{"id":10130,"date":"2025-12-10T17:02:59","date_gmt":"2025-12-10T16:02:59","guid":{"rendered":"https:\/\/testing.eight25sites.com\/en-us\/?p=10130"},"modified":"2025-12-11T08:18:50","modified_gmt":"2025-12-11T07:18:50","slug":"sophos-achieves-its-best-ever-results-in-the-mitre-attck-enterprise-2025-evaluation","status":"publish","type":"post","link":"https:\/\/testing.eight25sites.com\/en-us\/2025\/12\/products\/sophos-achieves-its-best-ever-results-in-the-mitre-attck-enterprise-2025-evaluation\/","title":{"rendered":"Sophos achieves its best-ever results in the MITRE ATT&#038;CK Enterprise 2025 Evaluation"},"content":{"rendered":"<p>MITRE ATT&amp;CK\u00ae Evaluations are among the world\u2019s most rigorous independent security tests. They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to assess each participating vendor\u2019s ability to detect, analyze, and articulate threats in alignment with the <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"noopener\">MITRE ATT&amp;CK<sup>\u00ae<\/sup> Framework<\/a>. These evaluations continually strengthen our capabilities, for the benefit of the organizations we protect.<\/p>\n<h2><strong>The results are in \u2014 drum roll, please!<\/strong><\/h2>\n<p>MITRE has released the results of the latest ATT&amp;CK\u00ae Evaluation for enterprise security solutions, assessing how participating EDR and XDR products, including <a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\" target=\"_blank\" rel=\"noopener\">Sophos XDR<\/a>, detect and report the complex tactics of advanced threat groups.<\/p>\n<p><strong>We\u2019re excited to share that we achieved our best-ever results in this evaluation round<\/strong>. Sophos\u2019 consistently strong performance in these evaluations \u2014 year after year \u2014 continues to demonstrate the power and precision of our threat detection and response capabilities. 
In the Enterprise 2025 Evaluation, Sophos XDR:<\/p>\n<ul>\n<li>Successfully detected <strong>all 16 attack steps and 90 sub-steps<\/strong>, demonstrating the power of our open AI-native platform to defend against sophisticated cyber threats.<\/li>\n<li><strong>100% detection<sup>1<\/sup><\/strong>: Sophos detected and provided actionable threat detections for all adversary activities \u2014 zero misses.<\/li>\n<li><strong>Highest possible scores:<\/strong> Sophos generated full Technique-level detections for 86 of the 90 adversary activities evaluated.<\/li>\n<\/ul>\n<p>Watch this short video for an overview of the evaluation, then read on for a closer look at the results:<br \/>\n<iframe loading=\"lazy\" title=\"YouTube video player\" src=\"https:\/\/www.youtube.com\/embed\/vRLDgmpidAI?si=Uj0xVHyrQAFAFDSh\" width=\"560\" height=\"315\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Evaluation overview<\/strong><\/h2>\n<p>This was the seventh round of the \u201cEnterprise\u201d ATT&amp;CK Evaluation \u2014 MITRE\u2019s product-focused assessment \u2014 designed to help organizations better understand how security operations solutions like <a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-security\/edr\" target=\"_blank\" rel=\"noopener\">Sophos EDR<\/a>\u00a0and\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\" target=\"_blank\" rel=\"noopener\">Sophos XDR<\/a>\u00a0can help them defend against sophisticated, multi-stage attacks.<\/p>\n<p>The evaluation focused on behaviors inspired by the following threat groups:<\/p>\n<ul>\n<li><strong>Scattered Spider: A financially motivated cybercriminal collective<\/strong><br \/>\nThe MITRE team emulated this group\u2019s use of social engineering to steal credentials, deploy remote access tools, and bypass multi-factor authentication \u2014 targeting cloud resources to establish footholds and access sensitive systems 
and data. The scenario included Windows and Linux devices <strong>and, for the first time, AWS cloud infrastructure<\/strong>.<\/li>\n<\/ul>\n<ul>\n<li><strong>Mustang Panda: People\u2019s Republic of China (PRC) espionage group<\/strong><br \/>\nA PRC state-sponsored cyber espionage group known for using social engineering and legitimate tools to deploy custom malware. The MITRE team emulated its tactics and tools, reflecting behaviors commonly seen across the broader PRC cyber operations ecosystem.<\/li>\n<\/ul>\n<h2><strong><br \/>\nResults in more detail<\/strong><\/h2>\n<p>In this evaluation, MITRE executed two discrete attack scenarios \u2014 one for Scattered Spider and one for Mustang Panda \u2014 comprising a total of 16 steps and 90 sub-steps. Sophos delivered impressive results in both scenarios.<\/p>\n<p><strong>Attack scenario 1:\u00a0Scattered Spider<\/strong><strong><br \/>\n<\/strong><br \/>\n<strong><em>Summary:<\/em><\/strong><em> A complex hybrid intrusion involving social engineering, cloud exploitation, identity abuse, and living-off-the-land techniques. The adversary uses spear phishing to steal credentials and gain remote access, then performs network discovery, accesses the victim\u2019s AWS environment, evades defenses, and exfiltrates data to their own S3 bucket using native AWS tools.<\/em><\/p>\n<p>This attack scenario comprised 7 steps with\u00a062\u00a0sub-steps across Windows, Linux, and AWS.<\/p>\n<ul>\n<li><strong>100% of sub-steps detected<sup>1<\/sup>. Zero misses. 
<\/strong><\/li>\n<li>Actionable threat detections generated for every sub-step.<\/li>\n<li>Highest possible Technique-level ratings achieved for 61 out of 62 sub-steps.<strong><br \/>\n<\/strong><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><strong>Attack scenario 2: Mustang Panda<br \/>\n<\/strong><br \/>\n<strong><em>Summary:<\/em><\/strong><em> An evasive intrusion demonstrating the adversary\u2019s use of social engineering, legitimate tools, persistence, and custom malware to evade detection. It begins with a phishing email carrying a malicious DOCX that provides access to a Windows workstation and connects to a C2 server. The attacker discovers key systems, exfiltrates data, and removes their tooling to cover their tracks.<\/em><\/p>\n<p>This attack scenario comprised 9 steps with 28 sub-steps on Windows devices.<\/p>\n<ul>\n<li><strong>100% of sub-steps detected<sup>1<\/sup>. Zero misses. <\/strong><\/li>\n<li>Actionable threat detections generated for every sub-step.<\/li>\n<li>Highest possible Technique-level ratings achieved for 25 out of 28 sub-steps.<\/li>\n<\/ul>\n<p><strong>Learn more at <\/strong><a href=\"https:\/\/www.sophos.com\/en-us\/content\/why-sophos\/mitre\" target=\"_blank\" rel=\"noopener\"><strong>sophos.com\/mitre<\/strong><\/a><strong> and explore the full results on the <\/strong><a href=\"https:\/\/evals.mitre.org\/enterprise\/er7\" target=\"_blank\" rel=\"noopener\"><strong>MITRE website<\/strong><\/a><strong>.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>What do the ratings mean?<\/strong><\/h2>\n<p>Each adversary activity (or \u201csub-step\u201d) emulated during the evaluation is assigned one of the following ratings by MITRE, reflecting the solution\u2019s ability to detect, analyze, and describe the behavior using the language and structure of the MITRE ATT&amp;CK\u00ae Framework:<\/p>\n<ul>\n<li><strong>Technique\u00a0(Highest fidelity detection)<\/strong><br \/>\nThe solution generated an alert that identifies the adversary activity at 
the ATT&amp;CK Technique or Sub-Technique level. The evidence includes details on execution, impact, and adversary behavior, providing clear <strong>who, what, when, where,\u00a0how, and why<\/strong>\u00a0insights.<\/p>\n<p data-pm-slice=\"1 1 []\">\u27a1\ufe0f <span style=\"font-size: 1em;\">Sophos achieved this (highest possible) rating for 86 out of 90 sub-steps.<\/span><\/p>\n<\/li>\n<li><strong>Tactic\u00a0(Partial detection with context)<\/strong><br \/>\nThe solution generated an alert that identifies the adversary activity at the Tactic level but lacks Technique-level classification. The evidence includes details on execution, impact, and adversary behavior, providing clear <strong>who, what, when, where, and\u00a0why<\/strong>\u00a0insights.<\/p>\n<p data-pm-slice=\"1 1 []\">\u27a1\ufe0f <span style=\"font-size: 1em;\">Sophos received this rating for 1 sub-step.<\/span><\/p>\n<\/li>\n<li><strong>General<br \/>\n<\/strong>The solution generated an alert that identifies the adversary activity as potentially suspicious or malicious. The evidence includes details on execution, impact, and adversary behavior, providing clear <strong>who, what, when, and where<\/strong> insights.<\/p>\n<p data-pm-slice=\"1 1 []\">\u27a1\ufe0f <span style=\"font-size: 1em;\">Sophos received this rating for 3 sub-steps.<\/span><\/p>\n<\/li>\n<li><strong>None (No detection, potential visibility)<br \/>\n<\/strong>Execution of the adversary activity was successful; however, the solution did not generate an alert, failing to identify adversary activity as potentially suspicious or malicious.<\/p>\n<p data-pm-slice=\"1 1 []\">\u27a1\ufe0f <span style=\"font-size: 1em;\">Sophos did not receive this rating for any sub-steps. 
Zero misses.<\/span><\/p>\n<\/li>\n<li><strong>Not Assessed (N\/A)<br \/>\n<\/strong>The evaluation was not performed due to technical limitations, environmental constraints, or platform exclusions.<\/li>\n<\/ul>\n<p>Detections classified as General, Tactic, or Technique are grouped under the definition of\u00a0<strong>analytic coverage<\/strong>, which measures the solution\u2019s ability to convert telemetry into actionable threat detections.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Interpreting the results<\/strong><\/h2>\n<p>There\u2019s no single way to interpret the results of ATT&amp;CK\u00ae Evaluations and MITRE does not rank or rate participants. The evaluations simply present what was observed \u2014 there are no \u201cwinners\u201d or \u201cleaders.\u201d<\/p>\n<p>Each vendor\u2019s approach, tool design, and presentation of data differ, and your organization\u2019s unique needs and workflows ultimately determine the best fit for your team.<\/p>\n<p>Detection quality is key to giving analysts the insight they need to investigate and respond quickly. 
One of the most valuable ways to interpret the results of ATT&amp;CK\u00ae Evaluations is by reviewing the number of sub-steps that produced rich, detailed detections of adversary behavior (analytic coverage) with those that achieved the highest fidelity \u201cTechnique\u201d-level coverage.<\/p>\n<p><strong>Once again, Sophos delivered an exceptional performance in this evaluation.<\/strong><\/p>\n<figure id=\"attachment_10136\" aria-describedby=\"caption-attachment-10136\" style=\"width: 624px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10136 size-full\" src=\"https:\/\/testing.eight25sites.com\/en-us\/wp-content\/uploads\/sites\/3\/2025\/12\/mitre-attack-enterprise-2025-evaluation.png\" alt=\"\" width=\"624\" height=\"572\" \/><figcaption id=\"caption-attachment-10136\" class=\"wp-caption-text\">MITRE does not rank or rate participants of ATT&amp;CK Evaluations.<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p>Sophos\u2019 consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities \u2014 and our commitment to stopping the world\u2019s most sophisticated cyberthreats.<\/p>\n<p>When considering an <a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\/edr\" target=\"_blank\" rel=\"noopener\">EDR<\/a> or extended detection and response (<a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\" target=\"_blank\" rel=\"noopener\">XDR<\/a>) solution, remember to review the results from MITRE ATT&amp;CK Evaluations alongside other reputable independent proof points, including\u00a0verified customer reviews and\u00a0analyst evaluations.<\/p>\n<p>Recent recognitions for Sophos EDR and Sophos XDR include:<\/p>\n<ul>\n<li><a href=\"https:\/\/news.sophos.com\/en-us\/2025\/09\/29\/sophos-named-a-leader-in-the-idc-marketscape-worldwide-extended-detection-and-response-xdr-software-2025\/\" 
target=\"_blank\" rel=\"noopener\">Sophos named a Leader in the IDC MarketScape: Worldwide Extended Detection and Response (XDR) Software 2025<br \/>\n<\/a><\/li>\n<li><a href=\"https:\/\/news.sophos.com\/en-us\/2025\/09\/16\/sophos-tops-g2-fall-2025-reports-1-overall-in-mdr-and-firewall\/\" target=\"_blank\" rel=\"noopener\">Sophos named a Leader in the G2 Fall 2025 Reports for both EDR and XDR<br \/>\n<\/a><\/li>\n<li><a href=\"https:\/\/testing.eight25sites.com\/en-us\/2025\/06\/products\/sophos-named-a-2025-gartner-peer-insights-customers-choice-for-both-endpoint-protection-platforms-and-extended-detection-and-response\/\" target=\"_blank\" rel=\"noopener\">Sophos named a 2025 Gartner\u00ae Peer Insights\u2122 \u201cCustomers\u2019 Choice\u201d vendor for Extended Detection and Response (XDR)<br \/>\n<\/a><\/li>\n<li><a href=\"https:\/\/testing.eight25sites.com\/en-us\/2025\/07\/products\/sweet-16-sophos-named-a-leader-again-in-the-2025-gartner-magic-quadrant-for-endpoint-protection-platforms\/\" target=\"_blank\" rel=\"noopener\">Sophos named a Leader for the 16th consecutive time in the 2025 Gartner\u00ae Magic Quadrant\u2122 for Endpoint Protection Platforms<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><strong>Get started with Sophos XDR today<\/strong><\/h2>\n<p>Sophos\u2019 consistently strong results in MITRE ATT&amp;CK Evaluations help to validate our position as an industry-leading provider of <a href=\"https:\/\/www.sophos.com\/en-us\/products\/endpoint-antivirus\/edr\" target=\"_blank\" rel=\"noopener\">endpoint detection and response (EDR)<\/a> and\u00a0<a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\" target=\"_blank\" rel=\"noopener\">extended detection and response (XDR)<\/a>\u00a0capabilities to over 45,000 organizations worldwide.<\/p>\n<p>To see how Sophos can streamline your customers&#8217; security operations and drive superior outcomes for their organization, <a 
href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\">visit our website<\/a>, <a href=\"https:\/\/partners.sophos.com\/prm\/English\/c\/selling-sophos-xdr\" target=\"_blank\" rel=\"noopener\">download sales resources<\/a> from the Sophos Partner Portal, <a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\/free-trial\">recommend a free trial of Sophos XDR<\/a>, or speak to your Sophos representative or distributor.<\/p>\n<p>To learn more about the results of this evaluation, visit <a href=\"https:\/\/www.sophos.com\/en-us\/content\/why-sophos\/mitre\" target=\"_blank\" rel=\"noopener\">sophos.com\/mitre<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<p><sup>1<\/sup> In the \u201cConfiguration Change\u201d run of the Enterprise 2025 Evaluation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A major milestone: Sophos XDR delivers 100% detection coverage in the latest ATT&amp;CK Evaluation.<\/p>\n","protected":false},"author":8,"featured_media":30000010140,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[235,147],"coauthors":[251],"class_list":["post-10130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-mitre-attck","tag-sophos-xdr"],"_links":{"self":[{"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/posts\/10130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/comments?post=10130"}],"version-history":[{"count":8,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp
-json\/wp\/v2\/posts\/10130\/revisions"}],"predecessor-version":[{"id":10155,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/posts\/10130\/revisions\/10155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/media?parent=10130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/categories?post=10130"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/tags?post=10130"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/testing.eight25sites.com\/en-us\/wp-json\/wp\/v2\/coauthors?post=10130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}