Sophos has recorded its strongest performance to date in the latest MITRE ATT&CK® Enterprise 2025 Evaluation, with Sophos XDR achieving 100% detection coverage across all adversary behaviors tested. The results highlight the platform’s ability to identify and contextualize sophisticated cyberattacks spanning Windows, Linux, and AWS cloud environments.
The independent evaluation tested Sophos XDR against two complex and contrasting threat scenarios: Scattered Spider, a financially motivated cybercriminal group, and Mustang Panda, a long-running state-sponsored espionage actor linked to China. Across 90 adversary sub-steps, Sophos XDR successfully detected every activity, demonstrating comprehensive visibility across endpoint, identity, and cloud attack surfaces.
“Achieving full detection coverage against both cybercriminal and state-sponsored threats validates the depth and accuracy of our XDR analytics.”
— Simon Reed, Chief Research and Scientific Officer, Sophos
Beyond full coverage, Sophos achieved the highest possible “Technique”-level rating for 86 of the 90 sub-steps, reflecting the platform’s ability to deliver high-fidelity detections with detailed insight into attacker behavior, execution paths, and impact. In the Scattered Spider scenario—known for identity abuse, cloud exploitation, and data exfiltration—Sophos recorded top-tier ratings for 61 out of 62 sub-steps, underscoring its strength in detecting modern, identity-centric attacks.
According to Sophos, these results are driven by the scale of its telemetry and threat intelligence operations. The company processes more than 223 terabytes of security telemetry daily, generating over 34 million detections and automatically blocking 11 million threats across its global customer base. This continuous stream of real-world data enables Sophos to refine detections and improve security outcomes for organizations worldwide.
MITRE ATT&CK Evaluations are regarded as one of the most rigorous independent benchmarks for security operations platforms, simulating real-world attacker tactics, techniques, and procedures. Sophos’ performance in the 2025 evaluation reinforces its position as a leading XDR and EDR provider, complementing recent recognition from IDC, Gartner Peer Insights, G2, and the Gartner Magic Quadrant for Endpoint Protection Platforms.