Product of the Year 2026 – Recommended security solutions for Windows 10-11 & Windows Server

11 February 2026

Advanced In-The-Wild Malware Test Summary – 2025

The purpose of the Advanced In-The-Wild Malware Test in 2025 is to identify security vendors whose solutions meet the rigorous testing requirements defined by the AVLab Foundation for Cybersecurity. The “Product of the Year 2026” and “TOP Remediation Time 2026” certificates are awarded based on the results of multi-stage tests conducted in conditions that closely reflect real-world user environments.

The “Product of the Year 2026” certificate is granted to solutions that deliver comprehensive protection for Windows and Windows Server systems. The assessment covers the entire attack chain, with particular emphasis on realistic usage scenarios, including interaction with web content, downloading files from untrusted sources, and executing them within the operating system.

The second award, “TOP Remediation Time 2026” focuses on the speed and effectiveness of the response after malware execution. The analysis evaluates the product’s ability to interrupt malicious activity, remove threat components, and restore the system to a secure state. Mechanisms such as automatic neutralization, operating system restart, rollback, and automated data recovery are taken into account.

The Advanced In-The-Wild Malware Test series is characterized by a high level of methodological precision. The tests use real in-the-wild malware samples delivered via common attack vectors, including websites and user-initiated downloads. The objective is to evaluate product behavior under realistic exposure to active, real-world threats.

All tested solutions are evaluated using the manufacturer’s default configuration or, where justified, with additional protection features enabled. Any deviation from the default setup is clearly documented and described in the test report after each edition, ensuring full transparency and repeatability of the results.

The Advanced In-The-Wild Malware Test is conducted in accordance with AMTSO testing guidelines and complies with Microsoft Virus Initiative requirements.

Criteria for Awarding Certificates

To obtain the Product of the Year 2026 certificate, a tested solution was required to meet the following conditions:

  1. Participate in at least three editions of the Advanced In-The-Wild Malware Test (six editions are conducted annually).
  2. Achieve the EXCELLENT certification in all three editions, corresponding to a minimum 99% protection effectiveness* in each test.

To obtain the additional TOP Remediation Time 2026 certificate, the tested solution was required to meet the following condition:

  1. Successfully neutralize 100% of threats in at least three test editions. If the solution was evaluated in more than three editions, the three editions with the highest average Remediation Time performance (i.e., the lowest average Remediation Time values) were taken into account for the final assessment.

*From 2026, we are raising the threshold from 99% to 99.6%, and in the linked article we explain why we are doing this: https://avlab.pl/en/we-are-changing-the-certification-thresholds-in-the-advanced-in-the-wild-malware-test/

What Is This Test? – Key Information

The Advanced In-The-Wild Malware Test is a long-term research initiative designed to evaluate the effectiveness of security solutions in protecting against malware under real-world conditions. The test focuses both on a product’s ability to prevent infections at the threat delivery stage (Web-Layer, Pre-Launch) and on its capability to detect and neutralize attacks after malicious code has been executed in the system (Runtime Defense, Post-Launch). The assessment includes business-grade security solutions, often equipped with advanced EDR/XDR mechanisms, as well as products intended for individual users.

In practice, the test recreates realistic user behavior on a Windows system while browsing the internet, which reflects the most common infection vector. In this scenario, the user may fall victim to social engineering techniques and unknowingly download and execute malicious software, thereby initiating an attack in the Runtime environment.

The test uses real in-the-wild malware samples obtained from active URLs, ensuring a high level of realism and practical relevance for both end users and security vendors. After each edition, detailed technical data are published, covering the effectiveness of threat blocking at the Web-Layer stage, protection response in Runtime, and the time required to detect and neutralize an active attack (Remediation Time). Conducted in a graphical Windows environment, the test also evaluates the ability of products to automatically remediate incidents and restore the system to a secure state after an attack.

Three-Step Analysis Methodology

The test results are based on three consecutive procedures, the first of which involves the selection of malware samples and the analysis of related events and telemetry logs.

Malware samples are continuously collected in the form of active, real-world URLs available on the internet. The samples originate from multiple sources, including public threat intelligence feeds, honeypots, and both closed and open groups on the Telegram messaging platform. This approach allows for the creation of a current and diverse set of real-world threats.

Before being used in the test, each malware sample undergoes a multi-stage technical verification process. One of the key steps involves comparing the SHA-256 checksum against an existing database, which eliminates the risk of re-testing previously analyzed malware.

Subsequently, the samples are analyzed in a Windows environment using hundreds of detection rules based on commonly observed attack techniques, including LOLBins mechanisms. System processes, network communication, Windows registry changes, and other system modifications are closely monitored in order to clearly determine which behaviors confirm the malicious nature of each sample.

Protection Effectiveness Matrix

The graphical placement of individual solutions in the Protection Effectiveness Matrix was developed based on the results achieved in combating malware used in the Advanced In-The-Wild Malware Test, taking into account only those solutions that participated in at least three editions of the test during the year.

The vertical axis reflects the effectiveness of early detection and blocking of threats at the delivery stage, i.e., before the malicious code is launched on the system (Web-Layer Protection, Pre-Launch).

The horizontal axis shows the ability to detect and neutralize threats after the file has been launched in the operating system (Runtime Defense, Post-Launch).

The position of the solution relative to the diagonal line indicates the dominant style of response to threats, i.e., the preference for protection at the Web-Layer stage or the effectiveness of actions taken in the Runtime Defense phase. This classification is based on a long-term analysis of thousands of real malware samples tested throughout the year.

Average Remediation Time – Annual Average Statistics

The Remediation Time (RT) metric is used to determine the time required to detect and effectively neutralize a threat. It is calculated from the moment the malware sample is delivered to the system (Web-Layer Protection: detection, file download or save, and response) until the end of the Runtime Defense phase. This means that the malware can be executed and then subjected to advanced detection and security incident remediation mechanisms.


Remediation Time covers the full range of responses by the protection solution, including blocking access to the file, moving it to quarantine, analyzing it in a sandbox, removing the malicious code, reversing the changes made, and restoring the system to a secure state (Neutralization). For each test edition, the average Remediation Time is calculated based on all malware samples used, which allows for the development of comparable statistics between the tested solutions.

Incident remediation time is expressed in seconds and may vary depending on the security solution configuration, the manufacturer’s architecture and infrastructure, as well as other technical factors.
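As an added illustration of the rules in “Criteria for Awarding Certificates” and of the per-edition Remediation Time averaging described above (example code written for this page, not AVLab’s own tooling), the following Python derives each edition’s protection effectiveness and average RT from constructed per-sample outcomes and then applies the Product of the Year and TOP Remediation Time conditions. The edition data, the outcome labels and the treatment of missed samples are assumptions, not values from any real test report.

```python
from statistics import mean

EXCELLENT_THRESHOLD = 0.99   # 2025 EXCELLENT threshold; the page raises it to 0.996 from 2026
MIN_EDITIONS = 3             # both certificates require results from at least three editions

# Constructed per-edition results, not data from any real test report.
# Each sample is (outcome, remediation_time_seconds): "web" = blocked at the
# Web-Layer before launch, "runtime" = neutralized after execution, "miss" = not stopped.
# Assumption: a missed sample has no Remediation Time and is excluded from the RT average.
VENDOR_RESULTS = {
    "edition_1": [("web", 1.0)] * 185 + [("runtime", 30.0)] * 15,
    "edition_2": [("web", 1.0)] * 190 + [("runtime", 40.0)] * 9 + [("miss", None)],
    "edition_3": [("web", 1.0)] * 195 + [("runtime", 50.0)] * 5,
    "edition_4": [("web", 1.0)] * 180 + [("runtime", 20.0)] * 20,
    "edition_5": [("web", 1.0)] * 150 + [("runtime", 60.0)] * 50,
}

def edition_stats(samples):
    """Protection effectiveness and average Remediation Time for one edition."""
    stopped = [rt for outcome, rt in samples if outcome != "miss"]
    return {
        "protection": len(stopped) / len(samples),
        "neutralized_all": len(stopped) == len(samples),
        "avg_rt": mean(stopped) if stopped else None,
    }

def product_of_the_year(results, threshold=EXCELLENT_THRESHOLD):
    """Eligible when the vendor entered at least MIN_EDITIONS editions and every
    entered edition reached EXCELLENT (protection >= threshold); the page's
    "all three editions" wording is read here as every edition entered."""
    stats = [edition_stats(s) for s in results.values()]
    return len(stats) >= MIN_EDITIONS and all(st["protection"] >= threshold for st in stats)

def top_remediation_time(results):
    """Annual average RT over the three fastest editions with 100% neutralization,
    or None when fewer than three editions qualify."""
    qualifying = sorted(
        st["avg_rt"]
        for st in (edition_stats(s) for s in results.values())
        if st["neutralized_all"]
    )
    if len(qualifying) < MIN_EDITIONS:
        return None
    return mean(qualifying[:MIN_EDITIONS])

if __name__ == "__main__":
    print("Product of the Year (99%):  ", product_of_the_year(VENDOR_RESULTS))
    print("Product of the Year (99.6%):", product_of_the_year(VENDOR_RESULTS, 0.996))
    print("TOP Remediation Time avg RT:", top_remediation_time(VENDOR_RESULTS))
```

With the constructed data, edition_2 (one miss, 99.5% protection) passes the 2025 threshold but fails the 2026 one, and it is also left out of the TOP Remediation Time average because it did not neutralize 100% of threats.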

Read Full Report:

“Product of The Year 2026”

and Additional TOP Remediation Time 2026 certificates

Based on Advanced in-the-wild malware test in 2025

Read more about the Advanced In-The-Wild Malware Test
