For detection teams and AI SOC agents

Synthetic security logs with ground truth built in.

Okta System Log streams with attacks, false-positive noise, and a realistic benign baseline. Deterministically generated, so every stream ships with the answer key: which alerts are real, which are noise, and what actually happened.

No forms. Write tim@aginor.ai and the full 42-scenario catalog comes back by reply.

The catalog

42 scenarios across four categories, each mapped to MITRE ATT&CK.

42 scenario catalog
33 false-positive patterns
9 external data sources

Each scenario generates a full stream, not a snippet: a benign baseline of everyday auth traffic, false positives layered in, and the attack itself a sliver of the volume. Multi-phase kill chains like Scattered Spider and insider threat escalation run end to end today, and the password spray scenario runs with three MFA-path variants. The rest of the catalog is configuration on the same pattern engine, which works from the full Okta event type catalog of 1,025 types.

Categories
- Direct Okta attacks (18)
- SSO-visible downstream (12)
- Absence detection (7)
- Multi-phase kill chains (5)

Example scenarios
- Password spray
- MFA fatigue
- Help desk social engineering
- Federation backdoor
- AWS role escalation via SSO
- Golden SAML bypass
- Ghost sessions
- Scattered Spider full chain
- Insider threat escalation

What makes it hard

Your agent can't pattern-match its way through.

Attacks are needles, not haystacks

In a default stream the malicious handful sits inside tens of thousands of ordinary logins, MFA checks, and admin routine. Stream size and attack share are config values, so you decide how deep the needle is buried.

A quarter of the volume looks like an attack

33 false-positive patterns mimic every attack category: travel failures, push-deny-then-approve, help desk resets, VPN IP hops. Same event types as the real thing. The difference is always contextual.

No structural tells

Attack events share the same structure, IDs, and transaction shapes as benign events. No round-number timestamps, no obviously evil names, and attacker IPs overlap legitimate infrastructure. If your agent finds the attack, it found it the way an analyst would.

Sometimes the signal is absence

Seven scenarios have no attack events to find. Golden SAML, token replay, ghost sessions: the tell is that expected Okta events are missing. Systems that only look at what's present can't solve these.
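One way to make an absence check concrete, as an added example that is not the generator's own code: replay Okta System Log-shaped events in order and flag an app SSO event whose session has no prior sign-in or whose session already ended. The sample events are constructed; the eventType names follow Okta's System Log naming, while the users, session ids and timestamps are made up.

```python
"""Absence check over Okta System Log-shaped events. Added example, not the
generator's code: flag app SSO use whose session has no prior sign-in, or whose
session already ended. The evidence is what is missing, not what is present."""
from collections import defaultdict

# Constructed sample, only the fields the check needs. eventType values follow
# Okta System Log naming; users, session ids and timestamps are made up.
EVENTS = [
    {"published": "2024-05-01T09:00:00Z", "eventType": "user.session.start",
     "actor": "alice", "sessionId": "sess-A"},
    {"published": "2024-05-01T09:00:05Z", "eventType": "user.authentication.sso",
     "actor": "alice", "sessionId": "sess-A", "target": "AWS"},
    # bob reaches an app with a session Okta never saw start
    {"published": "2024-05-01T11:30:00Z", "eventType": "user.authentication.sso",
     "actor": "bob", "sessionId": "sess-B", "target": "GitHub"},
    {"published": "2024-05-01T12:00:00Z", "eventType": "user.session.start",
     "actor": "carol", "sessionId": "sess-C"},
    {"published": "2024-05-01T12:00:03Z", "eventType": "user.session.end",
     "actor": "carol", "sessionId": "sess-C"},
    # carol's session keeps working after it ended: a ghost session
    {"published": "2024-05-01T13:10:00Z", "eventType": "user.authentication.sso",
     "actor": "carol", "sessionId": "sess-C", "target": "Jira"},
]


def find_unanchored_sso(events):
    """Return (actor, sessionId, target, reason) for each SSO event that is not
    backed by a currently active session for that actor. Events are replayed in
    published order, so a session.start after the SSO use does not anchor it."""
    active = defaultdict(set)   # actor -> session ids started and not yet ended
    ended = defaultdict(set)    # actor -> session ids that have been ended
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        actor, sid, kind = ev["actor"], ev["sessionId"], ev["eventType"]
        if kind == "user.session.start":
            active[actor].add(sid)
        elif kind == "user.session.end":
            active[actor].discard(sid)
            ended[actor].add(sid)
        elif kind == "user.authentication.sso" and sid not in active[actor]:
            reason = "session ended" if sid in ended[actor] else "no session.start"
            findings.append((actor, sid, ev["target"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_unanchored_sso(EVENTS):
        print("absence finding:", finding)
```

Alice's SSO is anchored by her sign-in and produces nothing; Bob's and Carol's are flagged only because an expected event is missing from the stream.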

Ground truth
Exhibit · what ships with every stream

The answer key comes with the logs: which alerts are real, which are noise, and why.

Events per scenario: ~50,000
Attack share of total volume: under 0.2%
False-positive noise share: ~25%
Investigation questions per kill chain, answers included: 25 to 40

Adjustable: these are defaults, not limits. Every value above is a config setting.

Generation is deterministically seeded. The same scenario re-runs identically, so you can score a new model, a rule change, or a prompt tweak against the exact same stream and know precisely what moved. No labeling step and no analyst time spent building answer keys, because the generator placed every event and wrote the answers in the same pass.

External sources

Okta logs alone can't answer every question. Nine other sources can.

Real investigations cross systems: is the user still active in Workday, was the access ticketed in ServiceNow, does the AWS role match the SSO target, is that service account suspended in the NHI registry. The catalog pairs each scenario with profiles from the external systems that can confirm or deny it, so multi-source reasoning is testable, not just single-log anomaly spotting. Nine sources ship today and new ones get added on request, so if your playbooks cross a system that isn't here, ask for it.

Sources
- Workday
- ServiceNow
- AWS IAM
- GitHub Enterprise
- Jira
- Slack
- Google Workspace
- Salesforce
- NHI registry

How it works

Pick scenarios

Choose from the catalog: direct attacks, SSO-visible downstream, absence detection, or full kill chains. We match them to what you're testing, whether that's detection rules, playbooks, or an AI agent.

The engine generates the stream

Config-driven, deterministic, pattern-based generation. Benign baseline, false-positive noise, and the attack, all with consistent structure. Ground truth comes out in the same pass.

You score, then re-run forever

Grade your agent or rules against the answer key. Same seed means the same stream, so every model upgrade and rule change is measured against a fixed corpus.

Start with one scenario.

Email me and the full 42-scenario catalog comes back by reply: categories, MITRE mappings, and which external sources matter for each. Pick the one that matches what you're testing and we go from there.

Not on Okta? The pattern engine isn't Okta-specific, so ask about your source. Or write tim@aginor.ai directly.