One of the cybersecurity industry’s most frequently cited “benchmarks” has once again made the rounds in slide decks and marketing brochures: MITRE has published the results of its 2025 ATT&CK Evaluations for enterprise security solutions.
This year’s evaluation cycle featured 11 vendors: Acronis, AhnLab, CrowdStrike, Cyberani, Cybereason, Cynet, ESET, Sophos, Trend Micro, WatchGuard, and WithSecure. MITRE ATT&CK Evaluations are positioned as an independent assessment designed to show how commercial products perform under conditions closely resembling real-world attacks, rather than artificial laboratory tests.
In 2025, MITRE experts modeled two sophisticated attack scenarios. The first was inspired by operations attributed to the cybercriminal group Scattered Spider, while the second drew on the tactics of the Chinese state-sponsored group Mustang Panda. Notably, the Scattered Spider scenario marked the first time ATT&CK Evaluations officially assessed how products respond to attacks targeting cloud infrastructure, rather than focusing solely on traditional enterprise networks. In addition, this cycle introduced a separate evaluation of vendors’ ability to detect adversary reconnaissance activity—when attackers are still gathering information and laying the groundwork for an intrusion.
MITRE emphasizes that the testing methodology itself has undergone a meaningful shift in focus. Greater weight has been placed on protection and containment: how effectively a solution can block adversary actions and isolate threats in real time. Detection capabilities remain part of the assessment, but increased importance is now given to high-fidelity alerts that provide clear context for SOC analysts and reduce fatigue caused by a flood of low-value notifications.
The full ATT&CK Evaluations 2025 results are available on MITRE’s website, with detailed breakdowns by technique, attack phase, and alert type. As is customary, MITRE stresses that the program does not rank vendors or declare winners. The purpose of the report is instead to provide organizations with transparent, evidence-based data so they can determine which solutions best align with their architecture, operational processes, and maturity level.
As in previous years, participating vendors were quick to highlight their accomplishments. In press releases and blog posts, vendors carefully avoid explicit claims such as “we ranked first,” yet prominently showcase areas where they achieved 100 percent detection or protection within specific parts of the evaluated scenarios.
At this point, it is worth recalling last year’s cautionary remarks from Forrester analyst Allie Mellen. She warned that claims like “we achieved 100 percent in MITRE tests” should be treated with skepticism. According to Mellen, such statements often indicate one or more of the following: selective presentation of only favorable portions of the report, reliance on overly aggressive configurations that are impractical in real-world environments, or an approach that turns participation into a marketing contest rather than an opportunity for genuine product improvement.
Adding another layer of intrigue to the 2025 results is the list of notable absentees. Major players such as Microsoft, Palo Alto Networks, and SentinelOne opted not to participate this cycle. Officially, they cited the substantial resource and personnel demands of the MITRE program, noting that other priorities took precedence. For customers, this means that up-to-date comparisons do not include several key market leaders—even as those vendors continue to reference earlier ATT&CK Evaluation cycles in their marketing materials.