Purple Team adversarial validation suite for Electronic Warfare detection capabilities on Linux.
The name EW-Verify stands for Electronic Warfare Verify β it validates whether a Linux system can detect, report, or survive electronic attack scenarios. The "EW" prefix signals a departure from pure host forensics into the electromagnetic and wireless domain, while "Verify" preserves the adversarial validation DNA inherited from K-Verify.
Where K-Verify tests memory-level attack detection (RWX, process hiding, ASLR bypass), EW-Verify tests the RF and wireless attack surface: jamming, spoofing, deauthentication, and spectrum manipulation.
EW-Verify is a Purple Team adversarial validation tool built to stress-test the detection layer for Electronic Warfare attack scenarios on Linux systems.
It runs controlled adversarial actions in the wireless and electromagnetic spectrum, then cross-references each one against the kernel and RF interfaces that detection tools rely on. Every scenario maps to a MITRE ATT&CK technique or an EW taxonomy classification, and the final report includes a Detection Gap Analysis that points out blind spots nobody's covering.
The tool covers several core areas. It launches deauthentication attacks against test networks and checks whether the kernel's wireless stack (nl80211/cfg80211) reports them. It attempts GPS spoofing and assesses system-side detection (if GPS hardware is present). It floods Bluetooth and Wi-Fi channels and monitors for kernel-level interference signals. It checks RFkill state, wireless regulatory domain constraints, and spectrum congestion indicators. When live detection tools are available (like Wireshark, aircrack-ng suite, or custom SDR-based sensors), it can invoke them for true end-to-end validation. Every scenario is tagged with its MITRE ATT&CK technique ID or EW category, and the detection gap analysis counts how many scenarios no tool covers.
EW-Verify comes with ten adversarial scenarios across the electromagnetic spectrum. You get wireless deauthentication testing via --deauth that sends 802.11 deauth frames and checks kernel detection. GPS spoofing simulation with --gps-spoof validates whether the system or connected applications detect forged NMEA data. Bluetooth attack scenarios with --bt-attack test for flood and pairing-based attacks. Spectrum congestion analysis with --spectrum reads RF signal density indicators. RFkill state verification with --rfkill checks whether the kernel's RF kill switch is engaged. Wi-Fi regulatory domain assessment with --regulatory validates country code and channel restrictions. Aireplay-ng integration with --aireplay runs actual aireplay-ng attacks and checks for detection. There's an SDR readiness check with --sdr that validates whether RTL-SDR or HackRF devices are available and functional. Output goes to a color-coded Purple Team validation matrix on the terminal, and you can also export structured JSON or CSV for your reporting pipeline. The Detection Gap Analysis calls out blind spots where no tool provides coverage. MITRE ATT&CK and EW taxonomy IDs show up in terminal output, JSON, and CSV. There's a Silent JSON mode (--json) that suppresses the banner entirely for CI/CD pipelines. The engine is modular C99 β each scenario lives in its own source file. There's an automated unit test suite via make test, a CI/CD pipeline through GitHub Actions, a read-only verification phase that assesses system state without running any attacks, and full child process lifecycle management with a cleanup mode.
Every scenario is mapped to a real MITRE ATT&CK technique or Electronic Warfare category:
| Scenario | ID | Description |
|---|---|---|
| DEAUTH_ATTACK | T1562.001 | Impair Defenses: Disable or Modify Tools |
| GPS_SPOOF | T1557 | Adversary-in-the-Middle |
| BT_FLOOD | T1498 | Network Denial of Service |
| SPECTRUM_SCAN | EW-ES-001 | Electronic Support β Spectrum Monitoring |
| RFKILL_STATE | EW-EP-001 | Electronic Protection β RF Kill Assessment |
| REGULATORY_CHECK | EW-EP-002 | Electronic Protection β Regulatory Compliance |
| AIREPLAY_ATTACK | T1562.001 | Impair Defenses: Disable or Modify Tools |
| SDR_READINESS | EW-ES-002 | Electronic Support β SDR Capability |
| WIFI_JAM | T1498 | Network Denial of Service |
| CHANNEL_HOP | EW-EA-001 | Electronic Attack β Channel Hopping |
Technique IDs are embedded in terminal output, JSON exports, and CSV reports.
