Hello everyone,
Already ready for a vacation after your first hostile contact back in the office? Then here’s something to make you smile: What’s the most expensive security control you’ve seen that added zero security?
DLP, NDR, and CISOs are particularly often highlighted as unnecessary expenses by people at the working level 😉.
Everyone is sure to find their personal favorite vendors there.
But back to the serious side of life in the cyber defense room – and who could provide us with more reliable information about the situation than the insurance industry? As far as I know, that’s where the most reliable figures for our industry come from, at least for the private sector. “The number of ransomware attacks observed worldwide has increased by almost 50 percent in 2025,” reports Munich Re in collaboration with Mandiant. Further exciting facts from a survey of 3,000 respondents from almost 100 countries conducted by Allianz:
- Cyber remains the top risk at board level, across all company sizes.
- Approximately 60% of the reported damage caused by cyber attacks was caused by ransomware, ~40% by data theft.
- Approximately 90% of respondents plan to invest further in cybersecurity, driven by supply chain + AI risks.
MITRE Engenuity has published its latest EDR evaluation. We have summarized the results according to our own criteria:

- In our evaluation, we only counted the two highest-value detection categories (Technique/Tactic) as detections.
- Reason: MITRE classifies all detections without a Tactic (i.e., “General” and below, shown in red or orange) as not “actionable,” yet some vendors still count them in full in their advertising.
- In addition, we only counted alerts that were raised without subsequent configuration changes (i.e., the stricter variant). Vendors also publish this differently.
- Eleven providers participated—unfortunately (and surprisingly), Microsoft, SentinelOne, and Palo Alto were not among them.
- New and exciting: Acronis, previously known for backups, and Cyberani (a full-service cybersecurity provider from Saudi Arabia, subsidiary of Aramco, the oil company that has at times been the largest company in the world).
- The test environment was more complex than in the last test, but of course not comparable to a real corporation: hybrid infrastructure with 7-9 servers + 4 desktop clients on-premises, plus 3 VMs and 1 S3 bucket in AWS. Operating systems in the victim environment were Windows Server 2022, Windows 11, and Ubuntu Linux 22.04 LTS.
- No explanation was published as to why no provider participated in Protection Test 2 (Identity Providers) – perhaps there was something wrong with the test setup? This is unfortunate, of course, because highly topical attack methods such as the misuse of federated tokens or the registration of second factors should have been tested here.
As always, different methodologies can be applied, resulting in different rankings. Anyone who disagrees with our approach or discovers errors in the still very manual evaluation is welcome to contact us. And, of course, the test is only a single data point; a decision for or against a solution should not be based solely on this.
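To make the scoring rules above concrete, here is an added example (my own illustration, not MITRE’s or any vendor’s code) that scores constructed sample results two ways: strictly (only Technique/Tactic, and only without a configuration change) and leniently (everything counts), so you can see how the same data yields different rankings. Vendor names and detection records are constructed.

```python
"""Score EDR evaluation results strictly vs. leniently.

Strict: only Technique/Tactic detections count, and only if no
configuration change was needed to produce them.
Lenient: every detection above "None" counts, config changes included.
All vendor names and records below are constructed sample data.
"""
from collections import defaultdict

# Detection categories in ascending order of value (lowest first).
CATEGORIES = ["None", "Telemetry", "General", "Tactic", "Technique"]
ACTIONABLE = {"Tactic", "Technique"}  # counted under the strict view

# Constructed records: (vendor, substep_id, category, config_change_needed)
SAMPLE = [
    ("VendorA", "1.A.1", "Technique", False),
    ("VendorA", "1.A.2", "Tactic", False),
    ("VendorA", "1.B.1", "General", False),   # not actionable
    ("VendorA", "1.B.2", "None", False),
    ("VendorB", "1.A.1", "Technique", False),
    ("VendorB", "1.A.2", "Technique", True),   # only after config change
    ("VendorB", "1.B.1", "Technique", True),
    ("VendorB", "1.B.2", "Technique", True),
]


def score(records, strict=True):
    """Return {vendor: fraction of substeps counted as detected}."""
    substeps = {r[1] for r in records}
    vendors = {r[0] for r in records}
    hits = defaultdict(int)
    for vendor, _step, category, config_change in records:
        if category not in CATEGORIES:
            raise ValueError(f"unknown category {category!r}")
        if strict:
            counted = category in ACTIONABLE and not config_change
        else:
            counted = category != "None"
        if counted:
            hits[vendor] += 1
    return {v: hits[v] / len(substeps) for v in vendors}


def ranking(records, strict=True):
    """Vendors sorted by descending score, ties broken alphabetically."""
    scores = score(records, strict)
    return sorted(scores, key=lambda v: (-scores[v], v))


if __name__ == "__main__":
    for mode in (True, False):
        label = "strict" if mode else "lenient"
        print(label, score(SAMPLE, mode), ranking(SAMPLE, mode))
```

With this sample, VendorB leads under the lenient view but drops behind VendorA once config-change detections and non-actionable categories are excluded.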
Predictions: Brief review and outlook
| My hypotheses for 2025 from a year ago | Hit rate | Comment |
|---|---|---|
| The number of cybersecurity IPOs will at least triple by 2024 (i.e., from 1 to 3). | 67% | There were only two IPOs (Netskope and Sailpoint, with share prices now well below the issue price for both – at least I was spared that), and Wiz was bought by Google instead of going public. |
| Google acquires an EDR provider | 50% | Partially true. Wiz now also offers protection for on-premise endpoints. |
| Cisco/Splunk is either acquiring a “proper” EDR provider or a cloud/data security manufacturer. | 80% | With a little goodwill, one could say that Cisco has acquired Aura Asset Intelligence and NeuralFabric, both of which could be broadly classified as data security. |
| Microsoft is really stepping up its game with Defender for IoT (formerly CyberX) in the NDR + OT NIDS market in terms of advertising, sales, and bundle pricing. | -100% | The exact opposite has happened. MS has discontinued on-premises support, and Defender for IoT plays no role in NDR/OT NIDS tenders. Or has anyone had different experiences that support my hypothesis? |
Because it worked so well with the predictions, here are the next ones for 2026:
- At least 3 relevant MSSPs / IR providers in the DACH region will be bought up + merged as part of the overdue consolidation
- IPOs: I only believe in 2 this year, because the valuations for software providers are crumbling again. Candidates for 2026 include Arctic Wolf, Snyk, Proofpoint, Cohesity, 1Password
- There are 2-3 generally accepted solutions for AI security in the enterprise segment that CISOs can buy without risking their careers, even if something does go wrong
M&A:
- In 2025, there was USD 14 billion in funding for cybersecurity startups and scaleups, a good 50% more than in 2024. However, we are still a long way from 2021 (USD 21 billion). By comparison, the global VC market across all industries is only USD 100 billion
- After Veza, ServiceNow is now also taking over Armis for just under USD 8 billion. Access rights management and vulnerability management require effective workflows and collaboration across business departments, so they are sensible additions to ServiceNow
- CrowdStrike acquires Seraphic (browser security) for 400 million and SGNL.ai, a real-time PAM provider, for ~$700 million. Does anyone remember the CyberArk acquisition by Palo Alto? I would guess that Fortinet is also in talks with some IAM/PAM vendors right now. Cisco, on the other hand, no longer seems to take the platform vision so seriously – the vulnerability management solution (formerly Kenna) has been discontinued. Competitors such as Brinqa, Vulcan/Tenable, Qualys or NopSec are happy.
- OVHCloud buys seald (SDK for E2E encryption from France)
- SPIE (global technical services provider) buys Cyqueo, a German MSSP with ~30 employees and ~20 million in revenue
- Diligent (GRC) acquires 3rdRisk (supplier risk management from NL)
- OneSpan (US provider for fraud prevention, especially for finance) buys the German Build38 (Mobile Protection)
- DeceptIQ (UK) strengthens its team with deception specialist Thinkst Canary
- Delinea (PAM) buys smaller competitor StrongDM
- Cyera raises $400 million from Blackstone
Notes from vendor conversations:
Red Mimicry:
- Breach & attack simulation startup from Berlin
- Special feature: Real attack chains recreated in detail, which can then be tested
- Start with possible code execution and then test detection/response
- Also includes actually implemented bypasses of EDR systems (e.g. obfuscation, unhooking, direct syscalls, steganography, signed files) and anti-analysis techniques to prevent e.g. execution on sandboxes
- Emulates attacker network communications such as C2 and data exfiltration
- No agents are used; instead, payloads are generated => advantage that no trust level (of an agent) is inherited by child processes (of the malware under test)
- Can run on-prem and air-gapped – no data exchange between customer and vendor necessary
- Currently about 36 playbooks (like BlackBasta) available
- Can also be obtained from partners (such as DCSO, SITS, Schutzwerk) as a Red Teaming / Incident Response exercise
NTT Data (Update):
- I’m sure everyone knows it: one of the largest providers, HQ in Japan, 7,500 security employees. In the final stages of consolidating all security services (so far somewhat fragmented across different legal entities and customer contacts)
- 49 SOC locations worldwide, in the EU: Italy, Romania, Sweden
- Reference customers in the DACH region: EON, …
- In addition to Splunk and Exabeam, Elastic can also be used as a SIEM
- The briefing focused on the new MDR/MSOC offering SamurAI:
- Highly standardized, with a focus on SMEs. I had the impression that the Arctic Wolf concept was the inspiration here
- In-house developed EPP/EDR agents, Suricata-based NTA as VM, log collectors and central SIEM/SOAR platform
- In addition, connectors for many common security tools including OT NIDS / firewalls / CNAPP. Even Kubernetes workloads are monitored as part of the service at no additional cost (via Falco), ditto WAF and SAP applications
- Onboarding possible in ~2 weeks, example with > 1 TB/day log volume shown
- Licensing based only on the number of endpoints, as long as the log volume per endpoint stays below 5 GB/month. Data retention is 400 days as standard. Example quote for a customer with 4,500 endpoints was ~EUR 360 thousand/year
- OT NIDS can also be connected
- Analysts are based in Sweden, all customer data remains in the EU
- So far everything in English
- No breach warranty, may still come
- DFIR retainer optional as add-on, as well as concierge service
- CTI also based on own analyses / NTT Internet Backbone (similar to Orange)
- Customer size between 50 and 11,000 employees
Netskope (Update):
- Since the IPO at the latest, most people are probably familiar with this – in addition to DLP/CASB/SWG, now also DSPM, SSPM, ZTNA, SD-WAN, Enterprise Browser, Remote Browser Isolation. Main competitors: Zscaler, PAN, Cato, Fortinet
- ~4,500 corporate customers (e.g. Mercedes, ZF, Novartis, a large health insurance company in Germany), ~3,000 employees, ~150 data centers worldwide, 4 of them in China (self-operated) for Chinese customer locations.
- EU data centers are C5 certified, customers can also choose to use them exclusively
- One of the few vendors that recommends also inspecting M365 traffic (instead of bypassing it to avoid latency)
- All features / policies configurable via the same GUI
- Patented approach to inspecting traffic despite certificate pinning: the session key is read from the client’s memory. So far, it only works with Google Drive, but is to be expanded
- In general, traffic interception can use either the customer’s own CA or Netskope’s
- Enterprise Browser (similar to Island): redacts sensitive data, prevents copy+paste/upload/download, etc. Block popups can be adapted to the company (e.g. with instructions for employees on obtaining approval, or awareness snippets when using ChatGPT)
- Of course, integrations (especially for risk signals) with all common IAM/PAM/EDR/SIEM/email filter/CRM tools. There are also special “Cloud Taps” for NDR to forward the flows
- Managed Service Partner in the DACH region, esp. Eviden + Deloitte
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or search in vain for the AI that writes these texts.
Many greetings + again all the best for the new year
Jannis Stemmann
