Active development

Generated network-observable PCAP dataset packages for detection engineering.

Request or select a scenario. NetMetria generates the packet-capture package and delivers the completed files to your NetMetria account.

Ready-to-use files

Ground truth included

Scenario material included

No lab buildout

No C2 operation

No malware handling

Request early access View planned delivery model

Dataset Package

authoritative.pcap

ground-truth manifest

scenario + campaign files

environment definition

README + checksums

You receive generated artifacts, not the NetMetria engine.

Definition

What NetMetria is

NetMetria generates network-observable datasets for adversary-style traffic. You receive a dataset package containing PCAP, ground truth, scenario material, and supporting files.

The NetMetria engine uses structured definitions that describe the scenario, campaign, actors, environment, selected ATT&CK-aligned behaviors, and observation points.

The engine is used to produce the files. You receive the generated dataset package.

The goal is to give your team usable packet evidence without requiring you to build the lab that would normally be needed to produce it.

Current state

NetMetria is in active development. The generation engine is being built and validated.

Dataset package delivery, account-based downloads, and scenario ordering are planned, but they are not publicly available yet.

This site shows the direction of the project and collects early feedback from detection engineers, analysts, researchers, instructors, and security vendors.

Why we are building this

Repeatable packet evidence is hard to get

Detection teams often need PCAP datasets that are repeatable, labeled, and tied to known behavior.

Building those datasets through labs, ranges, replay captures, or manual traffic generation can be slow, fragile, and difficult to maintain.

NetMetria is being built to make that process simpler: request a scenario, receive a generated dataset package, and use it to inspect or test detection behavior.

The practical goal

Give your team controlled PCAP data with supporting ground truth, without requiring your team to build the lab that produced it.

Request a scenario. Receive the files. Test detections.

Network-observable scope

NetMetria generates network evidence, not endpoint telemetry

NetMetria focuses on behavior that can be represented through network traffic. That means packets, flows, protocols, source and destination addresses, ports, timing, and sensor visibility.

The dataset package is built around what can be observed on the network. It does not include endpoint execution traces, EDR process trees, Windows event logs, file system artifacts, registry changes, shell history, or malware runtime behavior.

If an ATT&CK technique has no meaningful network-observable expression, it does not belong in a NetMetria PCAP package unless it contributes to traffic that can be represented honestly.

What network-observable means

PacketsSerialized network evidence in PCAP form.

FlowsWho talked to whom, when, and over which protocol.

TimingDeterministic timestamps and packet order.

VisibilityWhat a defined network sensor would see.

Example packet evidence

What a generated PCAP can look like

This excerpt shows the kind of network-observable evidence a generated package can contain: ordered packets, deterministic timing, endpoints, protocols, ports, packet lengths, and packet roles.

This table shows a compact packet-list view similar to what a detection engineer would inspect in Wireshark.

This is an illustrative excerpt. Published sample packages will include the actual PCAP, ground-truth manifest, scenario files, README, and checksums.

