For HomeFor BusinessFor Partners
SMB Security Enterprise Security Endpoint Detection and Response Independent Testing
min read

AV-Comparatives Test: Bitdefender, Best at Stopping Threats Before They Start

Richard De La Torre
Richard De La Torre

November 10, 2025

AV-Comparatives Test: Bitdefender, Best at Stopping Threats Before They Start

Stop a threat before it executes, and you maintain business continuity. Respond after it runs, and you increase the odds of business disruption and costly remediation. Security solutions vary significantly in their ability to block threats pre-execution, and the latest AV-Comparatives Enterprise Advanced Threat Protection test quantifies this gap in stark terms: Bitdefender blocked 87% of threats at the pre-execution stage, while other vendors blocked just 36% of attacks pre-execution, on average. This 51-percentage-point advantage reveals more than superior detection rates—it demonstrates a fundamental architectural difference in how security solutions approach protection.   

Pre-execution blocking eliminates threats before they can establish persistence, exfiltrate data, or move laterally through networks. It’s like stopping a thief at the door instead of chasing them once they are already inside.  

Stopping an attack at the pre-execution stage also removes the window of vulnerability that exists between initial file execution and behavioral detection, a window that modern attackers exploit with increasing sophistication. For security teams, this prevention-first approach translates directly into reduced incident response costs, minimized downtime, and fewer emergency escalations.  Bitdefender’s outstanding results are not new; we’ve demonstrated the highest pre-execution protection of any vendor for the last several years, as AV-Comparatives has conducted these tests.  

Focusing on Advanced Persistent Threats 

Among the most dangerous methods used by cybercriminals is the use of Advanced Persistent Threat techniques. By gaining access to an organization’s networks, threat actors can create accounts with elevated privileges, move laterally across networks, plant ransomware, exfiltrate sensitive data, and compromise partner organizations through supply-chain attacks. The longer a threat actor remains within an organization, the more damage they can do. Understanding the threat posed by APTs, AV-Comparatives focuses the Enterprise Advanced Threat Protection tests on the Tactics, Techniques, and Procedures (TTPs) associated with these attacks.  

AV-Comparatives' Enterprise ATP Test represents one of the most rigorous evaluations in cybersecurity testing. The 2025 test was performed on fully-patched Windows 11 systems using 15 distinct attack scenarios incorporating: 

  • Fileless attacks that operate solely in memory to evade traditional detection
  • Multiple delivery vectors including spear-phishing, trusted relationships, and removable media
  • Advanced evasion techniques such as user-mode unhooking, event tracing manipulation, and shellcode obfuscation
  • Commercial attack frameworks like Metasploit and PowerShell Empire
  • Diverse payload types including .EXE, .VBS, .JS, .CPL, .SCR, .CHM, .HTA, .LNK, .PIF, and .DLL files

Each test case attempted to establish a Command-and-Control (C2) channel, simulating a successful breach. If the security product allowed this connection, the system was considered compromised – representing a genuine business risk.  The tests also included an evaluation of false positives.  When dealing with threat persistence, it’s important that security teams focus on genuine alerts rather than chasing ghosts. Maintaining a low rate of false positives is important in reducing the overall threat dwell time and decreasing alert fatigue for security teams. 

Exploring the Results of the Tests 

Only six vendors participated in this year’s test. Among them were Bitdefender, Avast, CrowdStrike, ESET, Kaspersky, and NetSecurity. Each vendor provided a copy of their enterprise product, and these were configured according to the vendor’s specifications for the test.  

vendor-advanced-threat-protection1

Figure 1: Bitdefender achieved perfect scores across all 15 tests 

Bitdefender was one of three vendors to completely block the attack and prevent any C2 connection from being established. Stopping a cyber-attack at the initial access phase is critical because it immediately nullifies the attacker's foothold, preventing resource expenditure on deeper defenses and preserving the integrity of the entire operational environment.  While those results are admirable on their own, in AV-Comparative's own words, “The intention of the test is to focus on early detection and prevention”, and so they further analyzed at what stage in the attack the threat was blocked.  

Bitdefender Stops More Attacks at Pre-Execution 

While achieving a perfect score is impressive, how Bitdefender achieved this protection reveals an even more significant security advantage. The test measured not just whether threats were blocked, but when they were intercepted: 

  • Pre-execution (PRE): Threat detected before running (static analysis)
  • On-execution (ON): Threat detected immediately after running (dynamic analysis)
  • Post-execution (POST): Threat detected after actions were recognized (in-memory detection)

Bitdefender's Detection Timeline: 

  • 13 of 15 threats (87%) blocked at pre-execution
  • 2 of 15 threats (13%) blocked at on-execution
  • 0 threats required post-execution detection

This pre-execution dominance represents the strongest proactive defense posture among all tested vendors: 

advancet-threat-protection-evaluation2

Figure 2: Bitdefender stopped more attacks at pre-execution than any vendor... again 

This achievement isn’t new for Bitdefender. Since AV-Comparatives began this test in 2021, Bitdefender has consistently led all vendors in stopping attacks at pre-execution. That includes test results from 2021202220232024, and the present 

Why Pre-Execution Protection Matters 

As AV-Comparatives notes in its report: "In our opinion, the goal of every AV/EPP/EDR system should be to detect and prevent attacks or other malware as soon as possible... A good burglar alarm should go off as soon as someone breaks into your home. It should not wait until they start stealing." 

