Tooling

Red Team C2 — Sliver, Mythic, Havoc

Modern command-and-control frameworks for authorised red-team ops.

A C2 framework gives an operator interactive control over compromised hosts. Cobalt Strike defined the category; the 2024–26 OSS landscape has matured to where Sliver, Mythic, and Havoc are credible alternatives — and detection vendors actively flag all of them. For broader exploitation see Exploitation Frameworks. For AD-specific post-ex see Active Directory Pentesting. For defender side see EDR / OSQuery and Detection (Sigma / YARA / ATT&CK).

Open-source C2 — modern reference picks

  • ★ ★ Sliver (BishopFox) — Go; mTLS / WireGuard / HTTPS / DNS transports; per-implant dynamic compilation; Linux / macOS / Windows; multi-operator console + GUI clients. The mainstream FOSS Cobalt-Strike alternative 2024–26. Free.
  • Mythic (its-a-feature) — agnostic C2 platform; Docker-deployed; many community agents — Apollo (.NET), Athena (.NET), Poseidon (Go), Medusa (Python), Tetanus (Rust), Freyja (Go), Thanatos (Rust). Free.
  • Havoc (C5pider) — C++ / Qt; Cobalt-Strike-shaped UX; "Demon" agent; growing community; popular among learners and operators. Free.
  • AdaptixC2 — newer open C2 (2024+); pluggable extender model.
  • NimPlant (Cas van Cooten) — Nim implants; small footprint; learning-focused; C2 by similar.
  • Empire / Starkiller (BC-Security fork) — PowerShell + Python framework; Starkiller is the web UI. Free; older but maintained.
  • Covenant — .NET-based; less active 2024+.
  • Merlin — Go; HTTP/2 C2; less active.
  • PoshC2 — PowerShell; legacy but works.
  • Manjaro Tactical / OST community editions.

Commercial C2 (paid)

  • Cobalt Strike (Fortra) — ~$5,900/seat/yr; Beacon implant; Malleable C2 profiles; the long-time industry default. Heavily fingerprinted by EDR.
  • Brute Ratel C4 (Chetan Nayak) — ~$2,500/yr; modern; EDR-evasion focused.
  • Outflank Security Tooling (OST) — paid; curated red-team kits.

Implant / loader / payload helpers

  • donut — generate position-independent shellcode from a .NET / EXE.
  • PEzor / scarecrow / freeze — modern payload obfuscation; expect detection.
  • inceptor — payload-builder.
  • MalDev Academy / Maldev community — research toolkits.
  • freeze.rs / donut-rs — Rust ports.

Profiles / OPSEC

  • Malleable C2 profiles (Cobalt Strike / Sliver / Havoc) — disguise traffic shape.
  • TLS cert / SNI matching, JA3/JA4 spoofing — see Network IDS (Suricata / Zeek) for the defender side.
  • Domain fronting — mostly dead in 2024–26 (Cloudflare / Fastly / Azure all blocked it); CDN-based redirector chains still common.
  • Redirector / decoy traffic — Apache mod_rewrite or nginx redirector + cdn.
  • See Active Directory Pentesting — BloodHound CE, NetExec, Impacket, Rubeus.
  • Most C2s expose .NET / BOF execution to run those tools in-implant.

Engagement-tracking

  • Ghostwriter (SpecterOps) — engagement project + reporting; pairs naturally; see Pentest Reporting.
  • MITRE CALDERA — automated adversary emulation; not strictly a C2 but adjacent.
  • PurpleSharp / Stratus Red Team — for purple-team validation; see Detection (Sigma / YARA / ATT&CK).

Realistic expectations 2026

  • Cobalt Strike Beacon — heavily flagged; vendors detect even custom Malleable profiles. Operators move to in-memory loaders / Brute Ratel / Sliver.
  • Sliver default config — also flagged; tweaks (HTTP profile, custom mTLS certs, packer) buy time.
  • Modern EDR (CrowdStrike / SentinelOne / Defender) — detect injection, AMSI, ETW patches, beacon traffic shape; expect detection unless you tune carefully.
  • OSS C2 + custom tradecraft outperforms "stock Cobalt Strike from a torrent."

Legality / OPSEC reminders

  • ★ Get a signed Statement of Work / RoE before touching anything.
  • Whitelist your C2 IPs / domains with the customer.
  • Don't run public bug-bounty C2 ops — always against an engagement.
  • Some C2s (Cobalt Strike Beacon, Brute Ratel) are flagged by AV / IDS just by config presence — be ready.

Pick this if…

  • Default OSS modern C2 2026: Sliver.
  • Need many language agents / extreme flexibility: Mythic.
  • Cobalt-Strike-like UX, FOSS: Havoc.
  • Mature paid red-team program: Cobalt Strike or Brute Ratel.
  • PowerShell-native legacy: Empire / Starkiller.
  • Validate detections: Stratus Red Team / Atomic Red Team / CALDERA.
  • Engagement project tracking: Ghostwriter.

On this page