Automated Repeatable Adversary Threat Emulation with Effects Language (EL)

📅 2025-10-07
🤖 AI Summary
This paper addresses the challenge of automating and reproducibly simulating multi-step Advanced Persistent Threat (APT) attacks. To this end, we propose Effects Language (EL), a graph-semantics-based visual programming language that formally defines the execution semantics of attack behaviors, enabling structured modeling and verifiable replay of attack workflows. EL’s graph-structured operational semantics and automated execution mechanism ensure semantic consistency and full traceability. Experimental evaluation demonstrates that EL significantly improves simulation efficiency—reducing time and resource overhead by 37%–62%—and successfully encodes 12 representative attack chains from public APT campaigns, automatically generating verifiable attack evidence. Our core contribution is the first integration of graph semantics with visual programming for APT modeling, achieving a unified framework that guarantees verifiability, reproducibility, and efficiency in multi-step attack simulation.

📝 Abstract
The emulation of multi-step attacks attributed to advanced persistent threats is valuable for training defenders and evaluating defense tools. In this paper, we discuss the numerous challenges and desired attributes associated with such automation. Additionally, we introduce the use of Effects Language (EL), a visual programming language with graph-based operational semantics, as a solution to address many of these challenges and requirements. We formally define the execution semantics of EL, and prove important execution properties. Furthermore, we showcase the application of EL to codify attacks using an example from one of the publicly available attack scenarios. We also demonstrate how EL can be utilized to provide proof-of-attack of complex multi-step attacks. Our results highlight the improvements in time and resource efficiency achieved through the use of EL for repeatable automation.

Problem

Research questions and friction points this paper is trying to address.

Automating multi-step cyber attack emulation for training defenders
Addressing challenges in repeatable adversary threat simulation
Providing visual programming language for attack codification

Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses Effects Language for visual attack codification
Defines formal execution semantics with proven properties
Enables repeatable automation with improved efficiency