Don’t miss your chance to learn about the latest developments in full attack chain simulation, ransomware testing, XDR, NGFW, the role of AI in defence and more…
The SE Labs Workshop 2025 is our biggest yet. With a full program delivered by our own specialists, it will help you understand how the changing threat landscape is impacting testing.
Packed with Hands-On Activities & Takeaways
Our specialists will walk you through the nuances and pitfalls of cyber security testing. You’ll gain a deeper understanding of the increasing complexities in endpoint testing, including varied attack types, a separation between business and consumer security needs, and macOS-specific testing.
From Insight to Action – Fast
As more attackers shift their tradecraft to cloud infrastructures, the SE Labs Advanced Security department will showcase the cloud-centric techniques and protocols tailored to modern cloud security challenges. We’ll be sharing the latest additions to our ransomware testing arsenal, providing you with in-depth insight into our methodologies.
Real Skills. Real Results.
We’ll take you on a deep dive into advanced testing areas, including the challenges of XDR ecosystems and next-generation firewall (NGFW) testing. You’ll learn about our newly reworked methodology and the role of AI in both offensive and defensive testing. Knowledge that you’ll be able to put to good use back in the office.
Where Innovation Meets Recognition
Closing the event is the prestigious SE Labs Annual Awards ceremony, celebrating the year’s top-performing products and innovative solutions that are driving the industry forward.
We’re breaking boundaries. Join us.
Live in London or online wherever you are, join us on 2 July for a packed program on how to get the most out of your cyber security testing. By the end of the day, you’ll have a comprehensive view of the industry’s direction, practical insights from SE Labs’ recent testing advancements, and the opportunity to connect with leaders in cyber security testing.
We made our latest ransomware counter-measures testing our largest yet.
Ransomware is rarely out of the headlines. It’s probably the most visible, most easily understood cyber threat affecting businesses today. And yet it still finds victims. This is why in our latest public report of ransomware solutions testing we increased the number of attack scenarios used by over 25%.
These included attempts to compromise target systems using techniques deployed by 15 different threat groups. To determine which attacks to deploy, we used current threat intelligence to look at what the bad guys have been doing recently and copied them quite closely. This way we can test how well security products and services handle similar threats to those faced by global governments, financial institutions and national infrastructure every day.
Ransomware vs. Endpoint
One of the reasons why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RaaS). Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. AI is now making the creation of such social engineering attacks easier, cheaper and more effective than ever before.
Given the global interest and terror around ransomware, we created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows. We use two approaches to do so: deep attacks and direct attacks.
Ransomware Deep Attacks
This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.
In devising the test, we analysed the common tactics of ransomware gangs and created our own two gangs that use a wider variety of methods. In all cases, we ran the attack from the very start, including attempting to access targets with stolen credentials or other means. We then moved through the system and sometimes the network, before deploying the ransomware as the final payload.
In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks, we move through the network and deploy ransomware on a target deeper into the network. The ransomware payloads used in this part of the report are known files from the families, which are listed on the Attack Details page of each report.
The perfect product will detect all relevant elements of an attack. The term ‘relevant’ is important, because sometimes detecting one part of an attack means it’s not necessary to detect another. This kind of visibility can be a significant advantage for a security professional who is battling a persistent attacker in real time.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.
If products can detect and protect against the known version of each of these files, all well and good. But if they also detect and block each ransomware’s two variations, then we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.
Protecting Against Ransomware
Attackers used to rely on random and widespread ransomware deployment to extort payment from as many hapless victims as they could. Today’s ransomware attacks are much more targeted and persistent, aimed at large organisations that can pay in the millions of dollars.
While educating users is still vital in protecting your business, Endpoint Protection and Detection systems do a lot of the heavy lifting. Real-world testing of the marketing claims of cyber security vendors is one of the reasons we devised this test. It doesn’t just provide you with details of products you can trust, but also informs vendors where their product doesn’t reach the standard to receive an AAA award from SE Labs, and where it can be improved.
In the end, it’s a win for everyone – except of course for the attackers.
You can see for free our latest ransomware tests on products from Symantec and Carbon Black that received an AAA rating, and don’t forget to look at the CrowdStrike report too from earlier this year.
