Working with Activities
Activities are the core unit of work in RAPTR. This page covers everything you can do with activities and activity groups.
Activity Table Views
RAPTR offers two ways to browse activities within an assessment:
- Grouped view: Activities are organized under their activity groups, with collapsible sections
- Flat view: All activities are displayed in a single list regardless of grouping
You can toggle between these views from the assessment toolbar. Both views support filtering by state, priority, visibility, and tags.
Add or remove columns
You can add or remove columns from the activity table by clicking the Columns button. This allows you to customize the view to your needs.
Creating an Activity
- Open an assessment
- Click the + Create Activity button
- Provide a name and MITRE ATT&CK mapping (tactic and technique)
- The activity is created in the Pending state
After creation, open the activity to fill in the remaining details.
Default Group
When creating an activity, it is automatically assigned to the default group. Currently it is not possible to directly assign an activity to a group during creation. You can move the activity to a different group after creation.
Deleting and Restoring Activities
Activities are soft deleted. This means that they are not permanently deleted, but instead marked as deleted and can be restored later.
Duplicating an Activity
Admins and Red Team members can duplicate an activity to create a copy with all its properties. This is useful when you need a similar activity with small variations.
Bulk Operations
Select multiple activities to perform bulk actions:
- Bulk Delete: Soft-delete multiple activities at once
- Bulk Toggle Visibility: Show or hide multiple activities
- Bulk Move to Group: Assign multiple activities to a group
Activity Detail View (Form View)
Clicking an activity opens the detail view with a sidebar listing all activities and a main panel showing the activity form.
Sidebar
The sidebar offers a quick overview and access to all activities and activity groups in the assessment. The sidebar is:
- Filterable and sortable
- Resizable
- Searchable
- Supports flat and grouped views
- Indicates the state of an activity by color-coded icons
- Indicates visibility of activities and activity groups by
Inherited Visibility
The UI currently does not calculate inherited visibility. The visibility icon shown at the activity level indicates only whether the activity itself is hidden or visible. It does not indicate whether the activity is hidden or visible due to the visibility of its parent activity group.
Main Sections
Header
The activity header shows the name and current state. Admins and Red Team members can change the state from the header. Blue Team members can only toggle between Waiting Blue and Waiting Red (when the activity is in one of those states).
Admins and Red Teamers can also access the Knowledge Base and History sections from the header.
General Information
The General section has three main purposes:
- It defines the activity (the what, the why and the prerequisites)
- It defines the expected outcome of the activity (the expected result)
- It defines the status of the activity (state, visibility and tags)
Definition
- Name: The activity name
- MITRE Tactic: The ATT&CK tactic (e.g., Execution, Persistence)
- MITRE Technique: The specific technique or sub-technique (e.g., T1204.001 - User Execution: Malicious Link)
- Priority: Use this field to indicate the importance of this activity. How important is it for the Blue Team to detect this activity?
- Activity Group: Which activity group this activity belongs to. You can change the group through this dropdown. The position of the activity in the new group will be at the end
- Rationale: Explain why this activity is tested. Supports Markdown
- Requirements: Explain environmental prerequisites that must be in place before execution, see overcoming requirements hell. Supports Markdown
Strict MITRE mapping
Currently the MITRE mapping is not strictly enforced in the backend. It is possible to create an activity with a MITRE mapping that is not valid. This will lead to the activity not being displayed in the MITRE ATT&CK Heatmap or in the MITRE ATT&CK Navigator export. The frontend enforces a strict mapping by only allowing or filtering techniques based on the chosen tactics, and vice versa.
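Because the backend accepts invalid pairs, it can help to check activity records before relying on the heatmap or Navigator export. The following is an added example, not RAPTR code: the record field names are hypothetical, and the technique-to-tactic table is a small constructed subset of ATT&CK that a real check would replace with the full dataset.

```python
import re

# Constructed subset of ATT&CK technique -> tactics; a real check would load
# the full mapping from the official ATT&CK dataset.
TECHNIQUE_TACTICS = {
    "T1204": {"Execution"},
    "T1059": {"Execution"},
    "T1566": {"Initial Access"},
    "T1547": {"Persistence", "Privilege Escalation"},
}
TECHNIQUE_ID = re.compile(r"T[0-9]{4}(\.[0-9]{3})?")


def check_mapping(tactic, technique_id):
    """Return None if the tactic/technique pair is valid, else a reason string."""
    if not TECHNIQUE_ID.fullmatch(technique_id or ""):
        return "malformed technique id"
    # Sub-techniques inherit the tactics of their parent technique.
    # Only the parent is looked up here; the sub-technique number is not verified.
    parent = technique_id.split(".")[0]
    tactics = TECHNIQUE_TACTICS.get(parent)
    if tactics is None:
        return "unknown technique"
    if tactic not in tactics:
        return "technique does not belong to tactic"
    return None


def invalid_activities(activities):
    """Map activity name -> reason for every activity with an invalid mapping."""
    problems = {}
    for act in activities:
        reason = check_mapping(act.get("tactic"), act.get("technique"))
        if reason:
            problems[act["name"]] = reason
    return problems


# Constructed sample records; the field names are hypothetical.
SAMPLE = [
    {"name": "Phishing link click", "tactic": "Execution", "technique": "T1204.001"},
    {"name": "Run key", "tactic": "Execution", "technique": "T1547.001"},
    {"name": "Typo id", "tactic": "Persistence", "technique": "T1547.1"},
    {"name": "Macro doc", "tactic": "Initial Access", "technique": "T1566.001"},
]

if __name__ == "__main__":
    for name, reason in invalid_activities(SAMPLE).items():
        print(f"{name}: {reason}")
```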
Expected Outcomes
This section is used to set the expected outcomes of the activity. The settings here will have direct consequences on the static evaluation questions.
- Expected Severity: Set the expected severity for the expected alert and stakeholder notification
- Expected Logging: Set whether the activity is expected to be logged
- Expected Prevention: Set whether the activity is expected to be automatically prevented
- Expected Alerting: Set whether the activity is expected to trigger an alert
- Expected Stakeholder Notification: Set whether the activity is expected to trigger a stakeholder notification
Alert and Stakeholder Notification terminology
The term Alert is used in RAPTR for any kind of automatically generated information that the Blue Team receives from the security stack. This can be a SIEM alert, an EDR alert, a firewall alert, etc.
Stakeholder Notification refers to any kind of notification sent to stakeholders. This term originates from the fact that we often test external MSSPs/SOCs on behalf of the customer, without informing the Blue Team about the test. As well as the SOC's detection capabilities, the customer is also interested in testing whether the SOC adheres to defined processes and procedures. For example, SLAs and escalation through defined channels. Using the evaluation templates, you can define any metric for stakeholder notifications. E.g. quality and correctness of the notification etc.
Only one expected severity
Currently there is only one expected severity for alerts and stakeholder notification. The assumption is that both notifications should have the same severity level.
States
- State: The current state of the activity
- Visibility: Whether the activity is visible to Blue Team and Spectators
- Tags: Colored labels for categorization
Activity Details Section
This section is for documenting the execution of the activity.

- Assets: Source, Destination and Tool assets can be selected here. See asset management for more information
- Start Time: The time when the activity was started; used in static evaluations (Date and time field)
- End Time: The time when the activity was ended (Date and time field)
- Activity Actions: Step-by-step instructions on how the activity was executed. Supports Markdown
- Activity Notes: Additional context or observations. Supports Markdown
Activity Detection Section
This section is for documenting the observed result of the activity.
| Category | What It Means |
|---|---|
| Activity Logged | The activity was captured in system logs (e.g., event logs, SIEM, EDR telemetry). This is the most basic level of detection — the activity left a trace. |
| Activity Prevented | A security control actively blocked the activity from succeeding (e.g., EDR quarantine, firewall rule, application whitelisting). |
| Activity Alerted | The activity triggered a security alert that would be seen by an analyst (e.g., SIEM correlation rule, EDR alert, IDS signature match). |
| Stakeholder Notification Created | A formal notification was sent to stakeholders or management about the activity (e.g., escalation to incident response, SOC notification to leadership). This measures the full detection-to-communication chain. |
For each category the Blue Team records whether the detection actually occurred along with the following additional data:
- Detection notes: For each category, the Blue Team can explain their observations in detail, regardless of whether the detection actually occurred. Supports Markdown
- Detection timestamp: For each category, a timestamp can be recorded to indicate when the detection occurred. This is used in the static evaluation. (Date and time field)
- Detection assets: Assets can be linked to show which systems (log sources, prevention sources, alert sources, stakeholder notification sources) were involved.
- Detection severity: For Alert and Stakeholder Notification, the occurred severity can be recorded; this is used in the static evaluation
Evaluation Section
The evaluation section shows how the activity performed against expectations. It is split in two main parts:
- The static evaluation
- The dynamic evaluation
Static Evaluation Questions
The static evaluation section shows the following data:
- Overview of pass/fail/N/A for each detection category, based on expected vs. occurred detection
- Activity Coverage Score shows a percentage value of checks that passed
- Timing evaluations for measuring the Event to Alert and Alert to Stakeholder notification time (auto-calculated)
- Severity evaluations for measuring the occurred severity for alert severity and stakeholder notification severity (auto-calculated)
Auto-calculated fields
The text of the timing and severity static evaluation questions is auto-calculated. Nevertheless, these fields support Markdown and you can overwrite them. As long as the field ends in (auto-calculated), the field will be re-calculated on changes.
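The static evaluation described above can be sketched as follows. This is an added example, not RAPTR's own code: the N/A rule, the score denominator, the use of Start Time as the "event" timestamp and all field names are assumptions.

```python
from datetime import datetime, timezone

CATEGORIES = ("logged", "prevented", "alerted", "notified")


def evaluate(expected, observed):
    """Compare expected vs. occurred detection per category.

    Assumed rules (not taken from RAPTR): a category is N/A when either side
    is None, passes when the observed value equals the expectation, and the
    coverage score is passed / (passed + failed), ignoring N/A.
    """
    results = {}
    for cat in CATEGORIES:
        exp, obs = expected.get(cat), observed.get(cat)
        if exp is None or obs is None:
            results[cat] = "N/A"
        else:
            results[cat] = "pass" if exp == obs else "fail"
    scored = [r for r in results.values() if r != "N/A"]
    score = round(100 * scored.count("pass") / len(scored)) if scored else None
    return results, score


def elapsed_minutes(start, end):
    """Minutes between two timezone-aware timestamps, or None if one is missing."""
    if start is None or end is None:
        return None
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware (UTC)")
    return (end - start).total_seconds() / 60


def utc(text):
    """Parse an ISO timestamp and mark it as UTC, matching how values are stored."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed sample activity.
EXPECTED = {"logged": True, "prevented": False, "alerted": True, "notified": True}
OBSERVED = {"logged": True, "prevented": False, "alerted": True, "notified": False}
START = utc("2024-05-06T09:00:00")
ALERT_AT = utc("2024-05-06T09:12:30")
NOTIFY_AT = None  # no stakeholder notification was created

RESULTS, SCORE = evaluate(EXPECTED, OBSERVED)
EVENT_TO_ALERT = elapsed_minutes(START, ALERT_AT)
ALERT_TO_STAKEHOLDER = elapsed_minutes(ALERT_AT, NOTIFY_AT)
```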

Dynamic Evaluation Questions
You can either add new evaluation template questions here or, if you added them to the default evaluation questions on the assessment level, they will appear here as well. The dynamic evaluation questions can be used for any kind of evaluation that is not covered by the static evaluation questions.
Attachments
Upload files as evidence or supporting documentation. Files are categorized as either Red (from the Red Team) or Blue (from the Blue Team). Supported file types include PNG, JPEG, JPG, and TXT.

File size restriction
Currently there is no file size limit.
File renaming
All text files will have the extension .txt appended to their name upon upload.
Markdown Fields
All free text fields in the activity form support Markdown formatting. Furthermore, you can paste images directly from your clipboard.
Markdown export in report
Both the HTML and DOCX report templates convert Markdown fields. However, not all Markdown syntax is appropriate for reports. For example, adding a heading at level 1 to a Markdown field will render it as a heading level 1 in the report. This may not be what you want.
Copy pasted images
Images that were uploaded via copy paste into a Markdown field will appear in the Attachments section of the activity. From there you can permanently delete them if you want to.
Date and Time Fields
You can change between UTC and your local time from the toolbar.
The format used to display time (24h or AM/PM) and date format (e.g. MM/DD/YYYY or DD/MM/YYYY) can be configured in your profile settings.
Use the calendar or the now button to set the date and time. You can also type a date and time directly into the field. RAPTR will do its best to parse the date and time you enter.
UTC in database
All date and time values are stored in UTC in the database.
Activity History
Each time an activity is saved, a versioned copy is stored in the database. Through the history function, administrators and Red Team members can view an activity's history. Everything except the attachments is preserved. Therefore, even if an asset is modified, the snapshot reflects its state at the time the activity was saved. The versioned copy is read only.
Snapshots are not in assessment export
The versioned snapshots are not contained in the export of an assessment.
Conflict Resolution
When two users edit the same activity simultaneously, RAPTR detects the conflict and presents a 3-way merge dialog. You can review the differences between your changes and the other user's changes, then choose which version to keep or manually resolve conflicts.
Activity Groups
Creating a Group
Admins and Red Team members can create activity groups from the assessment toolbar to organize related activities.
Moving Activities to Groups
To move an activity to an activity group you have multiple options:
- From the activity table through the ... actions dialog of an activity
- From the activity table via bulk operation
- From the activity detail General information section
- Through the reorder function
Reordering
Both activity groups and activities within groups can be reordered using the reorder function.
Visibility
Groups can be toggled visible or hidden independently of their activities. Hiding a group hides all activities within it from Blue Team and Spectator users. See Visibility for more information.
Deleting and Restoring
Groups support soft delete — deleted groups can be restored. See Deletion for more information.






















