Generate the evidence, not the lab.
NetMetria-X Community is in pre-release validation. It compiles declared scenario intent into ATT&CK-aligned network evidence bundles for detection engineers, traffic analysts, and security vendors.
The output is packet evidence of the declared scenario, with context that explains what the traffic represents. It is not evidence of a real compromise or live attack execution.
Why it matters
Detection validation gets expensive when test traffic needs infrastructure
Detection teams need traffic that exercises specific behaviors and enough context to judge whether a rule, parser, sensor, or analyst workflow behaved correctly.
Creating that traffic often means assembling lab networks, endpoint images, services, sensors, routing, cleanup procedures, and documentation. That work costs time and money before the detection test even starts.
NetMetria-X Community is designed to reduce that burden by generating controlled packet evidence as an offline dataset bundle. The value is not only the PCAP. The value is usable detection evidence with known context.
Scenario-first model
Define the network evidence you want represented
Traditional validation traffic usually starts with infrastructure. Teams build hosts, configure services, set routing and firewall paths, run tools, place sensors, capture packets, and then debug why the expected traffic did or did not appear.
NetMetria-X uses a different model. The scenario declares the network-observable behavior to represent, and NetMetria-X generates the corresponding evidence bundle.
There are no live endpoints to configure, no services to fail, no firewall paths to debug, no command infrastructure to operate, and no packet replay system involved in creating the dataset.
The generated PCAP shows network evidence consistent with the declared scenario behavior. It does not claim that a real endpoint changed state, that a real control failed, or that any live attack occurred.
Benefits
Built to reduce cost, risk, and ambiguity in validation traffic
No traffic lab buildout
Produce controlled packet evidence without building and maintaining a physical or virtual environment only to create validation traffic.
Ground truth included
Dataset context identifies the scenario, ATT&CK technique coverage, traffic purpose, timing, and intended interpretation.
Safe by design
No malware execution, no compromised hosts, no live command infrastructure, no endpoint agents, and no production network activity.
Works with standard tools
PCAP output can be inspected with standard packet and detection tools such as Wireshark, tshark, tcpdump, Zeek, Suricata, Snort, NDR tooling, SIEM pipelines, and custom workflows.
ATT&CK-aligned scope
Community focuses on a bounded MVP set of network-observable ATT&CK-aligned behaviors instead of claiming broad offensive simulation.
Deterministic generation
The same declared scenario input produces the same generated bundle. This supports verification and controlled comparison during development and reviewer evaluation.
Use cases
Built for teams that inspect, test, and explain network detections
Detection engineers
Evaluate IDS, SIEM, and NDR logic against controlled network-observable evidence with known ground truth.
Traffic analysts
Review packets, conversations, alerts, and scenario context without relying on sensitive production captures or real victim data.
Security vendors
Exercise parsers, sensors, rules, and detection pipelines against documented packet evidence with known behavior context.
Training teams
Teach packet analysis and detection workflows without distributing sensitive captures or running live attack tools.
Labs and research
Use controlled network evidence for experiments, comparisons, and classroom exercises where known answers matter.
Coverage review
Review specific network-observable behaviors without staging a real compromise.
Evidence bundle
PCAP output with context, not proof of real compromise
Live captures are valuable, but they are often noisy, sensitive, difficult to share, and hard to label with certainty. Unlabeled PCAP collections rarely tell an engineer what should have been detected.
NetMetria-X Community is designed to produce focused packet evidence for detection validation, paired with ground-truth context that explains the declared scenario behavior represented by the traffic.
Use live captures to understand production reality. Use NetMetria-X when you need controlled scenario evidence with known answers.
Packet evidence
Generated PCAP output for standard packet and detection tools.
Ground-truth context
Scenario, ATT&CK, actor, timing, and traffic-purpose context for validation and review.
Observation perspective
Where enabled, sensor-visible outputs help reviewers compare complete ground truth against what a sensor would observe.
Community MVP is intentionally bounded. It is not claiming full ATT&CK coverage, full protocol coverage, or live-network indistinguishability across every scenario.
Early reviewers are being asked to evaluate whether the generated evidence is useful, explainable, and realistic enough for detection-validation workflows.
Community preview scope
Clean scenario traffic, not mixed enterprise background traffic
Current NetMetria-X Community preview datasets are intentionally clean. They contain generated ATT&CK-aligned network evidence for the selected scenario, without unrelated background enterprise traffic.
This is an MVP scope decision, not a claim that real networks are clean. The first reviewer bundles are designed to make the generated behavior easier to inspect, label, and validate.
Background browsing traffic, unrelated service chatter, user activity noise, and larger mixed-traffic datasets are outside the current Community preview scope.
Boundaries
Declared scenario evidence without offensive execution
NetMetria-X is intentionally not a breach simulator, malware framework, command-and-control platform, cyber range, endpoint emulator, PCAP replay tool, or live traffic injection system.
It produces packet evidence and ground-truth context for detection engineering. If traffic appears in the PCAP, it means the declared scenario includes that network-observable behavior. It does not mean a real attack occurred.
NetMetria-X is for evidence generation and validation workflows, not operational attack execution.
Early reviewer access
Help validate whether NetMetria-X Community is useful for real detection work