VECTR Enterprise Test Plans

The 2026 Threat Index is free for everyone. VECTR Enterprise users can get access to other premium Purple Team test plans focused on specific technologies and environments.

  • Ransomware Threat Index
  • Active Directory Threat Index
  • Entra ID Threat Index
  • Kubernetes (K8) Threat Index
  • Linux Threat Index
  • AWS Cloud Threat Index
  • Azure Cloud Threat Index
  • AI/LLM Threat Index
  • GCP Threat Index
  • Mac OSX Threat Index (use contact form)
  • Operational Technology (OT) Threat Index (use contact form)
  • ESXi Threat Index (use contact form)

2026 Threat Index

Benchmark and Trend Your Security Posture 2-4x per Year

 

SRA develops a new Threat Index annually with 120+ global organizations’ threat intel, blue, red and purple team leads. The 2026 Threat Index includes attack simulations which map to current threat actors and malware families, and core technique detection that all organizations should practice.

Test Plan: 55 test cases spanning across and prioritizing MITRE ATT&CK alignment
Highlights: Initial access attacks such as proxied cloned sign-in pages; credential access methods such as pass-the-ticket and PAC data extraction; a foray of IaaS IAM attacks

Ideal for Organizations:

  • Running a first time Purple Team exercise
  • Looking for tangible industry threat actor readiness benchmarks
  • Wanting a technical, detection and response-oriented table-top exercise
  • Seeking a higher-value substitute for an internal pen test, or more detection feedback than a red team provides

 


Ransomware

Evaluate Ransomware Prevention and Detection Controls

 

SRA maintains the Ransomware Purple Team test plan based on threat intelligence for prominent ransomware families and the campaigns featuring those families. Test cases are based on LockBit, ALPHV / BlackCat, Vice, and Royal. The test plan also includes general-use TTPs attributed to ransomware deployment and execution.

Test Plan: 50 test cases covering initial access via RDP / email attacks, system disablement attacks such as file encryption, and shadow deletion
Highlights: Local and remote file encryption; crypto-mining attempts; domain / network discovery via BloodHound / AdFind

Ideal for Organizations:

  • Who have identified ransomware and extortion as key business risks with senior visibility
  • Who process sensitive data that might be targeted by adversaries for monetization
  • Who have implemented hardening and ransomware controls and wish to independently test their efficacy

 


Active Directory

Deep Dive in Advanced Active Directory Attacks

 

SRA maintains the Active Directory test plan based on known, priority AD weaknesses and risky configurations. The AD test plan includes attack simulations such as password sprays, enumeration, Kerberos attacks, coercion and privilege escalation.

Test Plan: 27 test cases from both unauthenticated and privileged perspectives
Highlights: Credential access attacks such as DCSync, Kerberos golden tickets and direct attacks via ntdsutil.exe; APT-style attacks like Kerberoasting and UnPAC-the-Hash

Ideal for Organizations:

  • Where a recent pen test or red team showed AD weaknesses
  • Where AD/IAM admins have not previously been engaged in security testing activities
  • Wanting a supplement to the 2025 Threat Index with a further deep dive on Active Directory attack detection

 


Entra ID

Deep Dive in Entra ID Attacks

 

SRA maintains the Entra ID test plan based on known, priority Entra weaknesses and risky configurations. Entra ID has a wide attack surface because of its role in domain management, device management, RBAC and AD integrations. This test plan identifies gaps in auditing, logging and alerting that can make the difference in timely detection of intruders.

Test Plan: 24 test cases spanning direct password attacks, application management and cloud  on-prem attacks
Highlights: Adding a new federated domain to perform Golden SAML attacks; creating secondary credentials for privileged OAuth applications

Ideal for Organizations:

  • Who integrated Entra ID as part of an Active Directory migration
  • Where a recent pen test or red team showed Entra ID weaknesses
  • Wanting a supplement to the 2025 Threat Index with a further deep dive on Entra ID attack detection

 


Kubernetes

Evaluate Detection in K8’s Complex Deployments

 

SRA maintains the Kubernetes test plan to help organizations identify platform vulnerabilities and misconfiguration. The plan includes simulated attacks on the entire Kubernetes ecosystem, covering control plane issues and container-level attacks. Test cases are designed to evaluate preventative and detective controls.