Note: IDs prefixed with
EW-ES,EW-EP, andEW-EAare extended taxonomy specific to EW-Verify β not official MITRE ATT&CK identifiers. They cover electromagnetic spectrum scenarios (Electronic Support, Electronic Protection, Electronic Attack) that MITRE does not currently address. Scenarios with standard MITRE IDs (e.g., T1562.001) map directly to ATT&CK for Enterprise or ICS.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β EW-Verify | Purple Team - Electronic Warfare β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
RUN SEQUENCE INITIATED
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[01/10] DEAUTH_ATTACK PASS [EW:β KS:β] T1562.001
[02/10] GPS_SPOOF SKIP (no GPS device)
[03/10] BT_FLOOD WARN (BT not powered)
[04/10] SPECTRUM_SCAN WARN (no wireless interfaces)
[05/10] RFKILL_STATE SKIP (rfkill not available)
[06/10] REGULATORY_CHECK WARN (no regulatory info)
[07/10] AIREPLAY_ATTACK SKIP (aireplay-ng not found)
[08/10] SDR_READINESS PASS (SDR tools found, no device) [EW:β KS:β] EW-ES-002
[09/10] WIFI_JAM SKIP (no jamming tools found)
[10/10] CHANNEL_HOP SKIP (no wireless interface)
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
RESULTS
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[01/10] DEAUTH_ATTACK PASS [EW:β KS:β] T1562.001
[02/10] GPS_SPOOF SKIP [EW:β KS:β] T1557
[03/10] BT_FLOOD WARN [EW:β KS:β] T1498
[04/10] SPECTRUM_SCAN WARN [EW:β KS:β] EW-ES-001
[05/10] RFKILL_STATE SKIP [EW:β KS:β] EW-EP-001
[06/10] REGULATORY_CHECK WARN [EW:β KS:β] EW-EP-002
[07/10] AIREPLAY_ATTACK SKIP [EW:β KS:β] T1562.001
[08/10] SDR_READINESS PASS [EW:β KS:β] EW-ES-002
[09/10] WIFI_JAM SKIP [EW:β KS:β] T1498
[10/10] CHANNEL_HOP SKIP [EW:β KS:β] EW-EA-001
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
FINAL ASSESSMENT
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
[ββββββββββ] 5/10 (50%) adversarial actions succeeded
[ββββββββββ] 2/10 (20%) detected by EW-Sensor
[ββββββββββ] 0/10 (0%) detected by Kernel
[ββββββββββ] 8/10 (80%) unmonitored gaps (no EW or KS coverage)
STATUS: Purple Team Validation Complete
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
EW-Verify runs in three phases.
Each scenario executes a controlled electronic attack or measurement. DEAUTH_ATTACK sends 802.11 deauthentication frames using iw or aireplay-ng. GPS_SPOOF injects forged NMEA sentences into the GPS device stream. BT_FLOOD floods Bluetooth L2CAP packets. SPECTRUM_SCAN reads signal level indicators from /proc/net/wireless or iw dev. RFKILL_STATE queries /sys/class/rfkill/*. REGULATORY_CHECK reads iw reg get. AIREPLAY_ATTACK runs aireplay-ng in test mode. SDR_READINESS probes for RTL-SDR or HackRF devices via USB. WIFI_JAM floods a target channel with noise frames. CHANNEL_HOP rapidly cycles through Wi-Fi channels while measuring signal changes.
For every scenario, EW-Verify queries the same kernel and RF interfaces a detection tool would read. On the kernel path, it checks /sys/class/rfkill/, /proc/net/wireless, iw event traces, and dmesg for wireless driver alerts. On the EW sensor path, it checks for spectrum analyzer output, SDR sample captures, or external detector logs. You don't need any external detection tools installed to run EW-Verify. The detection logic is baked directly into EW-Verify's source code: it reads the same interfaces they would and predicts whether they'd fire. If you pass --live, it optionally invokes actual tools (Wireshark, aircrack-ng, custom SDR detectors) for real validation.
Results come out as a validation matrix. You get to see whether the adversarial action succeeded, whether each detection tool would detect it, and the MITRE ATT&CK or EW taxonomy ID. There's a summary with progress bars for adversarial success rate, detection coverage, and unmonitored gaps.
The final assessment includes a metric called unmonitored gaps β scenarios where no detection tool provides coverage. Those are your highest-risk blind spots in the electromagnetic domain.
# Clone the repository
git clone https://github.com/jeffersoncesarantunes/EW-Verify.git
cd EW-Verify
# Build the project
make
# (Optional) Clean rebuild from scratch
make clean && make
# Run the test suite
make test
# Run all scenarios with default terminal output
sudo ./ewverify
# Run all scenarios with silent JSON export (no banner, CI/CD ready)
sudo ./ewverify --json
# Export results to CSV
sudo ./ewverify --csv
# Run a specific module
sudo ./ewverify --deauth
sudo ./ewverify --gps-spoof
sudo ./ewverify --bt-attack
sudo ./ewverify --spectrum
sudo ./ewverify --rfkill
sudo ./ewverify --regulatory
sudo ./ewverify --aireplay
sudo ./ewverify --sdr
sudo ./ewverify --wifi-jam
sudo ./ewverify --channel-hop
# Run with live detection tool integration
sudo ./ewverify --live
# Read-only verification (no adversarial actions)
sudo ./ewverify --verify-only
# Clean up any remaining child processes
sudo ./ewverify --cleanup
# Check available hardware and tools before running
sudo ./ewverify --check-reqSome scenarios require optional tools. The tool handles missing dependencies gracefully (SKIP), but installing them enables more scenarios:
| Tool | Required by | Install (Arch) | Install (Debian/Ubuntu) |
|---|---|---|---|
iw |
deauth, regulatory, channel-hop, wifi-jam | sudo pacman -S iw |
sudo apt install iw |
rfkill |
rfkill | sudo pacman -S rfkill |
sudo apt install rfkill |
bluetoothctl |
bt-attack | sudo pacman -S bluez bluez-utils |
sudo apt install bluez bluez-tools |
aireplay-ng |
aireplay, deauth | sudo pacman -S aircrack-ng |
sudo apt install aircrack-ng |
mdk4 / mdk3 |
wifi-jam | yay -S mdk4 (AUR) |
sudo apt install mdk4 |
gpsd |
gps-spoof | sudo pacman -S gpsd |
sudo apt install gpsd |
rtl_test |
sdr | sudo pacman -S rtl-sdr |
sudo apt install rtl-sdr |
hackrf_info |
sdr | sudo pacman -S hackrf |
sudo apt install hackrf |
π‘ Run
sudo ./ewverify --check-reqbefore executing scenarios to see which tools and hardware are available on your system.
