SafeBreach Visual Attack Studio

Develop SafeBreach custom attacks in VS Code with full IDE support including IntelliSense, linting, and one-click deployment.

New to this extension? Open the interactive walkthrough: Command Palette (Cmd+Shift+P) → Welcome: Open Walkthrough → Get Started with SafeBreach

Attack Resource Manager IntelliSense Deploy

Features

Quick Start Workflows

Import and Edit an Existing Attack

Open the Attack Resource Manager in the sidebar
Find your attack and click Import
Edit target.py in VS Code with full IntelliSense
Click Deploy to push changes to SafeBreach
Click Run to test on connected simulators

Create a New Attack from Scratch

Click + in the Attack Resource Manager toolbar
Choose attack type: Host, Exfiltration, Infiltration, or Lateral Movement
Set OS constraint (Windows/Linux/Mac/All) and description
Write your attack code with SafeBreach framework autocomplete
Deploy and run when ready

Clone and Customize an Attack

Right-click any attack → Clone Attack
Enter a new name for the cloned attack
Modify the code to fit your needs
Deploy as a new custom attack

Add or Remove Parameters

Right-click on an attack folder → Add Simple Parameter or Add File Parameter
Enter parameter name, type, and default values
Code snippets are auto-inserted for easy access
To remove: Right-click → Delete Parameter

Attack Resource Manager

Browse all SafeBreach custom attacks (Draft and Published)
Filter by status and search by name or description
Visual indicators: attack type badges, sync status, local changes
Bulk operations: import or deploy multiple attacks at once
Context menu: Deploy, Re-import, Clone, Run, Lint, Copy Attack ID

Workspace Dashboard

Overview: Total attacks, imported locally, pending changes
Quick Access: List of attacks with local changes ready to deploy
Sync History: Last 50 sync operations with timestamps
Navigation: One-click to open any attack folder

Development Workflow

Edit: Full IDE with IntelliSense for SafeBreach framework functions
Lint: Real-time code validation on save and before run/deploy
Deploy: Push local changes to SafeBreach console (Draft attacks only)
Run: Execute on connected simulators with progress tracking
Analyze: View structured results in runs/{test_id}/ folder
Commit: Version control your changes with Git

Parameter Management

Simple Parameters (PARAM): Text values with multiple options
File Parameters (FEED): Binary files stored in SafeBreach feeds
Validation: Automatic checks with errors in Problems panel
Context Menu: Add, delete, and manage parameters easily

Git Integration

Standard Git workflow: branch, commit, push, pull request
Attack files organized in attacks/{id}-{name}/ folders
Pre-configured .gitignore for SafeBreach workspaces
Full version control over your attack code and parameters

Source of Truth: This extension enables a code-first workflow where your Git repository becomes the authoritative source for attack development—not just the code, but also metadata and parameters. This enables collaboration, code review, and full audit trails for your custom attacks.

Requirements

VS Code 1.106.0 or higher
Python 3.9 or higher
SafeBreach Account with API access
Pylance Extension (recommended for best IntelliSense experience)

Getting Started

1. First Launch

On first activation, the extension automatically:

Creates a Python virtual environment
Installs required dependencies
Starts the backend service

This takes 30-90 seconds on first run. Subsequent launches start in just a few seconds.

Note: If Python 3.9+ is not found, you'll be prompted to install it.

2. Connect to SafeBreach

On first launch, you'll see a welcome prompt to connect. Click "Connect Now" and enter:

Base URL: Your SafeBreach console URL (e.g., https://yourcompany.safebreach.com)
API Token: Your SafeBreach API token (requires administrator role)
Account ID: Your SafeBreach account ID

3. Open a Workspace

Open a folder in VS Code where you want to store your attacks
The extension will initialize a SafeBreach workspace automatically
Use the Attack Resource Manager in the sidebar to browse and import attacks

Extension Settings

Setting	Description
`safebreach.baseUrl`	SafeBreach console base URL
`safebreach.apiToken`	SafeBreach API token for authentication
`safebreach.accountId`	SafeBreach account ID
`safebreach.lintOnSave`	Automatically lint attack code when saving (default: true)
`safebreach.lintBeforeRun`	Lint before running attacks (default: true)
`safebreach.lintBeforeDeploy`	Lint before deploying attacks (default: true)
`safebreach.validateParametersOnSave`	Validate parameters.json on save (default: true)

Commands

Access these commands via the Command Palette (Cmd+Shift+P / Ctrl+Shift+P):

Command	Description
SafeBreach: Configure Connection	Set up SafeBreach console connection
SafeBreach: Import Attack	Import an attack from SafeBreach to local workspace
SafeBreach: Create Attack	Create a new custom attack from template
SafeBreach: Deploy Attack	Deploy local attack to SafeBreach console
SafeBreach: Run Attack	Execute attack locally for testing
SafeBreach: Lint Attack	Run SafeBreach linting on attack code

Workspace Structure

When you import attacks, they are organized as follows:

your-project/
├── .safebreach/
│   ├── workspace.json       # Workspace configuration
│   └── encryption_key.bin   # Local encryption key (DO NOT COMMIT)
└── attacks/
    └── {id}-{name}/         # One folder per attack
        ├── target.py        # Target-side attack code
        ├── attacker.py      # Attacker-side code (if applicable)
        ├── metadata.json    # Attack metadata
        ├── parameters.json  # Attack parameters (optional)
        ├── resources/       # Binary files for FEED parameters
        │   └── {param}/     # Files organized by parameter name
        │       ├── file.enc        # Encrypted backup (EDR-safe)
        │       ├── file.enc.meta   # File metadata
        │       └── payload.bin     # Decrypted file (may be flagged by EDR)
        └── runs/            # Execution results (auto-generated)
            └── {test_id}/
                └── summary.json

Git Recommendations

Commit to source control:

attacks/*/target.py, attacker.py - Your attack code
attacks/*/metadata.json - Attack configuration
attacks/*/parameters.json - Parameter definitions
attacks/*/resources/*/*.enc - Encrypted binary files (EDR-safe)
attacks/*/resources/*/*.enc.meta - Binary metadata

Do NOT commit:

.safebreach/encryption_key.bin - Local encryption key (auto-excluded)
attacks/*/runs/ - Execution results (local only)
attacks/*/resources/* (decrypted files) - May trigger EDR alerts

Note: The extension auto-creates a .gitignore in .safebreach/ to protect sensitive files.

Security

API tokens are stored securely using VS Code's SecretStorage API
No credentials are stored in plain text
All communication with SafeBreach uses HTTPS
This extension is for authorized SafeBreach customers only

Support

For issues and feature requests, please visit our GitHub Issues.

For SafeBreach platform support, contact your SafeBreach representative or visit SafeBreach Support.

License

BSD 3-Clause License - see LICENSE for details.

SafeBreach Visual Attack Studio is developed by SafeBreach.