
Coming Soon: Cybersecurity’s Most Trusted Vendor Evaluation


In today’s dynamic threat landscape, cybersecurity decision makers face constant pressure to balance budget constraints without sacrificing security efficacy. The MITRE ATT&CK Enterprise Evaluation stands out as an essential resource for IT and Security teams to navigate this challenge. Unlike other independent assessments, MITRE ATT&CK Evaluations simulate real-world threats to assess how competing cybersecurity solutions detect and respond in realistic scenarios, helping security leaders determine which solutions will deliver results before committing to onboarding new technology.

Join Cynet CTO Aviad Hasnis and Sr. Director of Product Marketing Matt Duench live on December 10th as they discuss how Cynet performed and answer your questions about this year’s MITRE ATT&CK Evaluation.

To prepare in the meantime, let’s examine what makes MITRE ATT&CK Evaluations unique, which adversaries are featured in this year’s Evaluation, and opportunities for cybersecurity leaders to leverage the upcoming results to reduce cyber risk.

How do the MITRE ATT&CK Evaluations work?   

The MITRE ATT&CK Evaluations are rigorous, independent assessments that test how cybersecurity products detect, respond to, and report various attack techniques.

The Evaluation is based on the globally recognized MITRE ATT&CK framework, a comprehensive knowledge base categorizing adversary tactics, techniques, and procedures (TTPs). By organizing TTPs in stages, the framework gives organizations a structured, standardized way to understand potential threats, and to assess the performance of platforms for detecting and countering them. 

During the Evaluation, attack scenarios are recreated in a controlled setting. This allows vendors to demonstrate their detection and prevention capabilities against emulated adversary behaviors across the attack lifecycle, from initial access to exfiltration.

For vendors, the results can reveal opportunities for product improvement. For security leaders and service providers, the Evaluation provides detailed data on how each solution responds to different TTPs, enabling them to identify which solutions may be worth considering as they strengthen their security tech stack.

What Differentiates the MITRE ATT&CK Evaluations? 

Several key factors set MITRE ATT&CK Evaluations apart from other independent analyst assessments, making them particularly valuable for security leaders: 

  1. Real-World Conditions: Unlike other assessments, MITRE ATT&CK Evaluations are based on simulating the TTPs of specific threat actors. This helps leaders understand how well a security platform could perform in realistic scenarios.
  2. Transparent Results: The MITRE ATT&CK methodology allows cybersecurity leaders to see in detail how each platform reacts to various TTPs. MITRE doesn’t assign scores or rank vendors, encouraging security teams to determine which solution best meets their organization’s unique needs. 
  3. Alignment with the MITRE ATT&CK Framework: Since the results align with the well-respected MITRE ATT&CK framework, security teams can easily integrate findings with their existing threat models. This continuity helps to find and fix potential detection or response capability gaps.  
  4. Vendor Variety: Participating vendors range from brand-name industry incumbents to innovative up-and-comers, giving security leaders a diverse view of available options in today’s cybersecurity ecosystem. 

What to expect for 2025? 

“For the first time,” MITRE says, “ATT&CK Evaluations will include an assessment of cloud capabilities,” in addition to traditional on-premises environments. The 2025 round will also introduce “the Reconnaissance tactic, which covers techniques outlining how adversaries gather crucial intelligence about their targets.”

The emulation uses two separate adversaries, each of which combines familiar methods with newer tactics to show how modern attackers continue to evolve.

The first adversary is a “Financially-Motivated Cybercriminal Collective” that exemplifies the quick-hitting, opportunistic smash-and-grab style of many profit-seeking threat actors. Described by MITRE as “an innovative group linked to a number of high-profile attacks,” they are known for targeting cloud assets for initial access before conducting network and directory recon to find and access sensitive data.

The second, a “People’s Republic of China (PRC) Cyber Espionage Group,” represents a longer-term strategic risk to organizations across sectors. The state-backed outfit has a reputation for breaching global targets through “well-planned social engineering tactics and the abuse of legitimate tools and services to deploy custom malware.”

Both adversaries combine old-school tricks of the trade with cutting-edge techniques to novel and devastating effect. By emulating their tactics, such as living-off-the-land techniques, identity-based attacks, cloud exploits and customizable malware variants, MITRE will clarify how cybersecurity vendors perform against today’s top threats facing organizations worldwide.

How to Use MITRE Results 

Methodological objectivity and applicability make the MITRE ATT&CK Evaluation an important tool for navigating the cybersecurity vendor landscape.

The ATT&CK Evaluation also reveals which vendors have continued to innovate as threat actor tactics have evolved. In the 2024 Evaluation, Cynet stood out as the only vendor to achieve 100% Protection and 100% Detection Visibility with no false positives or configuration changes.

Whether parsing the 2025 MITRE ATT&CK Evaluation themselves or watching expert guidance to interpret its results, IT and security teams would be wise to evaluate their security stack’s strengths and weaknesses, identify gaps in visibility coverage, and bolster their resilience against emerging threats.
