Technology: Enterprise Advanced Security (EAS)

Ransomware vs. Endpoint Security
Ransomware vs. Endpoint Security – Results from the largest public ransomware test
In this report, we analyse ransomware vs. endpoint security. Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
Product factsheet:
In this report, we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Ransomware Deep Attacks
For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases, we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to
evade detection. We’ve listed the ransomware families used in Hackers vs. Targets on page 9. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through
email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
09/2023 - 09/2023
Enterprise Advanced Security (EDR): Cisco Secure Endpoint – PROTECTION

Cisco Secure Endpoint
Testing protection against fully featured attacks
SE Labs tested Cisco Secure Endpoint – Protection against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.
There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.
Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.
Product factsheets:
Results
Cisco Secure Endpoint scored a 100% Protection Accuracy Rating for blocking every threat at the initial delivery stage. The product did not generate any false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.
It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

Cisco Secure Endpoint – DETECTION
Testing protection against fully featured attacks
SE Labs tested Cisco Secure Endpoint against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Product factsheets:
Results – Cisco Secure Endpoint (Detection)
Cisco scored a 100% Detection Accuracy Rating for detecting every element of the Turla attacks, starting from the delivery of the spear phishing attachment through to all the subsequent malicious activities in the attack chain. It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks. The product did not generate false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.
Read more of our reports here.

Endpoint Detection Compared
Endpoint Detection Compared
SE Labs tested and compared a variety of Endpoint Detection and Response products against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks. Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cyber criminal behaviour and builds tests based on how bad guys try to compromise victims. The cyber security industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps.
Fortunately, the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.
Read more reports here.

Endpoint Detection and Response is more than anti-virus
Understand cyber security testing with visible threat intelligence
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.
Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attack. See the value of cybersecurity testing with visible threat intelligence.
Product factsheet:
Some EDR products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.
For the ‘stoppers’ we run the Enterprise Advanced Security test in Protection mode. For ‘watchers’ like SenseOn we can demonstrate effectiveness by testing in Detection Mode.
An Endpoint Detection and Response (EDR) product is more than anti-virus
In this report we look at how SenseOn handled full breach attempts. At which stages did it detect? And did it allow business as usual, or alter wrongly against legitimate applications?
The targeted attacks used in this test replicate those used by the following attack groups in the real world:
- Turla
- Ke3chang
- Threat Group-3390
- Kimsuky
Read this SE Labs assessment and discover how SenseOn handles advanced targeted attacks. Find the value in early detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.
05/2023 - 05/2023
Enterprise Advanced Security (NGFW): Palo Alto Networks VM-Series Virtual Next-Generation Firewall – DETECTION

Detecting the Full Chain of Network Threats
Network security products detect threats at different security layers
Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attacks.
Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Enterprise Advanced Security test reports help you assess which are the best for your own organisation.
Product factsheet:
There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.
Detecting the Full Chain of Network Threats
In this report we look at how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handled full breach attempts. At which stages did it detect? And did it allow business as usual, or mis-handle legitimate applications?
The targeted attacks used in this test replicate those used by the following attack groups in the real world:
- Wizard Spider
- Sandworm
- Dragonfly & Dragonfly 2.0
Read this SE Labs assessment and discover how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handle advanced targeted attacks. Find the value in deep detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
05/2023 - 05/2023
Enterprise Advanced Security (EDR): Coronet Cybersecurity Coro Platform – PROTECTION

Early Protection Systems
Testing protection against fully featured attacks
There are many opportunities to spot and stop attackers. You probably want your security systems to detect and prevent breaches before they succeed and appear in press reports!
Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attack. See the value of early protection systems.
Product factsheets:
Some EDR products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.
For the ‘watchers’ we run the Enterprise Advanced Security test in Detection mode. For ‘stoppers’ like the Coro Platform we can demonstrate effectiveness by testing in Protection Mode.
Early protection systems
In this report we look at how the Coro Platform handled full breach attempts. At which stages did it detect and protect? And did it allow business as usual, or mishandle legitimate applications?
The targeted attacks used in this test replicate those used by the following attack groups in the real world:
- Turla
- Ke3chang
- Threat Group-3390
- Kimsuky
Read this SE Labs assessment and discover how the Coro Platform handles advanced targeted attacks. Find the value in early protection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.

Ransomware Detection Using Hardware
Ransomware Detection Using Hardware
Computer processors get the final word when running programs. Can they judge bad code from good?
SE Labs tested Intel’s hardware approach to ransomware detection, using a wide range of ransomware attacks designed to extort victims. These attacks were realistic, using the same tactics and techniques as those used against victims in recent months.
Target systems included Windows PC both Intel vPro-based hardware and alternative AMD platforms. All were attacked in the same way by testers acting as we observe ransomware groups to behave.
Attacks used original ransomware malware, as seen in the wild during recent months, as well as more advanced variations designed to evade detection. In all cases the ransomware’s goal was to steal, encrypt and destroy sensitive data on the target systems.
Product factsheet:
Attackers can disguise malware. In the same way you might try to slip past a security guard in thick glasses and a wig, hackers can take their regular code and make it look different. There are many ways to do this, but before it can achieve its ultimate goal, malware has to run, or execute. And at that stage it drops its disguise, at least as far as the hardware it runs on is concerned. As the code runs, its intentions become clear.
And this presents an opportunity for defenders – detect malware at the very last moment, just as it reveals itself while executing. The concept of ‘security on a chip’ has been around for a long time but now Intel claims that it has introduced anti-malware to its vPro hardware platform. By monitoring code as it executes, it hopes to detect malware and inform compatible security software when it does. It claims to do this by using pattern matching, via machine learning, to spot suspicious behaviour. The goal is to have a combination of security software and hardware working together to prevent infections.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.

Cyber Threat Intelligence
Annual Report 2023: Threat Intelligence for 2023
Welcome to the fourth annual report from SE Labs. This edition focuses on cyber threat intelligence.
Understanding threats is crucial when trying to defend against them. Knowing your enemy’s tactics helps clarify security planning.
We use threat intelligence when testing security products, to ensure our results are useful to companies facing real threats in the real world.
We’re sharing our insights here to help you build a strategy for success in the face of the global cyber threat.
What are the Threats?
We explore the current threats and explain why so many organisations remain vulnerable. There’s good news and bad news…
Ransomware
Learn about the very latest innovations in testing anti-ransomware security approaches.
Annual Security Awards
Our Annual Security Awards recognises security vendors that not only do well in our tests, but perform well in the real world with real customers. These awards are the only in the industry that recognise strong lab work combined with practical success.
How we work (and could work with you!)
Discover which types of tests we run and how we can work with you to improve your product or your choice of products.

Deep and direct ransomware testing
Deep and direct ransomware testing
We tested CrowdStrike Falcon against a range of ransomware attacks designed to extort victims. These attacks were realistic, using the same tactics and techniques that were used against victims in recent months.
Target systems, protected by CrowdStrike Falcon, were attacked by testers acting in the same way as we observe ransomware groups to behave.
Attacks were initiated from the start of the attack chain, using phishing email links and attachments, as just two examples. Each attack was run from the very start to its obvious conclusion, which means attempting to steal, encrypt and destroy sensitive data on the target systems.
Product factsheet:
Enterprise Advanced Security (Ransomware): CrowdStrike Falcon
Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
We have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Enterprise Advanced Security (Ransomware) Tested
This detailed report looks at ransomware detection during a full network attack; and protection against known ransomware attacks and their unknown variants. We include details about the different types of ransomware attacks, including the tactics used by different criminal groups.