Sophos achieves 100% detection in the MITRE ATT&CK® Enterprise 2025 Evaluation
MITRE ATT&CK® Evaluations measure how effectively security solutions like Sophos XDR detect, analyze, and communicate sophisticated multi-stage threats.
- Sophos successfully detected all 16 attack steps and 90 sub-steps, proving the power of our open AI-native XDR platform.
- 100% detection¹: Sophos detected and provided actionable threat detections for all adversary activities — zero misses.
- Highest possible scores: Sophos generated full Technique-level detections for 86 of the 90 adversary activities evaluated.
¹ In the "Configuration Change" run of the Enterprise 2025 Evaluation.
MITRE ATT&CK® Evaluations: Enterprise 2025
MITRE ATT&CK® Evaluations are among the world’s most respected independent security tests. They emulate the tactics, techniques, and procedures (TTPs) leveraged by real-world adversarial groups and evaluate each participating vendor’s ability to detect, analyze, and describe threats, with output aligned to the language and structure of the MITRE ATT&CK® Framework.
The Enterprise 2025 evaluation included MITRE’s first-ever cloud adversary emulation and addressed the sophisticated, multi-platform threats organizations face from both financially motivated cyber criminals and state-sponsored espionage groups:
- Scattered Spider: A financially motivated cybercriminal syndicate
Known for their expertise in social engineering, this threat group persistently targets victims’ cloud resources to establish footholds, conduct reconnaissance, and access sensitive systems and data.
- Mustang Panda: A People’s Republic of China (PRC) espionage group
An active PRC state-sponsored cyber espionage group that employs living-off-the-land techniques, custom malware, and cloud-hosted infrastructure.
Evaluation results
Sophos successfully detected and provided actionable alerts for 100% of sub-steps¹ across two comprehensive attack scenarios:
Interpreting the ATT&CK Evaluations results
Understand the ratings and categorizations in this Enterprise round.
For Enterprise 2025, detections are classified into five categories that emphasize providing detection, classification, and context-rich alerts to security teams. Each adversary activity (called a ‘sub-step’) emulated by MITRE receives a rating that indicates the solution’s ability to detect, analyze, and describe the activity, with output aligned to the language and structure of the MITRE ATT&CK® Framework.
- Technique (Highest fidelity detection)
The enterprise security solution generated an alert that identifies adversary activity at the ATT&CK Technique or Sub-Technique level pertaining to the behavior under test. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, how, and why insights.
- Tactic (Partial detection with context)
The enterprise security solution generated an alert that identifies adversary activity at the Tactic level pertaining to the behavior under test but lacks technique-level classification. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, and why insights.
- General (Weak detection, limited context)
The enterprise security solution generated an alert that identifies adversary activity as potentially suspicious or malicious but did not associate it with the Tactic or Technique under evaluation. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, and where insights.
- None (No detection, potential visibility)
Execution of the sub-step was successful; however, the enterprise security solution did not generate an alert, failing to identify adversary activity as potentially suspicious or malicious.
- Not Assessed (N/A)
The evaluation was not performed due to technical limitations, environmental constraints, or platform exclusions.
Detections classified as General, Tactic, or Technique are grouped under the definition of Analytic Coverage, which measures the solution’s ability to convert telemetry into actionable threat detections.
Learn more about the detection categories on the MITRE website
Detection quality is critical for providing security analysts with the information to investigate and respond quickly and efficiently. This chart shows the number of sub-steps that generated a detection providing rich detail on the adversarial behaviors (analytic coverage) and the number of sub-steps that achieved full 'technique' level coverage, for each participating vendor.
Evaluation attack scenarios
Attack scenario 1: Scattered Spider (Windows, Linux, and AWS)
A sophisticated hybrid-environment intrusion combining social engineering, cloud exploitation, identity abuse, and living-off-the-land techniques. The adversary spear phishes for credentials, gains remote access, conducts discovery, evades defenses, and exploits the company’s AWS environment using native tools.
This scenario comprised 7 attack steps with 62 sub-steps across Windows, Linux, and AWS.
- 100% of sub-steps detected¹. Zero misses.
- Actionable threat detections generated for every sub-step.
- Highest possible Technique-level ratings achieved for 61 out of 62 sub-steps.
Attack scenario 2: Mustang Panda (Windows)
An evasive intrusion showcasing the adversary’s skilled use of social engineering, legitimate application abuse, persistence mechanisms, and custom malware. The attack begins with a phishing email granting access to the victim’s Windows workstation. The adversary discovers key assets — including a file server, domain controller, and other workstations — exfiltrates data and removes their tools to cover their tracks.
This scenario comprised 9 attack steps with 28 sub-steps targeting Windows devices.
- 100% of sub-steps detected¹. Zero misses.
- Actionable threat detections generated for every sub-step.
- Highest possible Technique-level ratings achieved for 25 out of 28 sub-steps.
Why we participate in MITRE ATT&CK® Evaluations
MITRE ATT&CK® Evaluations are among the world’s most rigorous independent security tests. Sophos is committed to participating in these evaluations alongside some of the best security vendors in the industry. As a community, we are united against a common enemy. These evaluations help make us better, individually and collectively, for the benefit of the organizations we defend.
11 EDR/XDR security vendors participated in the Enterprise 2025 evaluation:
Consistent strong performance
Sophos participates in ATT&CK® Evaluations for both enterprise security solutions and managed services, consistently delivering strong results. Explore our performance from previous evaluation rounds:
A market leader in detection and response solutions
Get started with Sophos XDR
See how Sophos can streamline your detection and response and drive superior outcomes for your organization.