Three themes stood out in discussions by global security leaders throughout the two days of The-C2 cyber threat intelligence event:
The supply chain
AI
Cyber hygiene
CISOs may be pleased to hear no one had all the answers, but they did have some interesting points to consider. Here are five key takeaways for CISOs.
Key Takeaways for CISOs
1. Mitigate the risk of under-resourced, smaller suppliers
You’ve shored up your defences. You’re certain that, should something happen, you’re prepared – right down to the folding beds for those “all-nighter” moments.
But attackers don’t give up. They might go after the easier target – your suppliers. Especially attractive to attackers are the smaller organisations that don’t have the resources available to large corporations.
The attackers might not even have to use your supplier as a springboard into your network. Putting them out of action may be all the disruption they need, if the goal is to take out a competitor.
And what happens if your supplier is breached? Do you hang them out to dry and void the contract? Or are you smart about it and recognise that, if the issues are fixed now, they will probably be more secure and security conscious than the next supplier that comes along?
2. AI: Recognise the risks and take control
AI is still on the fringes of significant cyber threat but, with the latest developments, the landscape is changing rapidly. On one hand, it will allow the bad guys to get attacks up and running faster, using less code or other resources. On the other hand, security vendors are already exploring and implementing AI to increase defence and protection.
But there are other aspects of how AI is used in business that CISOs should start considering now. Undoubtedly, when AI is used to write code it will introduce new security vulnerabilities. It already often suggests insecure code. And, of course, malefactors will attempt to poison the AI algorithms.
Users too will want to take advantage of the autonomy that AI provides, and perhaps give unwise permissions to the tool in order to achieve a task.
But, as so often happens with cybersecurity, many of the issues aren’t new; they just have a fancy ‘AI’ title in front of them. Shadow AI is the new name for Shadow IT, and many of the controls and mechanisms already in use share the same principles. Just as businesses had to deal with BYOD over a decade ago, now it’s BYOM (bring your own model).
3. Cyber Hygiene: Make it second nature, like washing your hands
Cyber hygiene should be ingrained into the organisation’s culture, not an annual training event with a phishing test at the end. Defence in depth has a major human element in it, and businesses should do more to change behaviours if they want to change the organisation’s culture.
Too often, employees see cyber security as a technology issue, not a risk to the entire business. The growing user demand for AI tools is a classic example. After all, what’s the harm in downloading something from Hugging Face? However, providing users with authorised tools, and raising their awareness of the dangers of unauthorised ones, can have a deeply positive impact on overall security.
But getting the message through will involve other departments, such as HR. They can help develop programs that deliver key messages in a variety of formats to ensure they are “heard” by all of the workforce.
4. Use threat intelligence as an enabler
Threat intelligence is no longer just a defensive tool. It provides business risk insights that help organisations make smarter decisions.
Moving from a reactive to a proactive approach to threat intelligence enables organisations to anticipate attacks with more accuracy. This increases the window of opportunity to prevent the attack from happening and ultimately drives business resilience.
In addition, by aligning intelligence-driven security with board-level risk management, CISOs will be able to justify security investments with clear, data-backed insights.
5. Embed compliance into the security strategy
The cyber threat landscape is constantly shifting, and CISOs need to prepare for evolving compliance requirements. While regulations are struggling to keep up, it’s likely that different global regions are all pushing in similar directions.
One of the key areas will be stricter supply chain security mandates. This becomes increasingly likely as businesses start to use a multitude of AI tools, many of which rely on the cloud to move data around as it is processed through various third-party systems.
To stay ahead of the curve, CISOs should start to embed compliance using the principles of good practice and cyber hygiene into their security strategy rather than treating compliance as an afterthought.
Thanks and see you next year
As hosts of The-C2, SE Labs would like to thank all those who took part in these discussions. There are other key takeaways for CISOs available so, if you’d like more in-depth information about some of the discussions from The-C2, head over to LinkedIn for the latest articles.
To register your interest in attending The-C2 in 2026 visit https://the-c2.com/
Simulated or real attacks in cyber security testing?
There are many different ways to test cyber security products. Most of the common approaches are useful when evaluating a service or system, but they each have pros and cons. In this article we outline the basic differences and limitations. Can you achieve realistic cyber security testing?
