# 2022 MITRE Engenuity ATT\&CK Evaluations Results

By [Peter Havens](https://www.paloaltonetworks.com/blog/author/peter-havens/?ts=markdown "Posts by Peter Havens"), Mar 31, 2022. 7 minutes.

## Cortex XDR Delivers 100% Threat Protection for the 2nd Year in a Row and 100% Detection of All Attack Steps!

![Cortex XDR earned rating of 100% prevention and detection by MITRE Engenuity.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-89.png)

Today, MITRE Engenuity published the fourth round of the MITRE ATT\&CK Evaluations, which tested 30 participants' ability to defend against the tactics, techniques and procedures (TTPs) leveraged by two very relevant and sophisticated threat groups -- Wizard Spider and Sandworm. For the second year in a row, Cortex XDR delivered 100% threat protection and 100% detection of all attack steps!

With the results released, now the fun begins! This is the time when nearly every participating vendor spins a tale about how their results represent your best bet to protect your business from being the next headline. Rest assured, the evaluation results are not complicated to understand if you stick to the simple data points the MITRE Engenuity team publishes.

One of my favorite things about the MITRE Engenuity ATT\&CK Evaluations is their open and transparent nature, from the detailed publication of the attack scenarios and methodology to the data-driven results that don't attempt to segregate vendors based on arbitrarily determined cutoff lines.

### Results of Palo Alto Networks

Just like [last year's Carbanak/Fin7 evaluation](https://www.paloaltonetworks.com/blog/2021/04/mitre-round-3-protecting-against-carbanak/?ts=markdown), this year had three phases. The first two days were focused on detection efficacy, requiring participating vendors to disable prevention mechanisms. Day one was focused on the emulation of [Wizard Spider](https://attack.mitre.org/groups/G0102/), with the endgame being [data encryption for impact](https://attack.mitre.org/techniques/T1486/) in the form of ransomware. Day two shifted the focus to the [Sandworm Team](https://attack.mitre.org/groups/G0034/) threat group with the same intent of data encryption for impact, this time as a [destructive wiper](https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/). Day three combined the TTPs of both threat groups and evaluated the ability to prevent malicious activity.

You can see all of our results on the MITRE Engenuity [results page for Palo Alto Networks](https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks).

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-90.png)

#### Cortex XDR Results:

* **100% Prevention** in the Protection evaluation (10 of 10)
* **100% Detection** of all attack steps (19 of 19)
* **98.2% Analytic Coverage** (107 of 109 attack substeps)
* **98.2% Technique-Level Detections** (107 of 109 attack substeps)
* **98.2% Visibility** (107 of 109 attack substeps)

For the 4th year in a row, Cortex XDR has delivered exceptional results in the annual MITRE Engenuity ATT\&CK Evaluations. These evaluations matter because they closely reflect the efficacy organizations can expect in the face of real-world threats. Cortex XDR blocked 100% of attacks in the protection evaluation and detected 100% of the 19 attack steps.

The foundation for great threat prevention and detection is visibility into endpoint telemetry, with the right context to drive the machine learning and analytics detection algorithms that distinguish between normal and abnormal/malicious activity.
In this round of the evaluation, Cortex XDR provided over 98% visibility into all malicious activity and enriched this data with the execution context needed to precisely identify the tactic, technique and sub-technique being used. Importantly, **this resulted in the MITRE Engenuity team recognizing 100% of our visibility as technique-level detections** -- the most valuable detection type in this evaluation.

### The Importance of Quality Detections

It's important to note that not all detections are equal in these evaluations. MITRE Engenuity has designated several types of detections with significantly varying levels of context. The quality of a solution's detections will likely be the difference between telemetry logs that go unnoticed and actionable alerts that provide all the context needed to rapidly and completely remediate threats.

![Graph showing minimally processed data escalating to enriched detection with analytic coverage.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/03/word-image-91.png)

MITRE Engenuity Detection Categories classify detections by the amount of context they provide to the analyst. The [MITRE Engenuity Detection Categories](https://attackevals.mitre-engenuity.org/enterprise/wizard-spider-and-sandworm/detection-categories) include:

* None -- No telemetry collected related to the attack substep.
* Telemetry -- Detections of this type are usually just basic logging of activity.
* General -- Detections of this type leave the security analyst to investigate and determine what action was done and why.
* Tactic -- Detections of this type assert why an action occurred, but again leave the security analyst to investigate what action or technique was taken.
* Technique -- Detections of this caliber provide the context and details required to answer both why an adversary performed an action and specifically what action they used to achieve their objective.
The MITRE Engenuity results pages identify two types of coverage: Telemetry Coverage and Analytic Coverage. Telemetry Coverage is defined as the number of substeps where a solution produced a Telemetry detection as its highest-value detection. Analytic Coverage is defined as the number of substeps that contain either a General, Tactic or Technique detection. Many vendors will tout their proportion of Analytic Coverage, but as you can see in the detection category definitions, detections of this nature can still leave the analyst with unclear information about what precisely was done and why it was done.

Technique detections are the gold standard in this evaluation. They provide all the detail and context needed to understand what was done and why, empowering the security analyst to take action and remediate the threat. **100% of Cortex XDR's detections were Technique-Level detections!**

Higher-fidelity detections and more detailed data enable security analysts to respond more quickly and accurately to events while spending less time researching and enriching the events they receive. Higher fidelity means more of the enrichment work is done automatically for the analysts.

### What You Should Look For

As you navigate the plethora of vendor interpretations of the results, here are a few things to look for:

1. **Protection Evaluation Results**
   * As was the case last year, the protection evaluation this year was optional.
   * Prevention of known and unknown malware and malicious usage of legitimate software is critical to breach prevention, as the adversary cannot establish a beachhead for further attack tactics and techniques.
   * Many vendors will only share their detection results, either because they chose not to participate or because their results were not competitive.
2. **Linux Results**
   * Just like the protection evaluation, participation on Linux was optional, as it was last year.
   * If you have Linux in your environment, be sure to note whether the vendor you're considering opted in and performed well.
3. **Technique Detections**
   * Technique-level detections are the most valuable detection type identified by the MITRE Engenuity team in the evaluation.
   * Detections of this caliber identify not only what the attacker was attempting to do, but precisely how they were going about it.
   * They provide the necessary detail to empower full remediation of threats.
4. **High Number of Detection Modifiers** -- MITRE Engenuity has identified two detection modifiers that provide additional context to the nature of the detections observed.
   * ***Configuration Changes*** -- Be wary of solutions that required a high number of configuration changes to produce their results.
   * ***Delayed Detections*** -- Sometimes quality detections result from observing a chain of adversarial activity, and thus might be delayed. This should be the exception, as real-time detections mean faster response and less impact to your organization.

### Why You Should Care About These Results

Security teams are facing unprecedented growth in the number and sophistication of attacks while struggling to attract and retain the people with the skills to defend against these threats. The MITRE Engenuity ATT\&CK Evaluations provide a transparent, objective verification of endpoint detection and response capabilities. They are designed to help cyber defenders in the market for security solutions verify the prevention and detection efficacy of those solutions against real-world adversaries and their techniques.
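As an added example (not code from this post, from Palo Alto Networks or from MITRE Engenuity), the scorer below applies the detection-category ranking, the Telemetry Coverage and Analytic Coverage definitions, and the Configuration Change and Delayed modifiers discussed above to a constructed set of substep detections, so you can reproduce the kind of figures the results pages report from raw per-substep data. The substep ids, detections and modifier names in `SAMPLE` are made up for illustration.

```python
"""Score per-substep detections using the MITRE Engenuity detection
categories and coverage definitions discussed above.

Added example, not code from the post or from MITRE Engenuity. The substep
ids, detections and modifiers below are constructed for illustration."""
from collections import Counter

# Detection categories, ranked from least to most analyst context.
CATEGORY_RANK = {"None": 0, "Telemetry": 1, "General": 2, "Tactic": 3, "Technique": 4}
# Categories that count toward Analytic Coverage.
ANALYTIC = {"General", "Tactic", "Technique"}
NO_DETECTION = ("None", frozenset())

# Constructed sample: substep id -> detections recorded for it, each as
# (category, modifiers). A substep may carry several detections, or none.
SAMPLE = {
    "1.A.1": [("Telemetry", frozenset()), ("Technique", frozenset())],
    "1.A.2": [("Technique", frozenset({"Delayed"}))],
    "1.B.1": [("Telemetry", frozenset())],
    "1.B.2": [("General", frozenset({"Configuration Change"})), ("Telemetry", frozenset())],
    "2.A.1": [],
    "2.A.2": [("Tactic", frozenset())],
}


def pct(numerator, denominator):
    """Percentage rounded to one decimal, as the results pages present it."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def highest_detection(detections):
    """The highest-value detection for one substep; 'None' if nothing fired.
    Only this detection determines which category the substep is scored in."""
    if not detections:
        return NO_DETECTION
    return max(detections, key=lambda det: CATEGORY_RANK[det[0]])


def score(substeps):
    """Roll up per-substep detections into the figures the results pages show."""
    best = {sid: highest_detection(dets) for sid, dets in substeps.items()}
    by_category = Counter(cat for cat, _ in best.values())
    total = len(substeps)
    visibility = total - by_category["None"]        # any detection at all
    telemetry_coverage = by_category["Telemetry"]   # Telemetry was the best on offer
    analytic_coverage = sum(by_category[c] for c in ANALYTIC)
    technique = by_category["Technique"]
    # Modifiers attached to the detection that decided each substep's score.
    modifiers = Counter(m for _, mods in best.values() for m in mods)
    return {
        "substeps": total,
        "visibility": visibility,
        "telemetry_coverage": telemetry_coverage,
        "analytic_coverage": analytic_coverage,
        "analytic_coverage_pct": pct(analytic_coverage, total),
        "technique_detections": technique,
        # The post's headline figure: how much of what was seen reached Technique level.
        "technique_share_of_visibility_pct": pct(technique, visibility),
        "modifiers": dict(modifiers),
    }


if __name__ == "__main__":
    for key, value in score(SAMPLE).items():
        print(f"{key}: {value}")
```

Note that a substep with both a Telemetry and a Technique detection counts once, under Technique, so Analytic Coverage and Telemetry Coverage never double-count the same substep.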
These results continue a trend of industry-leading validation for Cortex XDR in independent third-party endpoint security assessments, including the previous three rounds of the [MITRE Engenuity ATT\&CK Evaluations](https://www.paloaltonetworks.com/blog/2021/04/mitre-round-3-protecting-against-carbanak/?ts=markdown), as well as the [2020 and 2021 AV-Comparatives EPR Evaluations](https://www.paloaltonetworks.com/blog/2020/12/cortex-av-comparatives-epr-evaluation/?ts=markdown).

Join our [Demystifying the 2022 MITRE ATT\&CK Evaluations](https://register.paloaltonetworks.com/demystifying2022mitreevaluations) webinar if you are interested in learning more about the results and how they stack up against the other participating solutions. For more details on the MITRE ATT\&CK Round 4 Evaluations, [download our e-Book](https://start.paloaltonetworks.com/Essential-Guide-MITRE-R4.html).