When --json is used alone, the tool skips the banner and terminal output entirely and writes only the JSON report file. This is meant for automated pipelines, cron jobs, and CI/CD integration.
Once reports are generated, you can inspect them right from the terminal:
# View aligned and formatted CSV results (top 15 results)
column -t -s ',' ewverify-report.csv | head -n 16
# Quickly inspect the structured JSON output header
cat ewverify-report.json | head -n 15Screenshots are reserved for a future visual walkthrough. The images directory contains assets that will be referenced here once the walkthrough is finalized.
EW-Verify is designed for controlled adversarial testing. All wireless attacks target test interfaces only β never production networks. Child processes are tracked and reaped. The --cleanup mode kills any remaining children. --verify-only does a read-only assessment. There are no persistent system modifications and no lateral movement. Every action is logged transparently. Use in isolated, authorized lab environments only.
You'll need a Linux kernel 5.x or newer, gcc, make, and root privileges for wireless interface access and RF tests. A wireless adapter supporting monitor mode helps for deauth and jamming scenarios. A UTF-8 compatible terminal is recommended. Optionally you'll want aircrack-ng for --aireplay, bluetoothctl for --bt-attack, and rtl-sdr/hackrf tools for --sdr.
βββ .github/workflows/
β βββ ci.yml
β βββ codeql.yml
βββ build/
β βββ obj/
βββ docs/
β βββ EW_SCENARIOS.md
β βββ EW_TAXONOMY.md
β βββ EW_VALIDATION_PROTOCOL.md
βββ Images/
β βββ ewverify1.png
β βββ ewverify2.png
β βββ ewverify3.png
βββ include/
β βββ colors.h
β βββ ewverify.h
β βββ modules.h
βββ reports/
βββ scenarios/
β βββ deauth.c
β βββ gps_spoof.c
β βββ bt_attack.c
β βββ spectrum.c
β βββ rfkill.c
β βββ regulatory.c
β βββ aireplay.c
β βββ sdr_check.c
β βββ wifi_jam.c
β βββ channel_hop.c
βββ src/
β βββ main.c
β βββ utils.c
β βββ verify.c
βββ tests/
β βββ .gitkeep
β βββ test_utils.c
βββ .clang-format
βββ .gitignore
βββ LICENSE
βββ Makefile
βββ README.md
Purple Team validation matrix with MITRE ATT&CK and EW taxonomy references.
Spectrum congestion and RF signal density assessment output.
Detection Gap Analysis with cross-referenced blind spots in the electromagnetic domain.
The language is C99. Data sources are /sys, /proc, iw, rfkill, and USB device enumeration. The build tool is GNU Make. The test framework is a custom C test harness. Target platforms are Linux Kernel 5.x and 6.x with wireless and Bluetooth support.
- Modular C99 engine with deauth, gps, bt, and spectrum modules
- Verification engine cross-referencing EW sensor and kernel interfaces
- Color-coded terminal validation matrix
- JSON/CSV structured export with MITRE ATT&CK and EW taxonomy IDs
- Detection Gap Analysis (unmonitored blind spots)
- Silent JSON mode for CI/CD pipelines
-
--verify-onlyread-only assessment mode - RFkill-based detection validation (
--rfkill) - Regulatory domain enforcement validation (
--regulatory) - SDR device readiness check (
--sdr) - Wi-Fi channel hopping detection (
--channel-hop) - Automated test suite (
make test) - CI/CD pipeline (GitHub Actions)
- Hardware requirements check (
--check-req) - Centralized hardware detection (has_wireless, has_bt, has_gps, has_sdr)
- Live tool integration (
--live) - Scenario-level automated tests with interface mocking (
/proc,/sys,iw) - Map extended taxonomy (EW-ES/EP/EA) to real MITRE ATT&CK for ICS
- Container-aware scenario execution
- eBPF-based wireless syscall telemetry


