Bitdefender GravityZone Business Security Enterprise recorded 100% relevant telemetry across all 14 attack steps in AV-Comparatives’ inaugural EDR Detection Validation Certification Test, published May 2026. Bitdefender was the only certified product to achieve complete chain-of-attack visibility.
The results reflect Bitdefender’s research-led prevention architecture which is also applied to detection: when defensive layers are built to understand the attack surface before exploitation, the same behavioral models that prevent attacks also surface them when operating in detection-only mode.
The evaluation used a 14-step attack scenario inspired by APT29 (Cozy Bear), APT41 (Winnti), APT27 (Emissary Panda), APT10 (Stone Panda), and FIN7 (Carbanak) tactics. AV-Comparatives’ EDR Detection Validation Certification Test measures how completely endpoint detection and response (EDR) platforms surface attack activity across a multi-stage intrusion. Bitdefender GravityZone Business Security Enterprise finished first among the nine certified products evaluated.
The scenario covered initial access via a spearphishing link, persistence through scheduled-task masquerading, credential access (Kerberoasting, an attack targeting service account credentials by requesting Kerberos tickets, and DCSync, a technique that mimics domain-controller replication to extract password hashes), lateral movement across three systems (WS01 → FS01 → DC01), privilege escalation, and command-and-control through a live C2 framework with redirector infrastructure on Azure (a proxy infrastructure masking the attacker’s actual server to evade detection).
All products were configured in detection-only mode, meaning no blocking or prevention capabilities were active.
The test isolates detection visibility – what the product sees and reports to analysts – from prevention quality. AV-Comparatives’ separate EPR Test covers prevention effectiveness. It’s no accident that Bitdefender GravityZone was the only vendor platform to achieve 100% prevention in the initial attack phase during the EPR Test for 2025. This year’s certification test focuses exclusively on whether the product gives analysts enough visibility to reconstruct what happened.
Two metrics determine the result:
A separate Signal-to-Noise assessment tests whether the product generates false alerts on benign administrative activity. For full methodology detail, see the published test report.
The following table consolidates Active Response, Telemetry, and Signal-to-Noise results across all 9 certified products in AV-Comparatives’ 2026 EDR Detection Validation Certification Test. AV-Comparatives publishes per-vendor reports for this certification test; this view merges them for cross-vendor comparison.
Source: AV-Comparatives EDR Detection Validation Certification Test 2026 individual vendor reports. Table compiled by Bitdefender. Cohort median computed from published scores.
In the inaugural edition of AV-Comparatives’ EDR Detection Validation Certification Test, Bitdefender was the only certified product to record relevant telemetry across every step of a 14-stage attack chain.
The result reflects Bitdefender’s prevention-first posture applied to detection.
Prevention-first architecture means understanding the attack surface and emerging-attack patterns through sustained research, then building defensive layers for those attacks before they appear in the wild.
AV-Comparatives noted Bitdefender’s visibility across the intrusion chain explicitly. The lateral-movement stage (Step 11, compromising DC01 via WinRM) was cited as “one of the strongest parts of the evaluation,” with detections tying remote execution to privileged account context through WinRM, PowerShell, AMSI (Antimalware Scan Interface, a Windows telemetry hook that intercepts script content before execution), and wsmprovhost.exe (the Windows Remote Management process host) activity.
The DCSync credential-theft technique (Step 14) demonstrates the telemetry-depth advantage. DCSync mimics domain-controller replication to extract password hashes – a technique that leaves minimal forensic traces because it uses legitimate domain-controller protocols. Bitdefender did not generate an alert on Step 14 but surfaced the activity through telemetry: domain-controller replication detections mapped directly to the DCSync attempt, giving analysts enough context to reconstruct what happened. When replication traffic originates from a non-domain-controller system in an unusual user context, that’s detectable – if the product is recording the right data.
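The detection rationale above (replication rights exercised by a principal that is not a domain controller, tied back to the host the session came from) as an added example; this is not Bitdefender or AV-Comparatives code, and the event records, host names and DC list are constructed assumptions for the demo:

```python
"""Flag DCSync-style replication requests made by a non-domain-controller principal.
Added example, not Bitdefender or AV-Comparatives code; all sample data is constructed."""
import re

# Extended-right GUIDs that directory replication exercises; Windows Security
# Event ID 4662 lists the GUIDs it touched in its Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}   # assumed DC machine accounts for the demo
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample, flattened as 'key=value|key=value'. The third line is normal
# DC-to-DC replication; the fourth is a service account on a workstation (10.0.10.25)
# pulling the same rights, i.e. the DCSync pattern. The last line is an unrelated 4662.
EVENTS = [
    "EventID=4624|TargetUserName=DC02$|TargetLogonId=0x3e4a1|IpAddress=10.0.0.11|LogonType=3",
    "EventID=4624|TargetUserName=svc_backup|TargetLogonId=0x5b77c|IpAddress=10.0.10.25|LogonType=3",
    "EventID=4662|SubjectUserName=DC02$|SubjectLogonId=0x3e4a1|ObjectType=domainDNS|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=svc_backup|SubjectLogonId=0x5b77c|ObjectType=domainDNS|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662|SubjectUserName=jdoe|SubjectLogonId=0x71b2|ObjectType=user|Properties={00000000-0000-0000-0000-000000000000}",  # placeholder non-replication GUID
]

def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))

def replication_by_non_dc(event, controllers=DOMAIN_CONTROLLERS):
    """Return the replication rights a non-DC subject exercised, or None."""
    if event.get("EventID") != "4662":
        return None
    rights = [REPLICATION_RIGHTS[g.lower()]
              for g in GUID_RE.findall(event.get("Properties", ""))
              if g.lower() in REPLICATION_RIGHTS]
    if not rights or event.get("SubjectUserName") in controllers:
        return None  # no replication right involved, or legitimate DC-to-DC replication
    return {"subject": event["SubjectUserName"], "rights": rights,
            "logon_id": event.get("SubjectLogonId")}

def detect(lines, controllers=DOMAIN_CONTROLLERS):
    """Correlate each 4662 hit with the 4624 logon of the same session to name the source host."""
    events = [parse_event(line) for line in lines]
    source_ip = {e["TargetLogonId"]: e["IpAddress"] for e in events if e.get("EventID") == "4624"}
    hits = []
    for e in events:
        hit = replication_by_non_dc(e, controllers)
        if hit:
            hit["source_ip"] = source_ip.get(hit["logon_id"], "unknown")
            hits.append(hit)
    return hits
```

Only the service-account request from the workstation is reported; the DC02$ request with identical rights is treated as benign replication, which is the Signal-to-Noise distinction the test also measures.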
Bitdefender consolidated 245 alerts into 3 incidents through automated correlation. Alert volume alone is not a quality signal; what matters is whether an analyst can reconstruct the attack without manually stitching together hundreds of disconnected events. Three incidents for a 14-step intrusion spanning three systems demonstrates analyst-workload efficiency.
For the full Bitdefender report, including stage-by-stage detection breakdowns and alert-correlation details, see the published certification document.
You can also learn more about the Bitdefender GravityZone platform.