Leonidas

MIT license · Python

A framework for executing and detecting cloud attacker TTPs via YAML definitions, generating APIs, Sigma rules, and documentation.

616 stars · 72 forks · 0 contributors

What is Leonidas?

Leonidas is a framework for automated attack simulation in cloud environments that executes predefined attacker tactics, techniques, and procedures (TTPs). It allows security teams to validate their detection capabilities by simulating real-world attacks and automatically generating corresponding detection rules and documentation. The framework uses YAML definitions to describe attacker actions across AWS and Kubernetes platforms.

Target Audience

Cloud security engineers, detection engineers, and red/blue teams working in AWS or Kubernetes environments who need to test and improve their security monitoring capabilities.

Value Proposition

Leonidas provides a structured, repeatable approach to cloud attack simulation with built-in detection generation, eliminating manual correlation between attacks and detection logic. Its YAML-based definition system makes TTPs portable and version-controllable, while supporting both AWS and Kubernetes environments.

Overview

Automated Attack Simulation in the Cloud, complete with detection use cases.

Use Cases

Best For

  • Validating cloud security monitoring and detection rules
  • Building automated attack simulation pipelines for AWS environments
  • Generating Sigma rules from documented attacker TTPs
  • Creating security documentation and playbooks from attack definitions
  • Testing Kubernetes cluster security controls and detection capabilities
  • Training security teams on cloud attacker techniques and detection methods

Not Ideal For

  • Teams operating exclusively in cloud environments other than AWS or Kubernetes, such as Azure or Google Cloud
  • Organizations looking for lightweight, ad-hoc penetration testing tools without API deployment or YAML management
  • Security teams with mature, custom detection pipelines that don't require automated Sigma rule generation

Pros & Cons

Pros

Standardized TTP Definitions

Uses a YAML-based format for defining attacker actions, making them portable and version-controllable, as shown in the project's example definition with fields such as name, description, and mitre_ids.

Automated Detection Generation

Compiles definitions into Sigma rules for integration with security monitoring systems, with commands like 'poetry run ./generator.py sigma' to generate outputs in ./output/sigma.

Multi-Platform Execution

Supports both AWS and Kubernetes environments, evidenced by architecture diagrams and deployment instructions for AWS CI/CD pipelines and K8S manifests in the documentation.

Documentation and Playbook Creation

Generates Markdown or HTML documentation from definitions, enabling security playbooks, with steps like 'poetry run ./generator.py docs' and 'mkdocs build' for HTML output.

Cons

Limited Cloud Provider Support

Primarily designed for AWS and recently extended to Kubernetes, lacking native support for other major clouds like Azure or GCP, which restricts use in multi-cloud environments.

Deployment Complexity

Requires setting up AWS-native CI/CD pipelines or Kubernetes manifests, which can be non-trivial and time-consuming, as indicated in the 'Deploying Leonidas' documentation.

Experimental Detection Status

Some detection rules in the YAML definitions are marked as experimental (e.g., status: experimental in the project's example definition), suggesting potential instability or immaturity in the generated Sigma rules.


Quick Stats

  • Stars: 616
  • Forks: 72
  • Contributors: 0
  • Open issues: 2
  • Last commit: 1 year ago
  • Created: 2020

Tags

#aws-security #sigma-rules #security-automation #mitre-attack #attack-simulation #kubernetes-security #detection-engineering #cloud-security #yaml-configuration

Built With

  • YAML
  • AWS
  • Kubernetes
  • MkDocs
  • Poetry
  • Python

Included in

  • Suricata (221)
