
Horizon3.ai Expands NodeZero with Endpoint Security Effectiveness Check

EDR tools have become a standard line of defense, but many organizations don’t know how well they actually work under pressure. Horizon3.ai is tackling that gap with the launch of Endpoint Security Effectiveness (ESE) in its NodeZero platform. The new capability lets security teams validate whether their EDR solutions catch real-world attacker behavior or simply look secure on paper.

Traditional EDR Metrics Fall Short

Most organizations measure EDR performance by checking agent deployment or signature updates. Those checks confirm coverage at a surface level but don’t answer the more important question: can attackers bypass them?

Horizon3.ai’s data shows they often can. Out of more than 7,000 simulated attempts to deploy a remote access tool across customer environments, most successful bypasses relied on stolen credentials rather than software exploits. Only 3% of successful intrusions were linked to vulnerabilities. Once inside, NodeZero was able to complete critical actions - like collecting data or impersonating users - in a median of three minutes, with some Linux compromises taking just 20 seconds.

“These findings highlight how credentials remain one of the easiest ways around endpoint defenses,” Stephen Gates, Principal Security SME at Horizon3.ai, told MSSP Alert.

“By validating against those techniques, enterprises can see where identity and detection strategies need to be strengthened. The outcome isn’t about blame - it’s about helping teams adjust their defenses with real evidence,” Gates said.

Controlled Check on EDR Performance

Attackers often get around signatures and slip past inconsistent behavioral alerts. Using stolen credentials is still the quickest way in, and most tools struggle to spot it. The new ESE feature addresses this by turning every NodeZero pentest into a controlled check on EDR performance. Security teams can see exactly how their tools respond when faced with tactics that adversaries rely on every day.

“Other platforms test if an attack works. We validate if your EDRs are actually working as intended,” Gates explained. “That’s what sets NodeZero apart. The key point is giving customers confidence that their endpoint investments are effective. As more organizations expect this level of assurance, it will help raise the bar across the EDR market.”

NodeZero deploys a harmless test remote access tool, mimics attacker behavior, and tracks whether the EDR blocks, alerts, or misses the activity. The process runs safely in live environments without interrupting operations. Teams get clear evidence of where blind spots exist, where configurations need tuning, and whether improvements hold up when retested.

“Endpoint validation is where we start, not where we stop,” Gates said. “Attackers don’t limit themselves to endpoints, and neither should defenders. We’ve expanded into identity, data, and cloud controls so organizations can validate that every layer of their security stack is doing its job.”

Consistent Reporting for MSSPs and Clients

With the ESE healthcheck, companies can measure EDR performance in terms that actually matter: how quickly threats are detected when credentials are misused, where gaps in logging, policies, or integrations leave openings, and whether fixes stand up to repeated attempts at evasion.

The capability was also designed with service providers in mind. “ESE was built for scale,” Gates noted. “MSSPs can validate endpoint security across multiple customers and platforms, then provide consistent reporting that shows clients their protections are - or are not - tuned and effective. It helps MSSPs demonstrate value while giving customers peace of mind.”

By building this evaluation directly into NodeZero, Horizon3.ai is pushing security teams toward evidence-based assessments instead of assumptions. The goal is to help organizations get the full value out of their EDR investments and to make defense strategies more resilient against the attacks most likely to succeed.

Suparna Chawla Bhasin

Suparna is the Senior Managing Editor for CyberRisk Alliance’s Channel Brands, including MSSP Alert and ChannelE2E. She manages content development, sharpens editorial workflows, and ensures storytelling is tightly aligned with audience needs. With a background in technology, media, and education, she combines strategic insight with creative execution.
