At Palo Alto Networks, our mission is to be the cybersecurity partner of choice, protecting our digital way of life. We are thrilled to share that Cortex XDR has been certified in the prestigious 2026 AV-Comparatives EDR Detection Validation Test [2].
This rigorous evaluation specifically measures the ability of EDR solutions to detect and provide visibility into complex, multi-step attack scenarios. Our performance in the 2026 test confirms that Cortex XDR provides the deep technical visibility and intelligent correlation required to stop modern adversaries.
A Masterclass in Detection and Visibility
The 2026 test utilized a 14-stage attack scenario modeled after advanced persistent threats (APTs) such as APT29 (also known as Cloaked Ursa, Nobelium or Cozy Bear), APT41, APT27 (also known as TG-3390, Bronze Union, Lucky Mouse), and APT10. Cortex XDR demonstrated outstanding coverage across the attack chain, providing security teams with the alerts and telemetry needed to identify and investigate malicious activity at every turn.
Key Highlights from the Attack Scenario:
- Advanced Execution Detection: Once execution began, Cortex XDR immediately identified suspicious behavior, such as trusted Windows binaries being used to launch unsigned modules.
- Persistent Threat Monitoring: One of our most impactful results was the specific detection of stealthy persistence mechanisms, where the solution alerted on rare scheduled tasks created by compromised actors to ensure no backdoor went unnoticed.
- Lateral Movement Visibility: The pivot between systems was captured with high precision, including remote service creation and malicious process injection.
- Stopping High-Impact Attacks: Cortex XDR provided some of its clearest detections during the final stages, reliably identifying unauthorized directory replication (DCSync) attacks.
The Gold Standard for Alert Consolidation [3]
One of the most significant challenges for modern SOC analysts is "alert fatigue". During this test, Cortex XDR showcased its industry-leading correlation capabilities by consolidating 68 individual alerts into just 3 coherent incidents [4].
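To make two of the ideas above concrete, the rare-scheduled-task detection from the highlights list and the consolidation of many alerts into a few incidents, here is a small added example. It is not Cortex XDR code and does not reflect how the product implements either feature; the event records, alert names (rare_scheduled_task, remote_service_creation, dcsync_replication_request, unsigned_module_load) and account names are all constructed for the illustration. The detector flags a scheduled-task creation whose task name and command appear on very few hosts across the fleet, and the consolidator links alerts that share a host or a (non-shared) user account into one incident.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4698 (scheduled task created)
# records, reduced to the fields the detection needs. Invented values, not real telemetry.
TASK_EVENTS = [
    {"host": "ws01", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "cmd": "defrag.exe"},
    {"host": "ws02", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "cmd": "defrag.exe"},
    {"host": "ws03", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "cmd": "defrag.exe"},
    {"host": "ws04", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "cmd": "defrag.exe"},
    {"host": "ws03", "user": "svc_backup", "task": r"\Updater", "cmd": r"C:\Users\Public\upd.exe"},
]

# Constructed alerts from other (hypothetical) detections, to be consolidated
# together with the scheduled-task alerts.
OTHER_ALERTS = [
    {"type": "remote_service_creation", "host": "ws03", "user": "svc_backup"},
    {"type": "dcsync_replication_request", "host": "dc01", "user": "svc_backup"},
    {"type": "unsigned_module_load", "host": "ws05", "user": "bob"},
]

# Accounts present on every machine; linking alerts through them would merge
# unrelated activity into one giant incident, so they are excluded from user links.
SHARED_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def rare_task_alerts(events, max_hosts=1):
    """Alert on a task creation whose (task name, command) pair is seen on
    at most max_hosts distinct hosts across the fleet; widely deployed
    tasks such as ScheduledDefrag are treated as baseline and ignored."""
    hosts_by_task = defaultdict(set)
    for e in events:
        hosts_by_task[(e["task"], e["cmd"])].add(e["host"])
    alerts = []
    for e in events:
        if len(hosts_by_task[(e["task"], e["cmd"])]) <= max_hosts:
            alerts.append({"type": "rare_scheduled_task", "host": e["host"],
                           "user": e["user"], "task": e["task"]})
    return alerts


def consolidate(alerts):
    """Group alerts into incidents with union-find over shared entities:
    two alerts belong to the same incident when they share a host, or share
    a user account that is not a well-known shared account. Returns the
    incidents as lists of alerts, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for a in alerts:
        host_node = "host:" + a["host"]
        find(host_node)  # register the host even if no user link follows
        if a["user"] not in SHARED_ACCOUNTS:
            union(host_node, "user:" + a["user"])

    incidents = defaultdict(list)
    for a in alerts:
        incidents[find("host:" + a["host"])].append(a)
    return sorted(incidents.values(), key=len, reverse=True)


def run():
    """Run the rarity detector over the sample events, merge with the other
    alerts, and consolidate. Returns (alerts, incidents)."""
    alerts = rare_task_alerts(TASK_EVENTS) + OTHER_ALERTS
    return alerts, consolidate(alerts)


if __name__ == "__main__":
    alerts, incidents = run()
    print(f"{len(alerts)} alerts -> {len(incidents)} incidents")
    for n, inc in enumerate(incidents, 1):
        print(f"incident {n}:", [(a['type'], a['host'], a['user']) for a in inc])
```

On the sample data the rarity rule raises one alert (the \Updater task seen only on ws03), and the four alerts collapse into two incidents: the ws03 task, the ws03 remote service creation and the dc01 replication request share the svc_backup account and land in one incident, while the unrelated module load on ws05 stays separate. The rarity threshold and the choice of which entities may link alerts are the two knobs that decide how aggressively alerts are grouped; linking on shared system accounts is the classic way to over-merge.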
This performance caught the eye of the evaluators. As noted by the leadership at AV-Comparatives:
"Palo Alto Networks stood out through its effective alert consolidation, grouping 68 individual alerts into just three coherent incident cases, which supports efficient investigation workflows. The product also delivered one of the clearest DCSync detections in the evaluation, with both a direct high-severity alert and an anomaly-based replication alert."
— Andreas Clementi, Founder & CEO, AV-Comparatives
Why It Matters
AV-Comparatives concluded that Palo Alto Networks delivered a "strong overall result" and provided "strong behavioral and technical visibility across all the operationally important stages of the attack".
Whether it is identifying in-process shellcode or flagging unusual administrative group modifications, Cortex XDR ensures that nothing goes unnoticed. This certification is a testament to our ongoing commitment to providing the most effective, easy-to-use detection and response platform on the market today.
Built to Perform. Tested to Prove It.
Want to see how Cortex XDR performs where it counts? Browse third-party test results and certifications on our Industry Validation page.
References:
[1] Market leader is defined as vendors who were named leaders in the 2025 Gartner EPP Magic Quadrant.
[2] EDR Detection Validation Certification Test 2026.
[3] Alerts are called Issues on Cortex XDR.
[4] Incidents are called cases on Cortex XDR.