EDR Detection Validation 2025

After launching the pilot earlier this year, AV-Comparatives has now completed the 2025 round of the EDR Detection Validation Test. This independent evaluation put seven enterprise cybersecurity solutions to the test under advanced threat scenarios. The goal: to assess their ability to detect and report real-world attacks with precision and visibility.

The test includes a full attack scenario consisting of 12 steps and several sub-steps, as well as a Signal-to-Noise assessment. The tested products where configured in Detection Only mode to accurately assess its capabilities in identifying each technique used in the attack steps.

We are pleased to announce that a total of five solutions have achieved certification so far — four in the recent 2025 certification test, and one in the earlier pilot phase — under our transparent and rigorous methodology.

The following products earned certification in the 2025 test round:

crowdstrike

CrowdStrike Falcon Pro

ESET

ESET PROTECT Enterprise Cloud

g-data

G DATA 365 MXDR (MDR solution)

Kaspersky

Kaspersky Next EDR Expert (in the pilot test)

Palo Alto Networks

Palo Alto Networks Cortex XDR Pro

While the pilot test used the same core methodology, the attack scenarios, metrics, and scoring criteria were adjusted in the certification test based on analyst feedback. As a result, pilot and certification test results are not directly comparable. In general, due to the nature of this test and the evolving attack scenarios, results should be viewed standalone and not used for direct product-to-product comparison.

A Focus on Real-World Visibility

This evaluation simulates Advanced Persistent Threat (APT) attacks, using known Tactics, Techniques, and Procedures (TTPs) from frameworks such as MITRE ATT&CK. All products were tested in monitoring mode only, meaning prevention features were disabled. The goal: to measure how well threats are detected and reported, not blocked.

Highlights of the methodology:

  • Execution of complex attack chains
  • Validation of detections via alerts in the management console or through manual threat hunting in telemetry
  • Transparent certification model: only products meeting the detection threshold are certified and publicly listed
EDR Detection Validation Test