Join SE Labs for in-depth discussions on cyber security testing
The SE Labs Workshop in Wimbledon on 2 July 2025 promises to be an important event for cyber security professionals focused on the future of security testing. Available to both in-person and virtual attendees, this one-day event brings together industry experts and security vendors to share insights on critical topics such as testing security for MSSPs, attack chain simulation, and a significant shift in endpoint protection with the transition to Windows 11.
Business vs. consumer cyber security needs
Attendees will gain a deeper understanding of the increasing complexities in endpoint testing, including varied attack types, a separation between business and consumer security needs, and macOS-specific testing.
Ignore Business Email Compromise test cases at your peril
Good security testing is realistic, using the kinds of threats customers see in real life. This is why we put a lot of focus on Business Email Compromise (BEC) scenarios, rather than just more conventional threat types (like generic phishing and malware).
But do all endpoint security products now include next-generation anti-virus?
Cyber security protection has evolved, and so top-tier anti-virus solutions are undeniably ‘next-generation’. This term was introduced nearly a decade ago by newcomers to the industry: a marketing device designed to compete with almost unassailable anti-malware brands.
The demand for skilled cyber security professionals has never been higher. We recognised the need to prepare the next generation for this critical field and so we created SE Labs’ cyber security training programme, Level:Up. This comprehensive initiative was designed to equip Key Stage 4 and 5 students with the knowledge they need to excel in the dynamic realm of cyber security. Following the programme’s resounding success in 2022 and 2023, we expanded it this year to include adult learners. The third year of Level:Up took place last month, empowering even more individuals with the tools to excel in cyber security.
Tailored to adults of all levels interested in cyber security, the programme provided carefully crafted learning modules and practical exercises that mirror industry standards. Through these modules, participants not only gained insights into the fascinating world of cyber security but also learned to grasp the fundamental concepts needed to pursue a rewarding career in the field.
A Practical Approach to Learning
Traditionally, those interested in pursuing careers in cyber security have faced challenges in finding targeted educational resources. We identified this gap and stepped in with the Level:Up programme. Unlike conventional education pathways, Level:Up goes beyond theoretical knowledge, offering students a glimpse into the diverse roles and responsibilities within the industry. By bridging this information gap, the programme ensures that students are well-prepared to take their first steps toward a fulfilling cyber security career.
SE Labs’ cyber security training not only imparts knowledge but also opens doors. Many people interested in cyber security are unsure about the career paths available to them. Level:Up addresses this uncertainty by providing comprehensive information about various routes into the cyber security industry.
A Resounding Success
The third year of the Level:Up programme marked a milestone of achievement. Running for five days, the programme welcomed seven enthusiastic people, all eager to enhance their cyber security skills. The programme showcases SE Labs’ capabilities as a provider of cyber security training.
Join Us
Enterprise-level businesses and global cyber security vendors can use our cyber security training programme to strengthen their in-house knowledge. We help enterprises build security teams, and security vendors to improve product development.
If you are interested in levelling up your cyber security skills get in touch. SE Labs’ Level:Up cyber security education programme is more than just a curriculum; it’s a transformative experience that provides participants with the knowledge, skills, and confidence to thrive in the ever-evolving landscape of cyber security.
And are attackers using it to breach your network?
Artificial Intelligence is ruling the stock market and may be on the verge of ruling the world if you believe the business influencers. If it’s as powerful as some say, surely AI can protect your Windows systems from hackers?
The products in our new EPS test almost certainly rely on AI-related technologies to detect and protect against attacks. These technologies have been running in the background for about 20 years. We can argue that not only does anti-virus/endpoint protection use AI, but it’s been doing so for many years, and certainly before Cylance claimed to be the first.
But I did something sneaky there. I slid in the word ‘-related’. Because when people talk about ChatGPT and other popular ‘AI’ tools, they are usually talking about something else. They are amazed by the utility of Machine Learning (ML) systems, which appear to be able to mimic human thought in a rather magical way.
ML is a subset of AI, so it’s related to AI but it isn’t capable of thought. It cannot reason, in the way that we hope future AI systems will. It is great at recognising patterns, but it can make mistakes and it’s not very good at understanding why it makes those mistakes.
