Release the monkey! How Infection Monkey tests network security

This free, open source penetration testing tool uses real attacks and real techniques to try and exploit its way into a network.

CSO > breakthrough / penetration testing / sledgehammer breaking through a binary wall
Okea / Mapichai / Getty Images

Companies these days spend millions on cybersecurity defenses to protect their networks. The average enterprise is bristling with every kind of protection platform available. And yet, breaches are still happening, and are even on the rise.

Once a breach occurs, the long process of fixing the problem and figuring out why it happened begins. Perhaps the defensive platform had some vulnerabilities or wasn’t installed correctly. Maybe there was a network configuration error that allowed an attacker to pass through undetected or a valid user had their credentials compromised. Whatever the reason, finding out after the fact can be a painful and expensive process, and that’s not even accounting for whatever damage the attacker did while they had access to the network.

In a perfect world, finding those vulnerabilities and cybersecurity shortcomings before a breach would be ideal. This could be accomplished with either human penetration testing or automated breach simulation tools. But both options can be expensive, and companies might be reluctant to invest the time and money into a tool or effort that might or might not bear fruit.

GuardiCore has created another option. You might know Guardicore from a review CSO conducted of the GuardiCore Centra product back in 2017 when micro segmentation was just beginning to take off in cybersecurity. GuardiCore has always been a pioneer in the micro segmentation field, and today the company is leading the charge in the implementation of zero trust networking, which is an offshoot of the segmentation concept. Initially, GuardiCore was working on a new product that would enable them to test their own security platforms, but instead decided to a free, open source tool that anyone could use to get a detailed look at their own network, regardless of its composition or what security tools they were using.

Infection Monkey was born from that effort. The Infection Monkey program is available for download from and the source code can be found, also for free, on GitHub. Anyone is free to modify the code if they want for their own purposes.

Infection Monkey Download CSO

The Infection Monkey program is available as a free download from and the Python-based source code can be found, also for free, on GitHub.

At its core, Infection Monkey is a penetration testing tool. It’s loaded with lots of advanced exploits as well as the ability to check for common security mistakes like weak passwords. It can be deployed to hunt for general cybersecurity issues, but also recently got the ability to examine whether zero-trust networking is configured correctly in enterprises that have implemented it.

It’s available for Windows, Linux, OpenStack, vSphere, Amazon Web Services, Azure, and Google Cloud Platform networks. And because the Python-based source code is also provided, users can configure it to work in proprietary or unique environments.

For our evaluation, Infection Monkey was downloaded onto a virtualized network consisting of several clients, a database server, a load balancer and a few web servers. The client where the program is based is designated Monkey Island by the platform and acts as the host for the user interface. Infection Monkey can be run right away using its default settings, but is also highly configurable. You can control exactly what exploits the platform should try and use, what assets it should attack or avoid, or simply let the monkey run wild and try to find any and all exploitable paths in the target network, just like a hacker.

Infection Monkey Configure CSO

Although Infection Monkey can be used right away, it’s also possible to tightly control exactly what tests it performs, where it goes and places in the network that it should avoid.

Infection Monkey uses real attacks and real techniques to try and exploit its way into a network, so this is not technically an attack simulation. The only difference between what the monkey does and what a real attacker would do is the fact that the monkey doesn’t deliver any malicious payloads or steal any data. For example, the monkey might create a new user on a machine that it has compromised and then try to use that user’s credentials to get farther into a network. But once the test is over, Infection Monkey cleans up after itself and removes any trace that it was there, other than within its detailed infection report.

Depending on the size and type of network, running Infection Monkey can take anywhere from a few minutes to a few hours. The program is designed not to hog system resources or bog down network connectivity when it’s running. Once finished, it generates a report with multiple levels of detail.

Infection Monkey Report CSO

Once the monkey runs across a network, a two tiered report is generated. The first part shows generalizations about what happened and is suitable for a boardroom type presentation.

At the highest level, Infection Monkey shows how many systems failed security checks. This is indicated using the standard red, yellow and green color scheme found in most cybersecurity reports. More red means more problems. You can also look at specific aspects of the report, such as how well the tested network aligns with the zero trust extended framework of best practices.

While the high-level report is good for getting an idea about the scope of the problem, the real meat for cybersecurity professionals comes in the deeper details. Infection Monkey is great about recording everything that it did while trying to compromise a network — things like how it was able to access critical assets from public areas, what exploits it found in existing defenses and what information it was able to access. This includes a full account of IP addresses and the paths the monkey took to get around existing defenses. Using this data, a skilled security team could close some of those loopholes and then run Infection Monkey again at a later time to check their work.

Infection Monkey Specific CSO

The second part of the Infection Monkey report shows an extremely detailed view of what assets were breached and how it happened. The report can also be read by machines for ingestion into other defensive tools.

The report is also valuable because it shows what attacks were thwarted and why. For example, in one instance, it was not able to create a new user on a specific asset because the ability to do that had been removed from a server. In another case, it did create a new user, but then could not do anything about it because the zero trust networking infrastructure meant that the new user was not allowed to access any information. Armed with this report, network security teams could check to see if attacks are being blocked because of the way they have their network configured, due to infrastructure defenses like firewalls, or because they are running some kind of effective cybersecurity protection platform.

Infection Monkey Pass Why CSO

In addition to showing how some defenses failed, the program will also detail why other attacks were stopped. That way you can see if a valid defense is based on permissions, network configuration or active protections provided by a security tool.

It’s surprising to find an attack simulation platform this useful that is available for free, with the modifiable source code also provided. Adding the ability for Infection Monkey to check for zero trust networking issues is even more helpful, as this is a relatively new protection scheme that is difficult to implement correctly. As such, Infection Monkey could be used to access overall security as a starting point to making improvements, or as a way to check existing defenses to ensure they are operating as intended with no shortcomings or oversights.