All reports

11/2024 - 11/2024

Enterprise Advanced Security (EDR): Coro – EDR – PROTECTION

Testing protection against fully featured attacks

Early Protection Systems

Testing protection against fully featured attacks

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.

Regardless of which stages your security takes effect, you probably want it to detect and prevent before the breach runs to its conclusion in the press. Our Enterprise Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Testing protection against fully featured attacks

Our Enterprise Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible. This is important because different products can detect and prevent threats differently. In this report we look at how Coro – EDR handled full breach attempts. At which stages did it detect and protect? And did it allow business as usual, or mis-handle legitimate applications?

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

07/2024 - 09/2024

Enterprise Advanced Security (EDR): Enterprise 2024 Q3 – DETECTION

Endpoint security products

Endpoint Detection Compared

We compare endpoint security products directly using real, major threats

Welcome to the third edition of the Enterprise Advanced Security test, where we directly compare various endpoint security products. This report examines how these products tackle major threats faced by businesses of all sizes from the Global 100 down to medium enterprises, and likely small businesses too. While we provide an overall score, we also delve into the specific details that matter most to your security team, outlining the different levels of protection these products offer.


Endpoint Detection and Response (EDR) solutions go beyond traditional antivirus software, requiring more advanced testing methods. To truly evaluate EDR capabilities, testers need to act like real attackers, meticulously replicating each step of an attack.

It might be tempting to take shortcuts during testing, but to genuinely assess an EDR product’s effectiveness, it’s crucial to execute every stage of an attack. And each of these stages needs to be realistic; you can’t just guess what cybercriminals might do. That’s why SE Labs carefully tracks real-world cybercriminal behaviour and designs tests based on their tactics.

Thankfully, the MITRE organization has outlined these steps through its ATT&CK framework. While this framework doesn’t provide a precise guide for every attack scenario, it offers a valuable structure that testers, security vendors, and customers (like you!) can use to conduct tests and interpret results.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

How we test endpoint security products

We tested a variety of Endpoint Detection and Response products against a range of hacking attacks
designed to compromise systems and penetrate target networks in the same way criminals and other attackers breach systems and networks.


Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

09/2024 - 09/2024

Enterprise Advanced Security (EAS): Acronis Cyber Protect Cloud with Advanced Security + XDR Pack

Endpoint Detection and Response is more than anti-virus

Endpoint Detection and Response is more than anti-virus

Gain insights into cyber security testing through transparent threat intelligence

An Endpoint Detection and Response (EDR) product is much more than anti-virus which is why it requires more sophisticated testing. This involves testers mimicking real attackers and following every step of an attack.

How we test the effectiveness of Endpoint Detection and Response products

While shortcuts might seem tempting, fully executing each phase of an attack is crucial to truly evaluate the effectiveness of EDR products.

Moreover, each step must reflect real-world scenarios. You can’t just guess what cybercriminals might do and hope it’s accurate. That’s why SE Labs tracks the actual behaviour of cybercriminals and designs tests based on how attackers attempt to compromise their targets.

The cyber security industry refers to this sequence of steps as the ‘attack chain.’ The MITRE organization has documented these stages in its ATT&CK framework.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

How we tested Acronis Cyber Protect Cloud with Advanced Security + XDR Pack

We tested Acronis Cyber Protect Cloud with Advanced Security + XDR Pack against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks. Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

05/2024 - 05/2024

Enterprise Advanced Security (EAS): Acronis Cyber Protect Cloud with Advanced Security pack + EDR – DETECTION

Understand cyber security testing with visible threat intelligence

Understand cyber security testing


An Endpoint Detection and Response (EDR) product is more than antivirus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand cyber security testing and the capabilities of EDR security products.


Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims. The cybersecurity industry is familiar with the concept of the
‘attack chain’, which is the combination of those attack steps.


Fortunately, the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.



Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Understand cyber security testing

You can see how ATT&CK lists out the details of each attack, and how we represent the way we tested, in 4. Threat Intelligence, starting on page 13. This brings two main advantages: you can have confidence that the way we test is realistic and relevant; and you’re probably already familiar with this way of illustrating cyber attacks

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

11/2023 - 11/2023

Enterprise Advanced Security (Ransomware): CrowdStrike Falcon 2023

Ransomware vs. Endpoint Security

Ransomware vs. Endpoint Security

Ransomware vs. Endpoint Security – Results from the largest public ransomware test

In this report, we analyse ransomware vs. endpoint security. Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Product factsheet:

In this report, we have taken two main approaches to assessing how well products can detect and protect against ransomware.