When threats are blocked before execution, no malicious code ever runs on the endpoint. This means: 

  • No opportunity for memory manipulation or process injection
  • No potential for data exfiltration, even momentarily
  • No system resources consumed by malicious processes
  • No possibility of persistence mechanisms being established
  • No possibility of files being encrypted or destroyed by ransomware 

By stopping the attack before it reaches the initial stage, the threat actor’s playbook is rendered unserviceable, leaving them to look for a victim elsewhere.  

Bitdefender’s Strong Commitment to Proactive Protection 

Bitdefender's exceptional pre-execution performance stems from a multi-layered approach.  It includes deep file inspection using machine learning models trained on millions of malware samples. Adversarial AI is trained to identify obfuscated payloads, analyze execution chains before processes launch, recognize anomalous behavior, and identify malicious intent without relying on known indicators. It all happens within nanoseconds to protect and alert security teams of the potential danger without bogging them down with false alarms.   

Pre-execution protection against malicious payloads is only part of the story. Threat actors are increasingly exploiting Living-off-the-Land (LOTL) techniques that use an organization's own tools against itself. A Bitdefender analysis of 700,000 major security incidents found that 84% of high-severity attacks utilized LOTL techniques.

This type of proactive security becomes paramount in the effort to keep threat actors at bay. This is why Bitdefender released revolutionary attack surface reduction in the form of GravityZone PHASR (Proactive Hardening and Attack Surface Reduction). Using unique machine-learning models created on each individual endpoint, PHASR learns each user and application’s behavior and proactively restricts access to admin tools or specific operations within them when deemed unnecessary. This technology deprives threat actors of the very utilities they need to perform their malicious attacks. Available as both a part of the unified GravityZone platform and as a stand-alone product to complement existing security solutions, PHASR dynamically reduces the attack surface of your organization. 

Conclusion 

The multi-billion dollar cyber-crime industry targets organizations of all sizes. Organizations need security solutions that don't just react to attacks – they need platforms that prevent breaches before they happen. For leaner security teams, it’s even more critical that threats are blocked early to reduce the need for remediation efforts. Bitdefender's perfect 15/15 score in the 2025 ATP Test, combined with the industry-leading 87% pre-execution detection, validates this proactive approach. A proactive strategy transforms security from a necessary expense into a sustainable competitive advantage that outpaces evolving adversary tactics. This prevention-first strategy also contributed to Bitdefender achieving the highest protection rate while having the lowest cost of ownership in the latest AV-Comparatives Endpoint Prevention & Response test 

To learn more about Bitdefender’s proactive approach to security, request a demo with one of our qualified engineers, or explore our solutions and services at your own pace to see how Bitdefender can help secure your organization. 

tags

SMB Security Enterprise Security Endpoint Detection and Response Independent Testing

Author

Richard De La Torre

Richard De La Torre

My name is Richard De La Torre. I’m a Technical Marketing Manager with Bitdefender. I’ve worked in IT for over 30 years and Cybersecurity for almost a decade. As an avid fan of history I’m fascinated by the impact technology has had and will continue to have on the progress of the human race. I’m a former martial arts instructor and continue to be a huge fan of NBA basketball. I love to travel and have a passion for experiencing new places and cultures.

View all posts

Right now Top posts

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
Enterprise Security Threat Research Advanced Persistent Threats Threat Intelligence

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

September 17, 2025

Why Alert Volume Matters: Cutting Through the Noise
Endpoint Protection & Management

Why Alert Volume Matters: Cutting Through the Noise

February 27, 2025

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again
Ransomware Threat Research Threat Intelligence

ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again

November 13, 2024

5 Approaches to Counter a Cybercriminal’s Growing Arsenal
Enterprise Security Threat Research

5 Approaches to Counter a Cybercriminal’s Growing Arsenal

November 06, 2024

FOLLOW US ON SOCIAL MEDIA

SUBSCRIBE TO OUR NEWSLETTER

Don’t miss out on exclusive content and exciting announcements!

You might also like

AV-Comparatives Test: Bitdefender, Best at Stopping Threats Before They Start
SMB Security Enterprise Security Endpoint Detection and Response Independent Testing

AV-Comparatives Test: Bitdefender, Best at Stopping Threats Before They Start
Richard De La Torre
Richard De La Torre

November 10, 2025

What’s New in GravityZone November 2025 (v 6.68)
SMB Security Enterprise Security

What’s New in GravityZone November 2025 (v 6.68)
Grzegorz Nocoń
Grzegorz Nocoń

November 07, 2025

Bring Every Signal Into Focus With GravityZone Security Data Lake
Business Insights

Bring Every Signal Into Focus With GravityZone Security Data Lake
Kevin Gee
Kevin Gee

November 05, 2025

Bookmarks

loader