WithSecure delivers strong performance in modern IT environments

In the 2025 round of MITRE testing, WithSecure delivered strong performance in the area of detection-to-alert. In plain terms, this means that our XDR solution ensured accurate and early detection in modern IT environments across endpoints and cloud platforms, without unnecessary noise caused by irrelevant alerts.
WithSecure is one of only two vendors to have participated in every MITRE ATT&CK Enterprise evaluation. WithSecure also actively contributes to European cooperation on threat intelligence, reinforcing the value of cross-border collaboration in cybersecurity.
What is MITRE?
MITRE is a not-for-profit organization that supports R&D across both the private and public sectors. MITRE is widely recognized for its contributions to advancing cybersecurity standards and practices, making its evaluations highly regarded within the industry.
The MITRE ATT&CK Enterprise Evaluations were created to evaluate the detection performance of Endpoint Detection and Response (EDR) and, more recently, Extended Detection and Response (XDR) products against specific attack scenarios simulated under similar, controlled conditions. These evaluations can help organizations make informed decisions about cybersecurity investments.
The evaluations don’t produce a simple winner or ranking. What they do is show how products detect threats — which matters as much as whether they detect them at all.
Why should I care?
Although EDR requirements differ — ranging from large security operations teams performing manual threat hunting with extensive raw telemetry to smaller teams needing automation and low-noise alerting capabilities — these evaluations can help organizations of all sizes make informed decisions about cybersecurity investments when choosing their EDR or XDR technology.
Smaller organizations with limited resources using cloud infrastructure as part of their modern IT environments may benefit more from an outsourced 24/7 Managed Detection and Response service than from managing XDR technology themselves.
Why is this year different?
If you’re evaluating XDR or EDR solutions, MITRE results for 2025 and 2024 are worth understanding. Not just because of where WithSecure landed, but because this round of testing was meaningfully different from anything MITRE has done before.
This 7th round of MITRE ATT&CK Enterprise evaluations in 2025 represents a new era of XDR product evaluation. It marks the first time XDR products have been evaluated in modern IT environments that involve cloud infrastructure. The 2025 evaluation included two distinct adversary focus areas, simulating both financially motivated cyber criminals and state-sponsored espionage groups. It featured multi-faceted intrusions, including social engineering, cloud exploitation, identity abuse, and “living off the land” techniques.
For the second time, MITRE also measured alert volumes and false positive rates. This is a critical addition. A product that generates thousands of alerts a day might technically “detect” everything, but if your team can’t act on the signal because of the noise, the detection isn’t worth much. For organizations with limited security resources, the ratio of actionable alerts to total alerts is often the difference between a team that stays on top of threats and one that’s permanently overwhelmed.
Where WithSecure stood out
WithSecure’s focus in this evaluation was detection-to-alert performance: ensuring that when a threat was detected, it surfaced as a clear, actionable alert — not buried in raw telemetry or diluted by false positives.
Alert volume tells you something important about a product that detection rates alone don’t. In the 2025 evaluation, WithSecure Elements XDR produced 4 high or critical alerts across the test period. Some vendors in the same evaluation produced hundreds — one reached 990. The difference isn’t just operational comfort. When teams are buried in alerts, real attacks get missed. High-fidelity detection isn’t a nice-to-have for resource-constrained organizations; it’s the whole point.
In practical terms, this means security teams — whether in-house or working with a managed detection and response (MDR) service — can act faster and with more confidence. Less time chasing noise. More time responding to what’s real.
Leszek Tasiemski, VP of R&D Elements Cloud at WithSecure, sums up the approach:
“WithSecure’s continued focus on actionable detection, low noise, and transparency ensures that organizations with limited resources can make informed cybersecurity investments without overburdening their teams.”
WithSecure is also one of only two vendors to have participated in every MITRE ATT&CK® Enterprise Evaluation since the evaluations began — a commitment to transparency and independent scrutiny that matters when you’re choosing a long-term security partner.
WithSecure also actively contributes to European cooperation on threat intelligence, reinforcing the value of cross-border collaboration in detecting and understanding the threats being tested here.
What this means depending on your situation
MITRE evaluations don’t have a one-size-fits-all interpretation. How you read the results depends on what your security operations actually look like.
If you have a large in-house security team, you may prioritize raw telemetry depth and manual threat hunting capability — the ability to dig into every signal yourself.
If you have a lean IT team or limited security resources, low-noise alerting and actionable detection matter far more. You need a product — or a managed service built on one — that surfaces the right alerts, not every alert.
If you’re running cloud infrastructure alongside your endpoints, this year’s evaluation is the first to reflect that reality. Results from previous years simply didn’t cover cloud environments.
For organizations in that second or third category — midmarket companies, businesses without a dedicated SOC, teams that rely on a managed detection and response service — WithSecure’s results in this evaluation are directly relevant to your day-to-day operations.
A note on protection testing
MITRE does include some protection scenarios in its evaluations, but organizations like AV-TEST offer more comprehensive real-world protection testing. WithSecure’s AV-TEST Best Protection Award — won seven times — remains the stronger reference point for endpoint protection performance specifically.