SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Breach Response Test: Crowdstrike Falcon

If an EDR solution can spot an attack, why doesn’t it stop it too?

Crowdstrike Breach Response test 2020 Q4

SE Labs tested Crowdstrike Falcon in this Breach Response test, pitting it against a range of hacking attacks designed to compromise systems.

This month shattered any doubt that intrusion detection technology is necessary. Large companies and other organisations that rely on compromised technology from IT management firm SolarWinds are racing to discover possible breaches.

Download the report now! (free – no registration)

Journalists: Google your next headline

And it’s not like things have been quiet on the breach front more generally. Security vendors and the press once had to cast around desperately for examples of breaches. The vendors used the rare known cases to sell their software.

Journalists used them to write explosive articles. Now it’s a case of Googling ‘ransomware’ and choosing from the dozens of recent reports, including attacks on major healthcare, technology and educational victims.

Security vendors design so-called endpoint detection and response (EDR) products to spot a breach and document it. If something weird happens, like company data being leaked, you want to know what happened to avoid a similar problem.

An EDR product or service can help, even when the security industry doesn’t know about the specific malware used. Some of those companies reeling from the SolarWinds attack are probably digging through their EDR logs now, wishing they had monitored them more closely.

This poses a question, though. If an EDR solution can spot an attack, why doesn’t it stop it too?

Transforming detection into protection

Increasingly vendors have been taking this approach, ‘weaponising’ the capability of their detection technology to enable protection. It’s a bit like attaching a sniper rifle or (less lethally) a massive glue gun to a CCTV camera. Wouldn’t it be better to neutralise the threat rather than quietly observe as it does damage or steals things?


In our Breach Response testing we use two different modes to test products. The ‘Detection’ mode measures all the different ways in which a product can detect an attack, and at which stages it can do so. Our ‘Protection’ mode, as used in this report, measures a product’s ability both to detect a threat and to stop it.

It is always better to understand the capabilities of different security products before you need to rely on them in a live incident. SE Labs’ Breach Response test reports help you assess which are the best for your own organisation.
