BIPI

C2 Framework Choices for Red Teams: Cobalt Strike, Sliver, Mythic, Havoc

Cybersecurity

Picking a command and control framework is a strategic decision that affects detection, operator velocity, and report quality. This piece compares Cobalt Strike, Sliver, Mythic, and Havoc on real operational axes: protocol diversity, malleable profile depth, EDR evasion posture, and team collaboration.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 23, 2023 · 12 min read

#c2 #cobalt-strike #sliver #mythic #red-team

The C2 decision matters

A C2 framework is not a binary; it is a platform. The choice affects how easily you build malleable profiles, how detectable your beacons are, how cleanly your operators collaborate, and how defensible your report is when a client asks how you did it.

Cobalt Strike

  • Industry standard with the deepest malleable C2 profile support.
  • Aggressor scripting for operator workflow extension.
  • Heavily fingerprinted by EDR vendors; requires significant tuning to survive.

Sliver

  • Open source, written in Go, multi-OS implants by default.
  • Native mTLS, WireGuard, HTTP, and DNS transports.
  • Excellent for teams that need a defensible licensing story.

Mythic

  • Modular agent ecosystem with Apollo, Apfell, and Athena.
  • Strong macOS and Linux story, often the gap in Cobalt-only shops.
  • Docker-based deployment that scales well across multiple operators.

Havoc

  • Modern open source framework with a clean operator GUI.
  • Indirect syscalls and sleep obfuscation built in.
  • Smaller community, but rapidly maturing.

Protocol diversity

Mix HTTPS over CDN, DNS over HTTPS, and SMB pivots inside the environment. A single transport is a single signature for the SOC to detect. Modern frameworks let you alternate at runtime, which dramatically raises the cost of detection.
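The point above cuts both ways: a SOC that keys its beacon detection on one (host, transport, destination) stream will miss an implant that alternates transports, while the same cadence is still visible once activity is collapsed per source host. The following is an added example, not code from the article or from any of the frameworks it discusses; it runs a simple inter-arrival regularity check over constructed proxy and DNS log lines (the hostnames, the `MIN_EVENTS` and `MAX_CV` thresholds, and the log format are all assumptions made for the illustration).

```python
"""Beacon-regularity check over constructed log lines (added example, not from the article)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one event per line: "<ISO timestamp> <src host> <transport> <destination>".
# ws-01 beacons over a single transport at a fixed 60s period.
# ws-02 rotates across three transports at the same 60s cadence, so each
# (host, transport, destination) stream on its own holds only two events.
# ws-03 is ordinary, irregular browsing traffic.
SAMPLE_LOG = """\
2023-11-20T09:00:00 ws-01 https cdn-a.example.net
2023-11-20T09:01:00 ws-01 https cdn-a.example.net
2023-11-20T09:02:00 ws-01 https cdn-a.example.net
2023-11-20T09:03:00 ws-01 https cdn-a.example.net
2023-11-20T09:04:00 ws-01 https cdn-a.example.net
2023-11-20T09:05:00 ws-01 https cdn-a.example.net
2023-11-20T09:00:00 ws-02 https cdn-b.example.net
2023-11-20T09:01:00 ws-02 doh dns.example-resolver.net
2023-11-20T09:02:00 ws-02 smb fs-02.corp.local
2023-11-20T09:03:00 ws-02 https cdn-b.example.net
2023-11-20T09:04:00 ws-02 doh dns.example-resolver.net
2023-11-20T09:05:00 ws-02 smb fs-02.corp.local
2023-11-20T09:00:13 ws-03 https www.example.org
2023-11-20T09:00:41 ws-03 https www.example.org
2023-11-20T09:03:07 ws-03 https www.example.org
2023-11-20T09:07:55 ws-03 https www.example.org
2023-11-20T09:08:02 ws-03 https www.example.org
2023-11-20T09:15:30 ws-03 https www.example.org
"""

MIN_EVENTS = 5   # assumption: fewer events than this is too little to judge regularity
MAX_CV = 0.2     # assumption: coefficient of variation at or below this counts as periodic


def parse(log_text):
    """Turn the constructed log text into (timestamp, host, transport, destination) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, transport, dest = line.split()
        events.append((datetime.fromisoformat(ts), host, transport, dest))
    return events


def regularity(timestamps):
    """Return (event count, coefficient of variation of inter-arrival gaps or None)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return len(ts), None
    return len(ts), pstdev(gaps) / mean(gaps)


def flag_regular(events, key):
    """Group events by `key` and return the groups whose timing looks periodic."""
    groups = defaultdict(list)
    for ev in events:
        groups[key(ev)].append(ev[0])
    flagged = {}
    for k, stamps in groups.items():
        n, cv = regularity(stamps)
        if n >= MIN_EVENTS and cv is not None and cv <= MAX_CV:
            flagged[k] = round(cv, 3)
    return flagged


def per_stream(events):
    """Naive view: one signature per (host, transport, destination) stream."""
    return flag_regular(events, lambda e: (e[1], e[2], e[3]))


def per_host(events):
    """Collapsed view: periodic outbound activity from a host, whatever the transport."""
    return flag_regular(events, lambda e: e[1])


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per stream:", per_stream(evs))
    print("per host:  ", per_host(evs))
```

Run stand-alone, the per-stream view flags only ws-01, because ws-02's rotation leaves each stream below `MIN_EVENTS`; the per-host view flags both ws-01 and ws-02 and leaves the irregular ws-03 traffic alone. The lesson for the detection side is that transport rotation defeats per-stream signatures but not host-level timing analysis, which is the check a blue team should be running against this technique.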

Malleable profile depth

  • Cobalt Strike profiles support per-field rewriting and traffic shape control.
  • Mythic agents like Apollo expose similar controls through Python configuration.
  • Sliver and Havoc are catching up but require more manual work for traffic mimicry.

EDR evasion tradeoffs

  • Sleep obfuscation matters more than initial loader cleverness.
  • Indirect syscalls reduce ETW telemetry but trigger AMSI surface scans if misused.
  • AV bypass alone is not EDR bypass; behaviour signatures dominate now.

Team collaboration

  1. Cobalt Strike still has the smoothest team server experience.
  2. Mythic has the cleanest multi-operator UI for new teams.
  3. Sliver scripting via gRPC is excellent for tool builders.

Reporting

Whatever you pick, log every operator command with timestamp, target, and outcome. Mythic and Sliver export this natively. Cobalt Strike needs Aggressor or a sidecar logger. Without command-level logs, the client report is reconstruction, not evidence.
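One way to keep such a command-level record in a form that survives a "how do we know this wasn't edited afterwards" question is to chain each entry to the previous one with a hash. The following is an added example, not code from the article or from Mythic, Sliver or Cobalt Strike; it is a minimal append-only JSON-lines operator log with per-record SHA-256 chaining and a verifier. The record fields mirror the article's minimum (timestamp, target, outcome) plus operator and command; the operator names, hosts, commands and outcomes in `demo()` are constructed sample values, and the hash-chain design itself is this example's choice rather than anything the frameworks do natively.

```python
"""Hash-chained operator command log (added example, not from the article or any C2 framework)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(record):
    # Canonical JSON (sorted keys, no whitespace) so re-serialising reproduces the hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class CommandLog:
    """Append-only list of records; each record's hash covers its body and the previous hash."""

    def __init__(self):
        self.records = []

    def append(self, operator, target, command, outcome, ts=None):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "operator": operator,
            "target": target,
            "command": command,
            "outcome": outcome,
            "prev": prev,
        }
        body["hash"] = _digest(body)
        self.records.append(body)
        return body["hash"]

    def to_jsonl(self):
        """One JSON object per line, the form you would hand over with the report."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def verify_jsonl(text):
    """Walk the chain; return (True, None) or (False, index of the first bad record)."""
    prev = GENESIS
    for i, line in enumerate(text.splitlines()):
        rec = json.loads(line)
        stored = rec.pop("hash", None)
        if rec.get("prev") != prev or stored is None or _digest(rec) != stored:
            return False, i
        prev = stored
    return True, None


def demo():
    """Build a three-entry log (constructed values), then show that editing one entry is caught."""
    log = CommandLog()
    log.append("operator-a", "ws-01.corp.local", "whoami", "ok: CORP\\svc_build",
               ts="2023-11-20T09:00:00+00:00")
    log.append("operator-a", "ws-01.corp.local", "ls C:\\Users", "ok: 4 entries",
               ts="2023-11-20T09:00:30+00:00")
    log.append("operator-b", "fs-02.corp.local", "ps", "denied: EDR blocked",
               ts="2023-11-20T09:01:10+00:00")
    text = log.to_jsonl()

    # After-the-fact edit of the second record's outcome: the chain breaks at index 1.
    lines = text.splitlines()
    rec = json.loads(lines[1])
    rec["outcome"] = "ok: 0 entries"
    lines[1] = json.dumps(rec, sort_keys=True)
    tampered = "\n".join(lines)

    return verify_jsonl(text), verify_jsonl(tampered)


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1))
```

A sidecar like this is framework-agnostic: wrap whatever the team server exposes (Aggressor event hooks in Cobalt Strike, the export in Mythic or Sliver) so that every command lands here as well. Handing the client the JSON lines together with the final hash lets them re-run `verify_jsonl` themselves, which turns the command log from a reconstruction into evidence.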

Recommendation

  • Default to a multi-framework posture: one commercial, one open source.
  • Match the framework to the engagement, not the operator preference.
  • Rotate frameworks quarterly so your infrastructure does not develop a fingerprint.

  • 63%: Cobalt Strike fingerprint detections
  • 57%: Sliver implants surviving 48h
  • +118%: Mythic adoption growth (2022-23)

A multi-framework team buys you the choice to disappear when one framework gets burned.
