Kris Davidson

Transparency correlates with security maturity: what the TRACS study found about EDR vendors

A recent study by AV-Comparatives (commissioned by the Austrian Economic Chambers) analyzed 14 leading EDR-EPP vendors on transparency metrics: source code access, SBOM availability, telemetry controls, staged updates, on-prem reputation services, and data residency.

The raw numbers are one thing. But the study also found a correlation worth discussing: vendors with higher transparency scores tended to perform better on vulnerability handling, incident disclosure timelines, and overall security maturity.

In other words, how vendors treat transparency says something about how they treat security.

Three findings stood out to me:

- Only 3 vendors allow enterprise customers to review source code. Those same vendors also had better-than-average vulnerability disclosure practices.
- Only 8 out of 14 offer staged update rollouts. The study notes that this group also demonstrated more mature incident response processes.
- The top tier on the combined transparency score was Cisco, Kaspersky, and Microsoft. Not the usual marketing leaders, but established vendors with enterprise compliance experience.

If you are renewing an EDR contract or evaluating new vendors, this report gives you specific questions to ask. Not just "what is your detection rate" but "can you provide an SBOM" and "do you offer staged updates."

Full study: https://www.av-comparatives.org/independent-study-highlights-transparency-and-data-practices-in-leading-cybersecurity-products/

Has anyone here successfully used transparency requirements as a leverage point in vendor negotiations?