# Cortex XDR: Best Combined Prevention and Detection in MITRE Round 3

By [Peter Havens](https://www.paloaltonetworks.com/blog/author/peter-havens/?ts=markdown "Posts by Peter Havens")

Apr 21, 2021

*In the MITRE ATT&CK round 3 evaluation, Cortex XDR delivered 100% threat protection and 97%+ detection visibility. The MITRE ATT&CK evaluations test the detection capabilities of leading security solutions by emulating the real-world attack sequences of the world's most sophisticated advanced persistent threat (APT) groups.*

## Diving Into MITRE ATT&CK Round 3 Results

The 2021 MITRE ATT&CK results are out! Yesterday, [MITRE Engenuity](https://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/) published the third round of the MITRE ATT&CK evaluations, which tested 29 participants' ability to defend against the tactics, techniques and procedures (TTPs) leveraged by the [Carbanak](https://attack.mitre.org/groups/G0008/) and [FIN7](https://attack.mitre.org/groups/G0046/) threat groups. We are thrilled to announce that Cortex XDR has once again delivered outstanding results in the face of these advanced threat actors.

#### MITRE ATT&CK Round 3 Detection Scoring

Focused on analyzing how detections occur, rather than assigning scores to vendor capabilities, MITRE categorizes each detection and capture and organizes detections [according to each attack technique](https://attackevals.mitre-engenuity.org/enterprise/carbanak_fin7/detection-categories.html). Techniques may have more than one detection if a security solution detects a technique in different ways. All observed detections are included in the evaluation results.

#### Results of Cortex XDR Protecting Against Carbanak and FIN7

![Figure 1](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/Figure-1-MITRE-3.png)

Figure 1. Cortex XDR had the highest combined protection and detection results in the evaluation. \*Note: Data and charts based on MITRE results minus detections with a "Configuration Change" modifier.

We're proud to build on our pattern of [strong results](https://www.paloaltonetworks.com/blog/2020/04/cortex-mitre/). Highlights of Cortex XDR's results against TTPs used by Carbanak and FIN7 include:

* **Blocked 100% of attacks** in the [protection evaluation](https://attackevals.mitre-engenuity.org/enterprise/participants/paloaltonetworks/results.html?adversary=carbanak_fin7&scenario=protections) on both Windows and Linux endpoints.
* **Achieved 97% visibility** of attack techniques.
* The best detection rates of any solution that also got a perfect protection score.
* Of the attack techniques used, Cortex XDR identified **86% with an analytics detection, defined by MITRE as detections that provide additional context beyond telemetry.**
  * **80% of which had an associated technique-level detection**, the highest type of detection awarded in this evaluation.
* Achieved the **highest overall combined detection and protection rate** in the evaluation.

The ATT&CK results reveal our dedication to preventing every possible threat and keeping our customers safe from the most nefarious adversaries. Because APT groups use existing apps and system tools to carry out their attacks, we have focused on accurately identifying and correlating malicious usage of these apps, without blocking legitimate activity.

Round 3 of the MITRE ATT&CK evaluations brought the optional addition of Linux endpoints and a "Protection" phase of the evaluation in which solutions were evaluated on their ability to block attacks on both Linux and Windows endpoints. Given our track record for excellent threat prevention and our extensive tooling for Linux endpoints, we opted in for both. Cortex XDR blocked all attacks across Linux and Windows while providing the highest detection rate and quality of detections of any vendor to do so.

![Figure 2](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-35.png)

Figure 2. Cortex XDR blocked 100% of attacks in the protection phase against both Linux and Windows.

![Figure 3](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-36.png)

Figure 3. Cortex XDR provided the second highest visibility overall and the highest of any vendor with a perfect protection score.

![Figure 4](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-37.png)

Figure 4. 80% of attacks identified with the highest possible technique-level detection score.

Cortex XDR not only blocked all attacks in the first-ever MITRE ATT&CK protection tests, it also integrated log data from [Palo Alto Networks Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall) to increase detection fidelity. Detailed application, user and content information included in firewall logs enriched our analytics capabilities. Because Cortex XDR gathers and integrates network data with endpoint data, it provides deep visibility into application data.

![Figure 5](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/04/word-image-38.png)

Figure 5. Cortex XDR stitches together network and endpoint data to provide additional details, such as the App-ID "msrpc-base" for a network connection shown above, so that analysts get a complete picture of an attack.

## Deep Visibility With Extended Detection and Response

While the latest MITRE ATT&CK evaluation allowed participants to analyze network data, the evaluation focused on endpoint attacks. Real-life attacks often target managed endpoints, but they can also involve unmanaged endpoints, cloud applications or even [networking and security equipment](https://www.fbi.gov/news/pressrel/press-releases/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabilities-to-compromise-us-and-allied-networks). Therefore, security teams should consider a more holistic approach that extends beyond traditional endpoint detection and response (EDR) to provide enterprise-wide visibility.

Cortex XDR enables customers to stop modern attacks by applying AI and analytics to endpoint, network and cloud data. This combination of rich data and behavioral analytics not only contributed to Cortex XDR's stellar evaluation results, but it also allowed Cortex XDR to block attacks from [the SolarStorm group](https://www.paloaltonetworks.com/blog/2020/12/next-solarwinds-modernizing-cybersecurity/) and to detect post-intrusion activity from [the HAFNIUM group](https://www.paloaltonetworks.com/blog/security-operations/busted-by-xdr-detecting-microsoft-exchange-post-exploit-activity-in-february/) before the threat actors were publicly disclosed.

If you are interested in learning more about the attack scenarios emulated in this evaluation and the technologies that best protect and detect these techniques, sign up to view our on-demand webinar, "[Carbanak+FIN7: MITRE ATT&CK Results Unpacked](https://register.paloaltonetworks.com/mitreround3resultsunpacked?utm_source=blog&utm_medium=social&utm_campaign=cortex_xdr_amer_mitre2blog&utm_content=&sfdcid=7014u000001sxtoAAA)."

Learn more about the Round 3 MITRE ATT&CK Evaluation. [Read the eBook now.](https://www.paloaltonetworks.com/resources/ebooks/essential-guide-mitre-round-3)