SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

Endpoint Detection and Response is more than anti-virus

Understand cybersecurity testing with visible threat intelligence.

EDR is more than antivirus

An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.

Intelligence-led testing

While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.

Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims.

Download the report now! (free – no registration)

EDR is more than antivirus

The cybersecurity industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps. Fortunately the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.

The Enterprise Advanced Security tests that SE Labs runs are based on real attackers’ behaviour. This means we can present how we run those attacks using a MITRE ATT&CK-style format. You can see how ATT&CK lists out the details of each attack, and how we represent the way we tested, in 4. Threat Intelligence, starting on page 13.

This brings two main advantages: you can have confidence that the way we test is realistic and relevant; and you’re probably already familiar with this way of illustrating cyber attacks.

Sign up to our monthly business and personal security newsletters.

EDR is more than antivirus because it needs to track many elements of an attack, only parts of which might involve malware. It’s perfectly possible to compromise a network without using malware at all!

In our Enterprise Advanced Security we use a combination of malware, social engineering and abuse of legitimate tools to generate attacks. We then track how each product handles every part of the attack to see how it would perform against a real adversary.

The results, as you’ll find in this report, assess CrowdStrike Falcon against real-world attacks and show that measuring just the anti-virus part of the product misses a great deal of its capabilities.

Find out more

Free security test reports

Stay in touch

Get tested

Discover how we work with large organisations and security vendors.

  • Do you run a large organisation’s security infrastructure and want an assessment?
  • Are you a security vendor that needs certification?
  • SE Labs anti-virus certification can help security vendors access Windows Early Launch Antimalware (ELAM).

Please contact us now.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA