Author: Mauro Risonho de Paula Assumpção | Version: 1.0.0-RC1 | Date: 2026-01-07
```bash
# Clone the repository
git clone https://github.com/firebitsbr/PurpleOPS.git
cd PurpleOPS

# Build (choose one option)
./scripts/simple-build.sh   # Option 1: Script with feedback (Recommended)
docker compose build        # Option 2: Direct Docker Compose
make build                  # Option 3: Makefile

# Start
docker compose up -d

# Access
open http://localhost:8090  # Frontend
open http://localhost:3000  # Backend API
```

📖 Complete documentation:
- Getting Started: QUICKSTART.md | BUILD.md
- Project Status: docs/status/STATUS_REPORT.md
- Architecture: docs/ARCHITECTURE.md
- Project Structure: docs/project-info/PROJECT_STRUCTURE.md
- Implementation Details: docs/project-info/
PurpleOPS BAS is a complete Purple Team platform developed in Clojure to validate security controls and Blue Team detection/response capabilities through controlled and safe simulations.
- No Real Exploits: Never generates exploits, malicious payloads, malware, or backdoors
- Mandatory Authorization: Every execution requires Scope Allowlist + Proof-of-Authorization + Lead Approval
- Lab-Only: Execution restricted to controlled environments (lab/CTF/staging)
- Complete Audit: All commands and actions are logged and audited
- Fail-Safe: Automatic blocking of out-of-scope actions
```text
purpleops-bas/
├── backend/       # Ring + Reitit + Integrant + JWT + RBAC
├── frontend/      # ClojureScript + Reagent + re-frame
├── orchestrator/  # Core.async engine (Planner→Executor→Critic→Reporter)
├── connectors/    # Telemetry importers (SIEM, EDR, Logs)
├── playbooks/     # BAS scenarios in EDN format
├── infra/         # Docker Compose + configurations
├── migrations/    # Migratus (Postgres)
└── docs/          # Technical documentation
```
- Exercise CRUD with objectives, execution windows, allowlists
- Scenario library with low-risk templates
- Authorization and scope validation
- Connectors for SIEM, EDR, logs
- Detection Assertions per scenario
- Telemetry gap analysis
- Detection Rate (% of detected events)
- Time to Detect (TTD)
- Time to Contain (TTC)
- Coverage Score
- Evidence Completeness
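The five metrics listed above can be computed directly from a run's action list and the detections it produced. The block below is an added example, not PurpleOPS code: the event shapes (`id`, `technique`, `at`, `evidence`), the constructed sample run, and the definitions used (TTD and TTC measured from the action start, coverage over distinct techniques, evidence completeness as the share of required fields present) are assumptions, since the README only names the metrics.

```python
"""Compute BAS scoring metrics for one run (added example, not PurpleOPS code)."""
from datetime import datetime
from statistics import median

# Constructed sample run: four simulated actions and the detections raised for them.
# Technique ids are ATT&CK ids used only as labels; timestamps are ISO-8601.
ACTIONS = [
    {"id": "a1", "technique": "T1059", "at": "2026-01-07T10:00:00",
     "evidence": {"timestamp", "process", "cmdline"}},
    {"id": "a2", "technique": "T1071", "at": "2026-01-07T10:05:00",
     "evidence": {"timestamp", "query"}},
    {"id": "a3", "technique": "T1059", "at": "2026-01-07T10:10:00",
     "evidence": {"timestamp", "src", "dst", "port"}},
    {"id": "a4", "technique": "T1005", "at": "2026-01-07T10:15:00",
     "evidence": set()},
]
DETECTIONS = [
    {"action": "a1", "detected_at": "2026-01-07T10:02:00", "contained_at": "2026-01-07T10:12:00"},
    {"action": "a3", "detected_at": "2026-01-07T10:14:00", "contained_at": None},
]
# Evidence fields each action's assertion requires (assumed per-scenario data).
REQUIRED_EVIDENCE = {
    "a1": {"timestamp", "process", "cmdline"},
    "a2": {"timestamp", "query", "response"},
    "a3": {"timestamp", "src", "dst", "port"},
    "a4": {"timestamp", "path"},
}


def _ts(value):
    return datetime.fromisoformat(value)


def detection_rate(actions, detections):
    """Fraction of simulated actions that produced at least one detection."""
    detected = {d["action"] for d in detections}
    return sum(1 for a in actions if a["id"] in detected) / len(actions)


def time_to_detect(actions, detections):
    """Median seconds from action start to first alert; None when nothing was detected."""
    start = {a["id"]: _ts(a["at"]) for a in actions}
    deltas = [(_ts(d["detected_at"]) - start[d["action"]]).total_seconds() for d in detections]
    return median(deltas) if deltas else None


def time_to_contain(actions, detections):
    """Median seconds from action start to containment; uncontained detections are excluded."""
    start = {a["id"]: _ts(a["at"]) for a in actions}
    deltas = [(_ts(d["contained_at"]) - start[d["action"]]).total_seconds()
              for d in detections if d["contained_at"]]
    return median(deltas) if deltas else None


def coverage_score(actions, detections):
    """Fraction of distinct techniques exercised that had at least one detection."""
    detected = {d["action"] for d in detections}
    techniques = {a["technique"] for a in actions}
    covered = {a["technique"] for a in actions if a["id"] in detected}
    return len(covered) / len(techniques)


def evidence_completeness(actions, required):
    """Average share of required evidence fields actually present per action."""
    scores = []
    for a in actions:
        need = required[a["id"]]
        scores.append(len(a["evidence"] & need) / len(need))
    return sum(scores) / len(scores)


def summarize(actions=ACTIONS, detections=DETECTIONS, required=REQUIRED_EVIDENCE):
    return {
        "detection_rate": detection_rate(actions, detections),
        "ttd_seconds": time_to_detect(actions, detections),
        "ttc_seconds": time_to_contain(actions, detections),
        "coverage_score": coverage_score(actions, detections),
        "evidence_completeness": evidence_completeness(actions, required),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value}")
```

On the constructed run, two of four actions are detected (rate 0.5) but both detected actions share one technique, so coverage is lower (1/3); the gap between the two numbers is exactly the signal a telemetry gap analysis looks for.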
- Results summarization
- Event correlation
- Tuning/hardening recommendations
- No offensive suggestions
- Executive summary
- Technical details
- Re-run plan
- PDF export
PurpleOPS now includes fintech-specific breach scenarios with complete offense-to-defense mapping and the AEGIS Framework integrating 10 major security frameworks:
- Wire Fraud: Phishing → Credential Theft → Wire Transfer
- Insider Threat: Privilege Escalation → Data Exfiltration
- Ransomware: Malware → Persistence → Encryption
- API Abuse: Credential Stuffing → Account Takeover
- Phishing emails and fake banking portals
- Pretexting and credential harvesting
- QR code phishing, USB drops
- Supply chain compromise, LinkedIn OSINT
Complete guide connecting adversary actions to:
- Detections (expected rules + confidence)
- Response Playbooks (step-by-step procedures)
- Training (role-based exercises)
- Metrics (MTTD, MTTR, training effectiveness)
AEGIS (All-Encompassing Guardian of Integrated Security) integrates:
- MITRE D3FEND - 5 categories, 13 defense techniques
- NIST SP 800-115 - Technical security testing framework
- MITRE ATT&CK - Mapping ATT&CK → D3FEND → Kill Chain → NIST
- Cyber Kill Chain - 7-phase attack framework
- Intelligence Disciplines - 12 collection types (OSINT through TECHINT)
- Cyber Threat Intelligence (CTI) - Threat actor profiling, IOC management
- SEAF - Social Engineering Analysis Framework
- OPSEC - Operational Security 5-phase framework
- Counterintelligence - Defense against intelligence collection
- Cross-Framework Integration - All frameworks work together
📖 Read:
- docs/AEGIS-FRAMEWORKS.md - Complete AEGIS reference
- examples/aegis-integration-example.clj - Full integration example
- docs/RED-TEAM-FEATURES.md | docs/OFFENSE-DEFENSE-MAPPING.md
- Docker 24+ with Compose V2
- 4GB RAM minimum
- Available ports: 3000 (API), 8090 (UI), 5432 (Postgres)
```bash
# Clone the repository
cd /home/test/Downloads/github/PurpleOPS
# Start all services
docker compose up --build
# Wait ~60s for complete initialization
# API: http://localhost:3000
# UI: http://localhost:8080
```

- Admin: admin@purpleops.local / PurpleOPS2026!Admin
- Purple Team Lead: lead@purpleops.local / PurpleOPS2026!Lead
- Analyst: analyst@purpleops.local / PurpleOPS2026!Analyst
Validates whether basic telemetry is being collected correctly (process creation, network connections, file access).
Simulates suspicious authentication patterns (multiple attempts, unusual times) to validate detection alerts.
See docs/SCENARIOS.md for complete guide.
Basic example:

```clojure
{:scenario/id "custom-test-001"
 :scenario/name "Custom Test Scenario"
 :scenario/description "Description"
 :scenario/risk-level :low
 :scenario/phases
 [{:phase/id "recon"
   :phase/actions
   [{:action/type :validate-telemetry
     :action/target :dns-logs
     :action/assertions
     [{:expected-event "DNS query logged"
       :evidence-fields [:timestamp :query :response]}]}]}]
 :scenario/expected-detections
 [{:detection/rule "DNS query to external resolver"
   :detection/min-confidence 0.8}]}
```

See docs/CONNECTORS.md for implementation of new telemetry connectors.
- control-plane: API, UI, Postgres (isolated)
- lab-net: Scenario execution (separate)
- Based on Alpine Linux
- Multi-stage builds
- Non-root users
- Read-only filesystem where possible
- Minimal capabilities
- Healthchecks
- Resource limits
- admin: Full management
- purple-lead: Approve and execute exercises
- analyst: View results
- viewer: Read-only access
All events are logged in audit_log:
- Who executed
- What was executed
- When
- Result
- Evidence
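The Mandatory Authorization and Fail-Safe principles listed at the top of this README, the role list above, and the five audit_log fields just listed can be sketched as a single execution gate. The block below is an added example, not PurpleOPS code: the `Exercise` fields, the role-to-permission mapping (read off the role descriptions above), the `AUTH-TICKET-PLACEHOLDER` reference and the in-memory audit list are all assumptions.

```python
"""Fail-safe execution gate with audit logging (added example, not PurpleOPS code)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed mapping from the README's role list: only lead/admin may approve or execute.
EXECUTE_ROLES = {"admin", "purple-lead"}
APPROVE_ROLES = {"admin", "purple-lead"}
LAB_ENVIRONMENTS = {"lab", "ctf", "staging"}


@dataclass
class Exercise:
    id: str
    environment: str                     # must be one of LAB_ENVIRONMENTS
    allowlist: list = field(default_factory=list)  # CIDR scope allowlist
    authorization_ref: Optional[str] = None        # proof-of-authorization reference
    approval: Optional[dict] = None                # {"by": user, "role": role}


# In-memory stand-in for the audit_log table: who / what / when / result / evidence.
AUDIT_LOG = []


def audit(who, what, result, evidence):
    entry = {
        "who": who,
        "what": what,
        "when": datetime.now(timezone.utc).isoformat(),
        "result": result,
        "evidence": evidence,
    }
    AUDIT_LOG.append(entry)
    return entry


def in_scope(target, allowlist):
    """True only if target is an IP inside an allowlisted CIDR; unparsable targets are out of scope."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return False  # fail-safe: anything we cannot classify is blocked
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def authorize_action(exercise, actor, actor_role, target):
    """Return (allowed, reason). The first failing check blocks the action and is audited."""
    action = f"execute {exercise.id} against {target}"
    checks = [
        (actor_role in EXECUTE_ROLES, f"role '{actor_role}' cannot execute exercises"),
        (exercise.environment in LAB_ENVIRONMENTS,
         f"environment '{exercise.environment}' is not lab-only"),
        (bool(exercise.authorization_ref), "missing proof-of-authorization"),
        (exercise.approval is not None and exercise.approval.get("role") in APPROVE_ROLES,
         "missing lead approval"),
        (in_scope(target, exercise.allowlist), f"target {target} outside scope allowlist"),
    ]
    for ok, reason in checks:
        if not ok:
            audit(actor, action, "BLOCKED", {"reason": reason})
            return False, reason
    audit(actor, action, "ALLOWED", {
        "authorization_ref": exercise.authorization_ref,
        "approved_by": exercise.approval["by"],
    })
    return True, "ok"


if __name__ == "__main__":
    ex = Exercise("ex-001", "lab", ["10.10.0.0/24"], "AUTH-TICKET-PLACEHOLDER",
                  {"by": "lead@purpleops.local", "role": "purple-lead"})
    print(authorize_action(ex, "lead@purpleops.local", "purple-lead", "10.10.0.15"))
    print(authorize_action(ex, "lead@purpleops.local", "purple-lead", "192.0.2.9"))
    for entry in AUDIT_LOG:
        print(entry)
```

The checks are ordered so that the cheapest and most categorical denials (wrong role, non-lab environment) fire before the scope lookup, and every decision, allowed or blocked, lands in the audit log with the evidence that justified it.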
```text
POST   /auth/login
POST   /auth/logout
GET    /auth/me
GET    /exercises
POST   /exercises
GET    /exercises/:id
PUT    /exercises/:id
DELETE /exercises/:id
POST   /exercises/:id/approve
POST   /exercises/:id/start
GET    /scenarios
GET    /scenarios/:id
GET    /runs
GET    /runs/:id
POST   /runs/:id/stop
GET    /runs/:id/detections
GET    /detections
GET    /detections/:id
GET    /scores/summary
GET    /scores/trends
GET    /reports/:run-id
POST   /reports/:run-id/export-pdf
GET    /audit-log
```
Complete 0trace integration in pure Clojure:
- Namespace: purpleops-bas.backend.tools.zerotrace
- Functionality: TCP traceroute within existing connections
- Bypass: Stateful firewalls via in-band signaling
- API Endpoint: POST /api/tools/zerotrace

```bash
# Execute trace via API
curl -X POST http://localhost:3000/api/tools/zerotrace \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "interface": "eth0",
    "target_ip": "192.168.1.100",
    "target_port": 443,
    "max_hops": 20
  }'
```

BAS Scenario: network-trace-stealth-001.yml
- Network topology discovery
- Segmentation mapping
- Intermediate firewall identification
```bash
cd backend
clj -M:dev
# REPL on port 7888
```

```bash
cd frontend
npm install
npm run watch
# http://localhost:8280
```

```bash
# Backend
cd backend
clj -M:test

# Frontend
cd frontend
npm test
```

- Logs: `docker compose logs -f <service>`
- Health: `curl http://localhost:3000/health`
- Metrics: Prometheus endpoint at `/metrics` (optional)

```bash
docker compose down -v
docker compose up --build --force-recreate
```

```bash
# Check if Postgres is healthy
docker compose ps
docker compose logs postgres
```

Check frontend/public/config.js - it should point to http://localhost:3000
- Fork the project
- Create a branch: `git checkout -b feature/my-feature`
- Commit: `git commit -m 'Add: new feature'`
- Push: `git push origin feature/my-feature`
- Open a Pull Request
MIT License - see LICENSE

**Use responsibly. Always obtain explicit authorization before executing any simulation.**