For security operations teams, the efficacy of your endpoint detection and response (EDR) solution is not just about collecting data, it's about receiving timely and actionable intelligence that enables rapid response. In a landscape of sophisticated adversaries, actively detecting and attributing malicious activity at every attack stage is paramount. Equally critical is an EDR's resilience against attempts by attackers to disable or manipulate the endpoint agents.
That's why our results in the AV-Comparatives EDR Detection Validation Test 2025 and the AV-Comparatives Anti-Tampering Certification Test 2025, both conducted in May 2025, provide crucial, unbiased insights. These rigorous evaluations put leading EDR solutions through comprehensive attack scenarios designed to mimic real-world threats. Products are assessed for their ability to identify techniques in "detection-only mode" and, separately, for their anti-tampering capabilities.
We're excited to share that among endpoint security market leaders¹, Palo Alto Networks was the only vendor certified in both of these rigorous tests! A deeper dive into the results reveals that Cortex XDR didn't just pass; it consistently demonstrated a far more proactive and explicit active detection capability than the other vendors that participated in the tests. This dual certification provides an unparalleled level of confidence in both its detection capabilities and its foundational resilience.
How AV-Comparatives' Methodology Connects to Real-World Security Operations
AV-Comparatives' EDR Detection Validation goes beyond simple malware blocking. It simulates a 12-step attack chain, inspired by advanced persistent threats, and assesses how well each EDR detects the individual attack steps and techniques.
While all products are tested in detection-only mode, the philosophy behind each vendor's configuration for optimal detection varies significantly. The reports for some vendors note that their product had to be set to an "Extra Aggressive" mode (Source [1]) to achieve their results. Such aggressive postures, while useful for a pure detection validation test, are often impractical in real-world environments because of the overwhelming volume of false positives they can generate, leading to severe alert fatigue and reduced operational efficiency. In contrast, Cortex XDR demonstrated its superior detection capabilities with a configuration that is realistic for a production environment.
AV-Comparatives wrote: "The solution demonstrated solid detection capabilities across key phases of the attack simulation." We are the only vendor for which such a strong conclusion was drawn (Source [2]).
The Critical Role of Anti-Tampering
Detection is only part of the equation. A strong EDR must also resist adversaries' attempts to disable or modify its functionality. This test rigorously attempts to disable or modify EDR components and capabilities. It's vital to note AV-Comparatives' strict policy: "Certification reports are published only for vendors who achieved the certification." (Source [3]). This means that products that undergo the test but fail to meet the anti-tampering requirements do not have their reports publicly released; those vendors receive private feedback instead. In this demanding Anti-Tampering test, Cortex XDR earned the "APPROVED Anti-Tampering" certification, successfully protecting against all tested tampering attacks.
A Closer Look at Cortex XDR’s Active Detection Performance
What This Means for Your Security Operations Team
Cortex XDR presented all phases of the attack information in a human-readable and easy-to-understand format. Related alerts were automatically grouped into a single incident for straightforward investigation, and detailed events were always easily accessible through a causality chain. Unlike other top-tier vendors' products, where analysts had to sift through raw logs and events to hunt for the threat manually, Cortex XDR does the hunting for you. This unique capability significantly reduces alert fatigue and accelerates incident response.
The test involved sophisticated techniques, such as using legitimate tools (powershell.exe, WMIC, services.exe) for malicious purposes and stealthy persistence mechanisms. Cortex XDR's success in detecting these activities means the security operations team has a powerful tool to catch modern, fileless, and "living off the land" attacks that often bypass traditional security solutions.
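As an added illustration of the two capabilities described above (causality-chain grouping and detection of living-off-the-land tool use), the following Python example is not Cortex XDR code and not taken from the AV-Comparatives report. It runs over a constructed set of process-creation events, flags suspicious parent/child relationships involving powershell.exe, wmic.exe and services.exe, reconstructs each alert's causality chain, and groups alerts that share an ancestor into one incident. The event fields, LOLBin list and detection rules are assumptions chosen for the example.

```python
"""
Added example (not Cortex XDR's implementation): correlate constructed
process-creation telemetry into causality chains and incidents, flagging
living-off-the-land (LOLBin) usage along the way.
"""
from collections import defaultdict

# Constructed sample telemetry: (timestamp, pid, ppid, image, command line).
# The Office-launched wmic -> powershell chain is the pattern we expect to catch;
# services.exe -> svchost.exe is included as benign noise.
EVENTS = [
    (1, 100, 1,   "explorer.exe",   "explorer.exe"),
    (2, 200, 100, "winword.exe",    "winword.exe invoice.docm"),
    (3, 300, 200, "wmic.exe",       "wmic process call create powershell -nop -w hidden -enc AAAA"),
    (4, 400, 300, "powershell.exe", "powershell -nop -w hidden -enc AAAA"),
    (5, 500, 1,   "services.exe",   "services.exe"),
    (6, 600, 500, "svchost.exe",    "svchost.exe -k netsvcs"),
    (7, 700, 100, "notepad.exe",    "notepad.exe"),
]

# Assumed lists: LOLBins worth scrutinising, Office parents, and PowerShell
# flags commonly associated with evasion. Tune these to your environment.
LOLBINS = {"powershell.exe", "wmic.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop")
EXPECTED_SERVICES_CHILDREN = {"svchost.exe"}


def build_tree(events):
    """Index events by pid and record parent -> children links."""
    by_pid = {e[1]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[2]].append(e[1])
    return by_pid, children


def causality_chain(by_pid, pid):
    """Walk parent pointers up to the root; returns (pids, images) root-first."""
    pids, images = [], []
    while pid in by_pid:
        pids.append(pid)
        images.append(by_pid[pid][3])
        pid = by_pid[pid][2]
    return list(reversed(pids)), list(reversed(images))


def detect(events):
    """Apply the parent/child and command-line rules; return one alert per hit."""
    by_pid, _ = build_tree(events)
    alerts = []
    for ts, pid, ppid, image, cmdline in sorted(events):
        parent_image = by_pid[ppid][3] if ppid in by_pid else None
        low = cmdline.lower()
        reasons = []
        if image in LOLBINS and parent_image in OFFICE_APPS:
            reasons.append(f"{parent_image} spawned {image}")
        if image in LOLBINS and parent_image == "wmic.exe":
            reasons.append(f"wmic.exe spawned {image}")
        if image == "powershell.exe" and any(f in low for f in SUSPICIOUS_FLAGS):
            reasons.append("powershell with evasive flags")
        if parent_image == "services.exe" and image not in EXPECTED_SERVICES_CHILDREN:
            reasons.append("unexpected child of services.exe")
        if reasons:
            chain_pids, chain_images = causality_chain(by_pid, pid)
            alerts.append({"ts": ts, "pid": pid, "image": image, "reasons": reasons,
                           "chain_pids": chain_pids, "chain": chain_images})
    return alerts


def group_into_incidents(alerts):
    """Merge alerts whose causality chain passes through an already-alerted pid.

    Alerts are processed in time order, so a parent's alert always exists before
    its descendants' alerts are considered.
    """
    incidents = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ancestors = set(a["chain_pids"])
        for inc in incidents:
            if inc["pids"] & ancestors:
                inc["pids"].add(a["pid"])
                inc["alerts"].append(a)
                break
        else:
            incidents.append({"pids": {a["pid"]}, "alerts": [a]})
    return incidents


if __name__ == "__main__":
    for inc in group_into_incidents(detect(EVENTS)):
        print("Incident:", " -> ".join(inc["alerts"][-1]["chain"]))
        for a in inc["alerts"]:
            print("  ", a["image"], "|", "; ".join(a["reasons"]))
```

Run stand-alone, the script produces a single incident whose chain reads explorer.exe -> winword.exe -> wmic.exe -> powershell.exe, with the benign services.exe -> svchost.exe and notepad.exe events generating no alerts. Grouping by shared ancestry is what turns two raw detections into one investigable unit; in practice you would also carry the underlying events (network, file, registry) into the same incident record.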
Learn more about how Cortex XDR delivers the world's most effective endpoint security, stopping complex attacks that other endpoint solutions miss.
References:
¹ Market leader is defined as a vendor named a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms.
² On the Cortex Platform, alerts are called issues, and incidents are called cases.
Source [1]: https://www.av-comparatives.org/wp-content/uploads/2025/06/EDR_Detection_CrowdStrike_2025.pdf
Source [3]: https://www.av-comparatives.org/wp-content/uploads/2025/04/avc_tampering_2025_PaloAlto.pdf