The 2022 ATT&CK Evaluations for Managed Services Call for Participation is now open. Click here to learn how to participate.

Home  >  Managed Services Overview


Managed Services

Managed Services Evaluation 2022
Call for Participation
  • Call For Participation
  • Evaluating
  • Preparing
  • Published
ATT&CK Description

ATT&CK Evaluations for Managed Services will assess vendor participant capabilities (e.g., MDR and MSSP) in their ability to analyze and describe adversary behavior. Adversary activity emulated by the MITRE Engenuity red team, and correlating context provided by the participants will be mapped to the MITRE ATT&CK knowledge base. Participants will leverage a self-supplied toolset to enable their detection capabilities and provide the relevant analysis in the same format they provide to their customers. Examples include—but are not limited to—real-time alerts, daily roll-up reports, dashboard access, etc.

Scenario Characteristics

The Managed Services evaluations will employ a closed book version of adversary emulation, whereby the vendor participants will not know the emulated adversary until after the execution is complete, though it will be based upon publicly available threat intelligence. The emulation will be conducted in the Microsoft Azure Cloud, similar to the Enterprise evaluations. MITRE Engenuity will execute the emulation, and participants will provide their analysis as if MITRE Engenuity was a standard customer. The evaluation will be focused entirely on understanding adversary activity, and remediation/prevention is prohibited in this inaugural evaluation. During a post-mortem purple team, MITRE Engenuity will disclose the adversary emulated, all behavior performed, and disclose how MITRE Engenuity mapped participant provided analysis to that behavior. MITRE Engenuity will work with participants to enhance their detection capability during this period, as participants are encouraged to ask questions regarding the execution.


Figure 1: Managed Services 2022 Evaluation Environment

Additional application services and software may be deployed in the network environment. These applications/software may include, but are not limited to, web servers, SQL databases, file transfer services, Microsoft Office products, etc. These services are subject to change and more information will be provided as we get closer to the evaluation.

The evaluations will be performed in the Microsoft Azure Cloud. There will be a single victim organization, with Windows Defender disabled for certain portions of the evaluations. The network will contain domain joined machines, which may include:

  • Windows Server 2019
  • Windows 10 Pro
  • CentOS 7
  • CentOS 8
  • Ubuntu Server 20.04 LTS
  • Ubuntu Server 18.04 LTS

Additional Resources