A recent study by AV-Comparatives (commissioned by the Austrian Economic Chambers) analyzed 14 leading EDR-EPP vendors on transparency metrics: source code access, SBOM availability, telemetry controls, staged updates, on-prem reputation services, and data residency.
The raw numbers are one thing. But the study also found a correlation worth discussing: vendors with higher transparency scores tended to perform better on vulnerability handling, incident disclosure timelines, and overall security maturity.
In other words, how vendors treat transparency says something about how they treat security.
Three findings stood out to me:
Only 3 vendors allow enterprise customers to review source code. Those same vendors also had better-than-average vulnerability disclosure practices.
Only 8 out of 14 offer staged update rollouts. The study notes that this group also demonstrated more mature incident response processes.
The top tier on the combined transparency score was Cisco, Kaspersky, and Microsoft. Not the usual marketing leaders, but established vendors with enterprise compliance experience.
If you are renewing an EDR contract or evaluating new vendors, this report gives you specific questions to ask. Not just "what is your detection rate" but "can you provide an SBOM" and "do you offer staged updates."
Has anyone here successfully used transparency requirements as a leverage point in vendor negotiations?
Top comments (4)
The correlation between transparency and security maturity is intuitive but it is good to see data backing it up. A vendor that hides its SBOM or refuses source code review is also likely to be slow on vulnerability disclosure. It is the same organizational culture. The study does not prove causation, but for procurement decisions, correlation is enough to ask harder questions.
What I would add is that transparency requirements are becoming contractual, not just nice-to-have. I have seen RFPs lately that explicitly ask for SBOMs and staged update policies. The vendors that cannot provide them are getting filtered out before the technical evaluation even starts. This study gives procurement teams ammunition to say "three vendors already do this, why can't you?"
The point about established vendors (Cisco, Kaspersky, Microsoft) outperforming newer cloud-native entrants on transparency is not surprising. Enterprise compliance experience matters. A startup focused on detection ML may not have legal teams thinking about SBOMs or data residency. The problem is that many organizations are now forced to care about these things due to regulations (DSA, Cyber Resilience Act, etc.). The newer vendors will have to catch up or lose enterprise deals.
The study leaves one question open: do transparency scores correlate with actual breach prevention metrics? A vendor can be transparent about their practices but still have mediocre detection. The report hints at this but does not have the data. That said, for compliance-heavy environments, transparency is a requirement regardless of detection scores. You cannot pass an audit if you do not know what is running on your endpoints.