SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Enterprise Advanced Security test expanded

The Enterprise Advanced Security testing programme includes new attack groups.

Enterprise Advanced Security

Our Enterprise Advanced Security (EAS) tests can assess any security software, hardware appliance, cloud service or combination thereof. Always evolving, these tests have expanded to include new attacks.

(These tests were originally called the Breach Response test. We renamed them for a number of reasons.)

Hackers and way they hack

Research on real attacker behaviour is a fundamental element of our EAS testing. Our team looks at the real-world behaviour of advanced threat groups, known as Advanced Persistent Threats (APTs).

While useful, MITRE’s ATT&CK framework does not provide a full list of how the bad guys operate. The Tactics, Techniques and Procedures (TTPs) used by an APT vary widely and we go further than using solely those listed in the ATT&CK database.

To improve the accuracy and relevance of our tests, the team investigates other sources of research, as well as performing their own on malware samples and tools attributed to different APTs. Over time, often years, our knowledge of an APT can change as our research, and the research of others, progresses. The more eyes there are on a threat, the more information comes to light.

Enterprise Advanced Security Threat Series

During a test we choose a range of APTs and create attacks similar to those seen in the real world as used by those attackers. We organise these threats by creating a series, or menu, of different threat groups. We’ve previously written in detail about the first three Threat Series.

Since then we doubled the number of Threat Series to six. Here is a summary of all current Threat Series and the attack groups within each.

Threat Series groups

Threat SeriesAPT Groups
1APT29, APT3, OilRig, APT33
2FIN4, FIN7 & Carbanak, FIN10, Silence
3APT19, Deep Panda, Dragonfly & Dragonfly 2.0
4 (NEW)APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, OilRig
5 (NEW)APT29, OilRig, FIN7 & Carbanak, APT3 
6 (NEW)Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0
Each Threat Series contains attacks similar to known attack groups

For detailed information on Threat Series 1, 2 and 3 please refer to our previous article.

New Threat Series Details

Threat Series 4

Background: APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, Oilrig

These groups were combined to form a “Best of” compilation of the previous APTs used in our tests. It has the biggest diversity of TTPs tested at the time, with APT29 and ‘FIN7 & Carbanak’ being the two used in the most recent MITRE Engenuity evaluations.

We topped up the Threat Series with ‘Dragonfly & Dragonfly 2.0’ and OilRig to add a wider range of threats.

  • Enterprise Advanced Security Threat Series 3
  • Enterprise Advanced Security Threat Series 2
  • Enterprise Advanced Security Threat Series 1
  • Enterprise Advanced Security Threat Series 5
  • Enterprise Advanced Security Threat Series 6
  • Enterprise Advanced Security Threat Series Key
  • Enterprise Advanced Security Threat Series 4

Threat Series 5

Background: APT29, FIN7 & Carbanak, Oilrig, APT3 

This Threat Series was created for our new Network Detection and Response (NDR) test. These APTs allowed us to better showcase NDR capabilities. The most well-known report is the one we created for VMware. This report goes some way to highlighting the wide range of solutions compatible with our testing.

We are expecting more NDR reports focused on this series later this year.

Threat Series 6

Background: Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0 

The newest addition to our Threat Series contains our take on Wizard Spider and Sandworm from the MITRE Engenuity Evaluation, coupled with the APTs we have in Dragonfly & Dragonfly 2.0. These provide the widest range of techniques of all the groups we include in the tests.

What’s next for the test? 

Our first public comparative of endpoint detection and response (EDR) products will take place in Q2 of 2022, with publication expected in June. We will announce a new Threat Series and the exact dates later this month (February 2022). Throughout the year we expect to publish at least one comparative report, multiple NDR reports out and our first extended detection and response (XDR) reports.

Other projects are also in the pipeline and the best way to get advance notice of these is to subscribe to our free newsletter.

Why did we rename ‘Breach Response’ as ‘Enterprise Advanced Security’?

Some people assumed, for historical reasons, that the Breach Response test was suitable for endpoint solutions only. However, its scope was much wider because we test like real attackers, using the full attack chain. As such, we can test most security products in much the same way. To avoid confusion we adopted the simpler name of Enterprise Advanced Security at the end of 2021. We feel that Enterprise Advanced Security better encompasses the wide range of products we can test as well as being more appropriate for the readers of our reports. As a result of this change we have found increased participation from security vendors of different types, including EDR, NDR, XDR and network security appliances such as firewall.

Find out more

Free security test reports

Stay in touch

Get tested

Discover how we work with large organisations and security vendors.

  • Do you run a large organisation’s security infrastructure and want an assessment?
  • Are you a security vendor that needs certification?
  • SE Labs anti-virus certification can help security vendors access Windows Early Launch Antimalware (ELAM).

Please contact us now.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA