The program provides organizations with detailed, actionable insights on how to improve defenses and refine their strategies. It also enables users to make informed decisions about which vendor tools best suit their unique environments.
 
MITRE ATT&CK Evaluations: Indispensable Resource for Global Cyber Defenders
For the past eight years, MITRE’s ATT&CK® Evaluations (Evals) program has partnered closely with the cybersecurity community to provide independent, evidence-based testing. Grounded in the globally recognized ATT&CK framework and MITRE’s deep technical expertise, it provides a transparent way to see how security solutions detect, respond to, and report real-world adversary behaviors. The goal isn’t just assessment; the goal is to help defenders, solution providers, and researchers learn together and strengthen their defenses while advancing shared progress across the industry.
ATT&CK Behind the Scenes
Cybersecurity is MITRE’s largest practice, with more than 1,000 professionals tackling the toughest problems in cyberspace. The ATT&CK® framework has become a cornerstone of the global cybersecurity commons, shaping how organizations understand, share, and counter adversary behavior. More than 130 of our cyber experts power ATT&CK in support of defensive operations, threat intelligence, adversary emulation, and assessments. They’re on the front lines, tracking adversaries, emulating their tactics, and helping the world detect and stop them.
Setting the Gold Standard
Several years ago, MITRE identified gaps in cyber product testing: methodologies varied, making results hard to compare, and the benefits to end users were not always clear. We launched ATT&CK Evals to introduce a threat-informed approach focused on consistency, transparency, and practical impact.
Vendors voluntarily submit their products for testing that emulates real-world adversary behaviors, using scenarios informed by public threat intelligence. Past evaluations have zeroed in on APT3, APT29, and FIN7.
The program’s methodology unfolds in several rigorous phases supported by MITRE experts in cyber threat intelligence, red teaming, detection engineering, infrastructure development, and threat hunting:
- Understanding the Adversary: The cyber threat intelligence team starts each round with end users in mind. The team assesses common threats across the landscape and analyzes threat intelligence, malware samples, and alerts to select the adversaries. From there, they break down the adversary’s playbook, including TTPs, tools, tradecraft, and infrastructure, and rebuild it into realistic intrusion scenarios that mirror not only how attackers operate, but why. By cataloging attacks and contextualizing them within the ATT&CK framework, the team creates a blueprint for how adversaries navigate actual cyberattacks—giving defenders a practical lens into what to look for and how to prepare.
- Becoming the Adversary: The red development team operationalizes the threat intelligence by collaborating with the infrastructure team to create an end-to-end compromise of an emulated victim network. By implementing custom tooling and crafting the adversary emulation scenario, the team mimics specific adversary behaviors, from stealthy persistence to data exfiltration. Each step is designed to trigger system activity that security teams can monitor and investigate, ensuring emulations are both realistic and challenging.
- Defending Against the Adversary: The detection engineering team analyzes the adversary’s footprint from start to finish, validating what should be detected, the supporting data, and how to reduce false alarms. By connecting the dots between behavior and visibility, the blue team equips analysts with the detection tools needed to act quickly and accurately.
This collaborative, threat-informed, purple-teaming approach brings together vendors and MITRE experts to evaluate solutions within the context of ATT&CK’s knowledge base of tactics, techniques, and procedures, providing organizations with detailed, actionable insights to improve their defenses and refine their strategies for finding adversarial behaviors in the future.
High Value for Vendors and Defenders
ATT&CK Evaluations delivers evidence-based results that enable organizations to choose cybersecurity solutions that best fit their needs. Instead of ranking products against one another, the program measures how each solution stands up to real-world adversary behaviors. This transparent, threat-focused approach gives defenders actionable insight into which tools best align with their unique environments and help close the gaps that matter most.
"Much like the certifications that builders or manufacturers earn to prove they meet high safety or quality standards, ATT&CK Evals sets a bar for cybersecurity tools, providing a globally recognized cybersecurity benchmark," says Wen Masters, vice president of cyber technologies. "It's a mark of readiness, not recognition."
Over the past eight years, Evals has delivered:
- Annual assessments involving dozens of leading cybersecurity vendors
- Transparent, third-party testing that provides industry benchmarks
- Actionable reports that help organizations strengthen their defenses
- Validation of battle-tested detection and defense mechanisms that benefit consumers
Evals technical lead Lex Crumpton emphasizes the value of defenders thinking like the adversary. "We’ve cultivated an approach over the years: How can you think like the adversary and track their behaviors? How do those behaviors show up in a detection environment?" she says. "This mindset is key to empowering defenders to anticipate, detect, and disrupt real-world threats more effectively."
Global Impact and Community Collaboration
MITRE's objectivity and public-interest mission underscore ATT&CK Evals. As adversaries grow more sophisticated, collaboration is critical for global cyber resilience. A bonus of the program's success is that it empowers commercial product development, ensuring organizations have access to the best security solutions possible.
The success of Evals hinges on mutual trust with industry partners and ongoing community feedback. With planning for Enterprise 2026 already underway, MITRE is inviting contributors to participate in forums and advisory councils to facilitate open dialogue and help shape the program's exercise design, testing objectives, and metrics. The Evals team is taking feedback from the community and vendors into consideration in their development of the next evaluation.
Looking Ahead and Defending Together
Participation in Evals varies from year to year, reflecting the natural tempo of the program and how vendors balance products and market needs. MITRE maintains collaborative relationships with vendors, working closely with them to ensure independent testing validates technology and provides transparent benchmarks that strengthen defenses across the globe.
The program's mission remains the same: To deliver independent evaluations rooted in threat intelligence and real adversary behavior. Our commitment—to transparency and to defenders—will continue, even as the threat landscape changes and the market evolves.
Three guiding principles for Enterprise 2026:
- Collaboration and Community Engagement – expanding dialogue with vendors and practitioners.
- Transparency, Consistency, and Rigor – maintaining the benchmark defenders trust.
- Continuous Evolution – adapting to emerging threats and technologies.
Get Involved
Companies across the industry are participating in Enterprise Evaluation 2025, with results slated for December publication. To learn more about ATT&CK Evals and what's new for 2026, visit evals.mitre.org. To share feedback or get involved, contact evals@mitre.org.