An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.


What is MAPL? What is PEMR?

MAPL (Malicious Playground) is the 90th Cyberspace Operation Squadron's Premiere PEMR (Persistent Environment for Malware Replication) tool to support malware training.

Namely, MAPL is a Malware control platform, a suite of customizable plugins, and a Persistent Environment for Malware Replication (PEMR). MAPL is unclassified and available free of charge to any elements in the USAF or other cooperating organizations who would like to simplify their malware training process.

In fact, it's so unclassified, the source code for the control platform is available on the public internet -

MAPL provides an easy turn-key solution to spinning up the persistent environment for malware replication. Your organization will receive an archive file and with one command, you will be running the MAPL PEMR in no time.MAPL/PEMR is a completely USAF owned tool -which means it can be customized and delivered to meet your needs.
Malicious Playground Image
Do you have a specific scenario or plugin needed in a malware training environment? We can help.
Do you need MAPL/PEMR to be run in a specific environment?
We can help.

Moreover, USAF and other partners can request changes and customization of MAPL/PEMR.

What is the goal of MAPL/PEMR?

MAPL is provided to support developing and assessing the skills of those tasked with identifying malware. Our mission is to provide the tools necessary for CPTs and other customers be successful in their malware training and skill evaluations.

Where is MAPL going with PEMR possibilities?

In the immediate future, we will be adding more authentic initial exploits to the environment. Moving beyond implants that are auto-magically on host, we are working to create a more authentic training environment. (We will still provide implants auto-magically on host as requested.)

Current directions include:
  • on-demand sandbox level access to dozens of malware families in a target representative environment
  • on-demand situational simulations following defined TTPs.
  • continued additions of authentic TTPs executed by authentic malware
  • expanded deployment options for bare-metal or hypervisor environments.
  • incorporation of benign false positive or benign true positive host/network artifacts during the intended simulation.