Active development

Network-observable PCAP dataset packages for detection engineering.

NetMetria delivers ATT&CK-aligned PCAP datasets built around network-observable evidence: packets, flows, protocols, timing, endpoints, and sensor perspective. Packages can be focused and low-noise when the goal is to isolate behavior for detection testing.

NetMetria is in active development. 2026 availability is planned, with release timing driven by validation quality.

PCAP output
Ground truth included
ATT&CK-aligned scenarios
Network-observable evidence
Scenario material included
Built for validation
Dataset Package
01 authoritative.pcap
02 ground-truth manifest
03 scenario + campaign material
04 environment definition
05 README + checksums
Request a scenario. Receive the files. Test detections.

Delivered product

What a dataset package includes

A NetMetria package is designed to give your team files it can inspect directly: packet captures, ground truth, scenario context, and repeatability material.

Open the PCAP, inspect the manifest, review the scenario material, and test your detection stack against known traffic with known ground truth.

Each emitted packet is intended to be traceable back to the scenario behavior, ATT&CK technique, flow, and actor represented in the package.

The delivered files are the product: a repeatable dataset package with packet-level evidence, ATT&CK context, and supporting material your team can inspect directly.

Authoritative PCAP

Generated packet evidence intended for Wireshark, Zeek, Suricata, IDS platforms, NDR tools, SIEM pipelines, and custom detection workflows.

Ground-truth manifest

A machine-readable record that maps packets back to flows, campaign steps, behaviors, ATT&CK techniques, and actors.

Supporting material

Scenario definition, campaign definition, environment definition, README, checksums, and optional observation outputs.

Ground-truth lineage
packet → flow → campaign step → behavior → ATT&CK technique → actor

Why it matters

Why detection teams care

Repeatable testing

Use the same dataset against rule changes, parser changes, sensor updates, and tool upgrades without changing the evidence under test.

Ground-truth validation

Trace packets back to flows, behaviors, ATT&CK techniques, and actors so missed detections can be investigated with context.

Tool comparison

Run the same package through IDS, NDR, SIEM, packet analysis, and custom tooling to compare what each tool sees.

Noise-controlled datasets

Some detection work needs focused traffic instead of full enterprise noise. NetMetria packages can be prepared as low-noise datasets when the goal is to isolate a behavior, validate a rule, test a parser, or train an analyst on specific network-observable activity.

Low-noise does not mean more realistic. It means more controlled. Background traffic can be omitted when unrelated noise would make the test less useful.

Generated vs. live captures

How NetMetria PCAPs differ from live captures

Live PCAP captures are records of traffic observed from a real or lab environment. They can be valuable, but they often include unrelated noise, missing context, unclear intent, and limited ground truth.

NetMetria-generated PCAPs are different. They are built from defined scenarios, so the package can include the PCAP, ground-truth manifest, ATT&CK mapping, scenario material, and repeatability data.

NetMetria does not try to replace every live capture. It focuses on controlled, network-observable datasets where the behavior, packet lineage, scenario context, and noise level are known from the start.

Purpose-built evidence
network-observable only, defined scenario, known ground truth, repeatable output, noise-controlled output, ATT&CK mapping

Live PCAP captures: Record traffic after it happened. They may include unrelated noise, incomplete context, limited ground truth, and environment-specific artifacts that are hard to reproduce exactly.

NetMetria-generated PCAPs: Built from defined scenarios. They are designed for repeatable packet output, ground-truth lineage, ATT&CK alignment, and detection validation workflows.

Noise-controlled datasets: When useful, packages can omit unrelated background traffic so the behavior under test is easier to inspect, validate, and compare across tools.

Network-observable boundary: The generated evidence is packet and flow based. NetMetria does not generate endpoint telemetry, process trees, Windows event logs, registry changes, or malware runtime behavior.

Network-observable scope

Built around traffic that can be observed on the network

NetMetria focuses on network-observable evidence: packets, flows, protocols, ports, timing, endpoints, and sensor visibility.

NetMetria does not generate endpoint execution traces, EDR process trees, Windows event logs, registry changes, shell history, or malware runtime behavior.

For endpoint-heavy ATT&CK techniques, NetMetria represents only the network-visible consequences that can be shown honestly in PCAP.

Included: Packets, flows, protocols, ports, timing, source and destination addresses, packet ordering, and sensor perspective.

Noise control: Background traffic can be omitted when a focused, low-noise dataset is more useful for validation, training, or tool comparison.

Not included: Endpoint telemetry, EDR process trees, Windows logs, file system artifacts, registry changes, shell history, or malware execution traces.

Why it matters: The package is designed for detection teams working with PCAPs, IDS/NDR tooling, protocol analysis, and ground-truth validation.

ATT&CK alignment

Current ATT&CK technique coverage

Current coverage represents ATT&CK techniques NetMetria can produce as network-observable dataset behavior. Public packages are released only after validation.

Supported means the technique has a defined behavior path for generated network-observable output.

T1018 Remote System Discovery
T1049 System Network Connections Discovery
T1087 Account Discovery
T1046 Network Service Discovery
T1021 Remote Services
T1059 Command and Scripting Interpreter
T1570 Lateral Tool Transfer
T1569.002 Service Execution
T1048 Exfiltration Over Alternative Protocol
T1095 Non-Application Layer Protocol
T1573 Encrypted Channel
T1020 Automated Exfiltration
T1105 Ingress Tool Transfer
T1071 Application Layer Protocol
T1041 Exfiltration Over C2 Channel

Packet-level evidence

Example packet evidence

Illustrative multi-technique packet excerpt

This excerpt shows the kind of network-observable evidence a generated package can contain: ordered packets, deterministic timing, endpoints, protocols, ports, packet lengths, and packet roles.

T1046 Network Service Discovery, T1071 Application Layer Protocol, T1041 Exfiltration Over C2 Channel

This is not presented as a single-technique package. It is an illustrative excerpt showing several network-observable behaviors that NetMetria can represent in PCAP form.

No.  Time        Source          Destination     Protocol  Length  Info
1    0.000000    192.168.1.10    192.168.1.20   TCP       54      40000 → 80 [SYN] Seq=0 Win=64240 Len=0
2    0.000001    192.168.1.20    192.168.1.10   TCP       54      80 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
3    0.000002    192.168.1.10    192.168.1.20   TCP       54      40000 → 80 [RST, ACK] Seq=1 Ack=1 Win=64240 Len=0
4    120.000100  192.168.1.10    192.168.1.20   TCP       54      40257 → 445 [SYN] Seq=0 Win=64240 Len=0
5    120.000101  192.168.1.20    192.168.1.10   TCP       54      445 → 40257 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
6    120.000102  192.168.1.10    192.168.1.20   TCP       54      40257 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7    120.000103  192.168.1.10    192.168.1.20   NBSS      106     NBSS Continuation Message
8    240.000200  192.168.1.10    192.168.1.20   TCP       54      40514 → 445 [SYN] Seq=0 Win=64240 Len=0
9    240.000201  192.168.1.20    192.168.1.10   TCP       54      445 → 40514 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
10   240.000202  192.168.1.10    192.168.1.20   TCP       54      40514 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0
11   240.000203  192.168.1.10    192.168.1.20   NBSS      120     NBSS Continuation Message
12   240.000204  192.168.1.20    192.168.1.10   TCP       54      445 → 40514 [ACK] Seq=1 Ack=67 Win=64240 Len=0
13   360.000300  192.168.1.10    192.168.1.20   TCP       54      40771 → 8080 [SYN] Seq=0 Win=64240 Len=0
14   360.000301  192.168.1.20    192.168.1.10   TCP       54      8080 → 40771 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
15   360.000302  192.168.1.10    192.168.1.20   TCP       54      40771 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
16   360.000303  192.168.1.10    192.168.1.20   HTTP      150     GET /nmx/channel HTTP/1.1
17   360.000304  192.168.1.20    192.168.1.10   HTTP      182     HTTP/1.1 200 OK
18   360.000305  192.168.1.10    192.168.1.20   TCP       54      40771 → 8080 [ACK] Seq=97 Ack=129 Win=64240 Len=0
19   480.000400  192.168.1.10    192.168.1.20   TCP       54      41028 → 8080 [SYN] Seq=0 Win=64240 Len=0
20   480.000401  192.168.1.20    192.168.1.10   TCP       54      8080 → 41028 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
21   480.000402  192.168.1.10    192.168.1.20   TCP       54      41028 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
22   480.000403  192.168.1.10    192.168.1.20   TCP       166     41028 → 8080 [PSH, ACK] Seq=1 Ack=1 Win=64240 Len=112
23   480.000404  192.168.1.10    192.168.1.20   HTTP      214     POST /nmx/exfil HTTP/1.1
24   480.000405  192.168.1.20    192.168.1.10   HTTP      150     HTTP/1.1 200 OK Continuation
25   480.000406  192.168.1.10    192.168.1.20   TCP       54      41028 → 8080 [ACK] Seq=273 Ack=97 Win=64240 Len=0
Timing and noise note: The gaps between packet groups reflect when network-observable events occur in the scenario. This illustrative excerpt is intentionally low-noise: it does not include unrelated background traffic, idle chatter, or enterprise noise. Focused output is useful when the goal is to inspect behavior, validate rules, or compare detection results without extra noise.

Illustrative excerpt. Published packages will include generated files, ground-truth material, ATT&CK mapping, README, and checksums.
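
Added example (not NetMetria tooling or part of a published package): a small Python pass over rows copied from the excerpt above that groups packets into client-initiated flows, separates a handshake that the client resets without sending data from sessions that carry NBSS or HTTP traffic, and reports the gap between flow starts. The verdict labels and the rule that dissected rows belong to the most recently opened flow are assumptions made for this text export.

```python
import re

# Rows 1-7 and 13-17 copied from the excerpt above (Wireshark-style text export).
EXCERPT = """\
1    0.000000    192.168.1.10    192.168.1.20   TCP       54      40000 → 80 [SYN] Seq=0 Win=64240 Len=0
2    0.000001    192.168.1.20    192.168.1.10   TCP       54      80 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
3    0.000002    192.168.1.10    192.168.1.20   TCP       54      40000 → 80 [RST, ACK] Seq=1 Ack=1 Win=64240 Len=0
4    120.000100  192.168.1.10    192.168.1.20   TCP       54      40257 → 445 [SYN] Seq=0 Win=64240 Len=0
5    120.000101  192.168.1.20    192.168.1.10   TCP       54      445 → 40257 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
6    120.000102  192.168.1.10    192.168.1.20   TCP       54      40257 → 445 [ACK] Seq=1 Ack=1 Win=64240 Len=0
7    120.000103  192.168.1.10    192.168.1.20   NBSS      106     NBSS Continuation Message
13   360.000300  192.168.1.10    192.168.1.20   TCP       54      40771 → 8080 [SYN] Seq=0 Win=64240 Len=0
14   360.000301  192.168.1.20    192.168.1.10   TCP       54      8080 → 40771 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0
15   360.000302  192.168.1.10    192.168.1.20   TCP       54      40771 → 8080 [ACK] Seq=1 Ack=1 Win=64240 Len=0
16   360.000303  192.168.1.10    192.168.1.20   HTTP      150     GET /nmx/channel HTTP/1.1
17   360.000304  192.168.1.20    192.168.1.10   HTTP      182     HTTP/1.1 200 OK
"""
ROW = re.compile(r"^(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
TCP_INFO = re.compile(r"(\d+) → (\d+) \[([^\]]+)\]")

def summarize_flows(text):
    """Group rows into client-initiated flows and label each one."""
    flows, current = [], None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        _no, ts, src, _dst, proto, _length, info = m.groups()
        t = TCP_INFO.match(info)
        if t and t[3] == "SYN":                      # bare SYN opens a new flow
            current = {"client": src, "dport": int(t[2]), "start": float(ts),
                       "reset": False, "app": []}
            flows.append(current)
        elif current is None:
            continue                                 # row before any SYN: nothing to attach to
        elif t:
            # A client RST after the SYN/ACK ends the attempt without a session.
            current["reset"] |= "RST" in t[3] and src == current["client"]
        else:
            # Dissected rows show no ports here; attach to the open flow (rows are sequential).
            current["app"].append(proto)
    prev = None
    for f in flows:
        f["verdict"] = ("probe" if f["reset"] and not f["app"]
                        else "session" if f["app"] else "idle")
        f["gap"] = None if prev is None else round(f["start"] - prev, 6)
        prev = f["start"]
    return flows
```

Against a real capture the same grouping would key on the full 5-tuple from the PCAP rather than on row order.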

Availability

Current state

NetMetria is in active development. 2026 availability is planned, with release timing driven by validation quality rather than a fixed public date.

Dataset package format: In development
ATT&CK behavior coverage: 15 techniques supported
Package validation workflow: In development
Initial sample packages: In preparation

Early access requests help us understand which scenarios, protocols, and ground-truth fields should be prioritized first.

Early access

Tell us what PCAP dataset package would be useful

Generated PCAP dataset packages

Request early access

Use this form to describe the package, scenario, or validation workflow that would be useful to your team.

Exact ATT&CK technique IDs are useful, but plain language is fine.

We will use your submission only to follow up about NetMetria, early access, and dataset requirements. We will not publish your information.