SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

Breach Response Test: Crowdstrike Falcon

If an EDR solution can spot an attack, why doesn’t it stop it too?

Crowdstrike Breach Response test 2020 Q4

SE Labs tested Crowdstrike Falcon in this Breach Response test, pitting it against a range of hacking attacks designed to compromise systems.

This month shattered any doubt that intrusion detection technology is necessary. Large companies and other organisations that rely on compromised technology from IT management firm SolarWinds are racing to discover possible breaches.

Download the report now! (free – no registration)

Journalists: Google your next headline

And it’s not like things have been quiet on the breach front more generally. Once security vendors and the press cast around desperately for examples of breaches. The vendors used rare known cases to sell their software.

Annual Report 2020

Journalists used them to write explosive articles. Now it’s a case of Googling ‘ransomware’ and choosing from the dozens of recent reports, including attacks on major healthcare, technology and educational victims.

Security vendors design so-called endpoint detection and response (EDR) products to spot a breach and document it. If something weird happens, like company data being leaked, you want to know what happened to avoid a similar problem.

An EDR product or service can help, even when the security industry doesn’t know about the specific malware used. Some of those companies reeling from the SolarWinds attack are probably digging through their EDR logs now, wishing they had monitored them more closely.

This poses a question, though. If an EDR solution can spot an attack,
why doesn’t it stop it too?

Transforming detection into protection

Increasingly vendors have been taking this approach, ‘weaponising’ the capability of their detection technology to enable protection. It’s a bit like attaching a sniper rifle or (less lethally) a massive glue gun to a CCTV camera. Wouldn’t it be better to neutralise the threat rather than quietly observe as it does damage or steals things?

Breach Response Test: Crowdstrike Falcon

In our Breach Response testing we have two different modes that we use to test products. The ‘Detection’ mode measures all the different ways in which a product can detect an attack, and at which stages it can do so. Our ‘Protection’ mode, as used in this report, shows its abilities to detect and stop a threat.

Understanding the capabilities of different security products is always better achieved before you need to use them in a live scenario. SE Labs’ Breach Response test reports help you assess which are the best for your own organisation.

Find out more

Our latest reports, for enterprise, small business and home users are now available for free. Please download them and follow us on Twitter and/or LinkedIn to receive news, comment, updates and future reports.

Sign up to our monthly business and personal security newsletters.

See all blog posts relating to test results.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA

020 3875 5000