A Command & Control (C2) framework is the software the red team uses to communicate with implants on compromised hosts. Beacon on the endpoint, team server at the operator end, network protocols between them. This module covers the major C2 frameworks in 2026, the anatomy of a beacon, and the operational tradeoffs between them.
What a C2 framework provides
- Implant (beacon): the payload that runs on the victim; calls home periodically; executes tasks
- Team server: the control plane; operators connect to it to task beacons
- Transports: protocols beacons use to call home — HTTP/HTTPS, DNS, SMB named pipes, custom
- Malleable profiles: customize how traffic looks on the wire — User-Agent, URI patterns, staging responses
- Operator UI: CLI and/or GUI to run commands on beacons, upload/download files, pivot
- Built-in capabilities: port scanning, credential theft modules, lateral movement primitives, socks proxy for tunnelling
Major C2 frameworks in 2026
Cobalt Strike (commercial)
- Industry standard; $5,900/user/year as of 2025
- Powerful malleable C2 profiles
- Rich in-beacon features (BOFs — Beacon Object Files extend capability without touching the beacon)
- Widely detected by EDR out of the box; operators spend significant time customizing to evade
- Very well documented; extensive community
Sliver (open source)
- Maintained by Bishop Fox; written in Go; cross-platform implants (Linux/macOS/Windows)
- Multiple transports: mTLS, HTTP(S), DNS, WireGuard
- Active development; quickly catching up feature-wise
- Less detected than Cobalt Strike because it is used less, so fewer signatures target it; detection coverage is growing
- Free — makes it the go-to for smaller engagements and internal purple-team work
Havoc (open source)
- Modern open-source C2 with a focus on evasion
- Written in C/C++ for the implant, Go for the team server
- Custom encryption, demon agent with good obfuscation out of the box
- Community-driven; less mature than Sliver but actively developed
Mythic (open source orchestrator)
- Not one C2 — a framework that runs multiple agents (Apollo, Apfell, Poseidon, Nim-based agents) under one operator UI
- Deployed with docker-compose; new agents are added through a plugin architecture
- Favoured by researchers and teams that want to diversify their implants
Brute Ratel (commercial)
- High-end commercial competitor to Cobalt Strike; small team, vetted customer base
- Better default evasion; more expensive
- Used by real threat actors after a cracked copy leaked in 2022, which affected its reputation for legitimate use
Beacon anatomy
A typical Cobalt Strike HTTPS beacon, simplified:
sleep = 60s ± 20% jitter
get-uri = /api/v1/resources
user-agent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...
Every 60s (±12s):
1. HTTP GET https://c2-redirector.example.com/api/v1/resources
2. Server responds with 200 OK + task data (encrypted)
3. Beacon decrypts, executes task
4. Beacon HTTP POSTs results to /submit endpoint
5. Results encrypted in POST body; looks like normal API traffic
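The check-in pattern above (fixed sleep, small jitter, fixed URI) is also what a defender keys on. The following is an added example, not code from this module: a small beaconing detector run over constructed proxy log lines (the hostnames, IPs, log format and offsets are all made up for the example). It groups requests by source, host, method and path, computes the inter-request interval statistics, and flags series whose intervals are tight around a mean, which is how 60s ± 20% jitter looks next to ordinary bursty browsing.

```python
"""Beaconing detector over proxy logs (added example; sample data is constructed)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: offsets in seconds from a base time (not real logs).
BASE = datetime(2026, 1, 15, 9, 0, 0)

# Beacon check-ins: 60 s sleep with roughly 20 % jitter, always the same URI.
BEACON_GET_OFFSETS = [0, 55, 118, 170, 240, 295, 360, 418, 475, 540]
# Occasional result uploads after a task (too few to form a series on their own).
BEACON_POST_OFFSETS = [119, 296, 476]
# Ordinary browsing from the same host: bursty timing, many different paths.
BROWSE = [(0, "/"), (2, "/css/site.css"), (3, "/js/app.js"), (45, "/news"),
          (47, "/news/1"), (300, "/search?q=x"), (302, "/results"),
          (303, "/img/a.png"), (900, "/about"), (1500, "/contact")]

# Assumed log format: "<iso-timestamp> <src-ip> <METHOD> <url> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<status>\d{3})$"
)


def build_sample_log() -> str:
    """Render the constructed events as log lines, sorted by timestamp."""
    lines = []
    for off in BEACON_GET_OFFSETS:
        ts = (BASE + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.23 GET https://c2-redirector.example.com/api/v1/resources 200")
    for off in BEACON_POST_OFFSETS:
        ts = (BASE + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.23 POST https://c2-redirector.example.com/submit 200")
    for off, path in BROWSE:
        ts = (BASE + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts} 10.0.0.23 GET https://www.example.org{path} 200")
    lines.sort()  # ISO timestamps sort lexically
    return "\n".join(lines)


def parse_log(text: str) -> dict:
    """Group request timestamps by (src, host, method, path)."""
    series = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        key = (m["src"], m["host"], m["method"], m["path"])
        series[key].append(datetime.fromisoformat(m["ts"]))
    return series


def interval_stats(timestamps):
    """Return (mean_gap, coefficient_of_variation) for a sorted-able time series."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    cv = statistics.pstdev(gaps) / mean  # low cv == regular check-ins
    return mean, cv


def find_beacons(log_text: str, min_events: int = 8, max_cv: float = 0.25) -> list:
    """Flag request series that are both long enough and regular enough to look like beaconing."""
    hits = []
    for (src, host, method, path), stamps in parse_log(log_text).items():
        if len(stamps) < min_events:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "host": host, "method": method, "path": path,
                         "count": len(stamps), "mean_interval": mean, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_log()):
        print(f"{hit['src']} -> {hit['host']}{hit['path']} ({hit['method']}): "
              f"{hit['count']} requests, mean {hit['mean_interval']:.1f}s, cv {hit['cv']:.2f}")
```

The thresholds are illustrative: `max_cv` of 0.25 comfortably catches the 20% jitter in the module's profile while the browsing series, whose gaps range from a second to ten minutes, is nowhere near it. Real deployments also look at the GET/POST split, the fixed URI, and long-lived series rather than a single window, and a profile with much larger jitter or a long sleep will need a wider window of logs to show up.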
Transports — choose by environment
- HTTPS: most common. Blends in with normal web traffic. Easy to set up
- DNS: works when HTTP egress is blocked. Slow (limited to DNS response sizes), noisy at high volume
- SMB named pipes: for lateral beacons that don’t need internet. Beacon-to-beacon relay inside the network
- Custom over TLS: WireGuard-wrapped, mTLS — harder to fingerprint than plain HTTPS if the blue team has TLS inspection
- Cloud fronting: C2 through a CDN (CloudFront, Fastly) so the hostname in SNI is a legitimate CDN. Increasingly blocked by providers
Malleable C2 profiles — camouflage
Out-of-box Cobalt Strike traffic is fingerprintable. Malleable profiles let you mimic a legitimate service — Amazon, Office365, Google. Example snippet: