Sophos XDR Achieves Full Detection in MITRE ATT&CK 2025
News Desk

Sophos today announced its best-ever performance in the MITRE ATT&CK® Enterprise 2025 Evaluation, with Sophos XDR detecting 100% of adversary behaviors across two complex attack scenarios, according to evaluation results.

The company reported that Sophos XDR achieved full detection coverage across all 90 adversary sub-steps tested during the evaluation. The scenarios emulated Scattered Spider, tracked by Sophos X-Ops as GOLD HARVEST, and Mustang Panda, tracked as BRONZE PRESIDENT. The Scattered Spider activity spanned Windows, Linux, and AWS cloud environments, while the Mustang Panda scenario focused on Windows systems.

In addition, Sophos revealed it achieved the highest possible “Technique”-level rating for 86 out of 90 sub-steps. These detections provided detailed insight into execution methods, impact, and adversary behavior, giving analysts clear visibility into the who, what, when, where, how, and why behind each attack step.

Key evaluation outcomes included:

  • 100% detection coverage across Windows, Linux, and AWS cloud environments
  • Technique-level ratings for 86 of 90 sub-steps, showing deep visibility
  • Technique-level ratings for 61 of 62 sub-steps in the Scattered Spider scenario involving identity abuse, cloud exploitation, and data exfiltration

“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in different ways,” said Simon Reed, chief research and scientific officer at Sophos. He stated that achieving full detection coverage across both scenarios validates the accuracy of Sophos XDR analytics and highlights how the platform converts complex telemetry into actionable intelligence. Reed added that consistent investment in the platform over five years of participation in ATT&CK Evaluations has translated into stronger results and improved security outcomes for customers.

The results also reflect the scale at which Sophos XDR operates. Every day, Sophos processes more than 223 terabytes of telemetry through Sophos Central, generating over 34 million detections and automatically blocking more than 11 million threats. This volume of data helps refine detections and supports continuous protection for organizations worldwide.

Sophos X-Ops has tracked GOLD HARVEST since 2022, reporting that the financially motivated group continues to conduct high-profile attacks across the U.K. and U.S., despite several arrests. The group has also collaborated with Russian-speaking ransomware operators and relies heavily on social engineering techniques.

Meanwhile, Sophos X-Ops has monitored BRONZE PRESIDENT for several years. The PRC-aligned group has conducted intelligence-driven campaigns targeting Tibetan communities, as well as Thai government and military entities during periods of heightened regional tension. The group remains one of the most persistent state-aligned cyber threat actors.

MITRE ATT&CK Evaluations are widely recognized independent security assessments that simulate real-world adversary tactics and techniques. This was the seventh Enterprise-level evaluation, designed to help organizations assess how security operations solutions such as Sophos EDR and Sophos XDR can defend against sophisticated, multi-stage cyberattacks.