AttackIQ Integration Guide
Overview
The AttackIQ integration connects NINA workflows to the AttackIQ FireDrill breach and attack simulation (BAS) platform. It allows you to orchestrate security control validation — running assessments, tracking results, browsing attack scenarios, and managing assets — directly from your workflows.
Supported resources:
- Assessment — Create, run, stop, delete, and monitor assessments; retrieve results and schedules
- Assessment Template — Browse and search available assessment templates by name, category, or TTP
- Asset — List and search machines registered as test targets by hostname or IP
- Asset Group — Query asset groups used to organize machines under test
- Scenario — Browse individual attack scenarios (MITRE ATT&CK techniques and custom scenarios)
- Scenario Tag — Query tags associated with scenarios (MITRE ATT&CK technique IDs, custom labels)
- Test — Run, stop, and query individual tests within an assessment; retrieve per-test results
- Test Scenario — Query test-scenario associations (which scenarios are linked to which tests)
- User — List and look up platform users
- Validation Result — Query historical execution results per scenario or per asset
Authentication uses an Account Token (Private Token) passed with the Token prefix in the Authorization header (Authorization: Token <value>). The Account Token does not expire, making it the only supported method for integrations. All resources share the same credential.
Credential Configuration
Authentication
| Field | Description | Default |
|---|---|---|
| API Token | Your AttackIQ Account Token (Authorization: Token <value>) | — |
| Base URL | API endpoint | https://firedrill.attackiq.com/api/v1 |
How to Get Your AttackIQ Account Token
- Log in to your AttackIQ FireDrill instance (e.g.,
https://firedrill.attackiq.com) - Navigate to User → Account
- Copy the Private Token value displayed on that page
- Keep it secure — the token grants full API access under your user account and does not expire unless manually revoked
Note: The base URL varies by tenant. If your organization uses a custom FireDrill domain, override the Base URL field in the credential with your instance's API endpoint (e.g., https://yourcompany.firedrill.attackiq.com/api/v1). Do not use a JWT token — JWTs expire and are not supported by this integration.
Creating a Credential in NINA
- Navigate to Credentials → Add New Credential
- Select integration service: AttackIQ
- Auth type: API Key
- Fill in your API Token and optionally override the Base URL
- Click Test Connection then Save
Supported Resources and Operations
Assessment
Create, manage, and execute AttackIQ assessments. An assessment groups a set of tests targeting specific assets and is the primary unit of work in the BAS workflow.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Assessments | GET /assessments | List all assessments with optional search filter and pagination |
get | Get Assessment | GET /assessments/{assessment_id} | Retrieve a specific assessment by ID |
create | Create Assessment | POST /assessments | Create a new assessment, optionally from a template |
delete | Delete Assessment | DELETE /assessments/{assessment_id} | Delete an assessment |
run | Run Assessment | POST /assessments/{assessment_id}/run_all_tests | Trigger all tests in the assessment |
stop | Stop Assessment | POST /assessments/{assessment_id}/stop_all_tests | Stop all running tests in the assessment |
getStatus | Get Assessment Status | GET /assessments/{assessment_id}/status | Check the current execution status and progress |
getResults | Get Assessment Results | GET /results?assessment=... | Retrieve test results for an assessment with filtering |
getScheduleList | Get Schedule List | GET /assessments/schedule_list | Retrieve all periodic tasks for scheduled assessment runs |
Key parameters:
list:
search— filter by name or descriptionpage/page_size— pagination
create:
name(required) — name for the new assessmenttemplate_id— base the assessment on an existing template (useassessment_template.listto browse)
getResults:
assessment— assessment ID to filter results byscenario— filter results by scenario IDoutcome_filter— filter by outcome:Passed,Failed,Erroredshow_last_result— boolean; return only the most recent result per testpage/page_size— pagination
Assessment Template
Browse available assessment templates. Templates are pre-configured test plans provided by AttackIQ or your organization.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Assessment Templates | GET /assessment_templates | List all assessment templates with optional search and filtering |
get | Get Assessment Template | GET /assessment_templates/{template_id} | Retrieve a specific template by ID |
Key parameters for list:
search— search by template name (supports TTP IDs likeT1059)category— filter by category (e.g.MITRE)template_name— filter by exact template namepage/page_size— pagination
Asset
Assets are the machines registered in AttackIQ as test targets — servers, workstations, or cloud instances where the FireDrill agent is installed.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Assets | GET /assets | List all registered assets with search, hostname, and IP filtering |
get | Get Asset | GET /assets/{asset_id} | Retrieve a specific asset by ID |
Key parameters for list:
search— search assets by hostname or IPhostname— filter by exact hostnameipv4_address— filter by IPv4 addresspage/page_size— pagination
Asset Group
Asset groups organize assets (machines under test) into logical collections for easier management and targeted assessments.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Asset Groups | GET /asset_groups | List all asset groups with optional search and name filtering |
