
MITRE ATT&CK Matrix™

Carbon Black earns highest marks for detecting threats with speed, confidence and predictability


Carbon Black Outperforms All Other EDR Solutions in MITRE ATT&CK™ Evaluation

MITRE’s public evaluation of endpoint detection and response (EDR) products demonstrated why Carbon Black is a top choice of security and IT professionals, showcasing how Carbon Black detects sophisticated attacks quickly, so teams can respond confidently.

This test was based on MITRE’s popular ATT&CK framework and represents a new approach to EDR testing: open, sophisticated, rigorous, and reflective of the real world.

In the first test, which mirrored the tactics, techniques and procedures of APT3, Carbon Black demonstrated strong results that set us apart from the rest of the security products tested. Carbon Black showed:

  • Speed: Zero delayed detections, so you can respond faster before the attack gets worse
  • Confidence: Zero tainted detections, so a step is detected on its own merits rather than only because an earlier step in the same chain had already been flagged, and threats will still be detected as attackers change tactics
  • Predictability: Zero reliance on humans in the loop, so you know detections will not be subject to human error

Primary Findings

The following table shows a summary of the results of Carbon Black's MITRE ATT&CK evaluation.

Legend: Detected, Not Detected, Tainted/Delayed, Not Tested

Techniques exercised in the evaluation, grouped by ATT&CK tactic (the per-technique result colouring is in the original matrix image):

  • Execution: Command-Line Interface, Execution through API, Graphical User Interface, PowerShell, Rundll32, Scheduled Task, Scripting, Service Execution, User Execution
  • Persistence: Accessibility Features, Create Account, New Service, Registry Run Keys / Startup Folder, Scheduled Task, Valid Accounts
  • Privilege Escalation: Access Token Manipulation, Accessibility Features, Bypass User Account Control, New Service, Process Injection, Scheduled Task, Valid Accounts
  • Defense Evasion: Access Token Manipulation, Bypass User Account Control, File Deletion, File Permissions Modification, Masquerading, Network Share Connection Removal, Process Injection, Rundll32, Scripting, Valid Accounts
  • Credential Access: Brute Force, Credential Dumping, Credentials in Files, Input Capture
  • Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Service Discovery
  • Lateral Movement: Remote Desktop Protocol, Remote File Copy, Windows Admin Shares
  • Collection: Clipboard Data, Data Staged, Data from Network Shared Drive, Input Capture, Screen Capture
  • Exfiltration: Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel
  • Command and Control: Commonly Used Port, Data Encoding, Multiband Communication, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol
 

Key Takeaways


Speed: Zero Delayed Detections

Many vendors had delayed detections, which is what MITRE records when the product does not surface the activity in real time or near-real time. Hours may pass while events are shipped out-of-band for human or machine analysis before a detection appears. Delayed detections give attackers more time to spread through your environment and compromise additional systems.

Carbon Black had no delayed detections, so when events happen you’ll be responding much faster — in minutes instead of hours.


Confidence: Zero Tainted Detections

While many vendors did about the same in coverage, not all coverage is equal. Dig one layer deeper into the results and you’ll see that many vendors’ detections were tainted, meaning a step was detected only because an earlier step in the same chain (e.g., the initial PowerShell process) had already been flagged and the later activity inherited that suspicion, rather than being detected on its own. The risk is that if the attacker uses a different initial approach, the later detection may not happen at all.

Carbon Black had zero tainted detections, meaning we will still detect the same events even as attackers change their tactics.


Predictability: Zero Humans in the Loop

Other vendors — especially newer next-gen security providers — have an over-reliance on a human element in the process. While it’s important to have people involved, requiring them for basic detection can introduce human error and delay. This just doesn’t scale.

Carbon Black had no humans in the loop during this evaluation. Every detection was produced automatically through the native product, without requiring a person to see, investigate, and send a note about it.
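As an added example (not Carbon Black's or MITRE's code), the following Python scores a constructed set of detection records the way the legend and the three takeaways above describe: each attacker step becomes Detected or Not Detected, with Delayed, Tainted and Human modifiers, and a coverage function fills in Not Tested for listed techniques that no step exercised. The delay threshold, the record fields, the step identifiers and the sample timeline are assumptions, and MITRE's own scoring differs in detail. The `without_step` function shows the risk named under Confidence: when the attacker drops the PowerShell step, the tainted persistence detection disappears with it, while the standalone credential-dumping detection survives.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed cut-off for a "delayed" detection; the page gives no number for this.
DELAY_LIMIT = timedelta(minutes=5)


@dataclass(frozen=True)
class Step:
    """One attacker step of the emulation (step ids are constructed, not MITRE's)."""
    step_id: str
    tactic: str
    technique: str
    executed_at: datetime


@dataclass(frozen=True)
class Detection:
    """One product detection.  source: 'sensor' = produced by the product alone,
    'analyst' = a human had to see and report it.  derived_from: step_id of an
    earlier detection this one depends on (e.g. child of an already-flagged
    PowerShell process); a non-empty value is what makes a detection tainted."""
    step_id: str
    detected_at: datetime
    source: str = "sensor"
    derived_from: Optional[str] = None


def classify(step: Step, dets: List[Detection]) -> Tuple[str, FrozenSet[str]]:
    """Score one step as ('Detected' | 'Not Detected', modifiers from
    {'Delayed', 'Tainted', 'Human'}), judged on the earliest detection of it."""
    own = sorted((d for d in dets if d.step_id == step.step_id), key=lambda d: d.detected_at)
    if not own:
        return "Not Detected", frozenset()
    first = own[0]
    mods = set()
    if first.detected_at - step.executed_at > DELAY_LIMIT:
        mods.add("Delayed")
    if first.derived_from is not None:
        mods.add("Tainted")
    if first.source == "analyst":
        mods.add("Human")
    return "Detected", frozenset(mods)


def summary(steps: List[Step], dets: List[Detection]) -> Dict[str, int]:
    """The counts behind the page's three 'zero' claims."""
    out = {"detected": 0, "missed": 0, "delayed": 0, "tainted": 0, "human": 0}
    for s in steps:
        result, mods = classify(s, dets)
        out["detected" if result == "Detected" else "missed"] += 1
        for m in mods:
            out[m.lower()] += 1
    return out


def coverage(tested: Dict[str, List[str]], steps: List[Step],
             dets: List[Detection]) -> Dict[Tuple[str, str], str]:
    """Legend label per (tactic, technique) for every technique in the evaluated list."""
    by_tech: Dict[Tuple[str, str], str] = {}
    for s in steps:
        result, mods = classify(s, dets)
        label = "Tainted/Delayed" if mods & {"Tainted", "Delayed"} else result
        by_tech[(s.tactic, s.technique)] = label
    return {(t, q): by_tech.get((t, q), "Not Tested") for t, qs in tested.items() for q in qs}


def without_step(dets: List[Detection], step_id: str) -> List[Detection]:
    """Simulate the attacker swapping out one step (e.g. not using PowerShell):
    drop that step's detections and, transitively, every detection derived from them."""
    gone = {step_id}
    changed = True
    while changed:
        changed = False
        for d in dets:
            if d.derived_from in gone and d.step_id not in gone:
                gone.add(d.step_id)
                changed = True
    return [d for d in dets if d.step_id not in gone]


# Constructed sample data: four steps of an APT3-style chain and three detections.
T0 = datetime(2018, 11, 1, 9, 0, 0)
STEPS = [
    Step("1.A", "Execution", "PowerShell", T0),
    Step("2.A", "Persistence", "Registry Run Keys / Startup Folder", T0 + timedelta(minutes=2)),
    Step("3.A", "Credential Access", "Credential Dumping", T0 + timedelta(minutes=4)),
    Step("4.A", "Discovery", "Process Discovery", T0 + timedelta(minutes=6)),
]
DETECTIONS = [
    Detection("1.A", T0 + timedelta(seconds=10)),                                   # clean, real-time
    Detection("2.A", T0 + timedelta(minutes=2, seconds=5), derived_from="1.A"),   # tainted by 1.A
    Detection("3.A", T0 + timedelta(hours=2, minutes=4), source="analyst"),       # delayed, human
]
TESTED = {  # subset of the techniques in the matrix above
    "Execution": ["PowerShell", "Rundll32", "Scheduled Task"],
    "Persistence": ["Registry Run Keys / Startup Folder", "New Service"],
    "Credential Access": ["Credential Dumping", "Brute Force"],
    "Discovery": ["Process Discovery", "Query Registry"],
}

if __name__ == "__main__":
    print(summary(STEPS, DETECTIONS))
    for (tactic, technique), label in coverage(TESTED, STEPS, DETECTIONS).items():
        print(f"{tactic:18} {technique:36} {label}")
    print("2.A after the attacker drops PowerShell:", classify(STEPS[1], without_step(DETECTIONS, "1.A")))
```

Run against your own EDR's alert export by mapping each alert to the attacker step it covers and recording which earlier alert, if any, it was raised because of; a non-zero `tainted` count in `summary` is the concrete form of the risk described under Confidence.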


Objective, transparent and open testing is critical as a means of driving the industry forward, and the MITRE ATT&CK framework offers a critical look at how real-world attacks play out. We believe MITRE has set an excellent standard for how testing should be conducted in an open, rigorous and sophisticated way. We thank MITRE for its leadership.

Scott Lundgren
Chief Technology Officer, Carbon Black


MITRE ATT&CK Matrix

The information provided here is a subset of the results MITRE found during its testing. To get the full results of every vendor's participation, including Carbon Black's, please click the link below.
