ATT&CK Evaluations


ATT&CK Evaluations

Since MITRE introduced ATT&CK® in May 2015, the practitioner community has come to rely on it to enable better communications and management around cybersecurity. Our ATT&CK Evaluations provide vendors with an assessment of their ability to defend against specific adversary tactics and techniques. We emulate known adversary behavior to ensure the evaluation is threat-informed, and carefully select adversaries that allow us to exercise common ATT&CK techniques, as well as push the market to more effectively secure the world’s networks. We openly publish the results to provide industry end-users of these cybersecurity products with the information they need to make good decisions about what is best for their organizations.

Our evaluations are not a competitive analysis. There are no scores, rankings, or ratings. Instead, we show how each vendor approaches threat detection in the context of the ATT&CK knowledge base. By strategically selecting adversaries to inspire our evaluation methodology, and freely publishing results, we are able to provide an unbiased assessment of detection and protection capabilities, as well as highlight potential gaps to drive industry forward.


About the Offerings

Enterprise: Wizard Spider and Sandworm Call for Participation (Closed)

The next round of ATT&CK Evaluations will focus on emulating Wizard Spider and Sandworm. These two notorious groups are well known for their use of the ATT&CK technique Data Encrypted for Impact. Their impact has been felt globally and at incredible scale. MITRE Engenuity will work with vendors to articulate how their capabilities can detect adversary behavior, which will help organizations defend against future attacks.

To discuss your evaluation needs with the ATT&CK Evaluations team, contact

ICS: TRITON Evaluation Release

MITRE Engenuity released the results of the first ATT&CK Evaluations expansion into operational technology and industrial control systems, beginning with ICS detection platforms. MITRE Engenuity emulated the tactics, techniques, and procedures of the TRITON malware framework used by TEMP.Veles/XENOTIME in a testbed simulating the environment from that attack. MITRE Engenuity evaluated each participant’s ability to identify the emulated behaviors by reporting on the degree these actions are detected and contextualized to the end user.

To view results of this evaluation visit the ATT&CK Evaluations site, and to discuss feedback or interest in participating in ATT&CK Evaluations for ICS, contact