Operations (Auto-Generated Runs)
Operations are where adversary emulation becomes execution. In Morgana Arsenal (Merlino’s Caldera fork), an Operation is the runnable unit that binds an adversary profile to real target agents, executes the chained abilities, and produces evidence. With Merlino, operations are not built manually: they are generated automatically from your Merlino attack chains and published ready-to-run.
What an operation is
An Operation is a controlled adversary emulation run. It defines what will be executed (the adversary profile and its ordered ability chain), where it will run (target agents/hosts), and how it should be orchestrated (execution logic, objectives, scheduling, and configuration). During execution, each ability produces outcomes (success, failure, timing, outputs) that can be reviewed and used as validation evidence.
Automatic creation by Merlino
Merlino automates the hardest part of adversary emulation: turning intelligence and technique scope into a runnable execution plan. Instead of manually assembling operations in Caldera, Merlino generates operations from the workbook context—selected technique sets, attack chains, priorities, and scenario structure—then publishes them into Morgana Arsenal already linked to the correct adversaries.
- Chain-to-operation conversion: Merlino converts ATT&CK chains into executable operation runs.
- Adversary linkage: operations are automatically associated with the generated adversary profiles.
- Technique traceability: operations retain the technique IDs (Tcodes) so every execution maps back to TTP scope.
- Agent-ready: operations are prepared to run against onboarded agents without manual rework.
- Consistent naming and structure: operations are created with standardized metadata for reuse and reporting.
From Merlino analysis to multi-stage emulation
Because Merlino can generate complete chains (not just single abilities), you can simulate realistic multi-stage scenarios quickly. This supports campaign-style emulation where the operation reflects a coherent attacker flow—initial steps, expansion, and impact—rather than disconnected one-off tests.
- Campaign simulation: generate operations that represent a full scenario aligned to a campaign narrative.
- APT-style multi-stage runs: execute chained abilities across phases to emulate complex attacker behavior patterns.
- Multiple operations per scenario: split large chains into operations for control, stability, and iterative testing.
- Rapid iteration: regenerate and re-run operations quickly as scope, priorities, or environment context changes.
Execution visibility and evidence
Morgana Arsenal provides detailed operation visibility: state, start times, agent linkage, and per-ability execution outcomes. This lets you verify exactly what ran, where it ran, and how it behaved. When used together with Merlino’s monitoring dashboards, operational quality and evidence become measurable.
- Operation state: track whether a run is planned, running, paused, or finished.
- Per-ability results: success/failure, timing, and outputs per executed ability.
- Target confirmation: ensure the right agents and hosts were used for the simulation.
- Traceable TTP scope: keep a clear link between execution and ATT&CK technique identifiers.
Why this matters (advantages)
Manual adversary emulation is slow and inconsistent: operations get built differently by different people, chains are incomplete, and evidence is hard to compare over time. Merlino removes the manual assembly phase and standardizes execution, which enables faster delivery and repeatable measurement.
- Speed: move from technique scope to runnable operations in minutes.
- Consistency: standardized operation structures across teams and customers.
- Repeatability: re-run the same operation after fixes to measure improvement and regression.
- Traceability: every operation is linked to techniques, chains, and adversaries for defensible reporting.
- Evidence-driven posture: outcomes can be synchronized back into Merlino to support validated coverage metrics.
Typical workflow
- Model and prioritize in Merlino: select technique scope and generate attack chains based on your data and context.
- Auto-generate adversaries: Merlino publishes the required adversary profiles into Morgana Arsenal.
- Auto-generate operations: Merlino creates runnable operations and links them to adversaries and targets.
- Execute: run operations in Morgana Arsenal (or from Merlino’s Tests & Operations module).
- Measure and improve: review outcomes, fix gaps, and re-run to confirm uplift.
Note: Operations created by Merlino are designed for controlled, repeatable emulation. They can be used to validate detections, confirm patching and hardening effectiveness, and produce comparable evidence across repeated runs and environments.