get | Get Asset Group | GET /asset_groups/{asset_group_id} | Retrieve a specific asset group by ID |
Key parameters for list:
search— search groups by name or descriptionname— filter by exact group namepage/page_size— pagination
Scenario
Attack scenarios represent individual attack techniques — typically mapped to MITRE ATT&CK. Browse them to understand what is available in your AttackIQ library before building assessments.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Scenarios | GET /scenarios | List all available attack scenarios with optional search |
get | Get Scenario | GET /scenarios/{scenario_id} | Retrieve a specific scenario by ID |
Key parameters for list:
search— filter by name, description, or tag names (e.g.,"lateral movement","T1059")page/page_size— pagination
Scenario Tag
Scenario tags categorize attack scenarios — typically MITRE ATT&CK technique IDs (e.g., T1059), tactic names (e.g., Execution), or custom labels. Use them to resolve tag names to UUIDs for filtering.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Scenario Tags | GET /scenario_tags | List all scenario tags with optional search |
get | Get Scenario Tag | GET /scenario_tags/{scenario_tag_id} | Retrieve a specific tag by ID |
Key parameters for list:
search— search by tag name (e.g.,T1059,APT29)scenario— filter tags by scenario IDtag— filter by tag UUIDpage/page_size— pagination
Test
Tests are the individual attack scenario executions within an assessment. You can run, stop, and query them independently.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Tests | GET /tests | List all tests with optional search, pagination, and assessment filtering |
get | Get Test | GET /tests/{test_id} | Retrieve a specific test by ID |
run | Run Test | POST /tests/{test_id}/run_test | Execute a specific test |
stop | Stop Test | POST /tests/{test_id}/stop_test | Stop a running test |
getStatus | Get Test Status | GET /tests/{test_id}/get_status | Check the execution status of a test |
getResults | Get Test Results | GET /results?test=... | Retrieve results for a specific test |
Key parameters:
list:
search— filter by name or descriptionassessment— filter tests by assessment IDpage/page_size— pagination
getResults:
test— test ID to filter results byscenario— filter results by scenario IDoutcome_filter— filter by outcome:Passed,Failed,Erroredshow_last_result— boolean; return only the most recent resultpage/page_size— pagination
Test Scenario
Test-scenario associations link tests to their underlying attack scenarios. Query them to discover which scenarios are included in which tests.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Test Scenarios | GET /test_scenarios | List all test-scenario associations |
get | Get Test Scenario | GET /test_scenarios/{test_scenario_id} | Retrieve a specific test-scenario association by ID |
Key parameters for list:
page/page_size— pagination
User
Look up users registered on the AttackIQ platform. Useful for auditing or resolving user references in other responses.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Users | GET /users | List all platform users with pagination |
get | Get User | GET /users/{user_id} | Retrieve a specific user by ID |
Validation Result
Query historical execution results and validation data. Useful for checking whether scenarios have been executed and reviewing per-asset or per-scenario summaries over a configurable lookback window.
| Operation | Name | HTTP | Description |
|---|---|---|---|
list | List Validation Results | GET /validation_results | Per-scenario summary of execution results within a lookback window |
getScenarioExecutions | Get Scenario Executions | GET /validation_results/scenario/{scenario_id}/executions | Per-asset execution history for a specific scenario |
getByAsset | Get By Asset | GET /validation_results/by_asset | Per-asset summary of validation results |
getAssetExecutions | Get Asset Executions | GET /validation_results/asset/{asset_id}/executions | Per-scenario execution history for a specific asset |
Key parameters:
list:
days— lookback window in days (1–90)project_ids— comma-separated assessment UUIDspage/page_size— pagination (0-indexed, max 200)
getScenarioExecutions:
scenario_id(required) — the scenario IDdays— lookback window in days (1–90)
getByAsset:
days— lookback window in days (1–90)page/page_size— pagination (0-indexed, max 200)
getAssetExecutions:
asset_id(required) — the asset IDdays— lookback window in days (1–90)project_ids— comma-separated assessment UUIDs
Examples
List Assessments
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "list",
"parameters": {
"page": 1,
"page_size": 25
}
}
Search Assessments by Name
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "list",
"parameters": {
"search": "quarterly validation",
"page_size": 10
}
}
Create an Assessment from a Template
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "create",
"parameters": {
"name": "Q2 2026 – Endpoint Validation",
"template_id": "tmpl-abc-123"
}
}
Run an Assessment
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "run",
"parameters": {
"assessment_id": "assess-abc-123"
}
}
Check Assessment Status
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getStatus",
"parameters": {
"assessment_id": "assess-abc-123"
}
}
Get Assessment Results (Failed Only)
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getResults",
"parameters": {
"assessment": "assess-abc-123",
"outcome_filter": "Failed",
"show_last_result": true,
"page_size": 50
}
}
Stop an Assessment
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "stop",
"parameters": {
"assessment_id": "assess-abc-123"
}
}
Search Templates by TTP
{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {
"search": "T1059",
"page_size": 10
}
}