Illustrative packet excerpt

No.  Time        Source          Destination     Proto  Len  Info
---  ----------  --------------  --------------  -----  ---  ---------------------------------------------------------------
1    0.000000    192.168.1.10    192.168.1.20    TCP    54   40000 → 80 [SYN] Seq=0 Win=64240 Len=0
2    0.000001    192.168.1.20    192.168.1.10    TCP    54   80 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
3    0.000002    192.168.1.10    192.168.1.20    TCP    54   40000 → 80 [RST, ACK] Seq=1 Ack=1 Win=64240 Len=0
4    120.000100  192.168.1.10    192.168.1.20    TCP    54   40257 → 445 [SYN] Seq=0 Win=64240 Len=0
5    120.000101  192.168.1.20    192.168.1.10    TCP    54   445 → 40257 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
6    120.000102  192.168.1.10    192.168.1.20    TCP    54   40257 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7    120.000103  192.168.1.10    192.168.1.20    NBSS   106  NBSS Continuation Message
8    240.000200  192.168.1.10    192.168.1.20    TCP    54   40514 → 445 [SYN] Seq=0 Win=64240 Len=0
9    240.000201  192.168.1.20    192.168.1.10    TCP    54   445 → 40514 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
10   240.000202  192.168.1.10    192.168.1.20    TCP    54   40514 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0
11   240.000203  192.168.1.10    192.168.1.20    NBSS   120  NBSS Continuation Message
12   240.000204  192.168.1.20    192.168.1.10    TCP    54   445 → 40514 [ACK] Seq=1 Ack=67 Win=64240 Len=0
13   360.000300  192.168.1.10    192.168.1.20    TCP    54   40771 → 8080 [SYN] Seq=0 Win=64240 Len=0
14   360.000301  192.168.1.20    192.168.1.10    TCP    54   8080 → 40771 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
15   360.000302  192.168.1.10    192.168.1.20    TCP    54   40771 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
16   360.000303  192.168.1.10    192.168.1.20    HTTP   150  GET /nmx/channel HTTP/1.1
17   360.000304  192.168.1.20    192.168.1.10    HTTP   182  HTTP/1.1 200 OK
18   360.000305  192.168.1.10    192.168.1.20    TCP    54   40771 → 8080 [ACK] Seq=97 Ack=129 Win=64240 Len=0
19   480.000400  192.168.1.10    192.168.1.20    TCP    54   41028 → 8080 [SYN] Seq=0 Win=64240 Len=0
20   480.000401  192.168.1.20    192.168.1.10    TCP    54   8080 → 41028 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
21   480.000402  192.168.1.10    192.168.1.20    TCP    54   41028 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
22   480.000403  192.168.1.10    192.168.1.20    TCP    166  41028 → 8080 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=112 [TCP segment]
23   480.000404  192.168.1.10    192.168.1.20    HTTP   214  POST /nmx/exfil HTTP/1.1
24   480.000405  192.168.1.20    192.168.1.10    HTTP   150  HTTP/1.1 200 OK Continuation
25   480.000406  192.168.1.10    192.168.1.20    TCP    54   41028 → 8080 [ACK] Seq=273 Ack=97 Win=64240 Len=0

Timing note: The gaps between packet groups reflect when network-observable events occur in the scenario. NetMetria does not currently add background traffic, idle chatter, or unrelated enterprise noise. This example is part of active development and is shown to illustrate the packet-level output style.

Scrollable excerpt. This is illustrative; published packages will include actual generated files and checksums.

Delivered product

What you receive

Your order produces a downloadable network-evidence dataset package for inspection, validation, testing, and repeatable detection work.

Open the PCAP, inspect the ground truth, review the scenario material, and test your detection stack.

Each package is designed to make clear what traffic was generated, which behavior it represents, and how the packets map back to the scenario.

PCAP

Authoritative PCAP

Generated packet evidence intended for tools such as Wireshark, Zeek, Suricata, IDS platforms, NDR tools, SIEM pipelines, and custom detection workflows.

Ground-Truth Manifest

A machine-readable record that maps packets back to flows, campaign steps, behaviors, ATT&CK techniques, and actors.

DOC

Supporting Material

Scenario, campaign, environment, README, checksums, and optional observed sensor outputs when included in the package.

Ground-truth lineage

packet-> flow-> campaign step-> behavior-> ATT&CK technique-> actor

Order flow

How delivery is intended to work

You request or select a scenario, NetMetria generates the dataset, and the finished package is uploaded to your online NetMetria account.

You do not need to run the NetMetria engine, build a range, operate C2 infrastructure, or manage packet capture workflows.

As the service matures, NetMetria is planned to support online accounts where you can request scenarios, purchase dataset packages, track generation status, and download prior orders.

