Technology: Advanced Security
All reports
04/2025 - 05/2025
Advanced Security Test Report: Acronis Cyber Protect Cloud with Advanced Security + XDR Pack – EDR (Detection)
Endpoint Detection and Response is more than anti-virus
Acronis Cyber Protect Cloud with Advanced Security + XDR Pack Detection test results by SE LABS (Threat Series: 11).
SE LABS tested Acronis Cyber Protect Cloud with Advanced Security + XDR Pack against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks.
Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Loading…
Reload document 
Open in new tab 
An Endpoint Detection and Response (EDR) product goes beyond traditional antivirus software, which is why it requires more sophisticated testing. This involves testers mimicking real attackers and following every step of an attack.
While shortcuts might seem tempting, fully executing each phase of an attack is crucial to truly evaluate the effectiveness of EDR products.
Moreover, each step must reflect real-world scenarios; you can’t just guess what cyber criminals might do and hope it’s accurate. That’s why SE Labs tracks the actual behaviour of cyber criminals and designs tests based on how attackers attempt to compromise their targets.
The cyber security industry refers to this sequence of steps as the ‘attack chain.’ The MITRE organization has documented these stages in its ATT&CK framework.
While this framework doesn’t provide an exact blueprint for real-world attacks, it offers a structured guide that testers, security vendors, and customers (like you!) can use to conduct tests and interpret the results.
Acronis Cyber Protect Cloud with Advanced Security + XDR Pack Detection test results
SE Labs’ Advanced Security tests are based on real attacker behaviour, and we present our findings using a MITRE ATT&CK-style format.
You can see how the ATT&CK framework outlines each step of an attack and how we apply it to our testing in section 4. Threat Intelligence, starting on page 12. This approach offers two key benefits: confidence that our tests are both realistic and relevant, and familiarity with the way cyber attacks are illustrated.
Check out this in-depth report on Acronis Cyber Protect Cloud with Advanced Security + XDR Pack.
All reports
03/2025 - 04/2025
Advanced Security Test Report: Symantec Endpoint Security Complete – EDR (Protection)
Ransomware vs. Endpoint Security
This is the most comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Loading…
Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
One reason why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RAAS).
Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. Artificial intelligence systems make the creation of such social engineering attacks easier, cheaper and more effective than ever before.
Given the global interest and terror around ransomware, we have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Ransomware Deep Attacks
For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.
In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks we move through the network and deploy ransomware on a target deeper into the network.
The ransomware payloads used in this part of the report were known files from all of the families listed in Attack Details on page 8. This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We’ve listed the ransomware families used in Attack Details on page 8. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.
If products can detect and protect against the known version of each of these files, all well and good. But if they also detect and block each ransomware’s two variations then we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.
Ransomware vs. Endpoint Security
This is the most comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Loading…
Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
One reason why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RAAS).
Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. Artificial intelligence systems make the creation of such social engineering attacks easier, cheaper and more effective than ever before.
Given the global interest and terror around ransomware, we have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Ransomware Deep Attacks
For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.
In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks we move through the network and deploy ransomware on a target deeper into the network.
The ransomware payloads used in this part of the report were known files from all of the families listed in Attack Details on page 8. This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We’ve listed the ransomware families used in Attack Details on page 8. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.
If products can detect and protect against the known version of each of these files, all well and good. But if they also detect and block each ransomware’s two variations then we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.
All reports
02/2025 - 02/2025
Advanced Security Test Report: Cisco Secure Firewall 4225 – NDR (Protection)
Testing protection against fully featured attacks
Our Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible. In this test we assess the capabilities of the Cisco Secure Firewall 4225.
Loading…
Early Protection Systems
There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.
Regardless of which stages your security takes effect, you probably want it to detect and prevent before the breach runs to its conclusion in the press.
Our Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible.
This is important because different products can detect and prevent threats differently.
Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.
Some products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.
For the ‘watchers’ we run the Advanced Security test in Detection mode. For ‘stoppers’ like Cisco Secure Firewall 4225 we can demonstrate effectiveness by testing in Protection Mode.
In this report we look at how Cisco Secure Firewall 4225 handled full breach attempts. At which stages did it detect and protect? And did it allow business as usual, or mis-handle legitimate applications?
Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Advanced Security test reports help you assess which are the best for your own organisation.
How we test the Cisco Secure Firewall 4225
SE LABS tested Cisco Secure Firewall 4225 against targeted attacks based on Threat Series: 9
These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking groups known as Scattered Spider and APT29 operate to breach systems and networks.
Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
Choose your reports and reviews carefully
All reports
02/2025 - 02/2025
Advanced Security Test Report: VMware vDefend Advanced Threat Prevention – NDR (Protection)
Testing protection against fully featured attacks
Our Advanced Security test is unique, in that we test products by running a full attack. We follow every step of a breach attempt to ensure that the test is as realistic as possible.
Loading…
