Home
Detection simulation engine for Palo Alto Networks Cortex
Controlled, high-fidelity signal generation for Cortex XDR / XSIAM / Cloud / AI / Browser detection validation.
CortexSim is the detection quality-assurance engine for Palo Alto Networks Domain Consultants. It generates controlled, high-fidelity signals into customer Cortex environments — XSIAM, XDR, Cortex Cloud, AI Access Security, AI Runtime Security, Prisma Browser — to validate that detections, BIOCs, analytics rules and correlation logic fire as designed.
Think MITRE Caldera's opinionated nephew: not a red-team C2, but a detection assurance rig with strict identity harnessing, MITRE-mapped expected detections per step, and a feedback loop that times mean-time-to-detect against your tenant.
This wiki is the canonical catalogue of every detection CortexSim ships. It is regenerated from the scenario YAMLs in scenarios/ — the source of truth.
| Plane | Engine | Scenarios | Detections | Page |
|---|---|---|---|---|
| EDR | Cortex XDR Agent | 5 | 47 | Plane-EDR |
| CDR | Cortex Cloud / Prisma Cloud Compute | 5 | 45 | Plane-CDR |
| NDR | Cortex Network Security / NGFW Analytics | 5 | 23 | Plane-NDR |
| AI_ACCESS | Cortex AI Access Security | 5 | 24 | Plane-AI_ACCESS |
| AIRS | Cortex AI Runtime Security | 5 | 25 | Plane-AIRS |
| BROWSER | Prisma Browser | 5 | 24 | Plane-BROWSER |
| KOI | KOI (agentic-endpoint plane) | 5 | 29 | Plane-KOI |
| ANALYTICS | XSIAM Correlation Engine | 4 | 43 | Plane-ANALYTICS |
- ATT-CK-Coverage — full tactic × technique map across every scenario
- ATT-CK-Navigator-Export — drop-in JSON layer for ATT&CK Navigator
```mermaid
flowchart LR
A[DC selects scenario] --> B[SimCore creates Run]
B --> C[Auto-seed Result rows from expected_detections]
C --> D{Execution mode}
D -->|pull| E[Agent polls SimCore, executes via identity harness]
D -->|push| F[DC downloads bash bundle, executes offline]
E --> G[Signals land in Cortex]
F --> G
G --> H[DC validates Result rows in UI]
H --> I[MTTD computed: observed_at − executed_at]
I --> J[POV report exported as Markdown / ATT&CK Navigator JSON]
```
Detailed walkthrough: Validation-Workflow.
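The loop in the flowchart, as an added worked example for this page (not SimCore's own code): a Run is created from a scenario, one Result row is auto-seeded per expected detection, the DC validates rows in the UI, and MTTD is computed as observed_at − executed_at. The scenario dict stands in for a parsed scenarios/<plane>/*.yml file and its field names, rule names and technique pairings are constructed assumptions.

```python
"""Added illustration of the CortexSim Run / Result / MTTD loop.

Example code written for this wiki page, not the project's SimCore
implementation. SCENARIO is a constructed stand-in for a parsed
scenarios/<plane>/*.yml file; its field names are assumptions.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import median
from typing import Optional

# Constructed sample scenario (field names assumed, not CortexSim's schema).
SCENARIO = {
    "id": "edr-service-account-demo",
    "plane": "EDR",
    "steps": [
        {"id": "step-1", "identity": "www-data",
         "expected_detections": [
             {"rule": "Sensitive File Read by Web Service Account",
              "kind": "analytics", "technique": "T1003.008"},
             {"rule": "BIOC: Shell Spawned by Web Server",
              "kind": "bioc", "technique": "T1059.004"}]},
        {"id": "step-2", "identity": "svc-backup",
         "expected_detections": [
             {"rule": "Archive Collection by Service Account",
              "kind": "analytics", "technique": "T1560.001"}]},
    ],
}


@dataclass
class Result:
    """One auto-seeded row per expected detection; the DC sets its status."""
    step_id: str
    rule: str
    kind: str
    technique: str
    executed_at: Optional[datetime] = None
    observed_at: Optional[datetime] = None
    status: str = "pending"   # pending -> detected | missed

    @property
    def mttd(self) -> Optional[timedelta]:
        # Only defined once the step ran and the alert was seen in Cortex.
        if self.executed_at is None or self.observed_at is None:
            return None
        return self.observed_at - self.executed_at


@dataclass
class Run:
    scenario_id: str
    plane: str
    run_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    results: list[Result] = field(default_factory=list)


def create_run(scenario: dict) -> Run:
    """'SimCore creates Run' + 'auto-seed Result rows from expected_detections'."""
    run = Run(scenario_id=scenario["id"], plane=scenario["plane"])
    for step in scenario["steps"]:
        for det in step.get("expected_detections", []):
            run.results.append(Result(step["id"], det["rule"], det["kind"], det["technique"]))
    return run


def mark_executed(run: Run, step_id: str, executed_at: datetime) -> int:
    """Record when the agent (pull) or push bundle ran a step; returns rows touched."""
    rows = [r for r in run.results if r.step_id == step_id]
    for r in rows:
        r.executed_at = executed_at
    return len(rows)


def validate(run: Run, step_id: str, rule: str, observed_at: Optional[datetime]) -> Result:
    """DC validates a row: an observed_at marks it detected, None marks it missed."""
    for r in run.results:
        if r.step_id == step_id and r.rule == rule:
            if observed_at is None:
                r.status = "missed"
            elif r.executed_at is not None and observed_at < r.executed_at:
                # Negative MTTD means clock skew or the wrong row was picked.
                raise ValueError("observed_at precedes executed_at")
            else:
                r.observed_at, r.status = observed_at, "detected"
            return r
    raise KeyError(f"no seeded result for {step_id}/{rule}")


def summarize(run: Run) -> dict:
    """POV-report style summary: status counts plus median/max MTTD in seconds."""
    counts = {"pending": 0, "detected": 0, "missed": 0}
    for r in run.results:
        counts[r.status] += 1
    ttds = [r.mttd.total_seconds() for r in run.results if r.mttd is not None]
    return {"run_id": run.run_id, "scenario": run.scenario_id, **counts,
            "median_mttd_s": median(ttds) if ttds else None,
            "max_mttd_s": max(ttds) if ttds else None}


def to_markdown(run: Run) -> str:
    """Markdown table of the validated rows, as the POV report export would list them."""
    lines = ["| Step | Rule | Technique | Status | MTTD |", "|---|---|---|---|---|"]
    for r in run.results:
        mttd = f"{int(r.mttd.total_seconds())}s" if r.mttd is not None else "-"
        lines.append(f"| {r.step_id} | {r.rule} | {r.technique} | {r.status} | {mttd} |")
    return "\n".join(lines)


def demo_run() -> Run:
    """Walk one step through execution and validation with constructed timestamps."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    run = create_run(SCENARIO)
    mark_executed(run, "step-1", t0)
    validate(run, "step-1", "Sensitive File Read by Web Service Account", t0 + timedelta(seconds=95))
    validate(run, "step-1", "BIOC: Shell Spawned by Web Server", None)
    return run


if __name__ == "__main__":
    run = demo_run()
    print(to_markdown(run))
    print(summarize(run))
```

The rows are seeded before anything executes, so a detection that never fires shows up as a pending or missed row rather than silently disappearing; that is the property that makes the loop a quality-assurance check rather than a log of whatever happened to alert.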
```bash
# Bootstrap the full stack (Docker Compose: SimCore + agent + Postgres + Redis)
./install.sh
# Or run SimCore standalone
docker compose up -d --build
```
UI at http://localhost:8888, API docs at http://localhost:8888/docs.
Full install guide: Installation · Architecture: Architecture · API reference: API-Reference.
| Component | What it does | Source |
|---|---|---|
| SimCore | FastAPI orchestrator, scenario loader, push/pull dispatch, POV report generator | core/ |
| cortexsim-agent | Go pull-model beacon with identity harness | agent/ |
| React UI | Three-column scenario console, MITRE heatmap, results validator, EAL simulator | ui/ |
| EAL plugins | Egress Abstraction Layer — LLM, browser, agentic, network primitives | core/eal_simulator/plugins/ |
| Plane validators | cortex-vulnerable-llm, cortex-prompt-attacker, cortex-browser-attacker, cortex-malicious-agentic-pack | sources/ |
- Analytics rules — 167 expected detections (XSIAM correlation, XDR analytics)
- BIOC rules — 87 expected detections (behavioural IOC, runtime model)
- IOC matches — 6 expected detections (signature, hash, indicator feed)
- No wrapper code around external tools. SimCore calls real binaries with their native CLI flags. The Tool Instantiation Layer is a process manager, not a translation layer.
- Scenarios are YAML source-of-truth. The database stores run history only. Every scenario in this wiki is regenerated from scenarios/<plane>/*.yml.
- Strict identity harnessing. Every step runs under a service account (www-data, postgres, nobody, node, svc-backup) to produce realistic process causality.
- Push bundles are self-contained. Execute on clean Ubuntu 22.04 with no SimCore dependency at runtime.
- All API responses are structured JSON — including errors.
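The identity-harness principle above, as an added example written for this page (not the project's agent code, which is Go): the step's service account is checked against an allowlist, resolved to uid/gid, and the privileges are dropped in the child before the real binary runs with its native argv. The account names are the ones listed on this page; the lookup table and helper names are constructed for illustration.

```python
"""Added illustration of an identity harness: run a scenario step as one of the
page's service accounts, never as the orchestrator's own user.

Example code for this wiki page, not CortexSim's Go agent. FAKE_PASSWD is a
constructed lookup table so the resolution logic can be exercised offline;
actually dropping privileges requires the orchestrator to start as root.
"""
from __future__ import annotations

import os
import pwd
import subprocess
from typing import Callable, NamedTuple

# Service accounts named on this page; anything else is refused outright.
SERVICE_ACCOUNTS = frozenset({"www-data", "postgres", "nobody", "node", "svc-backup"})


class PasswdEntry(NamedTuple):
    pw_name: str
    pw_uid: int
    pw_gid: int


# Constructed stand-in for the host's passwd database (uids/gids are made up).
FAKE_PASSWD = {
    "www-data": PasswdEntry("www-data", 33, 33),
    "postgres": PasswdEntry("postgres", 999, 999),
    "nobody": PasswdEntry("nobody", 65534, 65534),
    "node": PasswdEntry("node", 1001, 1001),
    "svc-backup": PasswdEntry("svc-backup", 1002, 1002),
    "root": PasswdEntry("root", 0, 0),
}


def fake_lookup(name: str) -> PasswdEntry:
    """Mimics pwd.getpwnam against the constructed table."""
    try:
        return FAKE_PASSWD[name]
    except KeyError:
        raise KeyError(f"getpwnam(): name not found: '{name}'") from None


def resolve_identity(account: str, lookup: Callable[[str], object] = pwd.getpwnam) -> tuple[int, int]:
    """Allowlist first, then resolve; refuse uid 0 even if someone edits the list."""
    if account not in SERVICE_ACCOUNTS:
        raise PermissionError(f"{account!r} is not an approved service account")
    ent = lookup(account)
    if ent.pw_uid == 0:
        raise PermissionError("harness will not run a step as uid 0")
    return ent.pw_uid, ent.pw_gid


def make_preexec(uid: int, gid: int) -> Callable[[], None]:
    """Child-side privilege drop: supplementary groups, then gid, then uid (order matters)."""
    def drop() -> None:
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)
    return drop


def run_step(account: str, argv: list[str], lookup=pwd.getpwnam, timeout: int = 60) -> subprocess.CompletedProcess:
    """Execute the native binary (argv list, no shell) under the service account."""
    uid, gid = resolve_identity(account, lookup)
    return subprocess.run(argv, preexec_fn=make_preexec(uid, gid),
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # With the constructed table this only shows the resolution; a real run
    # needs root and the real pwd.getpwnam (the default lookup).
    print(resolve_identity("www-data", fake_lookup))
```

Keeping the allowlist and the uid-0 refusal inside the harness, rather than in the YAML, means a mistyped identity in a scenario fails closed before any binary is spawned, and the process tree Cortex sees has the realistic parent/child causality the page calls out.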
| Phase | Status |
|---|---|
| Phase 1 (FastAPI core, scenarios, agent, UI) | ✅ shipped |
| Phase 2 (cortex-vulnerable-llm + AIRS scenarios) | ✅ shipped |
| Phase 3 (IaC generator — AWS providers complete) | ✅ shipped |
| Phase 4 (AI Access Security plane) | ✅ shipped |
| Phase 5 (KOI agentic endpoint plane) | ✅ shipped |
| Phase 6 (Prisma Browser plane) | ✅ shipped |
| Phase 7 (EAL Simulator console + Validation Wizard) | ✅ shipped |
| Phase 8 (POV report generator + ATT&CK Navigator export) | ✅ shipped |
| Phase 9 (XSIAM tenant integration — closed-loop validation) | 🚧 design |
This wiki regenerates from scenarios/. Edits made here will be overwritten on the next sync.