
Introducing Cobalt Strike Traffic Simulation in Nemesis

Detecting command-and-control (C2) communications is critical for security operations, but most organizations struggle to validate whether their detection controls actually work. We've built a solution for this.





What We've Built


Our new atomic accurately reproduces Cobalt Strike's network behavior without executing malicious payloads or performing any harmful activities. The simulation generates authentic HTTP(S)-based C2 traffic patterns using configurable Malleable C2 profiles, matching the packet structures, timing characteristics, and encryption patterns that defenders encounter in real incidents.


It's built directly into Medusa, a core Nemesis component that is also used for testing various exfiltration techniques.


Key capabilities include:

  • Profile-based traffic generation using genuine Malleable C2 profiles (jQuery, Gmail, Slack, and more)

  • Configurable parameters for domain, timing intervals, jitter, and exercise duration

  • Unique session identifiers for each test run to support tracking and analysis

  • No actual malware execution—tasks and results are randomly generated for testing purposes only


Configurable options

What You Get


After each test run, Nemesis provides a detailed analysis report that gives security teams the data needed to validate detection and refine monitoring:


  • Session Details – Complete beacon information including simulated host details, process information, and unique session identifiers that correlate with network logs and SIEM events.

  • Cryptographic Artifacts – RSA keys, AES encryption keys, and HMAC values used in the session. These cryptographic fingerprints help validate whether security tools can identify encrypted C2 channels.

  • Network Indicators – Malleable C2 profile artifacts including cookie headers, user agents, and request patterns. Teams can verify whether their network sensors identify these indicators as malicious.

  • Command Activity – A breakdown of simulated commands (file listings, process enumeration, privilege checks) and callbacks. SOC teams can confirm that their detection logic identifies post-exploitation activity patterns.

This comprehensive reporting transforms testing from a pass/fail exercise into a diagnostic tool. Teams can pinpoint exactly which indicators their controls detect and which ones slip through.
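One check a detection engineer might run over proxy logs captured during a simulation run is a periodicity test on request intervals, which is what the configurable interval and jitter settings exercise. This is an added example, not Nemesis code; the log format, hosts, addresses, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: timestamp, client IP, destination host, URI.
# 10.0.0.5 checks in about once a minute with jitter; 10.0.0.9 is browsing.
SAMPLE_LOG = """\
2025-10-28T10:00:00 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:00:07 10.0.0.9 www.example.test /index.html
2025-10-28T10:00:09 10.0.0.9 www.example.test /style.css
2025-10-28T10:00:41 10.0.0.9 www.example.test /news
2025-10-28T10:00:52 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:01:50 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:02:45 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:03:15 10.0.0.9 www.example.test /search?q=a
2025-10-28T10:03:16 10.0.0.9 www.example.test /search?q=ab
2025-10-28T10:03:43 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:04:38 10.0.0.5 cdn.example.test /static/app.js
2025-10-28T10:05:02 10.0.0.9 www.example.test /news/2
2025-10-28T10:05:36 10.0.0.5 cdn.example.test /static/app.js
"""

def beacon_candidates(log, min_events=5, max_spread=0.25):
    """Return (client, host) pairs whose request intervals look periodic."""
    events = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, host, _uri = parts
        events[(src, host)].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in events.items():
        if len(times) < min_events:
            continue  # too few requests to judge periodicity
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(deltas)
        if mid <= 0:
            continue
        # Largest deviation from the median interval, relative to the median.
        spread = max(abs(d - mid) for d in deltas) / mid
        if spread <= max_spread:
            findings[key] = {"events": len(times), "interval_s": mid,
                             "spread": round(spread, 3)}
    return findings

if __name__ == "__main__":
    print(beacon_candidates(SAMPLE_LOG))
```

Tightening max_spread to 0.05, as a rule written for fixed intervals would, drops the jittered pair from the results. Running the simulation at several jitter settings shows where a given threshold stops firing.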




Who Benefits


The Cobalt Strike C2 traffic simulation isn’t just theoretical; it has tangible applications for security teams. Here are a couple of impactful ways organizations can leverage this feature:


  1. SOC and Detection Engineering can validate that their SIEM rules, network sensors, and behavioral analytics actually trigger on C2 traffic patterns before a real incident occurs.

  2. Network Security Teams can test whether egress controls, TLS inspection policies, and DNS filtering effectively block or alert on C2 communications.

  3. Red Teams and Security Assessors can incorporate realistic C2 traffic into exercises without the operational and legal risks associated with deploying actual offensive frameworks.




Future Developments


At PSI, we remain committed to advancing our Nemesis platform continually. Following the launch of the Cobalt Strike simulation, we plan to introduce additional command-and-control simulations, including Sliver, in the near future. This expansion will not only enhance our platform’s capabilities but also provide security teams with an ever-broadening toolbox to counter sophisticated threats on the horizon.




Building a Stronger Defense


The introduction of our Cobalt Strike C2 traffic simulation represents a significant advancement in network detection testing. By offering a realistic and configurable approach to simulating C2 communications, we empower security teams to validate their defenses effectively.


As cyber threats grow increasingly complex, adopting the right tools is vital. With our Nemesis platform, your organization is better positioned to stay ahead of emerging challenges and enhance its security resilience.


For further details on implementing this feature to elevate your network detection capabilities, we invite you to contact our team.





Your detection controls need validation, not assumptions.

Test your C2 detection with authentic Cobalt Strike simulation.

Know your gaps before they matter.







Want to learn more about how Nemesis can help you?

Fill in the form and we will contact you shortly, or you can always reach out to us via: info@persistent-security.net
