Attack Range Documentation

The Splunk Attack Range builds instrumented cloud environments (AWS, Azure, GCP), simulates attacks, and forwards data into Splunk for detection development and testing.

The preferred way to run Attack Range is Docker Compose, which starts the web app and API (and optionally the CLI) without installing Python, Ansible, or Terraform locally.

Contents

• Getting Started
  • Prerequisites
  • Running with Docker Compose (recommended)
  • Using the Web App
  • Using the API
  • Using the CLI
  • Two-phase build (VPN then lab)
  • Next steps
• Configuration
  • Config file structure
  • General section
  • Provider sections
  • Attack range (servers)
  • Where configs live
  • Creating a config from a template
  • Environment and credentials
• Networking
  • Overview
  • Two-phase build and VPN
  • WireGuard VPN
  • Connecting
  • Using the range over VPN
  • Sharing access (multiple users)
  • Firewall and IP whitelist
  • Troubleshooting
• Sharing
  • How sharing works
  • When you can share
  • Using the app
  • Using the API
  • Using the CLI
  • Passing the config to others
  • Revocation
  • Summary
• Templates
  • Where templates live
  • Built-in templates (by provider)
  • Template structure
  • Listing and fetching templates
  • Creating a custom template
• Ansible Roles
  • Using any Ansible Galaxy role in a template
  • How roles are installed and run
  • Summary

Quick links

• Getting Started — Docker Compose, web app, API, and CLI.

• Configuration — Config file structure and provider options.

• Networking — Two-phase build and connectivity; includes a WireGuard VPN section (why WireGuard, server/client, config storage, official clients, sharing).

• Sharing — Giving others access with additional WireGuard configs.

• Templates — Built-in templates and custom template layout.

• Ansible Roles — Bundled roles (Atomic Red Team, CAP Attack, data replay, PurpleSharp) and how they are used.