Sophos XDR posts flawless showing in MITRE ATT&CK Enterprise 2025 tests

Sophos has delivered its strongest performance to date in the 2025 MITRE ATT&CK Enterprise Evaluation, with Sophos XDR achieving full detection coverage across two demanding, real-world attack simulations that mirror the tactics of some of today’s most dangerous threat actors.

In the latest evaluation conducted by MITRE, Sophos XDR detected 100 percent of adversary behaviors across all 90 tested sub-steps. The assessment simulated two complex campaigns: Scattered Spider, tracked by Sophos X-Ops as GOLD HARVEST, a financially motivated cybercriminal collective, and Mustang Panda, tracked as BRONZE PRESIDENT, a long-running China-aligned espionage group.

The Scattered Spider scenario spanned Windows, Linux, and AWS cloud environments, while Mustang Panda focused on Windows-based attacks.

Beyond complete coverage, Sophos stood out for the quality and depth of its detections. The platform earned the highest possible “Technique” rating for 86 of the 90 sub-steps, reflecting high-fidelity alerts that clearly articulated how attacks unfolded, what systems were affected, and why the activity mattered.

In the Scattered Spider simulation alone, Sophos achieved top ratings for 61 of 62 sub-steps, including identity abuse, cloud exploitation, and data exfiltration techniques that are notoriously difficult to spot.

According to Simon Reed, chief research and scientific officer at Sophos, the results validate the strength of the company’s analytics across very different threat profiles. He noted that Scattered Spider’s aggressive social engineering tactics and Mustang Panda’s stealthy, intelligence-driven operations pose distinct challenges for defenders, and achieving full detection against both underscores how Sophos’ AI-native XDR turns vast volumes of telemetry into clear, actionable intelligence for security teams.

The evaluation results also reflect the scale at which Sophos operates globally. Each day, the company processes more than 223 terabytes of telemetry through Sophos Central, generating over 34 million detections and automatically blocking more than 11 million threats.

This continuous stream of real-world data allows Sophos to constantly test, refine, and strengthen its detection logic, translating directly into improved protection for customers worldwide.

Sophos X-Ops has been tracking GOLD HARVEST since 2022, observing a loosely connected network of cybercriminals driven by profit and underground notoriety. Despite arrests in recent years, the group remains active in high-profile attacks across the United Kingdom and the United States, often collaborating with Russian-speaking ransomware syndicates.

Their success against well-defended organizations highlights the need for strong behavioral detection rather than reliance on static indicators.

BRONZE PRESIDENT, meanwhile, represents a very different threat model. The group has operated for years as a persistent espionage actor aligned with the strategic interests of China’s Ministry of State Security.

Recent campaigns have targeted Tibetan communities linked to the Dalai Lama’s 90th birthday, as well as Thai government and military entities during periods of regional tension, reinforcing its reputation as one of the most active state-aligned groups in operation today.

MITRE ATT&CK Enterprise Evaluations are widely regarded as among the most rigorous independent tests in cybersecurity. Rather than ranking vendors, the assessments emulate real adversaries to show how security platforms detect, analyze, and communicate malicious activity using a common framework.

The 2025 exercise marks the seventh Enterprise evaluation and is designed to help organizations better understand how EDR and XDR solutions perform against multi-stage, modern attacks.

Sophos advises organizations to view MITRE results alongside other independent validations. In 2025, Sophos was named a Leader in the IDC MarketScape for Worldwide XDR Software, recognized as a Leader in G2’s Fall reports for both EDR and XDR, selected as a Gartner Peer Insights “Customers’ Choice” for XDR, and positioned as a Leader for the 16th consecutive year in the Gartner Magic Quadrant for Endpoint Protection Platforms.

More details on Sophos’ performance in the MITRE ATT&CK Enterprise 2025 Evaluation are available at sophos.com/mitre.