Beacon Overview

Beacon is Cobalt Strike’s signature payload, designed to model the behavior of advanced attackers and perform a number of post-exploitation activities during adversary simulations and red team engagements.

Malleable C2 Overview

A Malleable C2 profile specifies how to transform data and store it in a transaction. The same process is used to extract and recover data from a transaction. The profile is also used to set various default values, such as how often Beacon checks in and what its memory footprint looks like.

Arsenal Kit Overview

The Cobalt Strike Arsenal Kit is a collection of customizable tools that help users simulate real-world adversary tactics and techniques. Teams can use each kit as-is or customize it to fit their engagement goals.

Customization

The Cobalt Strike REST API expands functionality through a language-agnostic interface, letting operators script and automate workflows in whatever programming language suits their needs. It provides structured command routes, task tracking that ties commands to their output, and server-side artifact storage that allows the whole team to use the same artifacts, like BOFs, assemblies, and payloads. The result is a foundation for custom clients, AI-assisted workflows via MCP, and tailored automation.

User Defined C2

User Defined Command and Control (UDC2) lets operators build fully custom C2 channels as BOFs, giving teams a way to egress Beacon traffic over whatever channel the engagement demands. The UDC2 BOF is patched in on payload creation and invoked by Beacon to proxy all traffic over the custom channel to a Python-based UDC2 server, which relays it to the UDC2 listener. UDC2-VS provides a template to enable rapid development and implementation.

Interoperability

Outflank Security Tooling (OST) is a curated set of offensive security tools that were developed with Cobalt Strike in mind. Outflank Security Tooling’s Payload Generator is ideal for enhancing the evasiveness of Cobalt Strike’s Beacon.

Core Impact is a centralized penetration testing tool from Core Security that enables security teams to conduct advanced, multi-phased penetration tests that can exploit numerous vectors, including network, client-side, and web applications.

“Cobalt Strike helped us run more realistic simulations and produce after-action reports our blue team trusted.”

– Director of Security Operations, Enterprise Software Company

Other Features

Payload Generation

Cobalt Strike can generate a wide variety of payloads that can be tailored to suit the needs of the engagement. Users are given control to create payloads that meet their specific requirements.

Community

Cobalt Strike’s roadmap is shaped by the operators who use it. User input plays a critical role in what gets built next. Additionally, the Community Kit, a central repository with both tools and scripts created and shared by Cobalt Strike users, is another example of the level of community input. 

Collaboration

Cobalt Strike team servers allow red teams to communicate in real time and control systems compromised during an engagement. In addition to shared sessions, team members can also share hosts, captured data, and downloaded files.

Reporting

Cobalt Strike’s reports provide a timeline and a list of indicators from red team activity. These reports can be used to help security operations teams determine next steps after an engagement is completed. Cobalt Strike exports reports as both PDF and MS Word documents.
