Fortinet Achieves AV-Comparatives Certification for Process Injection Protection | Fortinet Blog
Ankit Gupta · 2026-06-04 · via Fortinet All Blogs

Fortinet is proud to announce that FortiEDR has achieved certification in the AV-Comparatives 2026 Shellcode Execution/Process Injection Certification Test. Notably, all endpoint detection and response (EDR) capabilities evaluated in this assessment are also fully delivered through FortiEndpoint, Fortinet’s unified endpoint platform.

Fortinet successfully prevented or detected all 15 shellcode execution and process injection techniques evaluated in the assessment, achieving a 100% protection rate and passing the false-positive validation tests. This significantly exceeded AV-Comparatives’ certification requirement to prevent or detect at least 10 of 15 tested techniques without blocking legitimate applications.

The AV-Comparatives Process Injection Certification evaluates how effectively endpoint security solutions prevent or detect advanced shellcode execution and process injection techniques that attackers and red teams frequently use to evade traditional defenses. These techniques are commonly associated with ransomware, fileless malware, privilege escalation, credential theft, and lateral movement attacks.

Unlike traditional malware tests that focus primarily on file-based threats, this assessment specifically evaluates protection against evasive in-memory attack techniques mapped to MITRE ATT&CK T1055 (Process Injection).

By the Numbers

  • 15/15 process injection and shellcode execution techniques prevented or detected
  • 100% certification success rate
  • 0 false-positive failures
  • 50% higher coverage than the minimum certification requirement (15 tested vs. 10 required)
  • Protection validated against MITRE ATT&CK T1055 Process Injection techniques

Comprehensive Protection against Advanced Injection Techniques

To achieve certification, products were required to successfully prevent or detect at least two-thirds of the tested techniques without generating false positives for legitimate applications.

Fortinet successfully prevented or detected all 15 process injection and shellcode execution techniques tested in the assessment:

  1. Classic Remote Thread
  2. Thread Hijack
  3. Ghostwriting
  4. Transacted Hollowing
  5. Process Doppelganging
  6. APC Injection
  7. Early Bird APC
  8. Module Stomping
  9. Process Hollowing
  10. Process Herpaderping
  11. Dirty Vanity (Process Reflection Injection)
  12. Pool Party (Worker)
  13. TLS Callback
  14. Threadless Injection
  15. Fiber Injection

In addition, Fortinet passed the false-positive validation test, ensuring that legitimate applications were not improperly blocked or disrupted.

According to AV-Comparatives, Fortinet FortiEDR met the certification requirements by “successfully prevent[ing] or detect[ing] the Shellcode Execution/Process Injection attempts used in this test.”

Why Process Injection Protection Matters

Process injection remains one of the most widely used techniques in modern cyberattacks because it enables adversaries to hide malicious activity within legitimate processes and evade traditional signature-based security controls.

These techniques are frequently leveraged by attackers for:

  • Defensive evasion
  • Privilege escalation
  • Initial access operations
  • Fileless malware execution
  • Credential theft and lateral movement

The AV-Comparatives test intentionally varied multiple attack parameters, including shellcode frameworks, execution methods, APIs, injection techniques, and target processes, to simulate realistic attacker behavior.

The evaluated techniques included both self-injection and remote injection scenarios, using a variety of execution methods commonly associated with advanced threat actors and modern ransomware campaigns.

Independent Validation of Prevention-First Security

The certification further validates Fortinet’s prevention-first approach to endpoint security. Modern attacks increasingly rely on stealthy in-memory techniques to bypass traditional antivirus and static detection methods. Organizations therefore require behavioral protection that detects malicious runtime activity before attackers can establish persistence or move laterally.

Fortinet’s layered endpoint protection combines behavioral detection, exploit prevention, anti-ransomware protection, and real-time response to help organizations stop advanced threats earlier in the attack chain.

Unified Endpoint Security with FortiEndpoint

Although the certification was conducted using FortiEDR, customers receive the same validated EDR capabilities through FortiEndpoint, Fortinet’s unified endpoint platform.

FortiEndpoint unifies EPP, EDR, ZTNA/VPN, DLP, vulnerability visibility, threat-hunting telemetry, and AI-assisted operations into a single platform that simplifies endpoint security and improves protection and visibility across hybrid environments.

This unified approach helps organizations reduce agent sprawl, simplify operations with a single agent and a single console, accelerate detection and response, and lower operational overhead and total cost of ownership.

Building on Continued Third-Party Validation

This latest AV-Comparatives certification further reinforces Fortinet’s commitment to unified endpoint protection and advanced threat prevention. As attackers continue to adopt increasingly evasive in-memory techniques, Fortinet remains focused on helping organizations reduce risk, improve visibility, and strengthen resilience through an integrated endpoint security platform.

Read the full AV-Comparatives 2026 EDR Process Injection Protection report to learn more about the evaluation methodology and Fortinet’s results.

Learn more about Fortinet’s FortiEDR and FortiEndpoint solutions.