Threat Models
Scenario Catalog
| Scenario | Early Phase | Mid Phase | Late Phase |
|---|---|---|---|
| port_scan_exploit_c2 | rapid probing | exploit delivery | command/control + exfil |
| credential_stuffing_lateral | auth pressure | lateral movement | persistence |
| supply_chain_compromise | stealth foothold | trusted-channel abuse | disguised exfiltration |
| low_and_slow_apt | sparse reconnaissance | long dwell C2 | slow extraction |
| ddos_amplification | reflection probes | traffic amplification | flood stage |
Adaptation Behavior
- Repeated blocking increases attacker detection count.
- Detected attackers can switch to stealth mode and alter feature distributions.
- Attackers terminate when repeatedly blocked, time out, or complete exfiltration.
- The threat engine exposes per-attacker outcomes (active, stopped, succeeded) for analysis and credit assignment.
Threat generation and lifecycle are implemented in server/threat_engine.py.
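The adaptation rules above can be read as a small state machine per simulated attacker. The sketch below is an added example, not the code in server/threat_engine.py: the class `SimAttacker`, the function `run`, and every threshold and rate value are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    ACTIVE = "active"
    STOPPED = "stopped"
    SUCCEEDED = "succeeded"

@dataclass
class SimAttacker:
    """Hypothetical simulated attacker; all thresholds are assumed values."""
    scenario: str
    steps_to_exfil: int = 6   # unblocked steps needed to finish exfiltration
    stealth_after: int = 2    # detections before switching to stealth mode
    stop_after: int = 4       # detections before the attacker gives up
    timeout: int = 30         # maximum ticks before the attacker times out
    progress: int = 0
    detections: int = 0
    ticks: int = 0
    stealth: bool = False
    outcome: Outcome = Outcome.ACTIVE

    def event_rate(self) -> float:
        # Stealth mode shifts an observable feature (here: relative event rate).
        return 0.2 if self.stealth else 1.0

    def step(self, blocked: bool) -> Outcome:
        if self.outcome is not Outcome.ACTIVE:
            return self.outcome  # terminal states are sticky
        self.ticks += 1
        if blocked:
            self.detections += 1  # repeated blocking raises the detection count
            self.stealth = self.stealth or self.detections >= self.stealth_after
            if self.detections >= self.stop_after:
                self.outcome = Outcome.STOPPED
        else:
            self.progress += 1
            if self.progress >= self.steps_to_exfil:
                self.outcome = Outcome.SUCCEEDED
        if self.outcome is Outcome.ACTIVE and self.ticks >= self.timeout:
            self.outcome = Outcome.STOPPED
        return self.outcome

def run(attacker: SimAttacker, blocked_per_tick: list) -> dict:
    """Replay defender block decisions and return the per-attacker record."""
    for blocked in blocked_per_tick:
        attacker.step(blocked)
    return {"scenario": attacker.scenario, "outcome": attacker.outcome.value,
            "detections": attacker.detections, "stealth": attacker.stealth}
```

The returned record is the kind of per-attacker outcome a defender policy can be scored against: a `stopped` outcome with a nonzero detection count credits the blocks, while `succeeded` marks an exfiltration the defender missed.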