Leonidas is a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties. These definitions can then be compiled into:

- A web API exposing each test case as an individual endpoint
- Sigma rules (https://github.com/Neo23x0/sigma) for detection
- Documentation - see http://detectioninthe.cloud/ for an example

The project was originally designed for use in AWS environments, with the following architecture:

In 2024, Leonidas was extended to support Kubernetes environments. Its resources can be deployed within the target cluster, as per the following architecture: