The MITRE ATT&CK Enterprise Evaluations, considered the most rigorous cybersecurity testing program, revealed significant protection gaps across the industry in its December 2025 Enterprise Round 7 results. Nine participating vendors achieved a maximum block rate of 31%, with CrowdStrike and Cybereason tying for the highest protection score. The remaining 69% of adversarial actions executed without being stopped, according to data published at https://evals.mitre.org.
More concerning were the zero-percent blocking rates against specific attack types. All nine vendors scored zero against identity attacks using Scattered Spider's techniques, the same methods responsible for the MGM Resorts and Caesars Entertainment breaches that caused hundreds of millions in losses. Cloud attack blocking rates ranged from 0% to 7.7% across the cohort, with five vendors blocking nothing against the first AWS adversary emulation in MITRE's history.
Three major vendors—Microsoft, SentinelOne, and Palo Alto Networks—withdrew from the evaluation before it began, citing various reasons including Microsoft's Secure Future Initiative and SentinelOne describing the evaluations as "PR-driven." This withdrawal trend represents a 63% decline in vendor participation from the 2022 peak, according to MITRE's historical participation records.
In response to these industry-wide gaps, VectorCertain LLC conducted its own evaluation using MITRE's ER7 methodology, extending the scope to include Volt Typhoon adversary techniques and additional governance dimensions. The company claims its SecureAgent platform achieved 100% protection across 14,208 tests against three adversary scenarios, though these are internal results not verified by MITRE.
VectorCertain attributes the industry's 31% ceiling to architectural limitations of platforms built for detection after execution rather than prevention before action. SecureAgent employs a four-gate governance pipeline that evaluates AI agent actions before they reach the environment. This approach addresses what VectorCertain identifies as the core problem: identity abuse doesn't generate endpoint telemetry that traditional detection systems can analyze.
The company has formally enrolled in MITRE's Enterprise Round 8 evaluation for independent verification. ER8 will introduce a standardized composite scoring framework, moving beyond binary detection flags toward holistic measurement of how completely platforms stop adversaries.
The protection gaps have significant economic implications. Global fraud and cybersecurity losses totaled $485.6 billion in 2023 according to Nasdaq Verafin's 2024 Global Financial Crime Report available at https://www.nasdaq.com/solutions/verafin, while AI-specific cyberattacks cost an estimated $15 billion in 2024. VectorCertain characterizes this as a "7% Global AI and Cybersecurity Tax" on organizations worldwide.
IBM's 2025 Cost of a Data Breach Report quantifies the average incident cost at $4.44 million globally, with U.S. organizations absorbing $10.22 million per breach. The same research found that organizations deploying AI in prevention workflows saved an average of $2.22 million per breach—the single largest cost-reduction factor in the study.