Test Plan: 23 test cases covering container execution, services / application management and RBAC control
Highlights: Executing commands in a container from the Admin API; persistence via user certificates and service account tokens

Ideal for Organizations:

  • Who have Kubernetes deployments and wish to test their expected hardening and alerting configurations
  • New to Kubernetes deployments who wish to establish standards and a baseline for security alerting and monitoring

 


Linux

Evaluate Detection in GNU/Linux Server Environments

 

SRA maintains the Linux Purple Team test plan to evaluate GNU/Linux server security alerting capability in production and development contexts. SRA has found that many organizations do not have the same depth of security tooling in their GNU/Linux environments, so this testing can help to raise baseline security.

Test Plan: 41 test cases ranging from GNU/Linux system compromise via containers to GNU/Linux-to-Windows compromise
Highlights: Hijacking control plane services such as SSH; root-level persistence techniques and dynamic library loading (preloading)

Ideal for Organizations:

  • Who use GNU/Linux server infrastructure and wish to test their expected hardening and alerting configurations
  • Who use GNU/Linux for app development and wish to establish a baseline for security alerting and monitoring

 


AWS Cloud

Improve Detection Capability in the AWS Control Plane

 

SRA maintains the AWS test plan based on known, priority AWS weaknesses and misconfigurations. The test plan focuses on AWS control plane services misconfiguration, identity and access management (IAM) issues, anomalous sign-ins and suspicious service use.

Test Plan: 50 test cases covering good practices in detection for popular services such as EC2 and S3, with KMS and GuardDuty
Highlights: Backdooring Lambda layers; compromising application credentials (EC2/Lambda); modifying trust relationships for IAM roles

Ideal for Organizations:

  • Who rely on AWS for business-critical and other production applications
  • Who migrated or combined AWS accounts as part of M&A activity
  • Who are cloud-only/cloud-focused with cloud-native applications
  • Who have limited security tooling in the AWS environment

 


Azure Cloud

Improve Detection Capability in the Azure Control Plane

 

SRA maintains the Azure test plan based on known, priority Azure weaknesses and misconfigurations. The test plan focuses on Azure IaaS services and their complex RBAC controls. Testing also includes detecting attacks against user-facing endpoints like the Azure console.

Test Plan: 43 test cases covering critical security services such as Azure Managed Identity along with customer-facing services such as Azure VM
Highlights: Compromising an Azure VM credential; granting external or managed identities access to entire resource groups

Ideal for Organizations:

  • Who rely on Azure for business-critical and other production applications
  • Who migrated or combined Azure accounts as part of M&A activity
  • Who are cloud-only/cloud-focused with cloud-native applications
  • Who have limited security tooling in the Azure environment

 


AI / LLM

Evaluate AI and LLM Application Controls

 

SRA built the AI and LLM test plan based on new and emerging threats with public AI applications (such as ChatGPT), as well as threats that come with building AI/LLM applications internally with access to the organization's sensitive data, including intellectual property. AI interfaces (such as AI chat) can inadvertently give access to sensitive data via the interface.

Test Plan: 12 test cases covering internal and external AI applications, as well as DLP-type AI products such as Copilot
Highlights: Extracting passwords via the AI interface; extracting sensitive data (SSN/PAN) via the AI interface

Ideal for Organizations:

  • Who are building AI-enabled applications or integrating AI technologies into existing applications.
  • Who are integrating third-party AI-enabled applications (such as Copilot or Gemini) with their own data stores (such as SharePoint).
  • Who want to build their own fine-tuned models as part of an AI strategy.

 


Google Cloud Platform (GCP)

Improve Detection Capability in the GCP Control Plane

 

SRA maintains the GCP test plan based on known, priority GCP weaknesses and misconfigurations. The test plan focuses on GCP control plane services misconfiguration, permissive role assignment issues, and defense evasion through suspicious security configuration changes.

Test Plan: 40 test cases covering critical GCP services such as IAM, Compute, VPC and Cloud Storage
Highlights: Impersonating a service account; assigning role trust relationships; exposing private resources through network modifications

Ideal for Organizations:

  • Who rely on GCP for business-critical and other production applications
  • Who migrated or combined GCP organizations as part of M&A activity
  • Who are cloud-only/cloud-focused with cloud-native applications
  • Who have limited security tooling in the GCP environment

 
