Microsoft Defender ATP evaluation lab breach & attack simulators are now available in public preview

Published May 20 2020 08:58 AM 17.7K Views

Update: this integration is now generally available as of June 2020. 


Microsoft Defender ATP has partnered with breach and attack simulation solutions, AttackIQ and SafeBreach, to give you convenient access to attack simulators right from the within the portal! These capabilities, now in public preview, are built into our evaluation lab, have no prerequisites, and we encourage you to check them out. 


Running threat simulations using third-party platforms is a good way to evaluate and experience Microsoft Defender ATP capabilities within the confines of a lab environment. It’s also a great way to verify that your environment is well configured and protected against advanced threats.  

When you enable the integration, every lab machine you create will have the chosen agent(s) installed, allowing you to run a wide variety of cool simulations. 


Running a simulation on a lab device just takes a couple of clicks – and you’ll be able to see results right away – all presented to you in the evaluation lab console as you can see in the image below. 





AttackIQ and SafeBreach simulations are easily accessible from within the simulations catalog in the simulations & tutorials section of evaluation lab. Each simulation comes with an in-depth description of the attack scenario, references to MITRE ATT&CK techniques and attack groups part of the simulation, as well as sample advanced hunting queries you can run. 






If you have preview features turned on in Microsoft Defender ATP, you can try out the new attack simulators in the evaluation lab today 


Already have a lab? Make sure to enable the new breach and attack simulators and have active machines. 


Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. 


For more information, see the Microsoft Defender ATP evaluation lab documentation. 





Great work, I really like this enhancement of the MDATP Evaluation lab. 

Regular Visitor

Great work, of great value to evaluate the service in more detail :D 

Occasional Contributor

This looks really interesting.  We are just starting to evaluate Defender ATP and other endpoint protection products. I just setup a trial so I could test this out.   However as I'm getting ready to create some of the test machine as described above, it sounds like you only get one opportunity to do this.  Like once the 48/72 hours expires, those machines will go away and you can never create another batch of test machines.  Am I reading that correctly?


I was initially hoping this would be a lab environment for evaluating different products.  Install one with Defender ATP, one with ESET, one with Sophos and run the same attack simulation against all machines and compare how they respond.  Is that possible?   Can I install other software in the VMs?


But I guess that leads back to my initial question - do I only have one opportunity to setup these test machine and evaluate them in the span of a couple days and then never again?





Hi @Jason Hartman!


To your first question - at the moment, lab devices are only available for the limited time you chose. (you can create one machine today, and one machine in a month from now, but each one of them will be limited by time)

That said, if you need more machines, please submit a support ticket and we will review the request.

I see your point on the need of having more lab devices available. We are considering such scenarios, we will share with lab users when possible.


Last but not least - other than the fact you can easily run simulations provided by MDATP partners, you have full RDP access to each lab machine (password shown in the device creation process) so yes - you may install anything you'd like :)


It'll be great to hear from you about your experience with the new lab capabilities, and with MDATP in general!

Occasional Contributor

Hi @Hadar Feldman Thanks so much for the additional info.


You said "you can create one machine today, and one machine in a month from now....".  How would I do that?  I only see 3 options when go to setup a new lab.  3, 4 or 8 devices.





@Jason Hartman  for example, the default option (3 machines for 72 hours), means 3 machines 72 hours each. From the moment you'll create a machine in your lab, it'll be available for the next 72 hours.

If you'll create another machine a month from now, it'll be available for 72 hours from creation.

We hope to add more granularity for these options soon.


New Contributor

Hi @Hadar Feldman, it is a great a very needed integration with BAS products! Are all capabilities and features offered by AttackIQ  and SafeBreach available from ATP Security Center portal with our already purchased E5 license or would buying the BAS product license provide access to all of them?

Are there license requirements to test this lab environment? 


Or this feature only for E5 customers? 

Version history
Last update:
‎Jun 25 2020 08:58 AM
Updated by: