Trend Vision One™ Stacks Up Against Scattered Spider and Mustang Panda in 2025 MITRE ATT&CK® Evaluations
Enterprise 2025 introduces the first full cloud adversary emulation and expanded multi-platform testing, focusing on two advanced threat areas: Scattered Spider’s cloud-centric attacks and Mustang Panda’s long-term espionage operations.
The 2025 MITRE ATT&CK® Evaluations once again put the world’s leading cybersecurity platforms to the test, and Trend Vision One accepted the challenge.
This year’s evaluation, the Enterprise Round 7 (ER7), introduced the most complex and realistic test environment to date, simulating multi-stage, hybrid attacks spanning on-premises systems, cloud workloads, and containerised applications.
In an evaluation that demanded autonomous, correlated detections and real-time protection, we believe Trend Vision One delivered exceptional performance across all phases of the attack chain. In our view, this reinforces our position as a trusted leader in detection and response innovation, providing you with reliable, real-time threat detection and response to strengthen security and operational efficiency.
This cycle included 11 participating vendors. As always, MITRE does not rank or score solutions. Instead, it provides transparent data that organisations can interpret based on their own operational requirements. That said, organisations should focus on the data most relevant to their environment, including detection coverage, alert fidelity, protection performance, and cloud visibility.
A new era of testing: What’s new in MITRE ATT&CK Evaluations ER7 (2025)
The 2025 evaluation marked a significant evolution in MITRE’s approach. Unlike previous years, this round now includes both on-premises and cloud-based attacks, as well as the Reconnaissance tactic. This not only simulates hybrid environments that real SOC teams defend against today but also highlights the necessity for SOC teams to rely on effective enterprise tools. This enables you to identify and stop threats in motion, providing central visibility for both preventive and detection methodologies.
Specifically, to mirror modern enterprise stacks, MITRE added AWS workloads, identity and access management (IAM) manipulation, and Docker-based applications (GitLab, Airbyte, AuthenTik, WeKan).
This directly tested whether solutions can:
- Identify early attacker behaviours and prevent activities where possible
- Surface high-fidelity alerts without excessive noise, while correlating low-signal events
- Detect activities related to identity probing on the endpoint as it affects cloud-based assets
The emulations this year specifically featured two advanced adversaries.
Scenario 1: Emulation inspired by “Scattered Spider”
This financially motivated threat group is known for:
- Unified social engineering and MFA bypass techniques
- Session hijacking
- Identity abuse in cloud environments
- Lateral movement using cloud-native tools
- Rapid exploitation of cloud console permissions
This scenario placed heavy pressure on cloud detection, as well as on ingesting and analysing logs from AWS services, an area where we believe Trend Vision One demonstrated strong analytics capabilities.
Scenario 2: Emulation inspired by “Mustang Panda”
This People’s Republic of China state-sponsored espionage group focused on:
- Stealth and long-term persistence
- Custom implants
- Multi-stage intrusion across platforms
- Covert command-and-control
- Data staging and exfiltration
This tested high-fidelity behavioural analytics and the ability to surface subtle signals without high false-positive rates.
Highlights from the 2025 MITRE ATT&CK® Evaluations results
In our opinion, this year’s evaluation validated the progress Trend Vision One made towards a unified security operations platform, delivering strong performance across detection, protection, cloud visibility, and analytic precision.
Key outcomes (after configuration changes) include:
- 100% analytic coverage across all major attack steps
- 100% protection across all evaluated attack opportunities
- 100% cloud layer coverage, including both detection and protection
In our view, these results demonstrate consistent visibility from initial access through impact across modern hybrid attack surfaces, including endpoints, servers, network traffic, cloud control planes, and containerised applications. We believe these outcomes reflect several core enhancements delivered over the past year, particularly in behavioural detection, identity-aware detection, cloud-native analytics, and protection logic across Linux, Microsoft Windows, and AWS environments. Further, we see ER7 as showing Trend Vision One's commitment to balancing alert volume against visibility: it produced significantly fewer alerts than in Enterprise 2024 (ER6).
MITRE also introduced new Docker-based application scenarios, expanding the scope of testing this year. Trend Vision One maintained strong correlation and detection across the portions of that telemetry observable within our current architecture.
While this evaluation did not yet leverage Trend Vision One™ Agentic SIEM, we believe these results create a strong baseline for what your team can expect moving forward. Across the Trend Vision One AI-powered enterprise cybersecurity platform, we are delivering enhancements that include expanded third-party log ingestion, improved HTTPS and encrypted-session inspection, stronger behavioural analytics, and deeper cross-layer correlation. These improvements provide your team with clearer visibility, more accurate detections, and enhanced protection across hybrid environments.
In our opinion, these outcomes reflect our continued progress towards more unified and efficient security operations. They highlight the strength of our platform today, while also laying the groundwork for broader automation, correlation, and analyst-assist capabilities, delivered through cloud detection and response (CDR), agentic SIEM, and the next generation of Trend Vision One. Our direction remains focused on giving defenders clearer visibility, faster insight, and stronger protection across every stage of the attack chain, regardless of where threats emerge.
What this year’s evaluation means for security teams
This year, ER7 raised expectations and moved beyond endpoint-only testing. It reinforced the current need for platforms to automatically correlate telemetry into meaningful alerts across hybrid environments, particularly when multiple data sources must come together to explain details about a significant event.
We believe our results this year align strongly with these shifts. In our view, Trend Vision One took a more operationally realistic approach, producing a balanced set of high-confidence alerts across all major attack steps, enough to ensure full visibility without overwhelming analysts or masking key attacker activity. To us, this balance reflects years of investment in multi-layer detection, cloud-aware analytics, identity correlation, and protection that works consistently across hybrid environments.
As with every round, we believe MITRE’s detailed breakdown offers valuable insights that help guide our solution improvements. Many of these areas align with the enhancements already underway across the Trend Vision One platform, and this year’s evaluation highlighted opportunities to further strengthen:
- Coverage for third-party cloud and application logs
- Detection of encrypted session misuse, such as stolen cookie behaviour
- Continued refinement of alert clarity through correlation and consolidation
You benefit from a continually evolving platform with broader telemetry coverage and stronger analytics.
These areas are already part of our ongoing development priorities, and we will continue strengthening them across the Trend Vision One platform. Our focus remains on expanding telemetry coverage, deepening behavioural analytics, and improving detection precision across hybrid environments. Above all, we are committed to transparent, continuous improvement, ensuring your team benefits from a platform that evolves with modern threats.
This expanded telemetry coverage and deeper behavioural analytics enable your team to improve detection precision across hybrid environments and ensure continuous improvement and transparent security enhancements.
About Trend Micro
Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information between people, governments, and enterprises.
Trend leverages security expertise and AI to protect more than 500,000 enterprises and millions of individuals across clouds, networks, endpoints, and devices worldwide.
At the core is Trend Vision One™, the only AI-powered enterprise cybersecurity platform that centralises cyber risk exposure management and security operations, delivering layered protection across on-premises, hybrid, and multi-cloud environments.
The unmatched threat intelligence delivered by Trend empowers organisations to proactively defend against hundreds of millions of threats every day.
Proactive security starts here. TrendMicro.com
About MITRE ATT&CK® Evaluations
ATT&CK® Evaluations is built on MITRE’s conflict-free, objective methodology.
Cybersecurity vendors participate to gain insights into their products and provide defenders with greater transparency into solution capabilities.
Using a collaborative, threat-informed, purple-teaming approach, MITRE evaluates each product’s ability to detect and protect against known adversary behaviours within the ATT&CK framework.
All results are publicly available at attackevals.mitre-engenuity.org