Ransomware Deep Attacks

For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases, we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.

Ransomware Direct Attacks

The second part of the test takes a wide distribution of known malware and adds variations designed to
evade detection. We’ve listed the ransomware families used in Hackers vs. Targets on page 9. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through
email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.


Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

09/2023 - 09/2023

Enterprise Advanced Security (EDR): Cisco Secure Endpoint – PROTECTION

Cisco Secure Endpoint - PROTECTION

Cisco Secure Endpoint

Testing protection against fully featured attacks

SE Labs tested Cisco Secure Endpoint – Protection against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.

Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Results

Cisco Secure Endpoint scored a 100% Protection Accuracy Rating for blocking every threat at the initial delivery stage. The product did not generate any false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.

It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks.

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

All reports

09/2023 - 09/2023

Enterprise Advanced Security (EDR): Cisco Secure Endpoint – DETECTION

Cisco Secure Endpoint - DETECTION

Cisco Secure Endpoint – DETECTION

Testing protection against fully featured attacks

SE Labs tested Cisco Secure Endpoint against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Product factsheets:

Results – Cisco Secure Endpoint (Detection)

Cisco scored a 100% Detection Accuracy Rating for detecting every element of the Turla attacks, starting from the delivery of the spear phishing attachment through to all the subsequent malicious activities in the attack chain. It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks. The product did not generate false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.

Read more of our reports here.

All reports

04/2023 - 06/2023

Enterprise Advanced Security (EDR): Enterprise 2023 Q2 – DETECTION

Endpoint Detection Compared

Endpoint Detection Compared

Endpoint Detection Compared

SE Labs tested and compared a variety of Endpoint Detection and Response products against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks. Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.

Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cyber criminal behaviour and builds tests based on how bad guys try to compromise victims. The cyber security industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps.

Fortunately, the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.

Read more reports here.

All reports

07/2023 - 07/2023

Enterprise Advanced Security (EDR): SenseOn – DETECTION

An Endpoint Detection and Response (EDR) product is more than anti-virus

Endpoint Detection and Response is more than anti-virus

Understand cyber security testing with visible threat intelligence

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.

Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attack. See the value of cybersecurity testing with visible threat intelligence.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

Product factsheet:

Some EDR products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.

For the ‘stoppers’ we run the Enterprise Advanced Security test in Protection mode. For ‘watchers’ like SenseOn we can demonstrate effectiveness by testing in Detection Mode.

An Endpoint Detection and Response (EDR) product is more than anti-virus

In this report we look at how SenseOn handled full breach attempts. At which stages did it detect? And did it allow business as usual, or alter wrongly against legitimate applications?

The targeted attacks used in this test replicate those used by the following attack groups in the real world:

  • Turla
  • Ke3chang
  • Threat Group-3390
  • Kimsuky

Read this SE Labs assessment and discover how SenseOn handles advanced targeted attacks. Find the value in early detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.

All reports

05/2023 - 05/2023

Enterprise Advanced Security (NGFW): Palo Alto Networks VM-Series Virtual Next-Generation Firewall – DETECTION

Detecting the Full Chain of Network Threats

Detecting the Full Chain of Network Threats

Network security products detect threats at different security layers

Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attacks.

Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Enterprise Advanced Security test reports help you assess which are the best for your own organisation.

Loader Loading…
EAD Logo Taking too long?

Reload Reload document
| Open Open in new tab

Download

There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.

Detecting the Full Chain of Network Threats

In this report we look at how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handled full breach attempts. At which stages did it detect? And did it allow business as usual, or mis-handle legitimate applications?

The targeted attacks used in this test replicate those used by the following attack groups in the real world:

  • Wizard Spider
  • Sandworm
  • Dragonfly & Dragonfly 2.0

Read this SE Labs assessment and discover how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handle advanced targeted attacks. Find the value in deep detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.

Choose your reports and reviews carefully

We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

Contact us

Give us a few details about yourself and describe your inquiry. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us