MITRE ATT&CK® Evaluations are among the world’s most rigorous independent security tests. They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to assess each participating vendor’s ability to detect, analyze, and articulate threats in alignment with the MITRE ATT&CK® Framework. These evaluations continually strengthen our capabilities, for the benefit of the organizations we protect.
**The results are in — drum roll, please!**
MITRE has released the results of the latest ATT&CK® Evaluation for enterprise security solutions, assessing how participating EDR and XDR products, including Sophos XDR, detect and report the complex tactics of advanced threat groups.
We’re excited to share that we achieved our best-ever results in this evaluation round. Sophos’ consistently strong performance in these evaluations — year after year — continues to demonstrate the power and precision of our threat detection and response capabilities. In the Enterprise 2025 Evaluation, Sophos XDR:
- Successfully detected all 16 attack steps and 90 sub-steps, demonstrating the power of our open AI-native platform to defend against sophisticated cyber threats.
- 100% detection1: Sophos detected and provided actionable threat detections for all adversary activities — zero misses.
- Highest possible scores: Sophos generated full Technique-level detections for 86 of the 90 adversary activities evaluated.
Watch this short video for an overview of the evaluation, then read on for a closer look at the results:
Evaluation overview
This was the seventh round of the “Enterprise” ATT&CK Evaluation — MITRE’s product-focused assessment — designed to help organizations better understand how security operations solutions like Sophos EDR and Sophos XDR can help them defend against sophisticated, multi-stage attacks.
The evaluation focused on behaviors inspired by the following threat groups:
- **Scattered Spider:** A financially motivated cybercriminal collective. The MITRE team emulated this group’s use of social engineering to steal credentials, deploy remote access tools, and bypass multi-factor authentication — targeting cloud resources to establish footholds and access sensitive systems and data. The scenario included Windows and Linux devices and, for the first time, AWS cloud infrastructure.
- **Mustang Panda:** People’s Republic of China (PRC) espionage group. A PRC state-sponsored cyber espionage group known for using social engineering and legitimate tools to deploy custom malware. The MITRE team emulated its tactics and tools, reflecting behaviors commonly seen across the broader PRC cyber operations ecosystem.
Results in more detail
In this evaluation, MITRE executed two discrete attack scenarios — one for Scattered Spider and one for Mustang Panda — comprising a total of 16 steps and 90 sub-steps. Sophos delivered impressive results in both scenarios.
**Attack scenario 1: Scattered Spider**
**Summary:** *A complex hybrid intrusion involving social engineering, cloud exploitation, identity abuse, and living-off-the-land techniques. The adversary uses spear phishing to steal credentials and gain remote access, then performs network discovery, accesses the victim’s AWS environment, evades defenses, and exfiltrates data to their own S3 bucket using native AWS tools.* This attack scenario comprised 7 steps with 62 sub-steps across Windows, Linux, and AWS.
- **100% of sub-steps detected1. Zero misses.**
- Actionable threat detections generated for every sub-step.
- Highest possible Technique-level ratings achieved for 61 out of 62 sub-steps.
**Attack scenario 2: Mustang Panda**
**Summary:** *An evasive intrusion demonstrating the adversary’s use of social engineering, legitimate tools, persistence, and custom malware to evade detection. It begins with a phishing email carrying a malicious DOCX that provides access to a Windows workstation and connects to a C2 server. The attacker discovers key systems, exfiltrates data, and removes their tooling to cover their tracks.* This attack scenario comprised 9 steps with 28 sub-steps on Windows devices.
- **100% of sub-steps detected1. Zero misses.**
- Actionable threat detections generated for every sub-step.
- Highest possible Technique-level ratings achieved for 25 out of 28 sub-steps.
Learn more at sophos.com/mitre and explore the full results on the MITRE website.
What do the ratings mean?
Each adversary activity (or “sub-step”) emulated during the evaluation is assigned one of the following ratings by MITRE, reflecting the solution’s ability to detect, analyze, and describe the behavior using the language and structure of the MITRE ATT&CK® Framework:
- **Technique (Highest fidelity detection):** The solution generated an alert that identifies the adversary activity at the ATT&CK Technique or Sub-Technique level. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, how, and why insights.
  - Sophos achieved this (highest possible) rating for 86 out of 90 sub-steps.
- **Tactic (Partial detection with context):** The solution generated an alert that identifies the adversary activity at the Tactic level but lacks Technique-level classification. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, where, and why insights.
  - Sophos received this rating for 1 sub-step.
- **General:** The solution generated an alert that identifies the adversary activity as potentially suspicious or malicious. The evidence includes details on execution, impact, and adversary behavior, providing clear who, what, when, and where insights.
  - Sophos received this rating for 3 sub-steps.
- **None (No detection, potential visibility):** Execution of the adversary activity was successful; however, the solution did not generate an alert, failing to identify adversary activity as potentially suspicious or malicious.
  - Sophos did not receive this rating for any sub-steps. Zero misses.
- **Not Assessed (N/A):** The evaluation was not performed due to technical limitations, environmental constraints, or platform exclusions.
Detections classified as General, Tactic, or Technique are grouped under the definition of analytic coverage, which measures the solution’s ability to convert telemetry into actionable threat detections.
Interpreting the results
There’s no single way to interpret the results of ATT&CK® Evaluations and MITRE does not rank or rate participants. The evaluations simply present what was observed — there are no “winners” or “leaders.”
Each vendor’s approach, tool design, and presentation of data differ, and your organization’s unique needs and workflows ultimately determine the best fit for your team.
Detection quality is key to giving analysts the insight they need to investigate and respond quickly. One of the most valuable ways to interpret the results of ATT&CK® Evaluations is to review the number of sub-steps that produced rich, detailed detections of adversary behavior (analytic coverage) alongside the number that achieved the highest fidelity “Technique”-level coverage.
Once again, Sophos delivered an exceptional performance in this evaluation.
Sophos’ consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities — and our commitment to stopping the world’s most sophisticated cyberthreats.
When considering an EDR or extended detection and response (XDR) solution, remember to review the results from MITRE ATT&CK Evaluations alongside other reputable independent proof points, including verified customer reviews and analyst evaluations.
Recent recognitions for Sophos EDR and Sophos XDR include:
- Sophos named a Leader in the IDC MarketScape: Worldwide Extended Detection and Response (XDR) Software 2025
- Sophos named a Leader in the G2 Fall 2025 Reports for both EDR and XDR
- Sophos named a 2025 Gartner® Peer Insights™ “Customers’ Choice” vendor for Extended Detection and Response (XDR)
- Sophos named a Leader for the 16th consecutive time in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms
**Get started with Sophos XDR today**
Sophos’ consistently strong results in MITRE ATT&CK Evaluations help validate our position as an industry-leading provider of endpoint detection and response (EDR) and extended detection and response (XDR) capabilities to over 45,000 organizations worldwide.
To see how Sophos can streamline your security operations and drive superior outcomes for your organization, visit our website, start a free trial of Sophos XDR, or speak with an expert.
To learn more about the results of this evaluation, visit sophos.com/mitre.
1 In the “Configuration Change” run of the Enterprise 2025 Evaluation.