ShieldChecker is a comprehensive community solution that allows testing established detections with Microsoft Defender XDR end-to-end. Unlike traditional approaches that simply replay logs, ShieldChecker actually executes tests and verifies that expected detections are triggered, providing real-world validation of your security controls. More information can be found on the Homepage.
ShieldChecker is a comprehensive open-source security testing platform designed to validate Microsoft Defender XDR detections through real-world test execution. The platform combines:
- End-to-End Security Testing - Actually executes security tests rather than simply replaying logs
- Microsoft Defender XDR Validation - Verifies that expected detections are triggered in your environment
- Azure-Native Architecture - Built entirely on native Azure services and deployed in your own Azure tenant
- Cost-Effective Operation - Pay-as-you-go Azure pricing model with low monthly infrastructure costs (~$200 USD)
- Multi-Platform Support - Testing capabilities for both Windows and Linux environments
- Domain Controller Testing - Supports tests against domain controllers for comprehensive coverage
- Atomic Red Team Integration - Quick start with ability to import Atomic Red Team tests
- Automated Scheduling - Built-in scheduler for regular testing cycles without manual intervention
- Simplified Review Process - Streamlined error handling with dedicated RDP sessions for missed detections
- Production Isolation - Deployment in a dedicated test tenant is recommended so that test activity does not interfere with the ML algorithms in your production tenant
- Microsoft 365 E5 Ready - One E5 subscription provides all necessary Defender XDR features
- Full Automation - Completely automated solution requiring minimal manual intervention
- Open Source - Available under GPL-3.0 license with community-driven development
The platform consists of several key components:
- Function App (`src/FunctionApp/`) - Azure Functions for serverless execution of security tests
- Web Application (`src/Webapp/`) - Frontend interface for managing and viewing security assessments
- Executor (`src/Executor/`) - Core execution engine for running security validations
- Bicep Templates (`src/Bicep/`) - Infrastructure as Code for Azure deployment
- VM DSC (`src/VmDsc/`) - PowerShell Desired State Configuration for virtual machine setup
- Scheduler (`Scheduler/`) - Task scheduling and orchestration components
Check the Deployment page for detailed instructions regarding deployment.
The project provides several deployment scripts:
| Script | Purpose |
|---|---|
| `Invoke-Build.ps1` | Build the solution locally |
| `Invoke-Deploy.ps1` | Deploy to Azure infrastructure |
| `Invoke-UpdateWebAppAndSql.ps1` | Update existing web app and database |
```
src/
├── Bicep/          # Infrastructure as Code templates
├── Executor/       # Core execution engine
├── FunctionApp/    # Azure Functions
├── VmDsc/          # PowerShell DSC configurations
└── Webapp/         # Web application frontend
Deploy/
└── Latest/         # Latest deployment artifacts
Scheduler/          # Task scheduling components
└── ImportTests/    # Test import functionality
SupportiveContent/  # Additional resources and documentation
```
- Homepage
- Deployment Guide - Detailed deployment instructions
- Documentation - Comprehensive project documentation
- Changelog - Version history and updates
- Fork the repository
- Create a feature branch
- Make your changes
- Run tests to ensure functionality by running Invoke-Build followed by Invoke-Deploy
- Submit a pull request
Please see our issue templates for bug reports and feature requests.
For issues and support:
- Check existing GitHub Issues
- Review the Documentation
- Consult the Deployment Guide
There is no guaranteed support or response. The project is a community project maintained as a hobby.
This project is licensed under the terms specified in the LICENSE file.