Validate network detections with explainable adversary traffic.
NetMetria-X generates controlled, network-observable ATT&CK scenarios with packet evidence and a queryable Manifest database, so detection engineers, SOC teams, trainers, vendors, red teams, and audit teams can inspect behavior, timing, visibility, and attribution without running malware, agents, or live infrastructure.
Not a PCAP marketplace. Not a simulator. Not a replay tool.
Evidence bundle
Explainable packet evidence, not commodity PCAP files
NetMetria-X is not selling random capture files. It produces controlled adversary traffic with packet evidence and a Manifest database that explains behavior, timing, attribution, and sensor visibility.
The core offer is explainable detection validation: traffic you can inspect, context you can query, and scenario evidence you can use to evaluate rules, tools, and analyst workflows.
Each evidence bundle is built from declared campaign intent, resolved environment state, behavior mappings, generated flows, and compiled packets.
Packet evidence
Protocol-correct captures for Wireshark, Zeek, Suricata, IDS platforms, NDR tools, SIEM pipelines, and custom detection workflows.
Manifest database
A queryable Manifest database for packet lineage, behavior attribution, ATT&CK mapping, actors, timing, and observation visibility. Query it with nmx-query.
Packet lineage
Packet-to-flow-to-behavior attribution is attached during compilation. It is not guessed after the capture is generated.
ground_truth.pcap is the complete packet evidence generated from the compiled scenario.
The Manifest database is the queryable context record for the evidence bundle. It contains packet, flow, step, behavior, ATT&CK technique, actor, timing, and observation metadata. Users query it with nmx-query.
summary.json and timeline.json provide compact inspection views. observed/<sensor_id>.pcap contains the sensor-visible packet capture when observation output is enabled.
Compilation pipeline
Campaign intent becomes explainable packet evidence
A campaign describes adversary intent. It does not define packets, protocol logic, scripts, tools, or runtime behavior.
NetMetria-X resolves that campaign against a defined environment, plans behavior order, expands behavior into network flows, compiles flows into packets, and emits an evidence bundle users can inspect and query.
The runtime does not improvise. Identical inputs produce identical outputs, except for allowed generation metadata such as artifact creation timestamps.
Who uses it
Network-observable evidence supports multiple validation workflows
Detection engineers
Validate IDS, SIEM, and NDR logic against controlled adversary traffic with queryable behavior context.
SOC analysts
Practice packet review, alert triage, and incident reasoning with network evidence that can be explained and reviewed.
Cybersecurity trainers
Build safe, repeatable labs around focused adversary traffic instead of relying on sensitive live captures.
Security vendors
Run the same packet evidence through sensors, parsers, and detection pipelines, then inspect attribution and visibility through the Manifest database.
Red teams
Understand how ATT&CK-aligned behavior appears in monitored network traffic without executing tools, malware, or live infrastructure.
Compliance and audit teams
Demonstrate network-observable detection coverage with controlled evidence, queryable attribution, and scenario-level traceability.
Low-noise does not mean fake. It means focused. NetMetria-X can omit unrelated background chatter when the goal is to isolate behavior, validate a parser, test a rule, train an analyst, compare detection results, or demonstrate coverage.
Generated vs. live captures
Generated traffic complements live captures
Live captures are valuable because they show production complexity. They are often noisy, sensitive, incomplete, and difficult to label with certainty.
NetMetria-X evidence bundles are valuable because they are controlled, labeled, deterministic, and safe to use in validation workflows.
Use live traffic to understand the world. Use NetMetria-X to validate specific detection expectations against explainable packet evidence.
Boundaries
Realistic packets without endpoint emulation
NetMetria-X does not execute malware, run agents, emulate operating systems, or interact with real infrastructure. It produces controlled network evidence from declared adversary intent.
Realism comes from protocol-correct packet construction, deterministic timing, environment-defined topology, and Network Profiles that shape wire-level appearance.
Behaviors explain why traffic exists. Network Profiles explain how traffic appears on the wire.