惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

aimingoo的专栏
aimingoo的专栏
V
V2EX
G
Google Developers Blog
F
Full Disclosure
Martin Fowler
Martin Fowler
宝玉的分享
宝玉的分享
H
Hacker News: Front Page
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
NISL@THU
NISL@THU
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
Hacker News - Newest:
Hacker News - Newest: "LLM"
A
About on SuperTechFans
The Cloudflare Blog
C
Cisco Blogs
D
DataBreaches.Net
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
P
Privacy International News Feed
Microsoft Security Blog
Microsoft Security Blog
Help Net Security
Help Net Security
Recorded Future
Recorded Future
PCI Perspectives
PCI Perspectives
S
Schneier on Security
AI
AI
N
News | PayPal Newsroom
雷峰网
雷峰网
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
L
LINUX DO - 最新话题
Hugging Face - Blog
Hugging Face - Blog
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
S
Securelist
云风的 BLOG
云风的 BLOG
Stack Overflow Blog
Stack Overflow Blog
博客园_首页
AWS News Blog
AWS News Blog
TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Recent Commits to openclaw:main
Recent Commits to openclaw:main
博客园 - 三生石上(FineUI控件)
C
CXSECURITY Database RSS Feed - CXSecurity.com
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Cloudbric
Cloudbric
C
Cybersecurity and Infrastructure Security Agency CISA
Project Zero
Project Zero
C
Check Point Blog
S
Security Affairs

Business Insights

Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR Bitdefender Threat Debrief | July 2026 Trust Under Attack: How Deepfakes Are Rewriting Cybercrime Your AI SOC Won’t Catch Ransomware by Itself 2026 Cybersecurity Assessment: The Gap Between Knowing and Doing Your Last Red Team Tested the Wrong Attack MSP Strategic Defense: Why MDR Is the New Security Baseline for MSPs Technical Advisory: FortiBleed Credential Exposure Campaign Targeting Internet-Facing Fortinet Devices Bitdefender Recognized in the 2026 Gartner® Europe Context: Magic Quadrant™ for Endpoint Protection CISA Mandates Change for Structured, Prioritized Updates and Vulnerability Management Claimed Twice: Five Reasons the Same Ransomware Victim Shows Up Under Two Flags What’s New in GravityZone June 2026 (v 6.74) Bitdefender Threat Intelligence: Built for How Security Teams Work Bitdefender Threat Debrief | June 2026 Cut Complexity in Half While Reducing Risk Across Your Endpoint Environment Bitdefender Named a Visionary in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection How Leading Organizations Turn EDR Into Operational Resilience Bitdefender Supports Ferrari Through Cybersecurity Built on Trust Bitdefender at Infosecurity Europe 2026: Staying Ahead of Faster Threats Endpoint Detection & Response Is Table Stakes Security Operation Saffron: Bitdefender Joins “First VPN” Takedown MSP Strategic Defense: Why Dual-Layer Email Security (SEG + API) Is Now Essential FamousSparrow APT Targets Azerbaijani Oil and Gas Industry Bitdefender Threat Debrief | May 2026
Bitdefender GravityZone: 100% Telemetry in AV-Comparatives 2026 EDR Test
Richard De La Torre · 2026-05-15 · via Business Insights

Bitdefender GravityZone Business Security Enterprise recorded 100% relevant telemetry across all 14 attack steps during our inaugural participation in AV-Comparatives’ EDR Detection Validation Certification Test, published May 2026. Bitdefender was the only certified product to achieve complete chain-of-attack visibility.

edr-detection-test-1

The results reflect Bitdefender’s research-led prevention architecture which is also applied to detection: when defensive layers are built to understand the attack surface before exploitation, the same behavioral models that prevent attacks also surface them when operating in detection-only mode.

What Are Key results of the 2026 AV-Comparatives EDR Detection Validation Certification Test?

  • Bitdefender recorded relevant telemetry across all 14 attack steps in the test scenario, the only product to achieve 100% visibility among the 9 certified products.
  • Bitdefender alerted on 11 of 14 attack steps (Active Response), tied for highest in the cohort with Palo Alto and ESET.
  • Combined detection coverage (alert or telemetry): 14 of 14 attack steps – full visibility across the intrusion chain.
  • Signal-to-Noise: 1 false alert across 5 benign-activity scenarios, well under the certification threshold of 3.
  • Alert correlation: 245 alerts consolidated into 3 incidents, reducing analyst workload through automated cross-stage correlation.
Source: Bitdefender report, AV-Comparatives EDR Detection Validation Certification Test 2026.

