What it is

MITRE Caldera is an open-source adversary emulation platform designed to automate and orchestrate red team activities using a structured model: agents execute abilities (atomic actions) as part of operations driven by adversary profiles. Morgana Arsenal extends this model specifically for Merlino workflows, prioritizing clean integration, repeatability, and measurable outcomes that can be consumed directly by Merlino’s reporting and coverage analytics.

Why Merlino uses Morgana Arsenal

Merlino’s methodology is built on validation, not assumptions. Morgana Arsenal provides the controlled execution environment that turns technique mapping and test planning into real-world evidence. Instead of manual, one-off testing, you can run consistent emulation campaigns and track results over time.

• Execution at scale: automate tests and run them consistently across targets and environments.
• Repeatable validation: re-run the same operations after patching or control changes to measure improvement.
• Structured evidence: outcomes are produced as operational telemetry that can be synchronized back into Merlino.
• Controlled simulation: emulate realistic attacker behavior in a safe, managed way.

Core building blocks

Agents

Agents are lightweight components deployed to target machines. They execute abilities and return results back to Morgana Arsenal. In Merlino workflows, agents represent your execution footprint and are monitored for activity, stability, and responsiveness.

Abilities

Abilities are atomic actions that implement parts of a technique (for example discovery, credential access steps, lateral movement primitives). Abilities can be mapped to TTPs and organized for operational reuse. This creates a modular library that supports repeatability and coverage mapping.

Adversaries (profiles)

Adversaries are structured profiles that chain abilities into realistic sequences, representing attacker behavior patterns. They can model a threat group playbook, a campaign flow, or a specific validation scenario aligned to a technique set.

Operations

Operations are the executable runs. They bind an adversary profile to targets, schedule execution, track progress, and produce results. Operations are the unit of evidence: they record what ran, where it ran, when it ran, and what the outcomes were.

Operational configuration and governance

Morgana Arsenal includes the configuration layer required to run controlled red team activity in a professional way: objectives, schedules, fact sources, team settings, tagging, and operational parameters that keep activity organized and auditable.

• Schedules: run emulation at defined times or windows to support repeatable testing cycles.
• Objectives: drive operations toward specific goals aligned to validation and measurement.
• Fact sources: manage known context used during operations (environment details, preconditions, discovered facts).
• Tags and organization: keep campaigns, entities, and events structured for traceability.

Integration with Merlino

Morgana Arsenal is designed to be consumed by Merlino. Merlino can use Morgana Arsenal as the execution backend while remaining the primary operational workspace for modelling, mapping, and reporting. Execution outcomes are synchronized back into Merlino so results directly affect validation metrics, coverage confidence, and dashboards.

• Bidirectional workflow: Merlino plans and organizes testing; Morgana Arsenal executes and returns evidence.
• Operational synchronization: operations, abilities, agents, and outcomes are reflected in Merlino reporting views.
• Evidence-driven statistics: success/failure and reliability data feeds Merlino posture metrics over time.
• Controlled adoption: Morgana Arsenal can be run by the professional as a managed service or deployed within the customer environment.

Typical uses

• Purple Team validation: emulate relevant techniques and measure detection and response effectiveness.
• Patch and hardening verification: confirm whether remediation removed exploitation conditions.
• Detection engineering support: create predictable emulation signals to tune telemetry and detections.
• Continuous testing: schedule recurring operations to detect regression and maintain assurance over time.

Note: Morgana Arsenal is the execution layer; Merlino is the methodology and operational workspace. Together they provide a complete loop: threat-driven planning → controlled emulation → measurable results → evidence-backed reporting and improvement.