AttackDefendLab is a modular cybersecurity simulation framework built in Python.
The project demonstrates how attacker behaviour generates telemetry, how real-time detections are triggered, and how threat hunting can uncover gaps, anomalies and repeat offenders.
It is designed to model the relationship between:
- adversary activity
- logging pipelines
- detection engineering
- historical analysis
- analyst decision making
Key capabilities:
- Simulate reconnaissance activity across multiple attacker profiles
- Generate realistic service telemetry
- Trigger real-time detections
- Identify detection blind spots
- Build behavioural baselines
- Track repeat offenders through reputation
- Translate analytics into investigation narratives
Data flow through the lab:

    Attacker → Target → connections.log
                            ↓
                        Defender → alerts.log
                                       ↓
                                    Hunter → scoring, baselines, reputation, narrative, visualization
Multiple offensive behaviours are implemented:
- Fast scanner (burst activity)
- Slow scanner (low-and-slow evasion)
- Normal client (benign baseline traffic)
Each attacker can simulate a unique source identity.
The target simulates exposed services.
For every connection it:
- accepts the request
- attributes an actor/persona
- writes telemetry
- signals the defender
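To make the attacker and target roles above concrete, here is an added example (not AttackDefendLab's own code): a target that opens a few localhost listeners in threads, attributes every accepted connection to its source and records one telemetry line per connection, and a scanner whose inter-connection delay turns the same port list into either the fast or the low-and-slow profile. The ephemeral-port choice, the `<epoch_seconds> <source_ip> <dst_port>` line format and the delays are assumptions made for this illustration, not the project's format.

```python
"""Added example, not AttackDefendLab's own code: a threaded target that logs
telemetry per accepted connection, and a scanner with a configurable delay.
Port choice, telemetry line format and delays are assumptions."""
import socket
import threading
import time


class Target:
    """Exposed-service simulator: one listener thread per port. Every accepted
    connection is attributed to its source and appended to `telemetry` as
    "<epoch_seconds> <source_ip> <dst_port>" (format assumed here)."""

    def __init__(self, host="127.0.0.1"):
        self.host = host
        self.telemetry = []
        self.lock = threading.Lock()
        self.listeners = []
        self.ports = []

    def listen(self, count):
        """Open `count` listeners on ephemeral ports and start an accept loop for each."""
        for _ in range(count):
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((self.host, 0))          # port 0: let the OS pick a free port
            srv.listen(16)
            port = srv.getsockname()[1]
            self.ports.append(port)
            self.listeners.append(srv)
            threading.Thread(target=self._accept_loop, args=(srv, port), daemon=True).start()
        return self.ports

    def _accept_loop(self, srv, port):
        while True:
            try:
                conn, (src_ip, _src_port) = srv.accept()
            except OSError:                   # listener closed during shutdown
                return
            with self.lock:                   # several listener threads write here
                self.telemetry.append(f"{int(time.time())} {src_ip} {port}")
            conn.close()

    def close(self):
        for srv in self.listeners:
            try:
                srv.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept() on Linux
            except OSError:
                pass
            srv.close()


def scan(host, ports, delay):
    """Attacker: connect to each port in turn. delay=0 is the burst scanner;
    a positive delay is the low-and-slow profile that spreads the same port
    coverage over a longer window. Returns the number of successful connects."""
    hits = 0
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(1.0)
            try:
                s.connect((host, port))
                hits += 1
            except OSError:
                pass
        time.sleep(delay)
    return hits


def run_profile(port_count, delay):
    """Stand up a target, run one scanner profile against it, and return the
    telemetry lines it produced plus the wall-clock span the scan covered."""
    target = Target()
    ports = target.listen(port_count)
    start = time.time()
    scan(target.host, ports, delay)
    deadline = time.time() + 2.0              # let the accept threads log the last hits
    while time.time() < deadline and len(target.telemetry) < port_count:
        time.sleep(0.01)
    span = time.time() - start
    target.close()
    return list(target.telemetry), span


if __name__ == "__main__":
    for name, profile_delay in (("fast scanner", 0.0), ("slow scanner", 0.05)):
        lines, span = run_profile(5, profile_delay)
        print(f"{name}: {len(lines)} connections logged over {span:.2f}s")
        for line in lines:
            print("  ", line)
```

Both profiles touch exactly the same ports, so the telemetry differs only in how the timestamps are spread; that spread is what a threshold detector keys on and what a slow scanner exploits.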
The defender represents a real-time detection engine.
It maintains short-term memory and applies threshold logic to identify bursts of suspicious behaviour.
Alerts are written to logs/alerts.log.
The hunting engine performs deeper analysis on collected telemetry.
Capabilities include:
- unique port analysis
- detection gap discovery
- risk scoring
- policy enforcement
- baseline vs current behaviour
- reputation growth across incidents
- automated incident narrative
- attack heatmap visualization
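The defender's short-term memory with threshold logic and the hunter's gap discovery, risk scoring and reputation growth are easiest to see side by side, so here is one added example (not AttackDefendLab's own code) that runs both over constructed telemetry. The `<epoch_seconds> <source_ip> <dst_port>` log format, the 10-second window, the burst threshold of 8, the 5-port hunting threshold and the alert bonus are all assumptions chosen for the illustration; the three sample sources are constructed to match the fast scanner, slow scanner and normal client profiles.

```python
"""Added example, not AttackDefendLab's own code: a sliding-window burst
detector (defender) and a gap-hunting, scoring and reputation pass (hunter)
run over constructed telemetry. Log format, window and thresholds are
assumptions for this illustration."""
from collections import defaultdict, deque

# Constructed connections.log, one "<epoch_seconds> <source_ip> <dst_port>"
# record per line (format assumed for this example):
#   10.0.0.5  fast scanner:  10 ports in 2 seconds
#   10.0.0.9  slow scanner:  10 ports, one every 30 seconds
#   10.0.0.2  normal client: alternates 80/443, one request every 7 seconds
CONNECTIONS_LOG = "\n".join(
    [f"{1000 + i // 5} 10.0.0.5 {20 + i}" for i in range(10)]
    + [f"{1000 + i * 30} 10.0.0.9 {20 + i}" for i in range(10)]
    + [f"{1000 + i * 7} 10.0.0.2 {443 if i % 2 else 80}" for i in range(10)]
)

WINDOW_SECONDS = 10       # assumed: the defender's short-term memory
BURST_THRESHOLD = 8       # assumed: this many hits inside the window raises an alert
HUNT_PORT_THRESHOLD = 5   # assumed: distinct ports that make a source worth a look
ALERT_BONUS = 5           # assumed: risk added on top of port count when an alert fired


def parse_log(text):
    """Parse the telemetry and order it by time, since records from
    concurrently running attackers interleave in the file."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port = line.split()
            events.append((int(ts), src, int(port)))
    return sorted(events, key=lambda e: e[0])


def detect_bursts(events):
    """Defender: per-source deque of recent timestamps; evict anything older
    than the window, alert once when the window fills. Returns alert lines."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, src, _port in events:
        window = recent[src]
        window.append(ts)
        while window[0] < ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) >= BURST_THRESHOLD and src not in alerted:
            alerted.add(src)
            alerts.append(f"{ts} ALERT burst src={src} hits={len(window)} window={WINDOW_SECONDS}s")
    return alerts


def alerted_sources(alerts):
    return {line.split("src=")[1].split()[0] for line in alerts}


def unique_ports(events):
    """Hunter: number of distinct destination ports per source over the whole log."""
    ports = defaultdict(set)
    for _ts, src, port in events:
        ports[src].add(port)
    return {src: len(p) for src, p in ports.items()}


def find_detection_gaps(events, alerts):
    """Hunter: sources that touched many ports yet never produced an alert.
    The slow scanner lands here, which is why alerts alone are insufficient."""
    seen = alerted_sources(alerts)
    return {src: n for src, n in unique_ports(events).items()
            if n >= HUNT_PORT_THRESHOLD and src not in seen}


def score_sources(events, alerts):
    """Hunter: simple risk score = distinct ports, plus a bonus when the
    real-time detector already fired on the source."""
    seen = alerted_sources(alerts)
    return {src: n + (ALERT_BONUS if src in seen else 0)
            for src, n in unique_ports(events).items()}


def update_reputation(reputation, scores):
    """Persistent memory across incidents: scores accumulate, so a source that
    keeps coming back outranks a one-off burst of the same size."""
    for src, score in scores.items():
        reputation[src] = reputation.get(src, 0) + score
    return reputation


def run_pipeline(log_text, reputation=None):
    """Telemetry -> alerts -> hunt findings -> scores -> updated reputation."""
    events = parse_log(log_text)
    alerts = detect_bursts(events)
    gaps = find_detection_gaps(events, alerts)
    scores = score_sources(events, alerts)
    reputation = update_reputation(reputation if reputation is not None else {}, scores)
    return alerts, gaps, scores, reputation


if __name__ == "__main__":
    reputation = {}
    for incident in (1, 2):   # the same telemetry replayed as two incidents
        alerts, gaps, scores, reputation = run_pipeline(CONNECTIONS_LOG, reputation)
        print(f"incident {incident}: alerts={alerts}")
        print(f"  detection gaps (distinct ports, no alert): {gaps}")
        print(f"  risk scores: {scores}")
        print(f"  reputation so far: {reputation}")
```

With these settings only the fast scanner trips the detector; the slow scanner never holds more than one connection inside the window, yet it has touched the same ten ports, so it surfaces only in the hunter's gap list. Replaying the log as a second incident doubles every reputation score, which is the repeat-offender signal the narrative stage would pick up.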
Design:
- Modular function-based architecture
- Separation between telemetry, detection and analytics
- Persistent memory via reputation system
- Time-aware investigations
- Multiple attacker personas
- Extensible design for future plugins
Built with:
- Python
- TCP sockets
- Multithreading
- File-based telemetry
- Data analysis & visualization (matplotlib, numpy)
Start the components from the project root in the order below: defender and target first, so the attackers' connections are logged and detected as they happen; the hunter last, once telemetry and alerts have been collected. Forward slashes in the paths also work on Windows.

```sh
python defender/detector.py
python target/server.py
python attacker/normal_client.py
python attacker/scanner.py
python attacker/slow_scanner.py
python hunter/analyze.py
```
Learning objectives:
- Demonstrate why alerts alone are insufficient
- Show how attackers evade thresholds
- Validate detection coverage
- Explain baseline drift
- Illustrate reputation accumulation
- Teach SOC & threat hunting workflows
This lab shows the practical interaction between:
- offensive tradecraft
- defensive monitoring
- detection engineering
- analytical reasoning
It aims to simulate how real security teams move from signals to context to decisions.
Planned expansions include:
- pluggable detection modules
- service fingerprinting
- anomaly modelling improvements
- timeline reconstruction
- multi-host simulation
- enrichment data
This project is for educational and research purposes only.
Author: Elias, security enthusiast