EDR tools have become a standard line of defense, but many organizations don’t know how well they actually work under pressure.
Horizon3.ai is tackling that gap with the launch of Endpoint Security Effectiveness (ESE) in its NodeZero platform. The new capability lets security teams validate whether their EDR solutions catch real-world attacker behavior or simply look secure on paper.
Traditional EDR Metrics Fall Short
Most organizations measure EDR performance by checking agent deployment or signature updates. Those checks confirm coverage at a surface level but don’t answer the more important question: can attackers bypass them?
Horizon3.ai’s data shows they often can. Out of more than 7,000 simulated attempts to deploy a remote access tool across customer environments, most successful bypasses relied on stolen credentials rather than software exploits. Only 3% of successful intrusions were linked to vulnerabilities. Once inside, NodeZero was able to complete critical actions - like collecting data or impersonating users - in a median of three minutes, with some Linux compromises taking just 20 seconds.
"These findings highlight how credentials remain one of the easiest ways around endpoint defenses," Stephen Gates, Principal Security SME at Horizon3.ai, told MSSP Alert.
"By validating against those techniques, enterprises can see where identity and detection strategies need to be strengthened. The outcome isn’t about blame - it’s about helping teams adjust their defenses with real evidence," Gates said.
Controlled Check on EDR Performance
Attackers often get around signatures and slip past inconsistent behavioral alerts. Using stolen credentials is still the quickest way in, and most tools struggle to spot it. The new ESE feature addresses this by turning every NodeZero pentest into a controlled check on EDR performance. Security teams can see exactly how their tools respond when faced with tactics that adversaries rely on every day.
"Other platforms test if an attack works. We validate if your EDRs are actually working as intended," Gates explained. "That’s what sets NodeZero apart. The key point is giving customers confidence that their endpoint investments are effective. As more organizations expect this level of assurance, it will help raise the bar across the EDR market."
NodeZero deploys a harmless test remote access tool, mimics attacker behavior, and tracks whether the EDR blocks, alerts, or misses the activity. The process runs safely in live environments without interrupting operations. Teams get clear evidence of where blind spots exist, where configurations need tuning, and whether improvements hold up when retested.
"Endpoint validation is where we start, not where we stop," Gates said. "Attackers don’t limit themselves to endpoints, and neither should defenders. We’ve expanded into identity, data, and cloud controls so organizations can validate that every layer of their security stack is doing its job."
Consistent Reporting for MSSPs and Clients
With the ESE healthcheck, companies can measure EDR performance in terms that actually matter: how quickly threats are detected when credentials are misused, where gaps in logging, policies, or integrations leave openings, and whether fixes stand up to repeated attempts at evasion.
The capability was also designed with service providers in mind. "ESE was built for scale," Gates noted. "MSSPs can validate endpoint security across multiple customers and platforms, then provide consistent reporting that shows clients their protections are - or are not - tuned and effective. It helps MSSPs demonstrate value while giving customers peace of mind."
By building this evaluation directly into NodeZero, Horizon3.ai is pushing security teams toward evidence-based assessments instead of assumptions. The goal is to help organizations get the full value out of their EDR investments and to make defense strategies more resilient against the attacks most likely to succeed.