
Insights Into the 2024 MITRE ATT&CK Evaluations: Enterprise

Empowering you to make informed decisions.

Below you will find a series of charts built from the actual 2024 MITRE ATT&CK Evaluation: Enterprise result data. 

Please visit the MITRE ATT&CK Evaluation Results webpage for direct access to the full set of MITRE results data.

Protection Phase

In the charts that follow, we present the ratio of blocked to tested for each vendor rather than the raw numbers, because the number of steps tested varied. Where appropriate, we also note the number blocked vs. tested for informational purposes.

Protection rate is the ratio of steps blocked to number of steps tested (steps blocked/steps tested). 


CHART 1: Steps blocked (protection rate)


Prevention rate is the ratio of sub-steps blocked to number of sub-steps tested (sub-steps blocked/sub-steps tested). 


CHART 2: Sub-steps blocked (prevention rate)


Mistakenly alerting on a benign activity was marked as a false positive alert.  


CHART 3: False positive protections

Detection Phase

The first set of charts shows Detection Phase results before configuration changes.

Visibility measures how many of the malicious sub-steps tested were detected by the solution.   

CHART 4: Sub-steps detected - before config changes


MITRE categorizes each successful detection based on detection quality – the level of context provided. The best detection quality outcome is Technique-level information.  


CHART 5: Technique-level detections - before config changes


Mistakenly alerting on a benign activity was marked as a false positive alert.  


CHART 6: False positives - before config changes


The following set of charts shows Detection Phase results after configuration changes.

Note: On the final day of testing, vendors were allowed to reconfigure their systems and given a second chance to detect the threat that was missed on the first day of testing. The results achieved are labeled "after configuration changes".

Configuration changes shows the total number of configuration changes implemented by each vendor. 

CHART 7: Number of configuration changes

Visibility measures how many of the malicious sub-steps tested were detected by the solution.  

CHART 8: Sub-steps detected - after config changes


MITRE categorizes each successful detection based on detection quality – the level of context provided. The best detection quality outcome is Technique-level information.  


CHART 9: Technique-level detections - after config changes


Mistakenly alerting on a benign activity was marked as a false positive alert.  


CHART 10: False positives - after config changes

Visit the MITRE ATT&CK Evaluation Results webpage for direct access to the full set of MITRE results data.