Cortex XDR: Once, Twice, Three Times a Leader

Oct 25, 2022


Cortex XDR Named a Strategic Leader in the 2022 AV-Comparatives Endpoint Prevention and Response Test

For the third year in a row, AV-Comparatives has named Cortex XDR a Strategic Leader in its Endpoint Prevention and Response (EPR) test. We were thrilled to participate in one of the world's most comprehensive endpoint security evaluations, and we are honored to achieve a Strategic Leader rating, the highest rating available, in the AV-Comparatives EPR CyberRisk Quadrant.

In this year's test, Cortex XDR outperformed the field, blocking 100% of the 50 attack scenarios by Phase 2 of the multi-phase evaluation and thereby stopping every attack before it reached Phase 3, the asset breach phase. Cortex XDR also achieved one of the lowest total cost of ownership (TCO) scores, a result of its prevention, detection, and response capabilities combined with low operational and workflow costs.


MITRE ATT&CK Techniques in the EPR Test

The AV-Comparatives EPR test simulated realistic attack sequences using adversary techniques cataloged in the MITRE ATT&CK Matrix for Enterprise. The techniques AV-Comparatives performed as part of its attack scenarios are highlighted in green in the accompanying matrix graphic; for more information, see the magnified view of the ATT&CK tactics and techniques used in the test.

The MITRE ATT&CK Enterprise Matrix codifies the tactics, techniques, and procedures (TTPs) observed in real attacks by the world's most dangerous adversaries. It helps security teams classify threats, attribute attacks and identify their objectives, and assess an organization's risk.

Independent tests built on the ATT&CK knowledge base, such as the AV-Comparatives EPR test and the MITRE ATT&CK Evaluations, provide invaluable insight into security efficacy. They assess the ability to stop advanced TTPs, not simply malware files. Because real-life attacks usually involve multiple steps rather than a single malicious file, assessments like the AV-Comparatives EPR test give a more complete picture of endpoint security effectiveness than file-based tests alone.

Cortex XDR EPR Test Highlights

The AV-Comparatives EPR Test pitted 10 endpoint security vendors against one another in a thorough and rigorous evaluation of detection, prevention, and response capabilities. The evaluation consisted of 50 separate targeted attack scenarios and each scenario included three phases: 

  1. Endpoint compromise and foothold 
  2. Internal propagation 
  3. Asset breach 

At each stage, AV-Comparatives assessed whether each product blocked (active response) or detected (passive response) adversary techniques.

Cortex XDR actively blocked 45 of the 50 scenarios (90%) in the first phase of the evaluation and detected 47 of the 50 (94%). In the second phase it blocked the remaining scenarios that had not been stopped in the first, so all 50 scenarios were halted before the asset breach phase, for a cumulative response rate of 100%. Averaged across the three phases, that yields a 96.7% total active response score and a 98% total passive response score.
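The arithmetic behind those figures is easy to lose in prose, so here is an added worked example (written for this page, not code from AV-Comparatives or Palo Alto Networks) of how a three-phase active/passive scorecard rolls up. It assumes that each phase's rate is measured cumulatively over all 50 scenarios, which is the reading under which 90%, 100% and 100% average to 96.7% and 94%, 100% and 100% average to 98%. The per-scenario outcomes are constructed to reproduce the totals quoted above; the real per-scenario data exists only in the AV-Comparatives report.

```python
"""EPR-style scoring for multi-phase attack scenarios (illustrative only).

Assumption: each phase's active (blocked) and passive (detected) rate is the
cumulative fraction of all scenarios stopped or seen by the end of that phase.
The scenario outcomes below are CONSTRUCTED to match the totals quoted in the
post, not taken from the AV-Comparatives report.
"""
from dataclasses import dataclass

# The three phases every scenario walks through, in order.
PHASES = ("compromise_and_foothold", "internal_propagation", "asset_breach")
SCENARIO_COUNT = 50


@dataclass(frozen=True)
class Outcome:
    """Product response to one phase of one scenario."""
    blocked: bool   # active response: the technique was stopped
    detected: bool  # passive response: the technique was at least reported


def build_constructed_scenarios():
    """Return {scenario_id: [Outcome per phase actually executed]}.

    A scenario stops as soon as it is blocked, so the list is shorter than
    len(PHASES) whenever the product intervenes early.
    """
    scenarios = {}
    for i in range(1, SCENARIO_COUNT + 1):
        if i <= 45:
            phase1 = Outcome(blocked=True, detected=True)    # stopped at foothold
        elif i <= 47:
            phase1 = Outcome(blocked=False, detected=True)   # seen, not stopped
        else:
            phase1 = Outcome(blocked=False, detected=False)  # missed in phase 1
        phases = [phase1]
        if not phase1.blocked:
            # Constructed: everything that survived phase 1 is blocked in phase 2,
            # so nothing reaches the asset breach phase.
            phases.append(Outcome(blocked=True, detected=True))
        scenarios[f"scenario-{i:02d}"] = phases
    return scenarios


def responded_by_phase(outcomes, key, phase_idx):
    """True if the product blocked/detected (per key) at or before phase_idx."""
    return any(getattr(o, key) for o in outcomes[:phase_idx + 1])


def cumulative_rates(scenarios, key):
    """Per-phase cumulative response rate over the whole scenario set."""
    total = len(scenarios)
    return [
        sum(responded_by_phase(outs, key, p) for outs in scenarios.values()) / total
        for p in range(len(PHASES))
    ]


def average_rate(rates):
    """The 'total score average across all three phases' figure."""
    return sum(rates) / len(rates)


def breached(scenarios):
    """Scenario ids never blocked in any phase, i.e. those that reached breach."""
    return sorted(
        sid for sid, outs in scenarios.items()
        if not responded_by_phase(outs, "blocked", len(PHASES) - 1)
    )


if __name__ == "__main__":
    data = build_constructed_scenarios()
    for key in ("blocked", "detected"):
        rates = cumulative_rates(data, key)
        print(key, [f"{r:.1%}" for r in rates], f"avg {average_rate(rates):.1%}")
    print("reached asset breach:", breached(data) or "none")
```

The useful habit this encodes is to keep the per-scenario, per-phase record and derive the headline percentages from it, rather than the other way round: a single "90%" hides whether the misses were detected-but-not-blocked (recoverable by a SOC) or invisible, and only the cumulative view tells you whether anything actually reached the asset breach phase.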

The Cortex XDR agent integrates with the Palo Alto Networks WildFire malware prevention service to block known malware using threat intelligence and to analyze unknown files with WildFire's cloud-based malware analysis. If WildFire determines that an unknown file is malicious, Cortex XDR terminates the process that executed it. This additional analysis increases Cortex XDR's passive response rate, but the AV-Comparatives EPR results do not fully reflect it, because the WildFire verdict may arrive after execution, which is the point at which AV-Comparatives measured response.

According to the AV-Comparatives EPR report, “Palo Alto Networks Cortex XDR Pro did well at handling threats that are targeted towards enterprise users, in particular before the threats could progress inside and infiltrate the organisation’s network.” In addition, the EPR report states that Cortex XDR “offers the ability to create different sets of behavioural rules, and good triaging ability for multiple users to collaborate on any given threat scenario at the same time,” and it “has good mapping to MITRE’s TTPs [tactics, techniques, and procedures], thus providing low-level SOC analysts with the data needed to investigate further and escalate when necessary.”

Get the Report Today!

We were happy to participate in the 2022 AV-Comparatives EPR Test and showcase our commitment to providing best-in-class security that starts at the endpoint and expands to protect all assets with extended detection and response (XDR).

To see how we stacked up against the competition, download the 2022 AV-Comparatives EPR Comparative Report. You can also check out the Palo Alto Networks Cortex XDR Product Validation Report for a deep dive into our individual results.

