Throughout both detection and protection scenarios, the Falcon platform achieved perfect coverage while maintaining the high-fidelity, low-noise alerting that security teams demand. Alert fatigue can easily overwhelm defenders and lead to missed real threats. On Protection Test 6 in particular, CrowdStrike did not report on any benign activity. Note that on a noise test a “Reported” label means the vendor alerted on the benign activity, i.e., produced a false positive, and that is how customers should read it. Protection Test 2 was discarded by MITRE for all vendors.
These results validate CrowdStrike's approach to unified, cross-domain security in an era where threats seamlessly traverse security domain boundaries. The evaluation's inclusion of alert efficiency and detection accuracy metrics showcases the Falcon platform’s delivery of contextual, actionable information while minimizing noise and benign alert activity. This supports security teams' ability to operate effectively in today's complex threat landscape.

Confronting Modern Cross-Domain Tradecraft
The 2025 evaluation emulated two distinct adversaries representing the evolving threat landscape organizations face today.
The first detection scenario involved eCrime adversary SCATTERED SPIDER executing a hybrid intrusion involving social engineering, identity abuse, and cloud exploitation. This emulated attack employed sophisticated techniques including MFA bypass, credential theft, and remote access tools, highlighting the critical need for unified visibility and protection across identity and cloud environments.
The second detection scenario involved the People's Republic of China (PRC) state-sponsored espionage group known as MUSTANG PANDA conducting a sophisticated, long-dwell attack featuring legitimate tool abuse and custom malware. This emulated attack demonstrated stealthy persistence and living-off-the-land techniques, which require advanced behavioral detection and cross-domain correlation capabilities.
The emulated tradecraft reflected the complexity of modern threats, including:
- Cross-domain attack chains spanning endpoint, identity, and cloud
- Valid account abuse across hybrid identity environments
- Cloud control plane infiltration targeting APIs and cloud services
- Dual-use tool exploitation leveraging legitimate remote monitoring and management (RMM) software and living-off-the-land binaries (LOLBins)
- Advanced evasion techniques designed to bypass traditional security controls
These scenarios pushed the boundaries of what traditional security solutions can handle but were no match for the Falcon platform.
Inside the Attack Scenarios: Advanced Tradecraft Meets AI-Powered Defense
Identity Security
One of the most challenging scenarios involved SCATTERED SPIDER's sophisticated use of compromised credentials to move laterally across hybrid environments while employing MFA bypass techniques and leveraging legitimate remote access tools to maintain persistence. The adversary's approach was designed to blend in with normal business activities, making detection particularly difficult for traditional solutions.
Falcon Next-Gen Identity Security, integrated with Falcon Next-Gen SIEM third-party log ingest, identified anomalous authentication patterns and flagged the compromised accounts. Falcon endpoint security modules correlated this activity with endpoint behaviors to provide complete attack context. A key element of the protection evaluation involved accessing systems via an unmanaged host in an attempt to evade detection, which Falcon Next-Gen Identity Security was easily able to prevent. The Falcon platform's ability to see across identity and endpoint domains enabled rapid detection and response, stopping the attack before the adversary could achieve their objectives.
Cloud Security
For the first time in the history of the MITRE ATT&CK evaluation, the emulation featured adversary exploitation of the cloud control plane. There were two key scenarios tested:
- Hybrid Detection: Using stolen credentials and session replay, an attack emulating SCATTERED SPIDER bypassed MFA via SSO and entered the AWS console, where they mapped IAM and S3 while probing defenses. They hid their activity with email rules, attempted firewall tampering, created a privileged backdoor, and launched a pivot EC2 instance — all of which enabled rerouting data flows to their controlled S3 bucket. They finished the operation with targeted file theft via a third-party tool while blending into normal activity. Falcon Cloud Security detected 100% of the techniques and automatically deployed a sensor on the EC2 instance, which provided complete visibility into the entire kill chain with telemetry from across the system level and the cloud control plane.
- Protection: The adversary used stolen credentials to gain access to an AWS console, create an IAM role with administrative privileges, and launch an EC2 instance with that role attached. Within seconds, Falcon Cloud Security detected these suspicious cloud behaviors and, based on the sequence of events, took action to contain the attack in real time: it denied further access for the compromised credentials and shut down the EC2 instance while preserving the instance disk for forensic investigation.
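The protection scenario above is a sequence detection: an admin-privileged role is created and then used to launch a pivot instance by the same principal within minutes. The following is an added example, not CrowdStrike's or MITRE's code, of the minimal correlation and containment logic a practitioner could run over CloudTrail events. The event records are constructed samples that follow CloudTrail's field names (`eventName`, `userIdentity`, `requestParameters`, `responseElements`); the assumption that the instance-profile name equals the role name is a convention, not a guarantee; and the containment plan lists the boto3 calls a responder would issue rather than making them, so the block runs offline.

```python
"""Correlate an IAM-backdoor -> EC2-pivot chain in CloudTrail and plan containment.

Added example (not CrowdStrike's or MITRE's code). A finding is raised when
one principal attaches AdministratorAccess to a role and, inside a short
window, launches an EC2 instance carrying that role's instance profile.
Containment disables the credential and stops (never terminates) the
instance so its EBS volume survives for forensics.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def containment_plan(identity, instance_ids):
    """Return (service, api, params) tuples a responder would issue via boto3.
    Long-lived IAM user keys are deactivated; temporary (AssumedRole) credentials
    are cut off by denying sessions issued before now, AWS's documented
    session-revocation pattern (assumption: the role still exists)."""
    actions = []
    if identity["type"] == "IAMUser":
        actions.append(("iam", "update_access_key", {
            "UserName": identity["userName"],
            "AccessKeyId": identity["accessKeyId"],
            "Status": "Inactive"}))
    else:
        role = identity["arn"].split(":assumed-role/")[-1].split("/")[0]
        now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        actions.append(("iam", "put_role_policy", {
            "RoleName": role, "PolicyName": "RevokeOlderSessions",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Deny", "Action": "*", "Resource": "*",
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": now}}}]}}))
    for iid in instance_ids:
        # stop, do not terminate: termination deletes the root volume by default
        actions.append(("ec2", "stop_instances", {"InstanceIds": [iid]}))
    return actions


def detect_admin_role_pivot(events, window=WINDOW):
    """Per-principal correlation of AttachRolePolicy(AdministratorAccess) followed
    by RunInstances with that role's instance profile within `window`."""
    admin_grants = defaultdict(dict)  # actor arn -> {role name: grant time}
    findings = []
    for ev in sorted(events, key=_ts):
        ident = ev["userIdentity"]
        actor = ident["arn"]
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "AttachRolePolicy" and params.get("policyArn") == ADMIN_POLICY:
            admin_grants[actor][params["roleName"]] = _ts(ev)
        elif ev["eventName"] == "RunInstances":
            # assumption: instance profile name matches the role name (AWS convention)
            profile = (params.get("iamInstanceProfile") or {}).get("name", "")
            granted = admin_grants[actor].get(profile)
            if granted is None or _ts(ev) - granted > window:
                continue
            items = ev.get("responseElements", {}).get("instancesSet", {}).get("items", [])
            ids = [i["instanceId"] for i in items]
            findings.append({"actor": actor, "role": profile, "instances": ids,
                             "containment": containment_plan(ident, ids)})
    return findings


def _ev(time, ident, name, params, response=None):
    return {"eventTime": time, "userIdentity": ident, "eventName": name,
            "requestParameters": params, "responseElements": response or {}}


# Constructed sample events; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key ID.
ATTACKER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/svc-deploy",
            "userName": "svc-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
ADMIN = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/PlatformAdmin/alice"}
SAMPLE_EVENTS = [
    _ev("2025-06-01T10:00:05Z", ATTACKER, "CreateRole", {"roleName": "PivotRole"}),
    _ev("2025-06-01T10:00:09Z", ATTACKER, "AttachRolePolicy",
        {"roleName": "PivotRole", "policyArn": ADMIN_POLICY}),
    _ev("2025-06-01T10:01:30Z", ATTACKER, "RunInstances",
        {"iamInstanceProfile": {"name": "PivotRole"}},
        {"instancesSet": {"items": [{"instanceId": "i-0a1b2c3d4e5f67890"}]}}),
    # benign: an admin grants a break-glass role admin rights but launches with a scoped role
    _ev("2025-06-01T11:00:00Z", ADMIN, "AttachRolePolicy",
        {"roleName": "BreakGlass", "policyArn": ADMIN_POLICY}),
    _ev("2025-06-01T11:05:00Z", ADMIN, "RunInstances",
        {"iamInstanceProfile": {"name": "WebAppRole"}},
        {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}}),
]

if __name__ == "__main__":
    for f in detect_admin_role_pivot(SAMPLE_EVENTS):
        print(f["actor"], f["role"], f["instances"])
        for action in f["containment"]:
            print("  ", action[0], action[1])
```

Only the attacker's chain produces a finding: the admin's AdministratorAccess grant alone is not alerted on, which is the noise-test behaviour the evaluation rewards. Requiring the RunInstances step with the freshly privileged profile is what keeps the rule from firing on routine IAM administration.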
With Falcon Cloud Security’s real-time cloud detection and response and Real-Time Cloud IOAs, analysts can gain instant visibility into cloud control plane activity and spot and stop adversaries early. Additionally, CrowdStrike takes a prevention-first approach with sensor-based runtime protection and automated, cloud-native responses working together to automatically contain threats across the cloud stack.
Threat Intelligence
In the MUSTANG PANDA scenario, the adversary embedded encoded shellcode within their malware in an attempt to evade security products. The malware subsequently reflectively loaded and executed the shellcode. CrowdStrike’s static and dynamic analysis capabilities were used to quickly investigate files of interest and deliver precise intelligence that was automatically converted into detections and protections through CrowdStrike Falcon® Fusion SOAR — without analyst involvement. CrowdStrike Falcon® Adversary Intelligence’s integrated static analysis quickly triages files, extracts configurations, identifies code relationships, and correlates samples to known malware families. Dynamic sandbox detonations then provide rich behavioral intelligence by observing real execution, uncovering adversary command-and-control activity, persistence mechanisms, and evasion techniques. Together, these capabilities transform suspicious files into actionable intelligence and detections within seconds, enabling rapid triage, adversary attribution, and automated defense aligned to adversary TTPs.
Built into the Falcon Platform
Dual-Use Tools: The adversary scenarios heavily featured the abuse of legitimate tools, from remote management software to living-off-the-land techniques. This is particularly challenging because it involves the misuse of authorized software and system utilities that organizations depend on for legitimate business operations. The Falcon platform's AI-powered behavioral analysis successfully distinguished between legitimate and malicious use of these tools, achieving perfect detection without generating false positives on normal business activities. This precision is critical for organizations that rely on these tools for legitimate purposes and cannot afford to have their operations disrupted by false alarms.
Case Management: The 2025 evaluation also measured alert efficiency. MITRE uses an alert volume metric to measure the number of alerts that would require triage by a SOC analyst. Alert fatigue is a common challenge that can overwhelm defenders, leading to missed alerts and delayed responses. The Falcon platform’s case-centric approach to investigation and response proved to be critical for maximizing alert efficiency and minimizing noise from false or benign alerts, as highlighted in Protection Test 6 of the evaluations. Integrated case management empowers analysts to build or automate the creation of cases, either based on detections or from scratch, using pre-defined or customizable templates to guide triage and resolution. From there, they can assign tasks, track progress, visualize the investigation, and automate workflows via Falcon Fusion SOAR to take action, all within the unified Falcon platform.
Reconnaissance: The evaluation's inclusion of the Reconnaissance tactic for the first time in 2025 added another layer of complexity, as adversaries employed sophisticated information-gathering techniques to map target environments before launching their attacks. The Falcon platform's comprehensive visibility across all attack surfaces enabled detection of these early-stage activities. In a real-world scenario, this is critical for providing security teams with the early warning they need to prepare defenses and potentially prevent attacks before they fully develop.
Meeting the Moment for Cross-Domain Security
CrowdStrike's performance in the 2025 MITRE ATT&CK Enterprise Evaluations validates our vision of unified, AI-native security and demonstrates what modern defense looks like in an era where threats go beyond traditional security boundaries. The Falcon platform's ability to achieve 100% detection and 100% protection with zero false positives while maintaining high-fidelity alerting showcases how organizations don't have to choose between comprehensive coverage and operational efficiency to defeat modern adversaries.
The 2025 MITRE ATT&CK Enterprise Evaluations highlight the critical importance of not just detecting threats but responding to them quickly and effectively. As threats continue to evolve and span multiple domains, organizations need a platform that can see and stop attacks wherever they occur. The evaluations’ expanded scope this year reflects the reality that modern threats are now truly cross-domain. Our results demonstrate that the Falcon platform is engineered for this new reality, delivering the cross-domain protection, AI-powered precision, and unified visibility that organizations need to stop today's most sophisticated adversaries.
At CrowdStrike, we believe rigorous independent testing provides customers with the transparency and insight they need to make informed security decisions. Our results in the most demanding MITRE evaluation to date prove that with the Falcon platform, adversaries truly have nowhere to hide, whether they're targeting endpoints, identities, cloud infrastructure, or all three. We stop breaches by seeing everything, understanding everything, and acting faster than the adversary can adapt.

Additional Resources