WithSecure named Strategic Leader in AV-Comparatives Endpoint Prevention and Response report
Independent testing organization AV-Comparatives has named WithSecure a Strategic Leader in its Endpoint Prevention and Response (EPR) report — placing us in the top tier of vendors for preventing, detecting, and responding to targeted attacks, with a low total cost of ownership.
Strategic Leader in Endpoint Prevention and Response
Being named a Strategic Leader isn’t a participation award. AV-Comparatives defines Strategic Leaders as vendors that « show others the way forward by setting ambitious targets and meeting them » — « they develop groundbreaking ideas and implement these impressively in their products ». It’s a high bar, and the test behind it is one of the most comprehensive EPR evaluations conducted to date.
MITRE ATT&CK® Enterprise evaluations have long been the go-to independent benchmark for EDR capabilities. But they test detection in isolation, since prevention capabilities must be turned off for the evaluation. For organizations that want to understand how their Endpoint Protection (EPP) and EDR work together — and what that combination actually costs to own and operate — AV-Comparatives’ EPR evaluation offers a compelling alternative. It’s the more complete picture for anyone making a real-world procurement decision.
What AV-Comparatives actually tested
The EPR evaluation put 10 security vendor solutions through 50 simulated targeted attack scenarios, covering techniques used in real advanced persistent threat (APT) campaigns. Each scenario was structured across three attack phases:
- Compromise and foothold phase: The initial intrusion attempt. Can the product stop the attacker before they establish a presence?
- Internal propagation phase: If the attacker gets in, can the product detect and disrupt lateral movement before the threat spreads?
- Asset breach phase: If propagation isn’t stopped, can the product prevent the attacker from reaching their target?
At each phase, AV-Comparatives logged whether the product blocked the attack automatically, detected it and flagged it for manual response, or missed it entirely. Critically, the test also factored in cost — purchase price, operational overhead, and the calculated breach savings — to produce a realistic total cost of ownership (TCO) over five years. This is what makes the EPR evaluation different from most independent tests: it measures value, not just capability.
WithSecure stopped attacks before they could spread
WithSecure Elements XDR for Endpoint Security, including both EDR and EPP capabilities, stopped every simulated attack before it reached Phase 3. The asset breach scenario wasn’t needed — because there was no breach to test.
AV-Comparatives noted in the product validation report: « WithSecure did exceptionally well at handling threats that are targeted towards the user, and in particular, before the threat even progresses inside the user environment. »
That’s the right place to stop an attack. Detecting a breach after the fact is expensive and damaging. Stopping it at the point of entry — or before it moves laterally — is where the real security value lies.
The report specifically commended WithSecure Elements XDR for Endpoint Security, which includes EDR and EPP, for:
- Exceptional prevention capabilities, stopping threats before they progress inside the user environment
- Aggregation and prioritization of alerts to minimize noise
- Good mapping to MITRE ATT&CK® tactics, techniques, and procedures (TTPs), giving SOC analysts the context to investigate and escalate effectively
- Multiple response options for mitigated threats, with detailed information for SOC analysis
- Ease of configuration and deployment across domain and workgroup environments
- An intuitive management console with useful contextual data
- Low total cost of ownership over a five-year period
What the CyberRisk Quadrant™ measures
The AV-Comparatives CyberRisk Quadrant™ plots vendors based on two axes: technical effectiveness and cost-to-value ratio. Strategic Leaders — the top tier — deliver exceptional technical capabilities alongside a genuinely low TCO. High detection rates with an unmanageable price tag, or low cost with mediocre protection, won’t land you there.
WithSecure’s placement reflects both sides of that equation. Elements’ modular, cloud-native architecture means organizations pay for what they need and can expand coverage — adding vulnerability management or Microsoft 365 protection, for example — without rebuilding their security stack. The result is a lower real-world TCO than many point solutions that appear cheaper at first glance.
Why prevention matters as much as detection
A recurring theme in this evaluation — and in how WithSecure approaches product design — is that detection and response capabilities only matter if prevention has already failed. The best outcome isn’t catching an attacker mid-breach. It’s stopping them at the perimeter.
This is why investing in the strongest possible prevention layer isn’t optional. EDR and XDR tools are essential, but they’re a safety net — not the first line of defense. The two work together, and the EPR evaluation was specifically designed to measure how well vendors balance both.
For teams with limited security resources
One result worth highlighting for smaller organizations and MSPs: the EPR evaluation explicitly factors in operational burden. Products that generate excessive alerts or require deep SOC expertise to operate score worse on TCO, even if their raw detection numbers look good.
WithSecure Elements is built with this in mind. Alert prioritization, intuitive management, and the option to escalate to WithSecure experts directly through the product — or hand off entirely to a managed detection and response (MDR) service — mean organizations without large in-house security teams can still operate at enterprise-grade protection levels.
Read the full report
The full AV-Comparatives EPR report for WithSecure (formerly F-Secure Business) is available at av-comparatives.org. If you want to understand what these results mean for your specific environment, get in touch and we’ll walk you through it.