Top scoring in industry tests

Microsoft Threat Protection technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis.

Microsoft Threat Protection

Microsoft Threat Protection is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Microsoft Threat Protection combines into a single solution the capabilities of Microsoft Defender ATP, Office 365 ATP, Azure ATP, Azure AD Identity Protection, and Microsoft Cloud App Security.

MITRE: Demonstrated real-world detection, response, and protection from advanced attacks

Core to MITRE’s testing approach is emulating real-world attacks to understand whether solutions are able to adequately detect and respond to them. While the test focused on endpoint detection and response, MITRE’s simulated APT29 attack spans multiple attack domains, creating opportunities to empower defenders beyond just endpoint protection. Microsoft expanded defenders’ visibility beyond the endpoint with Microsoft Threat Protection (MTP).

  • ATT&CK-based evaluation of Microsoft Threat Protection — May 2020: Leading in real-world detection

    Microsoft Threat Protection provided nearly 100 percent coverage across the attack chain stages. It delivered leading out-of-box visibility into attacker activities, dramatically reducing manual work for the security operations center vs. vendor solutions that relied on specific configuration changes. It also the fewest gaps in visibility, diminishing attacker ability to operate undetected.

Next generation protection

Windows Defender Antivirus consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections.

Windows Defender Antivirus is the next generation protection capability in the Microsoft Defender ATP Windows 10 security stack that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped milliseconds after a campaign starts. That's because Windows Defender Antivirus and other endpoint protection platform (EPP) capabilities in Microsoft Defender ATP detect and stops malware at first sight with machine learning, artificial intelligence, behavioral analysis, and other advanced technologies.

Download the latest transparency report: Examining industry test results, November 2019

AV-TEST: Protection score of 5.5/6.0 in the latest test

The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").

AV-Comparatives: Protection rating of 99.6% in the latest test

Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.

SE Labs: AAA award in the latest test

SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.

  • Enterprise Endpoint Protection January — March 2020: AAA award pdf

    Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.

  • Enterprise Endpoint Protection October — December 2019: AAA award pdf

  • Enterprise Endpoint Protection July — September 2019: AAA award pdf | Analysis

  • Enterprise Endpoint Protection April — June 2019: AAA award pdf | Analysis

  • Enterprise Endpoint Protection January — March 2019: AAA award pdf | Analysis

Endpoint detection & response

Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.

MITRE: Industry-leading optics and detection capabilities

MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics.

  • ATT&CK-based evaluation of Microsoft Defender ATP — December 2018: Leading optics and detection capabilities | Analysis

    Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring.

To what extent are tests representative of protection in the real world?

Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats.

The capabilities within Microsoft Defender ATP provide additional layers of protection that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Microsoft Defender ATP components catch samples that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world.

Learn more about Microsoft Defender ATP and evaluate it in your own network by signing up for a 90-day trial of Microsoft Defender ATP, or enabling Preview features on existing tenants.

Learn more about Microsoft Threat Protection or start using the service.