How Was the 2026 AV-C EDR Certification Test Conducted?

The evaluation used a 14-step attack scenario inspired by APT29 (Cozy Bear), APT41 (Winnti), APT27 (Emissary Panda), APT10 (Stone Panda), and FIN7 (Carbanak) tactics. AV-Comparatives’ EDR Detection Validation Certification Test measures how completely endpoint detection and response (EDR) platforms surface attack activity across a multi-stage intrusion. Bitdefender GravityZone Business Security Enterprise finished first among the nine certified products evaluated.

The scenario covered initial access via a spearphishing link, persistence through scheduled-task masquerading, credential access (Kerberoasting, an attack targeting service account credentials by requesting Kerberos tickets, and DCSync, a technique that mimics domain-controller replication to extract password hashes), lateral movement across three systems (WS01 → FS01 → DC01), privilege escalation, and command-and-control through a live C2 framework with redirector infrastructure on Azure (a proxy infrastructure masking the attacker’s actual server to evade detection).

All products were configured in detection-only mode, meaning no blocking or prevention capabilities were active.

The test isolates detection visibility – what the product sees and reports to analysts – from prevention quality. AV-Comparatives’ separate EPR Test covers prevention effectiveness. It’s no accident that Bitdefender GravityZone was the only vendor platform to achieve 100% prevention in the initial attack phase during the EPR Test for 2025. This year’s certification test focuses exclusively on whether the product gives analysts enough visibility to reconstruct what happened.

edr-detection-test-2

Two metrics determine the result:

  • Active Response (alerting): Does the product generate an alert for this attack step?
  • Telemetry (threat-hunting visibility): Does the product record enough event data and forensic logs that an analyst could reconstruct this attack step during investigation, even without an alert?

A separate Signal-to-Noise assessment tests whether the product generates false alerts on benign administrative activity. For full methodology detail, see the published test report.

Full Results Table

The following table consolidates Active Response, Telemetry, and Signal-to-Noise results across all 9 certified products in AV-Comparatives’ the 2026 EDR Detection Validation Certification Test. AV-Comparatives publishes per-vendor reports for this certification test; this view merges them for cross-vendor comparison.

Source: AV-Comparatives EDR Detection Validation Certification Test 2026 individual vendor reports. Table compiled by Bitdefender. Cohort median computed from published scores.

Results in Context

In the 2026 AV-Comparatives’ EDR Detection Validation Certification Test, Bitdefender was the only certified product to record relevant telemetry across every step of a 14-stage attack chain.

The result reflects Bitdefender’s prevention-first posture applied to detection.

Prevention-first architecture means understanding the attack surface and emerging-attack patterns through sustained research, then building defensive layers for those attacks before they appear in the wild.

AV-Comparatives noted Bitdefender’s visibility across the intrusion chain explicitly. The lateral-movement stage (Step 11, compromising DC01 via WinRM) was cited as “one of the strongest parts of the evaluation,” with detections tying remote execution to privileged account context through WinRM, PowerShell, AMSI (Antimalware Scan Interface, a Windows telemetry hook that intercepts script content before execution), and wsmprovhost.exe (the Windows Remote Management process host) activity.

The DCSync credential-theft technique (Step 14) demonstrates the telemetry-depth advantage. DCSync mimics domain-controller replication to extract password hashes – a technique that leaves minimal forensic traces because it uses legitimate domain-controller protocols. Bitdefender did not generate an alert on Step 14 but surfaced the activity through telemetry: domain-controller replication detections mapped directly to the DCSync attempt, giving analysts enough context to reconstruct what happened. When replication traffic originates from a non-domain-controller system in an unusual user context, that’s detectable – if the product is recording the right data.

edr-detection-test-3

Bitdefender consolidated 245 alerts into 3 incidents through automated correlation. Alert volume alone is not a quality signal; what matters is whether an analyst can reconstruct the attack without manually stitching together hundreds of disconnected events. Three incidents for a 14-step intrusion spanning three systems demonstrates analyst-workload efficiency.

Resources

For the full Bitdefender report, including stage-by-stage detection breakdowns and alert-correlation details, see the published certification document.

You can also learn more about the Bitdefender GravityZone platform.