Test your defenses with realistic attack simulations
Run attacks from your local Kali VM against Windows targets on your network. Results sync to the cloud dashboard.
Graphical interface for browsing attacks, managing agents, and viewing detailed execution reports.
Every attack is mapped to MITRE ATT&CK techniques for clear categorization and reporting.
Track execution success rates, category breakdowns, and detailed command outputs.
Generate CSV and PDF reports of attack execution history for documentation.
All commands are harmless system queries - no actual exploits, malware, or destructive actions.
Your attack machine
Runs Web UI on :8080
Target VM
Listens on :8888
Downloads & Docs
API for results
Attacks run locally on your network. The Kali UI reports results to this dashboard for persistence and centralized viewing.
Download the components and set up your attack simulation environment
Complete standalone app with 86+ attacks. Download, extract, and double-click to run. Auto-opens browser, checks for updates, works 100% offline.
Version 1.2.0 | ~500KB | Requires Python 3
Complete GUI application for Windows target. Tracks received attacks, syncs with Kali, shows real-time status. Double-click to run!
Version 1.2.0 | Requires Python 3 + tkinter
MERSAD requires Python 3 on both machines. Download and install these before running the apps.
Kali Linux: Python 3 is pre-installed. Just run python3 --version to verify.
Windows: Download Python, run installer, check "Add to PATH" during install.
Download windows_agent.py to your Windows VM and run it. Note the IP address - the agent listens on port 8888 by default.
Download kali_attacker_ui.py to your Kali VM. Run: python3 kali_attacker_ui.py (works offline, no URL needed)
Open http://localhost:8080 in your browser on the Kali machine. You'll see the full attack dashboard.
In the Agents tab, enter the Windows VM's IP address and click Add. Test the connection to confirm it's working.
Go to the Execute tab, select your target agent, choose attacks from the library, and click Execute. Watch results in real-time!
A complete guide to setting up and using MERSAD for security testing. Learn what to expect, how both apps work together, and how to interpret results.
MERSAD is a cyber attack simulation platform designed for security professionals to test their defenses. It generates realistic attack patterns that mimic real-world threats, helping you evaluate how well your EDR, SIEM, and security tools detect malicious activity.
All attacks use benign commands - no real malware, no system damage. Commands are designed to trigger detection without causing harm.
Every attack maps to MITRE ATT&CK techniques, helping you understand coverage gaps in your security posture.
Works completely offline in air-gapped environments. No internet required after initial download.
When you run MERSAD attacks, here's what happens:
The Windows agent receives attack instructions and runs benign commands like tasklist, whoami, net user, etc. These are normal system commands that mimic attacker reconnaissance.
A properly configured EDR or SIEM should detect these patterns. If your security tools don't alert, you've found a gap in your detection coverage.
Both the Kali UI and Windows Agent track attack execution. Success/failure status syncs automatically so you can review results from either location.
Export CSV reports showing which attacks succeeded, their MITRE mappings, and recommended defenses. Use this to brief stakeholders on security posture.
The Kali Attacker UI is your command center. Here's what each tab does:
Live overview with charts showing attack distribution by category, success rates, and recent activity. Monitor your testing session at a glance.
Add and manage Windows targets. Enter IP:Port (e.g., 192.168.1.50:8888), test connection, and monitor agent status. Green = online, Red = offline.
Browse all 86+ attacks with filtering by category. Click any attack to see details: MITRE ID, commands, D3FEND countermeasures, and defensive recommendations.
Select a target agent, pick attacks (or click "Execute All"), and launch. Watch results stream in real-time. Each attack shows success/failure immediately.
Full log of all executed attacks with search, filter by status/category, and pagination. Click any entry to see command output and errors.
Generate CSV exports with all attack data, MITRE mappings, and security recommendations. Perfect for compliance reports and stakeholder briefings.
The Windows Agent runs on your target VM and receives attack commands. The GUI version provides visibility into what's happening:
Real-time counters showing Total, Successful, Failed, and Detected attacks
Full attack log with timestamps. Double-click any entry to see command output
Configure Kali URL in Settings to enable automatic result synchronization
The attack commands executed successfully. Your EDR should have detected this activity. If not, investigate why.
Commands returned errors (permission denied, not found, etc.). This may indicate security controls are working or prerequisites are missing.
Your security tools flagged this activity. This is the ideal outcome - it means your defenses are working properly.
Results have been synchronized between Windows agent and Kali attacker. Both apps show the same data.
Only run MERSAD on systems you own or have explicit written permission to test. Unauthorized testing is illegal.
Use dedicated test VMs, not production systems. While attacks are benign, they may trigger security alerts and automated responses.
Export CSV reports for each testing session. Include date, scope, and results in your security assessment documentation.
Use results to tune security tools, not as absolute truth. Some attacks may not apply to your environment or may require different detection rules.
Learn about the cybersecurity concepts and frameworks that MERSAD is built upon
EDR (Endpoint Detection and Response) is a cybersecurity technology that continuously monitors endpoints - devices like laptops, desktops, servers, and mobile phones - to detect, investigate, and respond to cyber threats in real time.
Traditional antivirus relies on known threat signatures; EDR detects novel attacks based on behavior. It provides real-time visibility and faster incident response, reducing dwell time before threats escalate into breaches.
NDR (Network Detection and Response) is a cybersecurity technology that continuously monitors network traffic in real-time to detect and respond to suspicious activities, anomalies, and cyber threats.
NDR uses non-signature-based techniques to identify threats that traditional security tools miss. It monitors both encrypted and unencrypted traffic, detects lateral movement, and provides comprehensive visibility across on-premises, cloud, and hybrid environments.
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a globally accessible knowledge base of cybercriminal tactics and techniques based on real-world observations. It provides a standardized language for understanding how cyberattacks unfold.
The matrix is organized with Tactics (columns) representing adversarial goals, and Techniques (rows) showing specific methods to achieve those goals.
Security teams use ATT&CK for threat intelligence, detection engineering, red team exercises, and incident response. MERSAD maps all attacks to ATT&CK techniques for clear categorization.
MITRE D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense) is the defensive counterpart to ATT&CK. It provides a standardized vocabulary and catalog of defensive cybersecurity techniques.
D3FEND links defensive techniques to ATT&CK offensive techniques, helping teams identify countermeasures for specific attack patterns.
The Cyber Kill Chain is a framework developed by Lockheed Martin in 2011 to map out the stages of a cyberattack. It helps security teams understand attacker methodology, detect threats early, and disrupt attacks before they succeed.
The Kill Chain enables early detection, layered defense at each phase, and structured incident response. MERSAD helps test your defenses at each stage of the attack lifecycle.