Infection Monkey is an open-source breach and attack simulation (BAS) tool developed by Akamai (formerly Guardicore). It automatically tests your network defenses by simulating real-world attack techniques – lateral movement, credential theft, exploitation – and maps findings directly to the MITRE ATT&CK framework. Unlike traditional vulnerability scanners that only identify potential weaknesses, Infection Monkey actively exploits them to show you exactly how an attacker would move through your environment.
This guide covers installing Infection Monkey v2.3.0 on Ubuntu/Debian and RHEL/Rocky Linux using both Docker and AppImage methods. We walk through accessing the Monkey Island web UI, configuring attack scenarios, running your first simulation, analyzing security reports, reviewing MITRE ATT&CK mappings, and setting up recurring tests.
Prerequisites
Before you begin, make sure you have the following in place:
- A Linux server running Ubuntu 22.04/24.04, Debian 11/12/13, Rocky Linux 8+/9+, RHEL 8+/9+, or AlmaLinux 8+/9+
- Minimum 4 GB RAM and 2 CPU cores (8 GB recommended for larger networks)
- Root or sudo access on the server
- Docker installed (for the Docker deployment method; Docker Compose is not used by the commands below)
- FUSE library installed (for AppImage deployment method)
- Port 5000/TCP open for the Monkey Island web interface
- Network access from the Monkey Island server to the target machines you want to test
Step 1: Install Infection Monkey on Ubuntu/Debian Using Docker
The Docker method is the fastest way to get Infection Monkey running. It packages the Monkey Island server and MongoDB into containers with no dependency conflicts. This approach works on any Linux distribution with Docker installed.
Pull the required Docker images – MongoDB 6.0 for the database and the Monkey Island application container. This guide targets v2.3.0, so check the tags published on Docker Hub and pin the one you validated rather than relying on latest; otherwise a later pull (for example from a scheduled job) can silently change the version you are testing with:
sudo docker pull mongo:6.0
sudo docker pull infectionmonkey/monkey-island:latest
Start the MongoDB container first. It uses host networking and a persistent volume to store simulation data across restarts. Note that the official mongo image binds to all interfaces by default and ships with no authentication, so with host networking port 27017/TCP is reachable from the network unless the host firewall blocks it (see the firewall step below):
sudo docker run \
--name monkey-mongo \
--network=host \
--volume db:/data/db \
--detach \
mongo:6.0
Verify MongoDB is running before proceeding:
sudo docker ps --filter name=monkey-mongo
You should see the MongoDB container in a running state:
CONTAINER ID IMAGE COMMAND STATUS NAMES
a1b2c3d4e5f6 mongo:6.0 "docker-entrypoint.s..." Up 5 seconds monkey-mongo
Now start the Monkey Island container. It also uses host networking so that it can reach MongoDB on localhost port 27017, and it listens on port 5000 for the web interface:
sudo docker run \
--tty \
--interactive \
--name monkey-island \
--network=host \
--detach \
infectionmonkey/monkey-island:latest
Check that both containers are running:
sudo docker ps --filter name=monkey
Both containers should show as running:
CONTAINER ID IMAGE STATUS NAMES
f6e5d4c3b2a1 infectionmonkey/monkey-island:latest Up 3 seconds monkey-island
a1b2c3d4e5f6 mongo:6.0 Up 30 seconds monkey-mongo
If you are running UFW on Ubuntu/Debian, open port 5000 for the web interface. Do not open 27017: with host networking the MongoDB container is listening there without authentication, and UFW's default deny-incoming policy is what keeps it off the network:
sudo ufw allow 5000/tcp
sudo ufw reload
Step 2: Install Infection Monkey on RHEL/Rocky Linux
On RHEL-based systems, the AppImage method works well since it bundles all dependencies into a single executable. You can also use the Docker method from Step 1 if you have Docker installed on Rocky Linux or AlmaLinux.
Download the Infection Monkey v2.3.0 AppImage from the official GitHub releases page:
wget https://github.com/guardicore/monkey/releases/download/v2.3.0/InfectionMonkey-v2.3.0.AppImage
Make the AppImage executable:
chmod u+x InfectionMonkey-v2.3.0.AppImage
Install the FUSE library, which AppImage requires to run. On RHEL/Rocky 8+:
sudo dnf install -y fuse fuse-libs
On Ubuntu/Debian, install FUSE with:
sudo apt update && sudo apt install -y libfuse2
Start Infection Monkey:
./InfectionMonkey-v2.3.0.AppImage
The server starts and listens on port 5000. You should see log output confirming Monkey Island is ready.
To run Infection Monkey as a systemd service so it starts automatically on boot:
sudo ./InfectionMonkey-v2.3.0.AppImage service --install --user $(whoami)
If you are running firewalld on RHEL/Rocky, open port 5000 (and, if you used the Docker method, leave 27017 closed so the unauthenticated MongoDB instance stays local):
sudo firewall-cmd --permanent --add-port=5000/tcp
sudo firewall-cmd --reload
Verify the port is open:
sudo firewall-cmd --list-ports
The output should include port 5000:
5000/tcp
Step 3: Access Monkey Island Web Interface
Monkey Island is the central management console for Infection Monkey. It is where you configure attack scenarios, launch simulations, and review results. Access it through your web browser.
Open your browser and navigate to:
https://YOUR_SERVER_IP:5000
Replace YOUR_SERVER_IP with your server’s actual IP address. If accessing locally, use https://localhost:5000.
On first access, the browser will display a certificate warning because Monkey Island uses a self-signed TLS certificate by default. Accept the warning and proceed. You will then see the registration page where you create your admin credentials. There are no default credentials: the first person to reach a fresh Island registers the admin account, so do this immediately after installation and before port 5000 is reachable by anyone else. Choose a strong username and password – this protects the Monkey Island console from unauthorized access.
After registering, the Monkey Island dashboard loads. The left sidebar shows the main navigation: Run Monkey, Infection Map, Security Reports, and Configuration sections.
Step 4: Configure Attack Scenarios
Before running a simulation, install the plugins that define which attack techniques Infection Monkey uses. Plugins cover three categories: exploitation/propagation, credential stealing, and payloads.
Navigate to the Plugins page from the sidebar. You have two options:
- Download All Safe Plugins – installs all production-ready plugins. This is the recommended starting point for a full assessment
- Select individual plugins – install only specific techniques you want to test (SSH exploiter, RDP propagation, credential collectors, etc.)
Key plugins available in v2.3.0 include:
| Plugin | Description |
|---|---|
| SSH Exploiter | Propagates using stolen or configured SSH credentials |
| RDP Exploiter | Lateral movement via Remote Desktop Protocol on Windows targets |
| SMB Exploiter | Spreads through SMBv2+ file shares |
| Log4Shell Exploiter | Exploits Log4j vulnerability (CVE-2021-44228) |
| WMI Exploiter | Uses Windows Management Instrumentation for remote execution |
| Chrome Credentials Collector | Steals saved credentials from Chrome/Edge/Chromium browsers |
| Cryptojacker Payload | Simulates cryptocurrency mining – consumes configurable CPU and RAM |
| Ransomware Payload | Simulates ransomware file encryption behavior |
After installing plugins, go to Configuration to fine-tune what the simulation does. Key settings include:
- Propagation credentials – add known usernames and passwords or SSH keys the monkey should try during lateral movement
- Network scope – define which IP ranges or subnets the simulation can target. Keep this limited to your test environment initially
- Exploiters – enable or disable specific exploitation techniques
- Payloads – choose whether to simulate ransomware or cryptojacking behavior
Step 5: Run Your First Penetration Test Simulation
With plugins installed and configuration set, it is time to run the first breach simulation. Navigate to the Run Monkey page.
You have two execution modes:
- From Island – runs the agent directly on the Monkey Island server. The agent starts on this machine and attempts to spread to other systems on the network. This simulates an attacker who has compromised the server running Monkey Island
- Manual – download the agent binary and run it on a specific target machine. This simulates a scenario where an attacker has gained initial access to that particular host
For your first test, use the From Island option. Click the button and the simulation begins. The agent will:
- Scan the local network for reachable machines
- Identify open services (SSH, RDP, SMB, HTTP)
- Attempt credential theft from browsers and the system
- Try to exploit discovered services using installed plugins
- Propagate to compromised machines and repeat the process
The Infection Map in the sidebar updates in real time, showing which machines were discovered, which were successfully compromised, and the attack paths used.
Step 6: Analyze Security Results and Reports
Once the simulation completes, navigate to the Security Report section. The report gives you an attacker’s-eye view of your network and is organized into four sections.
The Overview section shows high-level metrics – which machine the simulation started from, how long it ran, and what configuration was active. This provides context for the rest of the findings.
The Segmentation Issues section highlights network segmentation failures. If the monkey moved between network segments that should be isolated, this section flags it. Poor segmentation is one of the most common findings – production databases accessible from DMZ servers, or development networks with routes into production.
The Machine-Related Recommendations section provides specific, actionable fixes for each compromised host. These are prioritized by severity and include mitigation steps you can hand directly to your remediation team.
The Network Assessment section summarizes all scanned servers, compromised machines, and stolen credentials. This gives you the full scope of the simulated breach.
Step 7: Review MITRE ATT&CK Mapping
Infection Monkey maps every simulated attack action to the MITRE ATT&CK framework, which is a globally recognized knowledge base of adversary tactics and techniques. This mapping transforms raw simulation results into standardized security intelligence.
The ATT&CK matrix in the reports shows which tactics and techniques were successfully executed during the simulation. Key techniques Infection Monkey tests include:
| MITRE ATT&CK Tactic | Techniques Simulated |
|---|---|
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers (T1555.003) – Chrome/Edge browser theft |
| Lateral Movement | Remote Services: SSH (T1021.004), RDP (T1021.001), SMB (T1021.002) |
| Execution | Windows Management Instrumentation (T1047) |
| Impact | Data Encrypted for Impact (T1486) – ransomware simulation |
| Impact | Resource Hijacking (T1496) – cryptojacker simulation |
| Initial Access | Exploit Public-Facing Application (T1190) – Log4Shell |
Use this mapping to communicate findings to management and compliance teams in a language they understand. The ATT&CK technique IDs link directly to MITRE’s documentation, so anyone reviewing the report can look up exactly what each technique means and how real adversaries use it.
Step 8: Remediation Recommendations
After reviewing the reports, prioritize remediation based on what the simulation actually exploited. Here is a practical remediation approach based on common Infection Monkey findings.
Credential theft from browsers – deploy an enterprise password manager and disable browser password storage via group policy. Consider integrating your environment with a SIEM solution such as Wazuh to monitor for credential access events.
SSH lateral movement – enforce key-based authentication only, disable password authentication in /etc/ssh/sshd_config (PasswordAuthentication no), rotate SSH keys regularly, and restrict SSH access with firewall rules or jump hosts. Key-only authentication is not sufficient on its own: the monkey's SSH credential collector also harvests unencrypted private keys from compromised hosts, so protect keys with passphrases, avoid leaving private keys on servers, and restrict authorized_keys entries with from= where possible.
RDP propagation – enable Network Level Authentication (NLA), enforce MFA for RDP sessions, limit RDP access to specific IP ranges, and disable RDP on systems that do not need it.
Network segmentation failures – implement VLANs or microsegmentation between network tiers. Production databases should never be directly reachable from the DMZ or development networks.
SMB exploitation – disable SMBv1 completely, enforce SMB signing, restrict administrative shares, and keep systems patched against known SMB vulnerabilities.
Log4Shell vulnerability – update all Java applications to Log4j 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6), and remember that Log4j is usually bundled inside application JARs rather than installed as a system package. Scan your environment for vulnerable Log4j versions with a vulnerability scanner like Nessus.
Step 9: Schedule Recurring Breach Simulations
Running Infection Monkey once gives you a snapshot. Running it regularly tells you whether your security posture is improving or degrading. Set up a cron job to launch simulations automatically.
For the Docker deployment, create a script that restarts the containers ahead of the scheduled run. Restarting does not clear previous simulation data, which lives in the persistent db volume; that happens when you start the next run. Create the script at /opt/infection-monkey/run-simulation.sh:
sudo vi /opt/infection-monkey/run-simulation.sh
Add the following content:
#!/bin/bash
# Restart the Infection Monkey containers before a scheduled run.
# This only gives the Island a clean process; it does not clear previous
# simulation data, which lives in the persistent "db" volume.
set -euo pipefail
docker restart monkey-mongo
sleep 5
docker restart monkey-island
echo "$(date): Infection Monkey containers restarted" >> /var/log/infection-monkey.log
Make the script executable:
sudo chmod +x /opt/infection-monkey/run-simulation.sh
Schedule it to run weekly using cron. Open the root crontab:
sudo crontab -e
Add a line to restart the containers every Monday at 2 AM:
0 2 * * 1 /opt/infection-monkey/run-simulation.sh
Note that the cron job only restarts the containers; you still need to trigger the actual simulation from the Monkey Island UI or via the API. The Infection Monkey REST API at https://YOUR_SERVER_IP:5000/api is the same interface the web UI uses: a client logs in with the account you registered, receives a token, and then calls the same endpoints the UI does to clear old data, start the agent from the Island, and fetch reports. That makes it possible to integrate simulation triggers with your CI/CD pipeline or security automation workflows.
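One way to drive a scheduled run end to end, as an added example (this script is not part of Infection Monkey): log in, clear the previous run, start the agent from the Island, wait until every agent has stopped, and archive the security report as a timestamped JSON file so successive runs can be compared. It uses only the Python standard library. The endpoint paths (/api/login, /api/clear-simulation-data, /api/local-monkey, /api/agents, /api/report/security), the Authentication-Token header, the login response shape and the agents' stop_time field are assumptions taken from what the Monkey Island web UI calls; verify them against your Island version before relying on this. The MONKEY_* environment variables and the report directory are hypothetical names chosen for this example.

```python
"""Trigger an Infection Monkey run and archive the security report.

Added example, not Infection Monkey's own tooling. Endpoint paths, the
login response shape, the token header and the agent fields are ASSUMED
from what the Island web UI calls; check them against your version.
"""
import json
import os
import ssl
import sys
import time
import urllib.request
from datetime import datetime, timezone
from pathlib import Path
from typing import Any, Optional

# Hypothetical environment variables for this example; set them from a root-only file.
ISLAND = os.environ.get("MONKEY_ISLAND", "https://127.0.0.1:5000")
CA_FILE = os.environ.get("MONKEY_CA_FILE")  # set once you install a real certificate
REPORT_DIR = Path(os.environ.get("MONKEY_REPORT_DIR", "/var/lib/infection-monkey/reports"))


def tls_context(ca_file: Optional[str]) -> ssl.SSLContext:
    """Verify against the given CA; with no CA file, tolerate the default self-signed cert."""
    if ca_file:
        return ssl.create_default_context(cafile=ca_file)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def auth_token_from_login(payload: Any) -> str:
    """Extract the token from the (assumed) /api/login response, failing loudly otherwise."""
    try:
        return payload["response"]["user"]["authentication_token"]
    except (KeyError, TypeError) as exc:
        raise RuntimeError(f"unexpected login response: {payload!r}") from exc


def all_agents_stopped(agents: list) -> bool:
    """True once at least one agent exists and every one has a non-null (assumed) stop_time.

    An empty list means the agent has not registered yet, so keep polling.
    """
    return bool(agents) and all(a.get("stop_time") is not None for a in agents)


class IslandClient:
    def __init__(self, base: str, ctx: ssl.SSLContext) -> None:
        self.base = base.rstrip("/")
        self.ctx = ctx
        self.token: Optional[str] = None

    def call(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("Authentication-Token", self.token)  # assumed header name
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def login(self, username: str, password: str) -> None:
        resp = self.call("POST", "/api/login", {"username": username, "password": password})
        self.token = auth_token_from_login(resp)

    def run_from_island(self) -> None:
        self.call("POST", "/api/clear-simulation-data")       # drop last run's data
        self.call("POST", "/api/local-monkey", {"action": "run"})  # "Run from Island"

    def wait_until_finished(self, timeout_s: int = 3600, poll_s: int = 30) -> bool:
        deadline = time.monotonic() + timeout_s
        while time.monotonic() < deadline:
            if all_agents_stopped(self.call("GET", "/api/agents")):
                return True
            time.sleep(poll_s)
        return False


def main() -> int:
    user, password = os.environ["MONKEY_USER"], os.environ["MONKEY_PASSWORD"]
    client = IslandClient(ISLAND, tls_context(CA_FILE))
    client.login(user, password)
    client.run_from_island()
    finished = client.wait_until_finished()
    report = client.call("GET", "/api/report/security")
    REPORT_DIR.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    out = REPORT_DIR / f"security-{stamp}.json"
    out.write_text(json.dumps(report, indent=2))
    print(f"{'finished' if finished else 'TIMED OUT'}; report saved to {out}")
    return 0 if finished else 1


if __name__ == "__main__":
    sys.exit(main())
```

Keep the Island credentials out of the crontab itself: put them in a root-owned, mode 600 file and source it on the cron line, for example `0 2 * * 1 . /etc/infection-monkey.env && /usr/bin/python3 /opt/infection-monkey/run-simulation.py`. The report files accumulate one JSON document per run, which is what the "compare reports over time" practice below needs. Once you replace the self-signed certificate, set the CA file variable so the script verifies TLS instead of disabling it.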
Best practices for recurring simulations:
- Run monthly at minimum, weekly if your environment changes frequently
- Run immediately after infrastructure changes – new servers, network reconfigurations, or firewall rule updates
- Compare reports over time to track remediation progress
- Run from different starting points each time to test varied attack paths
- Coordinate with your security operations team to avoid triggering incident response on known simulations
Conclusion
Infection Monkey gives you a real attacker’s perspective on your network security. You now have a working breach and attack simulation platform that identifies lateral movement paths, credential theft risks, and segmentation weaknesses – all mapped to the MITRE ATT&CK framework for clear reporting.
For production deployments, replace the self-signed certificate with a proper TLS certificate, restrict Monkey Island access to your security team's IP range, and store simulation data on encrypted volumes. Treat the Island and its MongoDB database as sensitive systems: the credentials the monkey harvests during a run are real credentials from your environment and are stored there for the reports. Integrate the results with your SIEM for centralized security monitoring and alerting.