VYPR
Research · Published May 27, 2026 · 1 source

Cisco Talos Releases EvidenceForge: Open-Source Tool Generates Realistic Synthetic Security Logs

Cisco Talos has open-sourced EvidenceForge, a synthetic log generator that produces causally consistent, multi-format security datasets for training threat hunters and validating detection logic.

Cisco Talos has released EvidenceForge, an open-source tool designed to generate realistic synthetic security logs that overcome the limitations of stale or anonymized public datasets. Announced on May 27, 2026, the tool addresses a persistent challenge for security teams: obtaining high-quality, labeled telemetry to train threat hunters, validate detection rules, and develop machine learning models without the cost and complexity of real infrastructure or manual attack simulations.

Unlike existing synthetic generators that produce events independently for each log format, EvidenceForge uses a single canonical SecurityEvent object that ensures causal and temporal consistency across all outputs. Every piece of evidence—whether a Windows Security Event, Sysmon entry, Linux syslog, Zeek connection, or Snort alert—flows from the same underlying event model. This shared state means that a process ID, logon ID, or network connection appears identically across formats, eliminating the disjointed seams that make synthetic data obvious to experienced analysts.

The tool supports over 20 log formats, including 30 Windows Security Event IDs, 10 Sysmon event IDs, EDR/XDR telemetry, Linux syslog, bash history, Zeek JSON logs, Snort IDS alerts, firewall logs, and web server logs. It also incorporates realistic background noise and "red herrings" to simulate the complexity of real environments. A scenario configuration file in YAML defines the environment—hosts, users, network topology—and an optional attack storyline, which the engine uses to produce a fully correlated dataset with ground truth documentation and an analyst briefing.

EvidenceForge is designed for multiple use cases: teaching threat hunters and incident responders with datasets that have known ground truth, validating that detections fire on the right activity without false positives, and training ML models that need labeled, balanced, multi-source telemetry at scale. Cisco Talos notes that no purely synthetic dataset will fool a seasoned analyst in every case, but the goal is fidelity good enough to be useful, not indistinguishable from production data.

The release comes as security teams increasingly rely on data-driven approaches to combat sophisticated threats. Existing options—such as anonymized public datasets like LANL or OpTC, or manual attack simulations using frameworks like Atomic Red Team or MITRE Caldera—are often stale, narrow, or resource-intensive. EvidenceForge aims to fill this gap by providing a scalable, open-source alternative that produces correlated, multi-source datasets with minimal setup.

Cisco Talos has made EvidenceForge available as an open-source project, inviting community contributions and feedback. The tool is expected to be particularly valuable for organizations building detection engineering pipelines, conducting red team exercises, or developing AI-based security analytics. By lowering the barrier to high-quality synthetic data, EvidenceForge could accelerate the development and validation of security tools across the industry.

Synthesized by Vypr AI