Enterprise 2025 results are now live. This year marks a major milestone for ATT&CK Evaluations:

🔹 our first cloud-native adversary scenario, codenamed Demeter, emulating Scattered Spider’s identity-first tradecraft.
🔹 our PRC adversary scenario, codenamed Hermes, emulating Mustang Panda's LOTL and custom malware tradecraft.

Modern intrusions rarely start—or stay—on the endpoint.

🔗 Enterprise 2025 Results: https://lnkd.in/e-tpPrqq
🔗 Technical Analysis Blog: https://lnkd.in/ejmbR-XR

A huge thank-you to all participating vendors for engaging in our most complex scenario yet and for helping push the industry forward toward identity-centric, cloud-aware detection. More to come for 2026.

#MITRE #ATTACK #ATTACKEvaluations #CloudSecurity #DetectionEngineering #Enterprise2025
ATT&CK Evaluations
Technology, Information and Internet
McLean, Virginia 3,051 followers
The only source for 100% coverage of MITRE ATT&CK Evaluations
About us
ATT&CK Evaluations offer valuable insights into the capabilities and performance of participant solutions, empowering defenders to secure their networks. Each evaluation follows a rigorous and transparent methodology, utilizing a collaborative and threat-informed approach.
- Website: https://evals.mitre.org/
- Industry: Technology, Information and Internet
- Company size: 11-50 employees
- Headquarters: McLean, Virginia
- Specialties: Cybersecurity, Threat-Informed Defense, ATT&CK, and Adversary Emulation
Updates
ATT&CK Evaluations intentionally has Initial blind runs. No scenario hints. No pre-tuning. Just the product, as-is, in a real enterprise environment.

...and Configuration Change runs where everything shifts. A chance to learn about the adversary behaviors, configure/tighten logic, and experiment to see how far their product can go to push detection logic toward “100% visibility.”

This is where research meets reality. You learn not only what a product can detect, but how it grows when given engineering focus. It’s one of the most valuable aspects of the evaluation.

See how in 2 days. https://lnkd.in/e-tpPrqq
Attackers don’t always need to compromise a managed device first to compromise an enterprise. They can compromise identity...from anywhere. This is why visibility must shift toward identity, session, and cloud signals.

MITRE ATT&CK Reconnaissance Techniques were in play. ATT&CK Evaluations constructed an emulation plan that had unmanaged endpoints → SSO → managed endpoints → cloud actions this round, making the boundary challenge impossible to ignore.

Find out more in 3 days. https://lnkd.in/e-tpPrqq
Block adversaries before damage occurs. Protections testing this year was redesigned around pivotal attack stages, each defined by:

🔹 Entry Vector — where the adversary first gains access (assumed or initial)
🔹 Impact Zone — the stage where meaningful damage would occur

The question became simple: Did participating vendors demonstrate clear malicious intent before our new Impact Zone?

Find out in 4 days. https://lnkd.in/e-tpPrqq
Detection Quality > Detection Quantity. Our Financially-Motivated Cybercriminal Collective threat scenario really honed in on the use of correlation of multiple endpoints to prove malicious activity.

Not “Did you alert?” But “Did you understand?” No single log source tells the whole story. This round required connecting the dots.

Find out how in 5 days. https://lnkd.in/e-tpPrqq
False Positives Get Their Own Spotlight. ATT&CK Evaluations has done false positive testing for a few rounds now, both in Detections and Protections. This year we made sure to have a sole protection test of just that.

🔹 Nine admin steps.
🔹 Zero malicious behavior.

Find out in 6 days. https://lnkd.in/e-tpPrqq
Scaling to Reality. This year the ATT&CK Evaluations environment had:

🔹 14 subnets.
🔹 45 endpoints.
🔹 Redirectors. Private DNS. Traffic Mirroring.
🔹 AWS access, realistic network topology.

Enterprise-scale testing is here. https://lnkd.in/e-tpPrqq

7 days until Dec 10th.
Cloud Is No Longer Optional. AWS Console, Systems Manager, CloudShell, S3 exfil. Cloud-native signals dominated this year. https://lnkd.in/e-tpPrqq

8 days till Dec 10th.
SSO. MFA. Device trust. ATT&CK Evaluations participants handled it effortlessly.

9 days till Dec 10th. https://lnkd.in/e-tpPrqq

#EnterpriseSecurity #ATTACKEvaluations
Cloud, identity, and hybrid infrastructure are no longer optional. Modern adversaries don’t care where your tools live. Neither do we.

This year’s ATT&CK Evaluations pushed detection into places the industry has avoided for too long...SSO, identity, cloud APIs, integrations, and cross-platform correlation.

10 days till Dec 10. https://lnkd.in/e-tpPrqq

#CloudSecurity #IdentitySecurity