CTI AI Prompt: Generate red team emulation plans with Feedly

Description

This Ask AI Prompt generates comprehensive red team emulation reports that translate raw threat intelligence into actionable attack procedures. The structured output aligns with the MITRE ATT&CK framework, providing specific emulation steps, tool recommendations, and environmental considerations. This enables red teams to quickly develop realistic adversary simulations without spending days manually parsing through threat reports.

Providing the right context

To achieve the best results from your prompt, it’s essential to provide the AI with high-quality, technical context. You can do this easily within Feedly by selecting dense articles in a Feed or curating a Board with articles or reports that mention the specific threat actors, campaigns, or malware families you want to emulate. For example, say you’ve collected reports on APT41’s GodRAT financial targeting campaign. Having this curated set of relevant intel ensures the prompt provides the AI with the right context to generate an actionable and verifiable red team emulation plan.

Ask AI Prompt

Lead Cyber Threat Intelligence Analyst

Read the provided threat intelligence articles and generate a structured Adversary Emulation Report to support Red Team operations. The goal is to simulate realistic threat actor behavior based on recent tradecraft observed in the wild.


1. Summary of Threat Activity
- Threat Actor (if known)
- Campaign or Attack Name (if applicable)
- Targeted Sectors/Industries
- Reported Objective (e.g., data exfiltration, ransomware deployment, espionage)
- MITRE ATT&CK Tactics & Techniques
- Tools, Malware, or Frameworks Used
- Relevant CVEs (if exploitation was part of initial access or lateral movement)

2. Attack Procedures (Emulation Steps)
For each procedure, provide the following details:
- Step Name: [Short title of the simulated attack phase]
- Tactic: [MITRE ATT&CK Tactic — e.g., Initial Access, Persistence]
- Technique ID & Name: [MITRE ATT&CK Technique — e.g., T1566.001 - Spearphishing Attachment]
- Procedure Description: Technical detail of how the technique was used, including commands, payloads, or LOLBins. Highlight novel chaining techniques if observed.
- Emulation Plan: Exact steps to emulate this behavior with tools such as manual commands, Cobalt Strike, Brute Ratel, Mythic, Atomic Red Team, or Caldera. Include preconditions and payload examples.
- Environment Considerations: Infrastructure or configurations required (e.g., phishing server, domain controller, PowerShell remoting).

3. Detection Opportunities
- Log Sources & Event IDs
- Telemetry Requirements
- Known Sigma Rules or Detection Samples
- Blind spots or evasions observed

4. Suggested Purple Team Collaboration Opportunities
- Techniques that benefit from validation
- Coordinated tests to measure fidelity, tune detections, or validate response
- Suggested KPIs (dwell time, detection latency, alert-to-investigation timing)

5. Mitigations and Hardening (Optional)
- High-level mitigations aligned to MITRE M-codes (e.g., M1047 – Audit PowerShell logging)



- Ensure emulation steps reflect observed tradecraft
- Prioritize fidelity and align with MITRE ATT&CK standards
- Avoid vague descriptions—use real payloads, delivery methods, and sources
- Include specific tool commands and configuration details
- Focus on actionable procedures that can be executed
- Include citations to source material

Ask AI Response

The output provides a comprehensive emulation report covering seven attack procedures, from steganographic payload delivery to internal C2 via compromised SharePoint. Each step includes specific commands for tools like msfvenom, Impacket, and custom Python scripts, along with detailed environmental requirements.
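Because the report is meant to be actionable and verifiable, it is worth checking the generated text against the structure the prompt demands before handing it to the red team. The following Python checker is an added example, not part of the Feedly page or product: it assumes the section headings and the `- Step Name:` field label from the prompt above, and the sample report it runs on is constructed for illustration.

```python
import re

# Section headings the prompt requires in the generated report (taken from the prompt above).
REQUIRED_SECTIONS = [
    "Summary of Threat Activity",
    "Attack Procedures",
    "Detection Opportunities",
    "Purple Team Collaboration",
    "Mitigations and Hardening",
]
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")  # ATT&CK technique / sub-technique IDs
MITIGATION_RE = re.compile(r"\bM\d{4}\b")              # ATT&CK mitigation IDs
CITATION_RE = re.compile(r"\[\d+\]|https?://\S+")       # numbered references or URLs


def validate_report(text: str) -> dict:
    """Check a generated emulation report against the structure the prompt demands."""
    missing = [s for s in REQUIRED_SECTIONS if s.lower() not in text.lower()]
    # Isolate the numbered "Attack Procedures" section so technique IDs quoted in
    # later sections (e.g. inside a Sigma rule) do not mask an untagged step.
    sections = re.split(r"(?m)^\d+\. ", text)
    proc = next((s for s in sections if s.startswith("Attack Procedures")), "")
    steps = re.split(r"(?m)^- Step Name:", proc)[1:]
    untagged = [s.strip().splitlines()[0] for s in steps if not TECHNIQUE_RE.search(s)]
    problems = []
    if missing:
        problems.append(f"missing sections: {missing}")
    if not steps:
        problems.append("no emulation steps found")
    if untagged:
        problems.append(f"steps without an ATT&CK technique ID: {untagged}")
    if not CITATION_RE.search(text):
        problems.append("no citations to source material")
    return {
        "steps": len(steps),
        "techniques": sorted(set(TECHNIQUE_RE.findall(text))),
        "mitigations": sorted(set(MITIGATION_RE.findall(text))),
        "problems": problems,
    }


# Constructed sample output (not a real Ask AI response): one section is missing
# and the second step lacks its Technique ID, so both defects should be reported.
SAMPLE_REPORT = """1. Summary of Threat Activity
- Threat Actor: [constructed example]
2. Attack Procedures (Emulation Steps)
- Step Name: Phishing attachment delivery
- Tactic: Initial Access
- Technique ID & Name: T1566.001 - Spearphishing Attachment
- Step Name: Scheduled task persistence
- Tactic: Persistence
3. Detection Opportunities
- Log Sources & Event IDs: Sysmon Event ID 1
5. Mitigations and Hardening (Optional)
- M1047 - Audit PowerShell logging [1]
"""

if __name__ == "__main__":
    print(validate_report(SAMPLE_REPORT))
```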

The prompt can be saved in your prompt library and reused across different threat actor campaigns to maintain consistency in your red team planning process.

Try Ask AI in Feedly Threat Intelligence

Generate actionable red team emulation plans from your threat intelligence in seconds.
