Vendor: Palo Alto
04/2025 - 05/2025
Advanced Security Test Report: Palo Alto Networks Cortex XDR – EDR (Protection)
Ransomware vs. Endpoint Security
Palo Alto Networks Cortex XDR test results by SE Labs.
SE LABS tested Palo Alto Networks Cortex XDR against a range of ransomware attacks designed to extort victims. These attacks were realistic, using the same tactics and techniques as those used against victims in recent months.
We attacked target systems, protected by Cortex XDR, acting in the same way as we observe ransomware groups to behave.
Attacks were initiated from the start of the attack chain, using phishing email links and attachments, as just two examples. Each attack was run from the very start to its obvious conclusion, which means attempting to steal, encrypt and destroy sensitive data on the target systems.
Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
One reason why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RAAS). Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. Artificial intelligence systems make the creation of such social engineering attacks easier, cheaper and more effective than ever before.
Given the global interest and terror around ransomware, we have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Ransomware Deep Attacks
For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.
In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks we move through the network and deploy ransomware on a target deeper into the network.
The ransomware payloads we used in this part of the report were known files from all of the families listed in Attack Details on page 8.
This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We’ve listed the ransomware families used in Attack Details on page 8. We sent each of these ransomware payloads directly to target systems. We used realistic techniques, such as through email social engineering attacks. This is a full but short attack chain.
In this part of the test, we ensure any protection features are enabled in the product.
If products like Palo Alto Networks Cortex XDR can detect and protect against the known version of each of these files, all well and good. But if they also detect and block each ransomware’s two variations, we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.
Holding Cyber Security to Account
It’s a phrase I hate: People are the weakest link in cyber security. Technology is supposed to serve humans, not the other way around. When we use computers in our personal and business lives, we have certain goals. Entertainment. Making money. Administering our energy bills, car insurance and any number of other important tasks. But our goals are probably not ‘security’.
You are not the weakest link
We should be able to rely confidently on the security products that everyone tells us we need. The endpoint protection products in this report have undergone the most strenuous testing available, and they’ve come out well. They’ll provide you with strong protection while you use your computer to do something useful, fun or both.
How we test
We tested a variety of anti-malware (aka ‘anti-virus’; aka ‘endpoint security’) products from a range of well-known vendors in an effort to judge which were the most effective. Each product was exposed to the same threats, which were a mixture of targeted attacks using well-established techniques and public email and web-based threats that were found to be live on the internet at the time of the test. The results indicate how effectively the products were at detecting and/or protecting against those threats in real-time.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
05/2023 - 05/2023
Enterprise Advanced Security (NGFW): Palo Alto Networks VM-Series Virtual Next-Generation Firewall – DETECTION

Detecting the Full Chain of Network Threats
Network security products detect threats at different security layers
Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attacks.
Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Enterprise Advanced Security test reports help you assess which are the best for your own organisation.
Product factsheet:
There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.
Detecting the Full Chain of Network Threats
In this report we look at how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handled full breach attempts. At which stages did it detect? And did it allow business as usual, or mis-handle legitimate applications?
The targeted attacks used in this test replicate those used by the following attack groups in the real world:
- Wizard Spider
- Sandworm
- Dragonfly & Dragonfly 2.0
Read this SE Labs assessment and discover how Palo Alto Networks VM-Series Virtual Next-Generation Firewalls handle advanced targeted attacks. Find the value in deep detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.