EU, and global security programs.

NIST CSF 2.0

Function & category coverage

ISO 27001:2022

Annex A control evidence

NCA ECC

Gulf-priority, first-class mapping

DORA

Financial-sector resilience

Compliance reports are framed as control-coverage evidence to support an assessment. They are not a certification and do not constitute a formal audit result.

Run your first engagement today

Spin up an isolated range in minutes. No infrastructure, no teardown, and a report waiting when you're done.