Ever asked your EDR vendor for an SBOM or source code access? A recent study did it for 14 of them.
Most security teams evaluate EDR-EPP based on detection rates and remediation features. But what about transparency? What data actually leaves your network? Can you review the code? Do you control updates?
AV-Comparatives (commissioned by the Austrian Economic Chambers) looked at 14 leading cybersecurity vendors - including CrowdStrike, Microsoft, SentinelOne, Trellix, Kaspersky, Cisco, and others - on criteria that rarely make it into product brochures:
Ability to review source code
SBOM (Software Bill of Materials) availability
Telemetry control and opt-out options
Staged update rollouts
On-prem reputation services
Data residency and legal compliance
The results are uneven. Only 3 vendors allow enterprise customers to review source code. Only a handful provide SBOMs. Just 8 out of 14 offer staged updates - which matters a lot after the CrowdStrike incident.
The full report (including a breakdown by vendor) is available through AV-Comparatives. Link in the first comment if anyone wants to dig through the methodology.
Top comments (5)
For those who want to check the methodology or see the vendor-by-vendor breakdown: av-comparatives.org/independent-st...
The SBOM gap is the one that surprises me most. 3 out of 14 vendors will provide a Software Bill of Materials to enterprise customers. That means for the other 11, you literally cannot verify what components are running on your endpoints. In regulated environments, that is a dealbreaker, not a nice-to-have. The EU angle makes sense - their regulators are way ahead on supply chain transparency.
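What an SBOM actually buys a defender, as an added example that is not from the post, the commenter, or the AV-Comparatives report: parse a CycloneDX JSON document, flag components that cannot be verified because they carry no version or hash, and match the rest against a watchlist of versions you care about. The SBOM, component names, versions, hashes and watchlist below are all constructed placeholders, not real vendor data.

```python
"""Inventory check over a CycloneDX JSON SBOM.

Added example (not from the post or the AV-Comparatives report). The SBOM
below is a constructed sample; component names, versions and hashes are
made up and stand in for what an EDR vendor would ship with an agent.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 document. Two components are fully pinned
# (version + SHA-256); the third has neither, so nothing about it can be
# checked against an advisory or against what is actually on disk.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-tls", "version": "3.1.2",
         "purl": "pkg:generic/example-tls@3.1.2",
         "hashes": [{"alg": "SHA-256", "content": "a" * 64}]},
        {"type": "library", "name": "example-json", "version": "1.9.0",
         "purl": "pkg:generic/example-json@1.9.0",
         "hashes": [{"alg": "SHA-256", "content": "b" * 64}]},
        {"type": "library", "name": "example-compress"},
    ],
})


def load_components(sbom_text: str) -> List[Dict]:
    """Parse a CycloneDX JSON SBOM and return its top-level component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def unverifiable(components: List[Dict]) -> List[str]:
    """Names of components that lack a version or a cryptographic hash.

    Without a version the entry cannot be matched against an advisory;
    without a hash it cannot be checked against the bytes on the endpoint.
    """
    out = []
    for c in components:
        has_hash = any(h.get("content") for h in c.get("hashes", []))
        if not c.get("version") or not has_hash:
            out.append(c["name"])
    return out


def match_watchlist(components: List[Dict],
                    watchlist: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from the SBOM that appear on a watchlist.

    The watchlist is a hypothetical input ({name: [versions]}); in practice
    it would be fed from your own advisory feed or version policy.
    """
    hits = []
    for c in components:
        name, version = c.get("name"), c.get("version")
        if version and version in watchlist.get(name, []):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print("components:", [c["name"] for c in comps])
    print("unverifiable:", unverifiable(comps))
    print("watchlist hits:", match_watchlist(comps, {"example-tls": ["3.1.2"]}))
```

The unpinned component is the point of the exercise: an SBOM that lists names without versions or hashes still leaves you unable to answer "is this component on my endpoints", which is the gap the comment describes for vendors that provide no SBOM at all.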
The staged updates finding is interesting given how much attention CrowdStrike got. Only 8 out of 14 vendors offer staged rollouts. That means nearly half of EDRs will push updates to all your endpoints at once if you let them. One bad definition and your entire fleet goes down. The study also notes that vendors with higher transparency scores tend to offer better telemetry controls. Might be correlation, but it makes sense - if they are opaque about their own practices, why trust them with your data?
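What "staged rollout" means mechanically, as an added example that is not from the post, the commenter, or any vendor's product: endpoints are assigned to rings by a stable hash of their hostname, the update is pushed one ring at a time, and a health gate halts promotion when the failure rate in the current ring exceeds a threshold. The fleet, ring sizes, failure threshold and health reports are constructed assumptions for illustration.

```python
"""Ring-based staged rollout with a health gate.

Added example, not the post's or any vendor's code. Endpoints, ring sizes
and health reports are constructed; the ring assignment hashes the hostname
so a given machine lands in the same ring for every release.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed fleet of hostnames standing in for managed endpoints.
FLEET = [f"ws-{i:03d}.example.test" for i in range(20)]

# Rings as cumulative percentages of the fleet: canary 5%, then 25%, then all.
RINGS = [5, 25, 100]


def ring_of(hostname: str) -> int:
    """Map a hostname to a ring index.

    A stable hash in [0, 100) is compared against the cumulative ring
    percentages, so membership does not change between releases.
    """
    bucket = int(hashlib.sha256(hostname.encode()).hexdigest(), 16) % 100
    for idx, pct in enumerate(RINGS):
        if bucket < pct:
            return idx
    return len(RINGS) - 1


def plan_rollout(fleet: List[str]) -> List[List[str]]:
    """Group endpoints by ring, in rollout order (canary first)."""
    rings: List[List[str]] = [[] for _ in RINGS]
    for host in fleet:
        rings[ring_of(host)].append(host)
    return rings


def next_ring_allowed(ring_hosts: List[str], health: Dict[str, bool],
                      max_failure_rate: float = 0.02) -> bool:
    """Health gate: promote to the next ring only if the failure rate in the
    current ring is at or below the threshold. Hosts that have not reported
    back are counted as failures (fail closed); an empty ring passes.
    """
    if not ring_hosts:
        return True
    failures = sum(0 if health.get(h, False) else 1 for h in ring_hosts)
    return failures / len(ring_hosts) <= max_failure_rate


def simulate(fleet: List[str], health: Dict[str, bool]) -> Tuple[int, bool]:
    """Push ring by ring. Returns (rings that received the update, halted).

    `health` maps hostname -> True if the endpoint reported healthy after
    the update; missing hosts count as failures.
    """
    deployed = 0
    for hosts in plan_rollout(fleet):
        deployed += 1
        if not next_ring_allowed(hosts, health):
            return deployed, True
    return deployed, False


if __name__ == "__main__":
    print("rings:", [len(r) for r in plan_rollout(FLEET)])
    print("all healthy:", simulate(FLEET, {h: True for h in FLEET}))
    print("nothing reports back:", simulate(FLEET, {}))
```

The gate is the part that matters for the "one bad definition" scenario: the canary ring absorbs the failure and the remaining rings never receive the update. Note the fail-closed choice, where a silent endpoint counts as a failure, since a crashed agent is exactly the one that cannot report.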
The on-prem reputation service finding is the one that affects air-gapped environments most. Only 8 out of 14 vendors offer it. If you are running SCADA, critical infrastructure, or anything that cannot phone home to a cloud reputation service, your options just got cut almost in half. The cloud-native trend is great, but not every network can participate.
What I would like to see is a follow-up study that correlates these transparency scores with actual incident response metrics. Do vendors that allow source code review and provide SBOMs also have better vulnerability disclosure timelines? The report hints at this correlation but does not prove causation. Still, if a vendor is opaque about their own practices, that is a red flag regardless of detection scores.