Threat Simulation Index 2026 Release

Jan 9, 2026

The 2026 release for our Threat Simulation Index is now available for download: https://vectr.io/download-index/.

The 2026 Threat Simulation Index (“Threat Index” or TSI) is a Threat-Driven Test Plan built annually with 100+ organizations across sectors. It changes annually so that it can reflect updated threat groups, software, and active TTPs used by adversaries. The Threat Index includes 55 test cases, applicable to any industry, and can be used to establish a common ground and prioritization for alignment with MITRE ATT&CK and to measure threat resilience against an industry benchmark.

The included threat/software groups are:

  • APT29
  • Lumma
  • Akira
  • ShinyHunters
  • Storm-2603
  • MuddyWater
  • Cephalus
  • Qilin
  • Play
  • Famous Chollima
  • Vidar
  • XWorm
  • RansomHub
  • SocGholish
  • Gootloader
  • UNC1549
  • Scattered Spider


New in 2026

New in 2026 are more on-premises Active Directory tests, namely for SCCM and ADCS, both of which have seen significant public attack research in recent years. Also added are endpoint network tampering tests covering the local firewall and endpoint security tool connectivity.


Gone in 2026

Gone in 2026 are the Infrastructure-as-a-Service (IaaS) tests for Azure and AWS. While these were good test cases, our testing experience in 2025 showed that most organizations were not ready to run them in the same timeframe as the core Index tests, so they often did not get executed. Removing the IaaS test cases does, however, significantly reduce the logistical complexity of performing the Index (i.e., accounts/access, tools). We found that many organizations with cloud detections top of mind used SRA's full AWS, GCP and Azure test plans in their VECTR instances.

Other cuts were typically the result of a technique not being featured in recent intelligence reports, such as modifying Conditional Access Policies and creating inbox rules. Organizations that ran the 2025 Index will still have strong content for these areas if they choose to repeat those tests in 2026.


ALLCAPS

Starting in 2025, we began using our open-source ALLCAPS framework (https://github.com/SecurityRiskAdvisors/ALLCAPS) for Index projects (and all other Purple Teams / Threat Emulations, for that matter). We now use ALLCAPS-generated payloads in place of commodity/native methods like “LOLBins” as this allows for more behavior-centric testing and helps highlight robustness issues in block/detection criteria. The 2026 Index will continue to provide command and operator guidance that features commodity execution methods, but we encourage users of the Index to consider more behavior-centric approaches like ALLCAPS.

Refer to our dedicated post about ALLCAPS for more information, as well as our presentation at BSides Philly 2025.

If you want help with the Threat Index and an independent benchmark for your organization, don't hesitate to contact us using the form below.

Evan Perotti
Lead Scientist

Evan specializes in network penetration testing, web application security testing, open source intelligence gathering, and security testing process automation.

He has experience in a variety of industries including retail, insurance, financial services, and healthcare.