Defense, training, Blue Team Training Toolkit, BT3, computer network defense analysis training, create realistic computer attack scenario

Blue Team Training Toolkit (BT3) introduces improvements in current computer network defense analysis training. Based on adversary replication techniques, and with reusability in mind, BT3 allows individuals and organizations to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk.

BT3 v2.3 – New Features

Blue Team Training Toolkit version 2.3 includes several new features and improvements. Maligno module now supports DEBUG and PATCH HTTP methods. Pcapteller module now supports packet payload manipulation. New API commands have been implemented. Update routine now downloads and deploys new BT3 versions automatically. In addition, documentation updates and minor adjustments have been included.

Technical Details

Details about the most relevant features in this release are listed below:

  • DEBUG and PATCH HTTP methods
    Maligno is a BT3 module designed for attack simulations that require risk free / fictive malware infections, or targeted attacks with specific C&C communications. The module follows a client-server architecture, where the server component is hosted by the same computer where BT3 is running. The client component can be deployed on different machines if desired.

    Maligno now supports DEBUG and PATCH HTTP methods, which can be used by your malware indicator profiles. According to Microsoft, the HTTP DEBUG verb is used within ASP.NET applications to start and stop remote debugging sessions. This HTTP request is used to verify that the process of the application is running and to select the correct process to attach. The HTTP PATCH request method applies partial modifications to a resource.

  • Packet payload manipulation
    The BT3 module Pcapteller reads packets from a PCAP file, and it replays them into the network. The module allows packet manipulations prior to replay, so it is possible to customize the traffic with specific indicators that fit your environment.

    In earlier versions it was possible to customize MAC addresses and IP addresses. You can now customize the packets’ payload contents as well.

  • New API commands
    Blue Team Training Toolkit offers an optional content subscription via an online API, which includes realistic network traffic related to a wide range of network attacks, mock malware samples and important malware indicator profiles. The online library is growing constantly, and ensures a “plug and play” experience, when planning and preparing a training session.

    You can now delete your API account at any time by invoking “apidelete” while being authenticated with your user account. Beware any information associated with your user account, credit balance and licensed material will be lost once the command is completed. This operation cannot be reverted.

  • Improved update routine
    The BT3 application’s current version can be displayed by using the command “version”, while the command “bt3update” will check for new updates. The update mechanism is now able to download and deploy new updates on demand.

    Updates will be deployed in a new folder at the same directory level as the existing installation. This means that the existing installation will remain as it is without modifications, nor risk for inconsistencies or data loss.


Check out the BT3 user guide, or the Blue Team Training Toolkit Video Series for practical examples.

You can also download the new version of the Blue Team Training Toolkit and test it for yourself!