As I wrote this introduction, I asked ChatGPT for a fun fact about SE Labs. It claimed we had run a cyber security ‘bake-off’ that involved employees baking “virus-shaped cupcakes [and] firewall-layered cakes.” That sounds fun, and maybe we should do it, but we haven’t, so it’s not a fact. Fun or otherwise.
(I corrected ChatGPT, which responded, “You’re right, I made that up in an attempt to be fun and creative.” Maybe tomorrow’s robot overlords will be “fun and creative” and it won’t be so bad if they take over.)
Being able to match patterns is incredibly useful for cyber security tools, because attackers behave in largely similar ways, with small variations. ML can often detect new variations. Attackers can use ML, as indeed does SE Labs when creating some new threats, to try to evade detection. It’s a cat-and-mouse game, with both sides using computer brainpower to detect or escape detection.
As we launch our first XDR security testing program, we’d like to explain how SE Labs tests XDR solutions. But first, what is XDR? The industry has various opinions!
Extended Detection and Response (XDR) is a combination of security products working together. Its goal is to provide defenders with a coherent response to attacks. This joined-up approach can help defenders identify different stages of each attack without scrambling around using many different tools.
XDR is supposed to make things simpler for defenders, providing a dashboard (a ‘single pane of glass’) that provides complete insight into a network’s security situation.
SE Labs has produced the first comprehensive method of testing XDR solutions. The components of an XDR solution under test can be sold by the same company or different security vendors.
For example, we can test a solution that combines a Cisco email security gateway with endpoint security from CrowdStrike. And we can test a Cisco email security gateway alongside Cisco’s own endpoint security.
An SE Labs XDR test can assess combinations of cloud services such as email and identity alongside on-site firewalls, endpoint protection and Internet of Things (IoT) security products. If there is an XDR integration available, we can test it.
XDR in detail
There are plenty of definitions of XDR in the market. At SE Labs we define an XDR solution as a combination of at least two products, each of different types.
The products deployed do not need to be from the same vendor.
They must either talk to each other or to a third management system, which provides the overall dashboard for detection and response.
Here is a list of products that can make up an XDR solution. They can be variously installed on-site or in-cloud:
The SE Labs testing team behaves like a real customer, allowing security vendors to provide and configure their products exactly as they would in a production environment. The testing team then changes roles, behaving as attackers. It runs attacks from the beginning to the end of the attack chain, while also monitoring the security system for detections and other behaviour.
As the testers know every stage of the attack in detail, they assess how completely the products (and, more importantly, the combination of products) detect the different parts of the attacks as well as the entire attack episode.
In this way, the SE Labs testing team tests like hackers and analyses like defenders. The results are useful and realistic.
Who should care?
The results are useful, but for whom?
There are two main groups that benefit from SE Labs XDR testing.
Security sellers
The first group comprises the security vendors themselves. They can identify areas where detection is weaker and needs improvement. They may also discover areas where integration between different products could be better. The SE Labs test provides a good opportunity to make changes and strengthen the products, which means stronger protection for their users.
When things work well, security vendors can use SE Labs’ test results to highlight their successes in the market.
Security buyers
Secondly, but no less importantly, security buyers can use either public or bespoke test results to help choose the most appropriate products for their own organisations. Having real test data, showing how products handle threats in the real world, reduces risk and improves value for money.
Not every product works equally well, and that applies not only to general security effectiveness but also integration with other products. Security testing results are always an important resource before investing in a product. They are doubly so when looking to buy or build an XDR solution.
XDR Examples
Here are some examples of XDR implementations. We’ve chosen vendors and products randomly, but sensibly. For example, it makes sense to combine endpoint and email security solutions with a central data repository like a SIEM. It also makes sense to combine products from different market-leading providers, or to use all of the products from a single one.
Infer no judgement about the suitability of specific vendors from this example list:
Microsoft Defender (endpoint); Microsoft Defender (email); Splunk Cloud Platform (SIEM)
In the first example we have combined the detections and other data from two Microsoft products (endpoint and email) and sent them to a cloud-based platform that claims to provide insight into all activity.
In the second example, a simple setup combines the detection capabilities of endpoint and email threat detection products from different vendors.
Thirdly, some security companies are able to provide products for many different areas, such as firewalls, endpoint, email and web security. In this example, one vendor provides and manages all the components of the detection system.