No-lab ATT&CK-aligned PCAP datasets for detection validation.
NetMetria-X builds deterministic network evidence without requiring physical infrastructure, virtual lab networks, live services, endpoint agents, malware execution, or traffic replay. Given the same scenario input, it produces the same PCAP and manifest, so detection teams can validate logic against known ground truth instead of guessing what a capture represents.
What it produces
Network evidence generated directly from declared scenario intent
ground_truth.pcap
Generated packet evidence for standard tools such as Wireshark, tshark, tcpdump, Zeek, Suricata, Snort, NDR tooling, SIEM pipelines, and custom workflows without operating a traffic lab.
Manifest context
Authoritative ground truth describing the scenario, ATT&CK technique coverage, actor context, timing, and why the generated traffic exists.
Timeline and summary
Compact dataset inventory and ordered event context for reviewers who need to understand the capture before opening packet tools.
Bundle shape
Known evidence, not mystery traffic
NetMetria-X is useful when the reviewer needs controlled packet evidence and known answers without standing up hosts, services, routes, sensors, attack tools, or capture infrastructure just to create a dataset.
dataset_bundle/
    ground_truth.pcap
    manifest.db
    summary.json
    timeline.json
    README.md
    observed/      # optional sensor-visible PCAPs
    observation/   # optional sensor visibility metadata
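To make the determinism claim concrete, here is an added example (not NetMetria-X code; its real bundle and manifest formats are not documented on this page) that builds a small PCAP plus a ground-truth record from a declared scenario and then scores a detector's output against that record. The scenario events, field names and technique assignments are constructed for illustration.

```python
"""Deterministic PCAP + ground truth from a declared scenario (constructed example)."""
import hashlib
import struct

# Constructed scenario: each event declares a technique, endpoints and a payload.
# Fixed timestamps make the output byte-for-byte reproducible across runs.
SCENARIO = [
    {"t": 1700000000, "technique": "T1046", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 445, "payload": b"probe"},
    {"t": 1700000001, "technique": "T1046", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 3389, "payload": b"probe"},
    {"t": 1700000005, "technique": "T1041", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "payload": b"data-out"},
]

def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_packet(ev):
    """Minimal Ethernet/IPv4/TCP SYN frame; checksums left zero (fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, ev["dport"], 1, 0, 5 << 4, 0x02, 8192, 0, 0) + ev["payload"]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_bytes(ev["src"]), ip_bytes(ev["dst"]))
    return eth + ip + tcp

def build_bundle(scenario):
    """Return (pcap_bytes, ground_truth). Same scenario in -> same bytes and hash out."""
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header, Ethernet
    truth = []
    for i, ev in enumerate(scenario):
        frame = build_packet(ev)
        pcap += struct.pack("<IIII", ev["t"], 0, len(frame), len(frame)) + frame  # record header + frame
        truth.append({"packet_index": i, "technique": ev["technique"], "dst": ev["dst"], "dport": ev["dport"]})
    return pcap, truth

def validate(detector_hits, truth):
    """Score a detector's (technique, packet_index) claims against the ground truth."""
    expected = {(e["technique"], e["packet_index"]) for e in truth}
    found = set(detector_hits)
    return {"true_positives": sorted(expected & found),
            "missed": sorted(expected - found),
            "false_positives": sorted(found - expected)}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    pcap, truth = build_bundle(SCENARIO)
    open("ground_truth.pcap", "wb").write(pcap)
    print(sha256(pcap), validate([("T1046", 0), ("T1046", 1)], truth))
```

The written file opens in Wireshark or tshark as three TCP SYNs, and the hash printed is identical on every run, which is the property a reviewer relies on when comparing results across tools.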
Who it helps
Built for people who inspect, test, and explain network detections
Detection engineers
Evaluate IDS, SIEM, and NDR logic against controlled network-observable evidence with known ground truth.
Traffic analysts
Review packets, conversations, alerts, and scenario context without relying on sensitive production captures or real victim data.
Security vendors
Exercise parsers, sensors, rules, and detection pipelines against documented packet evidence with known behavior context.
Training teams
Teach packet analysis and detection workflows without distributing sensitive captures or running live attack tools.
Labs and research
Use controlled network evidence for experiments, comparisons, and classroom exercises where known answers matter.
Content reviewers
Check whether a rule, parser, dashboard, workflow, or detection note behaves correctly against a declared scenario.
Why it is different
Generate the evidence without building the lab
Community coverage
Focused ATT&CK-aligned technique coverage
The Community edition currently supports 15 ATT&CK-aligned techniques across discovery, remote access/lateral movement, execution-shaped evidence, command and control, and exfiltration.
The coverage page lists each supported technique, the dataset meaning, packet evidence count, tactic grouping, and official MITRE ATT&CK reference link.
Scope note
Network evidence only
NetMetria-X generates deterministic network evidence for detection validation. It does not execute malware, emulate endpoints, operate live C2 infrastructure, replay captured attacker traffic, transmit packets onto your network, or perform attacks.
Early review
Evaluate NetMetria-X Community against real detection workflows
Early reviewer access is handled on a dedicated page so the homepage stays focused on product positioning and dataset value.