Detailed EDR-XDR Solutions Overview 2025, Edition 3rd

13 June 2025

A word of introduction

The growing number of network-connected devices and widespread access to AI language models leave organizations constantly exposed to cyberattacks and to the consequences of careless employees. What is more, cybercriminals' access to widely popular AI technologies means that even the sophisticated protection methods implemented by defenders are not always sufficient to fend off current threats, which exploit the ignorance of insufficiently trained employees, weaknesses and vulnerabilities in operating systems, and misconfigured cloud application environments.

EDR and XDR-class solutions require systematic testing to assess how they perform in real attack situations. Simulating offensive cyberattacks gives a more complete picture of what an organization's security managers can expect from a product when it meets real-world threats.

The importance of using EDR-XDR 

EDR (Endpoint Detection and Response) and XDR (eXtended Detection and Response) solutions grew out of multi-layered endpoint protection. Their role is to monitor operating systems and cloud applications in real time. They take real-time and retrospective threat hunting to the next level, making it possible to spot the subtle signs of compromised workstations. For any company, using this type of product means receiving more useful information from all endpoints, which helps protect the entire business from the aftermath of cyberattacks. EDR-XDR improves access to technical information from across the infrastructure, and insight into detailed attack telemetry gives a broader perspective on what is happening at endpoints in real time.

Attacks visibility in telemetry

Having recorded at least residual information about a potential security incident, it is possible to reconstruct the events that took place in the analyzed environment. Thanks to their correlation and automation functions, system and application monitoring solutions clearly support the IT staff responsible for security operations. With them, a team of experts can verify what the attacker did in the system and when, which processes and applications were involved, which user accounts were used, and so on. Together, all of this forms an incident graph and reveals what the attacker targeted.

The broader the scope of data and system monitoring, the easier it is to reconstruct the attacker's intentions. It also becomes easier to tune the security product to the organization's specific requirements, so that it responds better to incidents and minimizes their detrimental impact on business operations. The value of these defensive technologies also stems from their deep integration with the IT infrastructure, which makes it possible to separate so-called system noise from real indicators of a security incident.
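The telemetry correlation described above, as an added example that is not part of the report or of any tested product: it rebuilds an incident graph (the process chain around an alert, the accounts it used, and the sibling processes that are only system noise) from constructed sample events in a hypothetical export format.

```python
from collections import defaultdict

# Constructed sample telemetry in a hypothetical export format (not any
# vendor's schema): (time, pid, parent_pid, user, image, note).
EVENTS = [
    ("09:00:01", 100,   1, "SYSTEM", "explorer.exe",   "shell"),
    ("09:01:10", 200, 100, "alice",  "winword.exe",    "opened invoice.docm"),
    ("09:01:15", 201, 100, "alice",  "chrome.exe",     "browsing"),      # noise
    ("09:01:20", 300, 200, "alice",  "powershell.exe", "hidden window"), # alert
    ("09:01:25", 400, 300, "alice",  "rundll32.exe",   "unsigned module"),
    ("09:01:30", 500, 400, "admin",  "cmd.exe",        "account discovery"),
    ("09:02:00", 202, 100, "alice",  "outlook.exe",    "mail"),          # noise
]

def build_tree(events):
    """Index events by pid and by parent pid so the chain can be walked both ways."""
    by_pid = {e[1]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e[2]].append(e[1])
    return by_pid, children

def ancestry(by_pid, pid):
    """Follow parent links from the alerting process up to the root, oldest first."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid][2]
    return chain[::-1]

def descendants(children, pid):
    """Every process spawned, directly or indirectly, below pid (sorted by pid)."""
    found, stack = [], [pid]
    while stack:
        cur = stack.pop()
        for child in children.get(cur, []):
            found.append(child)
            stack.append(child)
    return sorted(found)

def incident_graph(events, alert_pid):
    """Return the full chain around one alert, the accounts it used,
    and the sibling processes that are just system noise."""
    by_pid, children = build_tree(events)
    chain = ancestry(by_pid, alert_pid)
    chain += [by_pid[p] for p in descendants(children, alert_pid)]
    in_chain = {e[1] for e in chain}
    return {
        "chain": [f"{e[0]} {e[4]} ({e[3]}): {e[5]}" for e in chain],
        "accounts": sorted({e[3] for e in chain}),
        "noise": [e[4] for e in events if e[1] not in in_chain],
    }
```

Calling `incident_graph(EVENTS, 300)` walks from the alerting `powershell.exe` back to the document that spawned it and forward to every child, which is the reconstruction the text describes.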

Two-level certification

Advances in workstation monitoring and protection technologies allow for more sophisticated analysis and detailed visibility of incidents. Solutions are tested and certified based on attack visibility in telemetry.

Attacks Visibility in Telemetry GOLD AWARD 2025

Solutions that achieved full visibility of attacks in telemetry.

Attacks Visibility in Telemetry CERTIFIED 2025

Solutions that featured at least partial visibility of each attack in telemetry.

Which solutions have we tested?

Most EDR-XDR solutions come with an antivirus agent. We kept it enabled so that the tests reflect what an administrator sees in production. Antivirus agent policies were usually left at their defaults or given additional settings for more detailed telemetry. For solutions that required a predefined agent policy configuration, we chose the most hardened settings in order to understand the attack chain and the telemetry, which was also the goal of the test.

Tested vendors and their specific agent configuration:

Bitdefender GravityZone XDR

Configuration: Policy Default and also:

  • Ransomware Mitigation Enabled
  • Sandbox Analyzer Enabled (Automatic sample submission from managed endpoints – Monitoring Mode) + Scripts scanning
  • Intrusion Detection System (IDS) Enabled (Normal Mode)
  • Risk Management Enabled
  • Live Search Enabled for all features

Check Point Harmony Endpoint Advanced + EDR

  • Web & Files Protection all settings on Prevent mode
  • Behavioral Protection all settings on Prevent mode
  • All remediation security alerts enabled
  • Analysis & Remediation – Protection mode as “Always”, Enable Threat Hunting as “On”, Attack Remediation as “Always”.

Cisco AMP + XDR

  • Security Policy Default (Quarantine Threats) for all features

Elastic Security XDR

  • Default Policy + Complete XDR configuration

Metras

  • Default Policy

ThreatDown + EDR

  • Policy Default + EDR + Enable Event Tracing for Windows

Sophos Intercept X Advanced + XDR

  • Policy Default + Complete XDR

WithSecure Elements EDR

  • Policy Default + XDR

Xcitium XDR

  • MDR Policy + agent configuration "Windows 8.1 Default" for all features

Download Full Report

Simulation of offensive fileless attacks taking into account incident visibility in telemetry.