MITRE ATT&CK Evaluation Showcases the Effectiveness of SentinelOne’s Autonomous Agent Platform


SentinelOne Automatically Caught, Prevented, and Remediated MITRE’S
APT Attacks at All 20 Stages of the Replicated Attack

the autonomous endpoint protection company, today released its
results from the MITRE
ATT&CK Endpoint Protection Product Evaluation
. SentinelOne’s
autonomous agent saw zero “delayed” detections which further validates
that SentinelOne’s patented platform can autonomously accomplish what
many thought only humans in the SOC are capable of addressing. MITRE’s
ATT&CK-based evaluations provide an assessment on the effectiveness of
detecting specific tactics and techniques, as captured in the ATT&CK

For the evaluation, MITRE tested two full attacks and both were reported
as threats immediately on execution by the SentinelOne platform:

  • The first attack started with an executable zero-day file unknown to
    any intelligence source landing on disk. SentinelOne’s Static AI
    identified this file as malicious when it was written to disk and
    SentinelOne’s Behavioral AI engine flagged and started tracking the
    active attack as soon as the file was executed.
  • The second attack started as a VBScript file, also unknown, that on
    execution loaded the “Empire” stager into memory. SentinelOne’s
    Behavioral AI flagged an active attack as soon as the script code was

SentinelOne’s Behavioral AI was able to track every stage of both
attacks and automatically correlate the data into a single comprehensive
story for each attack that was updated in real time. This unique ability
of the autonomous agent is highlighted in the test output by MITRE’s use
of the “Telemetry, Tainted” term. MITRE describes “tainted associations”
as alerts that were generated but had to describe, by group ID or threat
story link, where visual identifiers were not present. Additionally,
SentinelOne would have autonomously and automatically detected,
prevented, and remediated the attack at every single stage of the
20-stage attack. Had this APT actor been targeting a
SentinelOne-protected infrastructure, the attack would have failed at
every stage of the attack, every single time.

“SentinelOne is focused on delivering a best-in-class EDR solution
converged with EPP and IT Operations capabilities, and this commitment
made us jump at the opportunity to participate in the MITRE ATT&CK
evaluation,” said Jared Phipps, Vice President Worldwide Sales
Engineering, SentinelOne. “The MITRE framework, and its thorough threat
context, is fully integrated into SentinelOne allowing our unique
autonomous agent to accomplish SOC-level tasks automatically, which
saves our customers considerable and valuable time.”

Earlier this month, SentinelOne
announced the integration of MITRE ATT&CK within their next-gen endpoint
. This integration allows SentinelOne to autonomously map
attacks in real time to the MITRE ATT&CK framework, providing users
immediate in-product indicators and attack technique context. The
framework enhances SentinelOne’s active EDR capabilities, surfacing
relevant indicators for SOC teams, and then providing in-product
automated responses.

“We’re very pleased with the participation in our first round of
ATT&CK-based evaluations,” said Frank Duff, lead engineer for the
evaluations program. “Effective cybersecurity can’t be done alone. We
look forward to continued collaboration with industry to help vendors
understand their capabilities against known adversary behaviors, and
empower customers to more effectively buy and deploy these security

To learn more or to download a copy of the MITRE ATT&CK report, visit

About SentinelOne
SentinelOne delivers autonomous endpoint
protection through a single agent that successfully prevents, detects
and responds to attacks across all major vectors. Designed for extreme
ease of use, the S1 platform saves customers time by applying AI to
automatically eliminate threats in real time for both on premise and
cloud environments and is the only solution to provide full visibility
across networks directly from the endpoint. To learn more visit or follow us at @SentinelOne,
on LinkedIn
or Facebook.


Eric Searle
fama PR for SentinelOne


Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *