Sophos XDR delivers 100% detection coverage in the latest MITRE ATT&CK Evaluation

Sophos, a global leader of innovative security solutions for defeating cyberattacks, has announced its best-ever results in the MITRE ATT&CK Enterprise 2025 Evaluation.

Sophos XDR detected 100% of adversary behaviors (sub-steps)¹ across two complex attack scenarios: Scattered Spider, which Sophos X-Ops tracks as GOLD HARVEST, a financially motivated cybercriminal collective, and Mustang Panda, which Sophos X-Ops tracks as BRONZE PRESIDENT, a People’s Republic of China (PRC) espionage group.

The Scattered Spider scenario included activity across Windows, Linux, and AWS cloud environments, and the Mustang Panda scenario focused on Windows only.

Further, Sophos achieved the highest-possible “Technique”-level rating for 86 out of 90 total sub-steps in the evaluation, by generating high-fidelity detections with details on execution, impact, and adversary behavior, providing clear who, what, when, where, how, and why insights.

Sophos XDR achieved:

• 100% detection coverage¹ for all 90 adversary sub-steps across two complex attack scenarios across Windows, Linux, and AWS cloud environments
• Highest possible (“Technique”) ratings for 86 of 90 sub-steps, demonstrating deep visibility and actionable detections
• Highest possible (“Technique”) ratings for 61 out of 62 of sub-steps in the Scattered Spider scenario involving identity abuse, cloud exploitation, and data exfiltration

“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in very different ways,” said Simon Reed, chief research and scientific officer, Sophos. “Achieving full detection coverage against both validates the accuracy and depth of Sophos’ analytics and demonstrates how the company’s AI-native XDR platform converts complex telemetry into clear, actionable intelligence, helping security teams detect, understand, and stop advanced attacks with confidence. Sophos’ consistently strong performance in these rigorous evaluations underscores the power and precision of our threat detection and response capabilities, and our commitment to stopping the world’s most sophisticated cyberthreats. Over the five years that Sophos has participated in ATT&CK Evaluations, we have continually invested in strengthening our platform, and that investment has translated into stronger results year after year – both in the evaluations, and in the security outcomes we deliver for our customers.”

These results demonstrate the power of the Sophos XDR platform to defend against sophisticated cyber threats. Every day, Sophos processes 223+ terabytes of telemetry in Sophos Central, generating 34+ million detections and automatically blocking 11+ million threats.

This scale of customer insights ensures that Sophos’ detections are being tested and improved to provide continuous protection while delivering stronger outcomes for organizations worldwide. 

Understanding The Threat Actors

Sophos X-Ops has tracked GOLD HARVEST (Scattered Spider) since 2022, observing a loosely affiliated cybercriminal collective driven by both financial motives and a desire to elevate their reputations on underground forums.

Despite several arrests, operators and associates continue to launch high-profile attacks across the U.K. and U.S., at times partnering with major Russian-speaking ransomware groups.

Their sophisticated social engineering capabilities enable them to compromise even well-defended organizations, underscoring the importance of strong behavioral detections within modern security operations.

In parallel, Sophos X-Ops has monitored BRONZE PRESIDENT (Mustang Panda) for many years.

This long-running PRC espionage group conducts intelligence-led operations that align closely with priorities of China’s Ministry of State Security. Recent targeting includes activity against Tibetan communities surrounding the Dalai Lama’s 90th birthday, as well as intrusions on Thai government and military offices during periods of heightened regional tension.

BRONZE PRESIDENT remains one of the most active and persistent state-aligned threat actors operating today.

MITRE ATT&CK Evaluations are among the world’s most rigorous independent security tests.

They emulate the tactics, techniques, and procedures (TTPs) used by real-world adversaries to assess each participating vendor’s ability to detect, analyze, and articulate threats in alignment with the MITRE ATT&CK Framework.

These evaluations continually strengthen Sophos’ capabilities for the benefit of the organizations it protects. This was the seventh round of MITRE’s “Enterprise” ATT&CK Evaluation, a product-focused assessment designed to help organizations better understand how security operations solutions like Sophos EDR and Sophos XDR can help them defend against sophisticated, multi-stage attacks.

When evaluating EDR or XDR solutions, Sophos recommends reviewing MITRE ATT&CK Evaluations alongside other independent proof points.