Sophos XDR detected all simulated attacker actions in the MITRE ATT&CK Enterprise 2025 Evaluation, an independent test that covered two different cyberattack scenarios.
The cybersecurity solutions provider said Sophos XDR achieved 100% detection coverage across 90 adversary sub-steps in scenarios based on Scattered Spider and Mustang Panda. Scattered Spider activity involved Windows, Linux, and Amazon Web Services cloud environments, while Mustang Panda focused on Windows systems only.
MITRE ATT&CK Evaluations are designed to test how well security tools can spot real-world attack techniques. Rather than ranking vendors, the tests show what each product can detect and how clearly it explains attacker behavior.
In the latest evaluation, Sophos XDR also received the highest possible “Technique” rating for 86 of the 90 sub-steps. This rating indicates that the system provided detailed information on how attacks were carried out, what systems were affected, and what actions were taken by the attackers.
For the Scattered Spider scenario, which included identity abuse, cloud misuse, and data theft, Sophos XDR earned the top rating in 61 of 62 sub-steps.
“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in very different ways,” said Simon Reed, chief research and scientific officer of Sophos. “Achieving full detection coverage against both validates the accuracy and depth of Sophos’ analytics and demonstrates how the company’s AI-native XDR platform converts complex telemetry into clear, actionable intelligence, helping security teams detect, understand, and stop advanced attacks with confidence,” he said.
Scattered Spider, tracked by Sophos X-Ops as GOLD HARVEST, is a financially motivated cybercrime group active since at least 2022. The group is known for social engineering tactics that allow attackers to trick employees into giving access to systems. Despite arrests in recent years, the group continues to target organizations in the United Kingdom and the United States, sometimes working with ransomware groups.
Mustang Panda, tracked as BRONZE PRESIDENT, is a long-running espionage group linked to China. Sophos X-Ops said the group carries out intelligence-focused operations aligned with Chinese state interests. Recent activity has included attacks on Tibetan groups and intrusions into Thai government and military networks during periods of regional tension.
Sophos said its detection results are supported by the large volume of data processed daily through its platform. The company processes more than 223 terabytes of security data each day in Sophos Central, generating over 34 million detections and automatically blocking more than 11 million threats.
The MITRE ATT&CK Enterprise 2025 Evaluation marks the seventh enterprise-focused test conducted by MITRE. The assessment is intended to help organizations understand how endpoint detection and response and extended detection and response tools perform against complex, multi-stage attacks.
Sophos advised organizations to review MITRE ATT&CK results alongside other independent tests when choosing security tools, noting that the evaluations provide insight into detection depth and clarity rather than overall product rankings.

