ATT&CK Evaluations


ATT&CK Evaluations

Since MITRE introduced ATT&CK® in May 2015, the practitioner community has come to rely on it to enable better communications and management around cybersecurity. Our ATT&CK Evaluations provide vendors with an assessment of their ability to defend against specific adversary tactics and techniques. We emulate known adversary behavior to ensure the evaluation is threat-informed, and carefully select adversaries that allow us to exercise common ATT&CK techniques, as well as push the market to more effectively secure the world’s networks. We openly publish the results to provide industry end-users of these cybersecurity products with the information they need to make good decisions about what is best for their organizations.

Our evaluations are not a competitive analysis. There are no scores, rankings, or ratings. Instead, we show how each vendor approaches threat detection in the context of the ATT&CK knowledge base. By strategically selecting adversaries to inspire our evaluation methodology, and freely publishing results, we are able to provide an unbiased assessment of detection and protection capabilities, as well as highlight potential gaps to drive industry forward.


About the Offerings

Wizard Spider and Sandworm Call for Participation

The next round of ATT&CK Evaluations will focus on emulating Wizard Spider and Sandworm. These two notorious groups are well known for their use of the ATT&CK technique Data Encrypted for Impact. Their impact has been felt globally and at incredible scale. MITRE Engenuity will work with vendors to articulate how their capabilities can detect adversary behavior which will help organizations reduce future attacks.

To sign up for the next round of ATT&CK Evaluations, contact

ATT&CK Evaluations for ICS

MITRE Engenuity is also expanding ATT&CK Evaluations into operational technology and industrial control systems, beginning with ICS detection platforms. MITRE Engenuity will extract and emulate the tactics, techniques, and procedures of the TRITON malware framework used by TEMP.Veles/XENOTIME in a testbed simulating the environment from that attack. MITRE Engenuity will evaluate the ability of vendors products to identify the TTPs used by that adversary and will report for public consumption the degree to which these actions are detected and contextualized to the end user.

To receive a synopses or ask questions on ATT&CK Evaluations for ICS, contact

Frank Duff
Director, ATT&CK Evaluations