Fortinet proudly announces that FortiEDR has achieved certification in the AV-Comparatives 2026 EDR Detection Validation Test. Importantly, all endpoint detection and response (EDR) features tested are also fully available via FortiEndpoint, Fortinet’s unified endpoint platform.

Fortinet achieved certification by delivering validated visibility across 12 of the 14 attack stages evaluated in the assessment, significantly exceeding AV-Comparatives’ requirement for visibility into at least two-thirds of attack steps. The solution combined active alerts with telemetry-based visibility to help analysts identify, investigate, and reconstruct attacker activity throughout the attack chain.

The AV-Comparatives EDR Detection Validation Test evaluates how effectively EDR solutions detect and provide visibility into advanced multistage attack chains mapped to the MITRE ATT&CK framework. Unlike prevention-focused testing, this assessment emphasizes detection visibility, telemetry quality, operational context, and support for threat hunting and workflow investigation.

By the Numbers

• 12 of 14 attack stages validated through alerts and/or telemetry
• 19 security alerts correlated across the attack scenario
• 4 of 5 signal-to-noise validation scenarios successfully handled

Certified Detection Visibility Across Multistage Attacks

In the 2026 test, AV-Comparatives executed a real-world 14-step attack chain simulating advanced adversary activity, including:

• Spear phishing and malicious payload delivery
• Process injection and browser-parented beaconing
• Scheduled task persistence
• Kerberoasting and credential access attempts
• Lateral movement across systems
• Privilege escalation and domain compromise techniques
• Command-and-control communication
• DCSync credential replication attempts

Fortinet achieved certification by demonstrating meaningful detection visibility and telemetry across a substantial portion of the attack chain.

“Fortinet demonstrated solid target-side visibility during server-based lateral movement, with the pivot to the file server being one of the evaluation's stronger detection sequences. The product provided convincing coverage of service-based staging and process injection throughout the attack chain,” says Andreas Clementi, founder and CEO of AV-Comparatives.

The report further validated Fortinet’s ability to provide both active response detections through alerts, and deep telemetry visibility for retrospective investigation and threat hunting.

This combination is critical for modern SOC teams that require not only prevention but also contextual visibility to investigate sophisticated attacks across the kill chain.

Strong Visibility into Real-World Adversary Techniques

The test scenario simulated techniques commonly associated with advanced threat actors and ransomware operations, including process injection, remote service execution, privilege escalation, and credential abuse.

AV-Comparatives highlighted several areas where Fortinet delivered strong operational visibility, including:

• Detection of malicious ‘rundll32.exe’ execution chains
• Visibility into process injection into legitimate browser processes
• Correlation of scheduled-task persistence activity
• Detection of lateral movement and remote payload execution
• Visibility into malicious execution on server systems
• Detailed telemetry supporting threat hunting and investigation workflows

The report specifically noted Fortinet’s “solid visibility for overt malicious execution, service-based staging, and process injection.”

Why Detection Visibility Matters

Modern attacks increasingly evade traditional prevention mechanisms by blending into legitimate tools and user behavior. Security teams, therefore, need more than simple malware blocking—they need rich telemetry, behavioral visibility, and investigative context.

The AV-Comparatives EDR Detection Validation Test reflects this reality by evaluating:

• Alert fidelity
• Threat hunting visibility
• Event correlation
• Operational usability
• Signal-to-noise performance
• Multistage attack reconstruction

Fortinet achieved meaningful detection coverage across the attack chain while maintaining the signal-to-noise ratio required for certification.

Unified Endpoint Security with FortiEndpoint

Although the test was conducted using FortiEDR, customers receive the same validated EDR capabilities through FortiEndpoint as part of Fortinet’s unified endpoint platform approach.

FortiEndpoint combines the following functions into a single unified platform designed to reduce complexity and improve operational efficiency:

• Endpoint protection (EPP)
• Endpoint detection and response (EDR)
• Secure access (ZTNA/VPN)
• Data loss prevention (DLP)
• Vulnerability and posture visibility
• Threat hunting telemetry
• AI-assisted operations

This unified architecture helps organizations:

• Reduce agent sprawl
• Simplify endpoint operations
• Improve visibility across managed endpoints
• Accelerate detection and response workflows
• Lower operational overhead and total cost of ownership

Independent Validation of Fortinet’s Endpoint Vision

This AV-Comparatives certification underscores Fortinet’s ongoing investment in unified endpoint security and advanced detection capabilities. As organizations face increasingly sophisticated attacks, Fortinet remains focused on delivering integrated protection, deep visibility, and efficient security operations through a unified platform.

Read the full AV-Comparatives 2026 EDR Detection Validation report to learn more about the evaluation methodology and Fortinet’s results.

Learn more about Fortinet’s FortiEDR and FortiEndpoint solutions.