Vyrox Simulator provides deterministic, redacted alert payload generation for integration testing and demos of the Vyrox ingestion and triage pipeline without touching production tenants. Pure shell scripts -- no Python, no Lua, no dependencies beyond bash, openssl, and curl.
Website: vyrox.dev. General enquiries: hello@vyrox.dev
You cannot run realistic SOC integration tests against a real production CrowdStrike tenant every time someone changes a parser or confidence threshold. At best you get inconsistent results. At worst you generate a real incident while trying to test a fake one.
The simulator solves that by producing stable payloads that match real-world alert structure closely enough to exercise normalization, heuristic pattern matching, queueing, and surfacing to the operational console. It is boring by design, which is ideal for regression testing.
```text
[Shell Scenario]
  | mimikatz.sh
  v
[simulate.sh]
  | sources scenario, builds JSON payload
  | signs with HMAC-SHA256
  v
[POST /webhook/<source>]
  | local ingestion endpoint
  v
[202 Accepted]
```
Simulated payload coverage includes both CrowdStrike and SentinelOne alerts, defined as pure shell scripts with build_payload() functions.
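The sign-and-post step from the diagram, written out as an added example (this is not the project's simulate.sh, and the function names are hypothetical). The page does not say which header carries the signature, whether the secret string is used as raw key bytes or hex-decoded, or exactly which bytes are signed, so the block assumes a `X-Vyrox-Signature` header, the raw secret string as the key, and the unmodified request body as the signed data; the ingestion side must use the same convention or every request will fail verification. If the receiver hex-decodes the 64-character secret, replace `-hmac "$secret"` with `-mac HMAC -macopt hexkey:"$secret"`.

```bash
#!/usr/bin/env bash
# Added example, not code from the Vyrox Simulator repository.
# Assumptions (the page does not specify them):
#   - the signature is sent in the X-Vyrox-Signature header
#   - the secret string is the raw HMAC key (no hex decoding)
#   - the signed bytes are exactly the request body, byte for byte
set -eu

# Hex HMAC-SHA256 of $2 under key $1.
# awk prints the last field so both "(stdin)= <hex>" and bare "<hex>" output forms work.
sign_payload() {
  local secret="$1" body="$2"
  printf '%s' "$body" | openssl dgst -sha256 -hmac "$secret" | awk '{print $NF}'
}

# Receiver-side check: recompute over the received body and compare.
# Returns 0 when the presented signature matches. Shell string comparison is not
# constant-time; a production verifier should use a constant-time compare.
verify_signature() {
  local secret="$1" body="$2" presented="$3" expected
  expected="$(sign_payload "$secret" "$body")"
  [ "$expected" = "$presented" ]
}

# POST a signed body to <base_url>/<source> and print the HTTP status code.
# Not called below: it needs the local ingestion service from the Prerequisites.
post_alert() {
  local base_url="$1" source="$2" secret="$3" body="$4" sig
  sig="$(sign_payload "$secret" "$body")"
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -X POST "${base_url}/${source}" \
    -H 'Content-Type: application/json' \
    -H "X-Vyrox-Signature: ${sig}" \
    --data-binary "$body"
}

# Constructed sample body (not a real alert); a scenario's build_payload() would emit this.
SAMPLE_BODY='{"detect_id":"cs-demo","customer_id":"acme-corp","severity":"CRITICAL"}'
# Same body with one field changed, to show that any edit breaks the signature.
TAMPERED_BODY='{"detect_id":"cs-demo","customer_id":"acme-corp","severity":"LOW"}'

demo() {
  local secret="replace-with-64-hex-characters" sig
  sig="$(sign_payload "$secret" "$SAMPLE_BODY")"
  echo "signature: $sig"
  verify_signature "$secret" "$SAMPLE_BODY" "$sig" && echo "original body: verified"
  verify_signature "$secret" "$TAMPERED_BODY" "$sig" || echo "tampered body: rejected"
}
demo
```

The receiver must verify over the raw bytes it received, not over a re-serialized copy of the parsed JSON, since key ordering or whitespace changes would alter the digest; the same rule applies to `--data-binary` on the sending side, which is why the block avoids `-d` (curl's `-d` strips newlines from file input).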
Prerequisites:
- bash 4+
- openssl (for HMAC signing)
- curl (for HTTP requests)
- A local Vyrox ingestion service running on http://localhost:8001
- A shared webhook secret matching your local ingestion config
Run a simulation scenario:
```bash
# Run the Mimikatz scenario
./simulate.sh mimikatz \
  --url http://localhost:8001/webhook \
  --secret replace-with-64-hex-characters

# Dry run - see the payload without sending
./simulate.sh mimikatz --dry-run

# Multi-stage attack - run all 8 stages
./simulate.sh lateral --all-stages

# Multi-stage attack - run a single stage
./simulate.sh lateral --stage 5

# Multi-tenancy testing
VYROX_TENANT_ID=acme-corp ./simulate.sh mimikatz
```

Prefer setting VYROX_HMAC_SECRET in the environment over passing `--secret` on the command line: a command-line argument is visible to every local user through `ps` and ends up in shell history, even for a test-only secret.

Available scenarios:

| Scenario | Source | Severity | Description |
|---|---|---|---|
| mimikatz | CrowdStrike | CRITICAL | Credential dumping via LSASS memory |
| lateral | CrowdStrike | Mixed | 8-stage attack chain: Initial Access through Exfiltration |
| ransomware | CrowdStrike | CRITICAL | File encryption behavior |
| sentinelone_lateral | SentinelOne | HIGH | Lateral movement via PsExec |
| benign | CrowdStrike | LOW | Scheduled backup job (false positive test) |
| powershell_encoded | CrowdStrike | HIGH | Encoded PowerShell download cradle |
New scenarios are shell scripts in scenarios/ with a .sh extension. Each must:
- Define SCENARIO_NAME, SCENARIO_SOURCE, SCENARIO_SEVERITY, SCENARIO_TACTIC, SCENARIO_TECHNIQUE
- Implement a build_payload() function that takes tenant_id as its first argument
- Output valid JSON to stdout
Multi-stage scenarios use the naming convention <prefix>_stage<N>.sh (e.g., lateral_stage1.sh).
Example:
```bash
#!/usr/bin/env bash
# Scenario metadata read by simulate.sh after the file is sourced.
SCENARIO_NAME="my_scenario"
SCENARIO_SOURCE="crowdstrike"
SCENARIO_SEVERITY="HIGH"
SCENARIO_TACTIC="Execution"
SCENARIO_TECHNIQUE="T1059"

# Emit the alert JSON on stdout; simulate.sh signs it and POSTs it.
# The first argument is the tenant id (VYROX_TENANT_ID or the default).
build_payload() {
  local tenant_id="${1:-default-tenant}"
  cat <<EOF
{
  "detect_id": "cs-$(date +%s)",
  "customer_id": "${tenant_id}",
  "timestamp": $(date +%s),
  "sensor": { "hostname": "test-host" },
  "process": {
    "user_name": "testuser",
    "file_name": "suspicious.exe",
    "command_line": "suspicious.exe --malicious",
    "sha256": "0000000000000000000000000000000000000000000000000000000000000000"
  },
  "tactic": "${SCENARIO_TACTIC}",
  "technique": "${SCENARIO_TECHNIQUE}",
  "severity": "${SCENARIO_SEVERITY}"
}
EOF
}
```

Note that `detect_id` and `timestamp` above are derived from `date +%s`, so two runs of this template in the same second collide and runs in different seconds differ; scenarios whose payloads must be byte-for-byte reproducible for regression fixtures should derive these from fixed values instead.

Environment variables:

| Variable | Required | Default | Description |
|---|---|---|---|
| VYROX_URL | No | http://localhost:8001/webhook | Ingestion webhook base URL |
| VYROX_HMAC_SECRET | No | replace-with-64-hex-characters | HMAC signing secret |
| VYROX_TENANT_ID | No | default-tenant | Tenant identifier for multi-tenancy |

The default for VYROX_HMAC_SECRET is a placeholder, not a working credential; set it to the shared secret configured in your local ingestion service, or the signed requests will not verify.
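A loader that enforces the scenario contract described above before sourcing a scenario, and that runs multi-stage files in numeric order, as an added example (not the project's simulate.sh; `check_scenario`, `stage_names` and `valid_scenario_name` are hypothetical helper names). Sourcing a scenario file executes it as shell code, so the loader refuses any name that is not a plain identifier under scenarios/ and runs the contract checks in a subshell so a scenario cannot alter the loader's own variables. The fixture scenarios are constructed in a temporary directory so the block runs offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the Vyrox Simulator repository.
# Helper names are hypothetical; fixture scenarios are constructed below.
set -eu

REQUIRED_VARS="SCENARIO_NAME SCENARIO_SOURCE SCENARIO_SEVERITY SCENARIO_TACTIC SCENARIO_TECHNIQUE"

# Accept only plain identifiers. A name is joined to a directory and sourced,
# so "../" segments, slashes and absolute paths must never reach the loader.
valid_scenario_name() {
  case "$1" in
    ''|*[!a-zA-Z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Source <dir>/<name>.sh in a subshell and check the contract:
# every required variable set, build_payload() defined, output looks like a JSON object.
# Returns 1 (with a reason on stderr) on the first violation.
check_scenario() {
  local dir="$1" name="$2" file
  valid_scenario_name "$name" || { echo "refusing scenario name: $name" >&2; return 1; }
  file="$dir/$name.sh"
  [ -f "$file" ] || { echo "no such scenario: $file" >&2; return 1; }
  (
    set -eu
    # shellcheck disable=SC1090
    . "$file"
    for var in $REQUIRED_VARS; do
      eval "[ -n \"\${$var:-}\" ]" || { echo "$name: missing $var" >&2; exit 1; }
    done
    command -v build_payload >/dev/null || { echo "$name: build_payload() not defined" >&2; exit 1; }
    out="$(build_payload "default-tenant")"
    case "$out" in
      '{'*'}') ;;
      *) echo "$name: build_payload did not emit a JSON object" >&2; exit 1 ;;
    esac
  )
}

# Print <prefix>_stage<N> names in numeric order of N. A plain lexical sort
# would place stage10 before stage2, which breaks --all-stages ordering.
stage_names() {
  local dir="$1" prefix="$2" f n
  for f in "$dir/${prefix}"_stage*.sh; do
    [ -e "$f" ] || continue
    n="${f##*_stage}"; n="${n%.sh}"
    case "$n" in ''|*[!0-9]*) continue ;; esac
    printf '%s %s\n' "$n" "$(basename "$f" .sh)"
  done | sort -n | awk '{print $2}'
}

# Constructed fixtures (not the project's real scenarios): four valid stages,
# including stage10 to exercise ordering, and one that violates the contract.
make_fixtures() {
  local dir="$1" i
  mkdir -p "$dir"
  for i in 1 2 3 10; do
    cat > "$dir/lateral_stage$i.sh" <<EOF
SCENARIO_NAME="lateral_stage$i"
SCENARIO_SOURCE="crowdstrike"
SCENARIO_SEVERITY="HIGH"
SCENARIO_TACTIC="Lateral Movement"
SCENARIO_TECHNIQUE="T1021"
build_payload() { printf '{"detect_id":"cs-lateral-%s","customer_id":"%s"}\n' "$i" "\$1"; }
EOF
  done
  cat > "$dir/broken.sh" <<'EOF'
SCENARIO_NAME="broken"
SCENARIO_SOURCE="crowdstrike"
SCENARIO_SEVERITY="LOW"
SCENARIO_TACTIC="Execution"
build_payload() { printf '{}\n'; }
EOF
}

main() {
  local dir
  dir="$(mktemp -d)"
  make_fixtures "$dir"
  echo "stages in run order:"; stage_names "$dir" lateral
  check_scenario "$dir" lateral_stage1 && echo "lateral_stage1: contract ok"
  check_scenario "$dir" broken || echo "broken: rejected"
  check_scenario "$dir" "../../etc/passwd" || echo "traversal name: rejected"
  rm -rf "$dir"
}
main
```

The JSON check here is deliberately shallow (an object-shaped string), since the repo allows no dependencies beyond bash, openssl and curl; the ingestion service's own parser is the real test, which is what the dry-run mode and a local endpoint are for.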
Contributions are welcome for new simulation scripts, edge-case payloads, and test scenarios. Reproducible false-positive and false-negative simulation cases are particularly useful.
Do not submit raw production customer payloads, unredacted host/user identifiers, or fixtures that cannot be legally shared. Do not add scripts that execute containment actions; this repo simulates alerts only.
See CONTRIBUTING.md for contribution workflow and required review expectations.
Security contact: security@vyrox.dev
This repository is released under the MIT License. See LICENSE for details.