Planned delivery flow

Choose or request a scenario

NetMetria generates the dataset

Files are packaged with ground truth

Package is uploaded to your account

Download and test detections

No lab buildout required

Get usable PCAP datasets without building the lab

Traditional PCAP generation can require virtual machines, vulnerable hosts, domain controllers, scripted tools, packet capture setup, cleanup, and reset work.

NetMetria removes that burden. The dataset is generated and packaged before delivery.

You get the PCAP, ground-truth manifest, scenario material, optional observation outputs, README, and checksums without operating the environment that produced the dataset.

What you do not have to operate

No VM lab

No cloud range

No vulnerable hosts

No domain controller setup

No C2 infrastructure

No reset cycle

No packet capture workflow

No malware handling

Downloadable artifacts

Sample dataset packages

NetMetria is best understood by inspecting the artifacts. As stable samples become available, this section will provide downloadable dataset packages containing PCAP, ground-truth manifests, scenario definitions, and observation outputs.

These samples are not hand-built packet captures. They are generated by the NetMetria production pipeline from structured definitions.

The first public sample package will be published only after the PCAP, manifest, packet lineage, and checksums pass repeatability checks.

Samples will be published only after they are stable enough to represent the project honestly.

Planned first package

ATT&CK T1046 - Network Service Discovery

authoritative.pcap

manifest output

scenario.yaml

campaign.yaml

environment.yaml

observed sensor outputs

checksums.sha256

README.md

Sample package planned

ATT&CK alignment

Current ATT&CK technique coverage

NetMetria supports dataset generation around selected ATT&CK techniques with clear network-observable behavior. These techniques form the initial coverage set for generated PCAP dataset packages.

Supported means the technique has a defined NetMetria behavior path for generated network-observable output.

Public dataset packages are released only after validation. For endpoint-heavy techniques, NetMetria represents only the network-visible consequences.

T1018Remote System Discovery

T1049System Network Connections Discovery

T1087Account Discovery

T1046Network Service Discovery

T1021Remote Services

T1059Command and Scripting Interpreter

T1570Lateral Tool Transfer

T1569.002Service Execution

T1048Exfiltration Over Alternative Protocol

T1095Non-Application Layer Protocol

T1573Encrypted Channel

T1020Automated Exfiltration

T1105Ingress Tool Transfer

T1071Application Layer Protocol

T1041Exfiltration Over C2 Channel

Build status

Current development focus

NetMetria is still under development. The early implementation is focused on building the dataset generation pipeline correctly before expanding the scenario and technique library too aggressively.

The first public offering is planned around generated dataset packages delivered to online accounts. The engine itself is not being sold or distributed.

Technique coverage will grow, but not at the cost of weak traffic, unclear lineage, or non-repeatable output.

Dataset package model	In development
Scenario request model	Planned
Account-based delivery	Planned
Scenario model	In development
Campaign model	In development
Environment model	In development
Planner	Working foundation
Flow engine	Working foundation
Packet engine	Working foundation
PCAP output	Working foundation
Ground-truth manifest	Working foundation, evolving format
Technique library	15 techniques supported

Early access

Request early access

Interest signal

Help shape the first dataset packages

NetMetria is still in active development. We are especially interested in which PCAP datasets would be useful for detection testing, which ATT&CK techniques matter to your workflow, and what ground-truth fields your team would need.

Detection workflow IDS rules, SIEM logic, NDR validation, packet analysis, training, or vendor testing.

Traffic interests ATT&CK techniques, protocols, scenario types, or sensor perspectives you care about.

Ground truth needs What you need to prove, inspect, trace, or compare when testing detections.

Generated PCAP dataset packages

Tell us what you would want to download

Use this form to request early access or describe the dataset package that would be useful to your team. Early dataset requests may help guide which scenario packages are built first.

Name *

Email *

Company or organization

Role

Primary interest

ATT&CK techniques, protocols, or traffic types

Exact ATT&CK technique IDs are useful, but plain language is fine.

What would make the package useful?