MITRE ATT&CK Evaluation Showcases the Effectiveness of SentinelOne’s Autonomous Agent Platform

SentinelOne Automatically Caught, Prevented, and Remediated MITRE’S APT Attacks at All 20 Stages of the Replicated Attack

Mountain View, Calif. – November 30, 2018 – SentinelOne, the autonomous endpoint protection company, today released its results from the MITRE ATT&CK Endpoint Protection Product Evaluation. SentinelOne’s autonomous agent saw zero “delayed” detections which further validates that SentinelOne’s patented platform can autonomously accomplish what many thought only humans in the SOC are capable of addressing. MITRE’s ATT&CK-based evaluations provide an assessment on the effectiveness of detecting specific tactics and techniques, as captured in the ATT&CK knowledgebase.  

For the evaluation, MITRE tested two full attacks and both were reported as threats immediately on execution by the SentinelOne platform:

  • The first attack started with an executable zero-day file unknown to any intelligence source landing on disk. SentinelOne’s Static AI identified this file as malicious when it was written to disk and SentinelOne’s Behavioral AI engine flagged and started tracking the active attack as soon as the file was executed.  
  • The second attack started as a VBScript file, also unknown, that on execution loaded the “Empire” stager into memory. SentinelOne’s Behavioral AI flagged an active attack as soon as the script code was executed.

SentinelOne’s Behavioral AI was able to track every stage of both attacks and automatically correlate the data into a single comprehensive story for each attack that was updated in real time.  This unique ability of the autonomous agent is highlighted in the test output by MITRE’s use of the “Telemetry, Tainted” term. MITRE describes “tainted associations” as alerts that were generated but had to describe, by group ID or threat story link, where visual identifiers were not present. Additionally, SentinelOne would have autonomously and automatically detected, prevented, and remediated the attack at every single stage of the 20-stage attack. Had this APT actor been targeting a SentinelOne-protected infrastructure, the attack would have failed at every stage of the attack, every single time.

“SentinelOne is focused on delivering a best-in-class EDR solution converged with EPP and IT Operations capabilities, and this commitment made us jump at the opportunity to participate in the MITRE ATT&CK evaluation,” said Jared Phipps, Vice President Worldwide Sales Engineering, SentinelOne. “The MITRE framework, and its thorough threat context, is fully integrated into SentinelOne allowing our unique autonomous agent to accomplish SOC-level tasks automatically, which saves our customers considerable and valuable time.”

Earlier this month, SentinelOne announced the integration of MITRE ATT&CK within their next-gen endpoint solution. This integration allows SentinelOne to autonomously map attacks in real time to the MITRE ATT&CK framework, providing users immediate in-product indicators and attack technique context. The framework enhances SentinelOne’s active EDR capabilities, surfacing relevant indicators for SOC teams, and then providing in-product automated responses.

“We’re very pleased with the participation in our first round of ATT&CK-based evaluations,” said Frank Duff, lead engineer for the evaluations program. “Effective cybersecurity can’t be done alone. We look forward to continued collaboration with industry to help vendors understand their capabilities against known adversary behaviors, and empower customers to more effectively buy and deploy these security solutions.”

To learn more or to download a copy of the MITRE ATT&CK report, visit

About SentinelOne

SentinelOne delivers autonomous endpoint protection through a single agent that successfully prevents, detects and responds to attacks across all major vectors. Designed for extreme ease of use, the S1 platform saves customers time by applying AI to automatically eliminate threats in real time for both on premise and cloud environments and is the only solution to provide full visibility across networks directly from the endpoint. To learn more visit or follow us at @SentinelOne, on LinkedIn or Facebook.


Eric Searle
fama PR for SentinelOne
[email protected]