Search Templates by Category
{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {
"category": "MITRE",
"page_size": 20
}
}
List Assessment Templates
{
"integration_service": "attack-iq",
"resource": "assessment_template",
"operation": "list",
"parameters": {}
}
Search for Attack Scenarios
{
"integration_service": "attack-iq",
"resource": "scenario",
"operation": "list",
"parameters": {
"search": "credential dumping",
"page_size": 20
}
}
Run a Specific Test
{
"integration_service": "attack-iq",
"resource": "test",
"operation": "run",
"parameters": {
"test_id": "test-xyz-456"
}
}
Get Test Results
{
"integration_service": "attack-iq",
"resource": "test",
"operation": "getResults",
"parameters": {
"test": "test-xyz-456",
"show_last_result": true
}
}
Find Assets by Hostname
{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"hostname": "CXB0054576"
}
}
Find Assets by IP
{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"ipv4_address": "10.122.208.149"
}
}
List Assets
{
"integration_service": "attack-iq",
"resource": "asset",
"operation": "list",
"parameters": {
"page_size": 100
}
}
Get Validation Results (Last 30 Days)
{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "list",
"parameters": {
"days": 30,
"page_size": 50
}
}
Get Scenario Execution History
{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getScenarioExecutions",
"parameters": {
"scenario_id": "scen-abc-123",
"days": 30
}
}
Get Validation Results by Asset
{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getByAsset",
"parameters": {
"days": 30,
"page_size": 50
}
}
Get Asset Execution History
{
"integration_service": "attack-iq",
"resource": "validation_result",
"operation": "getAssetExecutions",
"parameters": {
"asset_id": "asset-abc-123",
"days": 30
}
}
List Assessment Schedules
{
"integration_service": "attack-iq",
"resource": "assessment",
"operation": "getScheduleList",
"parameters": {}
}
List Asset Groups
{
"integration_service": "attack-iq",
"resource": "asset_group",
"operation": "list",
"parameters": {
"search": "production",
"page_size": 50
}
}
Search Scenario Tags by TTP
{
"integration_service": "attack-iq",
"resource": "scenario_tag",
"operation": "list",
"parameters": {
"search": "T1059",
"page_size": 20
}
}
List Test Scenarios
{
"integration_service": "attack-iq",
"resource": "test_scenario",
"operation": "list",
"parameters": {
"page_size": 50
}
}
Common Workflow Patterns
Run an Assessment and Collect Failures
assessment.run— trigger the assessmentassessment.getStatus— poll until status is complete (loop with delay node)assessment.getResults— fetch results withoutcome_filter: "Failed"andshow_last_result: true- Branch on result count — trigger alerting or ticketing if failures exist
Build and Run a New Assessment
assessment_template.list— browse available templatesassessment.create— create a new assessment with the chosen template ID and a descriptive nameassessment.run— start the assessmentassessment.getStatus— wait for completionassessment.getResults— retrieve results
Investigate a Specific Control Failure
assessment.getResults— get failed results for an assessmenttest.get— retrieve full details for a specific failing test (extracttest_idfrom results)scenario.get— look up the scenario associated with the test for MITRE technique contextasset.get— inspect the asset where the failure occurred
Search for Scenarios by Technique
scenario.listwithsearch: "T1059"— find scenarios mapped to a MITRE ATT&CK technique- Use the scenario IDs to identify which tests in your assessments cover that technique
test.getResults— check whether those tests are passing or failing
Troubleshooting
| Issue | Resolution |
|---|---|
| 401 Unauthorized | Verify your token is an Account Token (Private Token from User → Account), not a JWT. If the error persists, regenerate the token in the AttackIQ UI and update the NINA credential |
| 403 Forbidden | Your user account lacks permission for this operation — check role assignments in AttackIQ |
| 404 Not Found | The assessment_id, test_id, asset_id, or scenario_id does not exist — verify with a list operation first |
Empty results on getResults | Assessment may still be running — check status with getStatus and wait for completion |
run returns no error but tests don't start | Assessment may have no assets assigned or no enabled tests — verify assessment configuration in the UI |
| Missing path parameter error | Ensure assessment_id, test_id, asset_id, etc. are included in the parameters object |
| Wrong base URL | If your tenant uses a custom domain, override the Base URL in the credential to match your FireDrill instance |
| 429 Too Many Requests | Rate limit hit — reduce request frequency and add delays between polling calls |
Security Considerations
- Protect API Tokens: Store exclusively through NINA credential management — never in workflow parameters or logs
- Destructive Operations:
assessment.run,test.run, andassessment.deletecause immediate action on production assets — gate these behind approval steps in workflows intended for production environments - Scope API Access: Where possible, use a dedicated service account with the minimum role needed; avoid using personal admin tokens
- Token Management: Account Tokens do not expire automatically. Revoke and regenerate them periodically per your organization's policy; revoke immediately if compromised
- Result Data Sensitivity: Assessment results may contain information about security control gaps — treat them as sensitive and restrict workflow output accordingly
Additional Resources
- AttackIQ FireDrill Platform
- AttackIQ API Documentation
- MITRE ATT&CK Framework — used to categorize AttackIQ scenarios
- AttackIQ Academy — free training on BAS concepts and platform usage
Updated: 2026-06-01