uber-common/metta

★ 1,142 · Python · MIT · updated Apr 2019

An information security preparedness tool to do adversarial simulation.

Metta is a purple team simulation tool that replays MITRE ATT&CK techniques against Vagrant VMs to test host-based detection. It queues shell commands via Celery/Redis and fires them at Windows, Linux, or macOS vagrants — the idea being that you run the attack, then check whether your EDR/SIEM caught it. Squarely aimed at security teams who want to validate their detection coverage without coordinating a full red team engagement.

The MITRE ATT&CK folder structure is the genuinely useful part — actions are organized by tactic (Discovery, Credential_Access, Lateral_Movement, etc.) and named clearly, so finding the right simulation for a given ATT&CK technique is straightforward. YAML-based action definitions mean adding new techniques doesn't require touching Python. Celery queuing gives you sequential, non-interactive execution without babysitting a shell session. The inclusion of real attacker tool invocations (Mimikatz, wevtutil, bitsadmin) rather than synthetic payloads makes the detections more realistic.

Last commit was April 2019 — this is effectively abandoned. The ATT&CK framework has had three major versions since then, and the technique IDs and sub-techniques in these YAMLs are stale. Vagrant + VirtualBox is a heavy, slow setup that Atomic Red Team (which has largely superseded this) handles with no VM dependency at all. There's no result collection or pass/fail assertion — you run commands and then manually check your SIEM, which means the tool is a command dispatcher, not a testing framework. The Lateral_Movement and Persistence folders are nearly empty (.gitkeep only in some), so coverage has obvious gaps that were never filled.
