Sophos announces detection of 100% of adversary behaviors across two attack scenarios in MITRE ATT&CK Enterprise 2025 Evaluation

Sophos has delivered its strongest performance to date in the latest MITRE ATT&CK Enterprise 2025 Evaluation, with Sophos XDR achieving 100 per cent detection coverage across all tested adversary behaviours.
Sophos XDR detected 100 per cent of adversary sub-steps across two complex attack scenarios used in the evaluation: Scattered Spider, tracked by Sophos X-Ops as GOLD HARVEST, and Mustang Panda, tracked as BRONZE PRESIDENT. The Scattered Spider scenario included activity across Windows, Linux and AWS cloud environments, while the Mustang Panda scenario focused on Windows systems.
In addition to full detection coverage, Sophos achieved the highest possible “Technique”-level rating for 86 of the 90 adversary sub-steps evaluated. The company also recorded top-tier ratings for 61 of 62 sub-steps in the Scattered Spider scenario, which involved identity abuse, cloud exploitation and data exfiltration.
Sophos chief research and scientific officer Simon Reed said the two threat actors represented very different challenges for defenders, making the results particularly significant.
“Scattered Spider and Mustang Panda represent distinct threat profiles that challenge defenders in very different ways,” Reed said. “Achieving full detection coverage against both validates the accuracy and depth of Sophos’ analytics and demonstrates how the company’s AI-native XDR platform converts complex telemetry into clear, actionable intelligence.”
Reed said Sophos’ consistent performance in the MITRE evaluations reflected years of ongoing investment in detection and response capabilities, with improvements translating into stronger results for customers.
Sophos said the evaluation results highlight the scale and effectiveness of its XDR platform, which processes more than 223 terabytes of telemetry each day through Sophos Central. That data generates more than 34 million detections daily and automatically blocks over 11 million threats, providing continuous feedback to refine and improve protection.
Sophos X-Ops has tracked the GOLD HARVEST group since 2022, identifying it as a loosely affiliated cybercriminal collective motivated by financial gain and reputation-building within underground forums. Despite multiple arrests, the group continues to carry out high-profile attacks in the United Kingdom and United States, often using advanced social engineering techniques and at times collaborating with major ransomware groups.
BRONZE PRESIDENT, the Sophos X-Ops name for Mustang Panda, has been monitored by Sophos for many years and is assessed as a long-running People’s Republic of China-aligned espionage group. The group conducts intelligence-driven operations linked to Chinese state priorities, with recent activity including targeting Tibetan communities and intrusions into Thai government and military networks.
MITRE ATT&CK Evaluations are regarded as one of the most rigorous independent assessments of security products, emulating real-world adversary tactics, techniques and procedures to test detection and analysis capabilities. The 2025 evaluation marked the seventh MITRE Enterprise ATT&CK Evaluation and is designed to help organisations understand how platforms such as Sophos EDR and Sophos XDR perform against sophisticated, multi-stage cyberattacks.