StealthCup: Realistic, Multi-Stage, Evasion-Focused CTF for Benchmarking IDS

TL;DR

StealthCup introduces a realistic, multi-stage, evasion-focused CTF framework for benchmarking IDS, revealing significant detection gaps and providing a reproducible, attacker-aligned evaluation methodology.

Contribution

This paper presents StealthCup, a novel multi-stage attack benchmarking approach that simulates realistic adversary behavior to evaluate IDS effectiveness more accurately.

Findings

11 out of 32 attack techniques went undetected by all IDS configurations.

Open-source IDS systems had false positives >90%.

Commercial IDS missed more attacks but had fewer false positives.

Abstract

Intrusion Detection Systems (IDS) are critical to defending enterprise and industrial control environments, yet evaluating their effectiveness under realistic conditions remains an open challenge. Existing benchmarks rely on synthetic datasets (e.g., NSL-KDD, CICIDS2017) or scripted replay frameworks, which fail to capture adaptive adversary behavior. Even MITRE ATT&CK Evaluations, while influential, are host-centric and assume malware-driven compromise, thereby under-representing stealthy, multi-stage intrusions across IT and OT domains. We present StealthCup, a novel evaluation methodology that operationalizes IDS benchmarking as an evasion-focused Capture-the-Flag competition. Professional penetration testers engaged in multi-stage attack chains on a realistic IT/OT testbed, with scoring penalizing IDS detections. The event generated structured attacker writeups, validated detections, and PCAPs, host logs, and alerts. Our results reveal that out of 32 exercised attack techniques, 11 were not detected by any IDS configuration. Open-source systems (Wazuh, Suricata) produced high false-positive rates >90%, while commercial tools generated fewer false positives but also missed more attacks. Comparison with the Volt Typhoon APT advisory confirmed strong realism: all 28 applicable techniques were exercised, 19 appeared in writeups, and 9 in forensic traces. These findings demonstrate that StealthCup elicits attacker behavior closely aligned with state-sponsored TTPs, while exposing blind spots across both open-source and commercial IDS. The resulting datasets and methodology provide a reproducible foundation for future stealth-focused IDS evaluation.