SafeBreach Visual Attack Studio

Develop SafeBreach custom attacks in VS Code with full IDE support including IntelliSense, linting, and one-click deployment. Easily incorporate SafeBreach into your CI/CD pipeline for Detection as Code.

New to this extension? Open the interactive walkthrough: Command Palette (Cmd+Shift+P) → Welcome: Open Walkthrough → Get Started with SafeBreach

Attack Resource Manager IntelliSense Deploy

Features

Quick Start Workflows

Import and Edit an Existing Attack

Open the Attack Resource Manager in the sidebar
Find your attack and click Import
Edit target.py in VS Code with full IntelliSense
Click Deploy to push changes to SafeBreach
Click Run to test on connected simulators

Create a New Attack from Scratch

Click + in the Attack Resource Manager toolbar
Choose attack type: Host, Exfiltration, Infiltration, or Lateral Movement
Set OS constraint (Windows/Linux/Mac/All) and description
Write your attack code with SafeBreach framework autocomplete
Deploy and run when ready

Clone and Customize an Attack

Right-click any attack → Clone Attack
Enter a new name for the cloned attack
Modify the code to fit your needs
Deploy as a new custom attack

Manage Parameters

Click parameters.json in any attack folder to open the Parameter Manager
Add, edit, or delete parameters with inline editing and type-specific value controls
Supports all 7 types: Text, Key-Value, Port, File, URL, Protocol, and Secret
Toggle to embedded Monaco Editor for raw JSON editing with syntax highlighting

Git Integration

Standard Git workflow: branch, commit, push, pull request
Attack files organized in attacks/{id}-{name}/ folders
Pre-configured .gitignore for SafeBreach workspaces
Full version control over your attack code and parameters

Source of Truth: This extension enables a code-first workflow where your Git repository becomes the authoritative source for attack development—not just the code, but also metadata and parameters. This enables collaboration, code review, and full audit trails for your custom attacks.

Attack Resource Manager

Browse all SafeBreach custom attacks (Draft and Published)
Filter by status (including Running tests) and search by name or description
Visual indicators: attack type badges, sync status, local changes, running state
Bulk operations: import, deploy, or run multiple attacks at once
Context menu: Deploy, Re-import, Clone, Run, Cancel, Lint, Copy Attack ID

Workspace Dashboard

Overview: Total attacks, imported locally, pending changes
Quick Access: List of attacks with local changes ready to deploy
Sync History: Last 50 sync operations with timestamps
Navigation: One-click to open any attack folder

Development Workflow

Edit: Full IDE with IntelliSense for SafeBreach framework functions
Lint: Real-time code validation on save and before run/deploy
Deploy: Push local changes to SafeBreach console (Draft attacks only)
Run: Execute on connected simulators with real-time notifications
Analyze: View structured results in runs/{test_id}/ folder
Commit: Version control your changes with Git

Async Test Execution

Concurrent Tests: Run multiple attacks simultaneously (one test per attack)
Bulk Run: Select multiple attacks and run them all with one click
Real-time Notifications: See simulation results as they complete
Persistent State: Running tests survive VS Code restarts - just reconnect
Running Filter: Filter Attack Resource Manager to show only running tests
Cancel Anytime: Stop running tests via inline button or context menu

Parameter Manager

Visual Editor: Click parameters.json to open a dedicated Parameter Manager with inline editing, sorting, filtering, and search
All Parameter Types: Text, Key-Value, Port, File, URL, Protocol, and Secret
Dual View: Toggle between visual table and embedded Monaco Editor (JSON with syntax highlighting, validation, and search/replace)
Validation: Automatic checks with errors in Problems panel (SB010–SB068)

Requirements

VS Code 1.106.0 or higher
Python 3.9 or higher
SafeBreach Account with API access
Pylance Extension (recommended for best IntelliSense experience)

Getting Started

1. First Launch

On first activation, the extension automatically:

Creates a Python virtual environment
Installs required dependencies
Starts the backend service

This takes 30-90 seconds on first run. Subsequent launches start in just a few seconds.

Note: If Python 3.9+ is not found, you'll be prompted to install it.

2. Connect to SafeBreach

On first launch, you'll see a welcome prompt to connect. Click "Connect Now" and enter:

Base URL: Your SafeBreach console URL (e.g., https://yourcompany.safebreach.com)
API Token: Your SafeBreach API token (requires administrator role)
Account ID: Your SafeBreach account ID

3. Open a Workspace

Open a folder in VS Code where you want to store your attacks
The extension will initialize a SafeBreach workspace automatically
Use the Attack Resource Manager in the sidebar to browse and import attacks

Extension Settings

Setting	Description
`safebreach.baseUrl`	SafeBreach console base URL
`safebreach.apiToken`	SafeBreach API token for authentication
`safebreach.accountId`	SafeBreach account ID
`safebreach.lintOnSave`	Automatically lint attack code when saving (default: true)
`safebreach.lintBeforeRun`	Lint before running attacks (default: true)
`safebreach.lintBeforeDeploy`	Lint before deploying attacks (default: true)
`safebreach.validateParametersOnSave`	Validate parameters.json on save (default: true)

Commands

Access these commands via the Command Palette (Cmd+Shift+P / Ctrl+Shift+P):

Command	Description
SafeBreach: Configure Connection	Set up SafeBreach console connection
SafeBreach: Import Attack	Import an attack from SafeBreach to local workspace
SafeBreach: Create Attack	Create a new custom attack from template
SafeBreach: Deploy Attack	Deploy local attack to SafeBreach console
SafeBreach: Run Attack	Execute attack locally for testing
SafeBreach: Lint Attack	Run SafeBreach linting on attack code

Workspace Structure

When you import attacks, they are organized as follows:

your-project/
├── .safebreach/
│   ├── workspace.json       # Workspace configuration
│   └── encryption_key.bin   # Local encryption key (DO NOT COMMIT)
└── attacks/
    └── {id}-{name}/         # One folder per attack
        ├── target.py        # Target-side attack code
        ├── attacker.py      # Attacker-side code (if applicable)
        ├── metadata.json    # Attack metadata
        ├── parameters.json  # Attack parameters (optional)
        ├── resources/       # Binary files for FEED parameters
        │   └── {param}/     # Files organized by parameter name
        │       ├── file.enc        # Encrypted backup (EDR-safe)
        │       ├── file.enc.meta   # File metadata
        │       └── payload.bin     # Decrypted file (may be flagged by EDR)
        └── runs/            # Execution results (auto-generated)
            └── {test_id}/
                └── summary.json

Git Recommendations

Commit to source control:

attacks/*/target.py, attacker.py - Your attack code
attacks/*/metadata.json - Attack configuration
attacks/*/parameters.json - Parameter definitions
attacks/*/resources/*/*.enc - Encrypted binary files (EDR-safe)
attacks/*/resources/*/*.enc.meta - Binary metadata

Do NOT commit:

.safebreach/encryption_key.bin - Local encryption key (auto-excluded)
attacks/*/runs/ - Execution results (local only)
attacks/*/resources/* (decrypted files) - May trigger EDR alerts

Note: The extension auto-creates a .gitignore in .safebreach/ to protect sensitive files.

Security

API tokens are stored securely using VS Code's SecretStorage API
No credentials are stored in plain text
All communication with SafeBreach uses HTTPS
This extension is for authorized SafeBreach customers only

Support

For issues and feature requests, please visit our GitHub Issues.

For SafeBreach platform support, contact your SafeBreach representative or visit SafeBreach Support.

License

BSD 3-Clause License - see LICENSE for details.

SafeBreach Visual Attack Studio is developed by SafeBreach.