Introducing Cobalt Strike Research Labs

This is a joint blog written by Stan Hegt, Pieter Ceelen, and Will Burgess.

Today, we’re launching Cobalt Strike Research Labs (CS:RL), a new Fortra offering that unites the research expertise of the Cobalt Strike and Outflank teams. CS:RL delivers cutting-edge, ready-to-use research tooling for Cobalt Strike, including custom UDRLs, Sleep Masks, UDC2 channels, and post-exploitation capabilities. Most importantly, it provides the Cobalt Strike team with a platform to deliver experimental beta features, test ideas, and gather feedback before moving proven features into the main product.

CS:RL is available now as part of Fortra’s Red Team Suite and the Offensive Security Suite. We are releasing CS:RL in beta but this is just the beginning; we already have an exciting roadmap of features planned.

In this post, we’ll cover the rationale behind CS:RL, the problems it is designed to solve, and the capabilities it brings to operators.

Why Cobalt Strike Research Labs?

Cobalt Strike and Outflank Security Tooling (OST) have very different product philosophies. Cobalt Strike’s technical strategy is built around two core principles:

Flexibility and Modularity – Cobalt Strike offers limited ‘out-of-the-box’ evasion by design and this is not a goal of the product. Instead, it gives operators the flexibility to rapidly customize and reconfigure Beacon for use across different scenarios, ranging from Purple Teaming to full-scope Red Team operations. Through UDRLs such as CrystalKit, TitanLdr, AceLdr, and Eden, Beacon’s TTPs can be completely changed depending on the operator’s requirements. Furthermore, Cobalt Strike is designed to be highly modular and so supports the integration of tools/PoCs from the wider offensive eco system (i.e. BOFs).

Stable and fully offline framework – Cobalt Strike has a semi-annual release cycle with a strong emphasis on quality assurance and use in offline environments.

By contrast, OST is focused on a different but highly complementary set of priorities:

A broad set of offensive security tooling, ranging from initial access and lateral movement to credential dumping and cloud attacks.

A cloud native offering, which supports rapid updates and bi-weekly releases.

Out-of-the-box EDR evasion capabilities.

Taken together, these differences are exactly why we decided to create Cobalt Strike Research Labs. Cobalt Strike provides a stable, flexible foundation that enables deep operator-driven customization, while OST delivers fast access to new offensive research and implementations. CS:RL brings these strengths together: the research depth of the Outflank and Cobalt Strike teams, delivered in a form that helps operators put new tradecraft into practice faster.

This collaboration gives the Cobalt Strike team a new way to move faster and deliver more value to customers. Through CS:RL, the Cobalt Strike team can:

Experiment with novel research ideas, gather feedback, and iterate with a much shorter path from PoC to prod.

Demonstrate internal tooling and proof-of-concepts built on top of Cobalt Strike.

Deliver off-the-shelf tradecraft that operators can seamlessly integrate into existing Cobalt Strike workflows, reducing the need for internal R&D and customization.

Validate experimental features before integrating them into the core Cobalt Strike product.

The ambition of CS:RL is to support a broad range of use cases, including breach and attack simulation, detection engineering, and purple teaming/EDR evaluation. Additionally, for full-scope red team operations, we also see an opportunity to deliver capabilities that enable bypassing existing defensive controls. Outflank has already taken important steps in this direction with OST’s Beacon Booster functionality. Historically, however, Beacon Booster was built on undocumented interfaces. With deeper integration into Cobalt Strike, that work can become significantly more powerful.

Finally, looking further ahead, we also see an opportunity to move beyond Cobalt Strike’s current download infrastructure and take advantage of the capabilities offered by the OST platform, such as just-in-time compilation. This evolution will help us deliver even more advanced capabilities to Cobalt Strike customers. CS:RL is the first step in what we see as a much broader journey.

What’s in CS:RL Today?

Aof its release, CS:RL contains:

Access to Zero-Point Security’s dedicated Cobalt Strike training.

A major overhaul of OST’s existing Beacon Booster.

‘Lucky Strike’ 🍀: A custom loader with novel tradecraft developed by the Cobalt Strike team.

An overhaul of OST’s existing Beacon config updater.

A public profile checker which will automatically alert users to default or signatured Malleable C2 profiles.

A custom UDC2 channel that uses the Azure Service Bus to egress Beacon’s C2 traffic.

An experimental new process injection technique (‘Weaver’) to support post-exploitation activities.

We are currently releasing CS:RL in beta but this is just the beginning. We already have a roadmap for various tools and capabilities to be added in the near feature, such as additional Cobalt Strike specific tradecraft and better integration between CS:RL and the stand-alone Cobalt Strike product. Note, CS:RL is, and will remain, opt-in and will not be required to use the core Cobalt Strike product.

The demo below shows the updated Beacon Booster in action:

Fig 1: Beacon Booster in action!

What Does This Mean for Regular CS Users That Don’t Have Access to CS:RL?

There will be no changes to the product roadmap. Cobalt Strike remains committed to the same product philosophy and vision as pioneered by Raphael Mudge (and outlined above). Cobalt Strike’s ultimate goal is to improve security literacy, help security practitioners understand the value of our defensive ideas, and push meaningful change; we want to make things better and feed the security conversation.
The Cobalt Strike team has grown over the past years and so CS:RL does not affect Cobalt Strike release planning.
We remain committed to the journey of being a highly customisable and modular framework, enabling security researchers to flourish, and continue to support full offline customization and usage. All CSRL features are built with the same tooling we have made publicly available (UDRL-VS, UDC2-VS etc.).
CS:RL users may receive early access to beta Cobalt Strike features. However, once validated through user feedback and experimentation, these will be migrated to the core Cobalt Strike product.
We remain committed to supporting open-source tooling and the security conversation as demonstrated by the release of Eden, ICMP-UDC2 etc.

What Does This Mean for OST Users?

CS:RL does not change the overall OST roadmap. However, the Cobalt Strike team is now actively building on the underlying platform provided by OST, and together we are shaping the future direction.
We are jointly extending and improving Beacon Booster, enabling more advanced and more powerful capabilities to be developed with less effort.
Research collaboration between the Cobalt Strike and Outflank teams has been ongoing for several years (i.e. see our joint AI research here). While each team continues to maintain its own roadmap and trajectory, that close cooperation remains unchanged.

Next Steps

Cobalt Strike Research Labs is just the first step in a broader effort to bring the combined research expertise of the Cobalt Strike and Outflank teams directly to operators. By pairing cutting-edge tradecraft with practical delivery through OST, CS:RL gives users faster access to new capabilities while laying the groundwork for even deeper integration in the future. If you already have access to the Red Team Suite or the Offensive Security Suite, we encourage you to start exploring CS:RL today. If you do not yet have access, you can request a quote or schedule a demo here.

Lastly, we will be hosting a webinar where we will provide a technical overview and demo of CS:RL in action on April 14. You can register for this Webinar here.