
Beyond Certification: The Role of Evaluations in Real-World Cybersecurity Testing

Certifications versus Evaluations

As we continue to talk about our testing portfolio and look ahead to an exciting 2025, it’s the perfect time to delve into the topic of certifications and evaluations. What do they entail? How can they benefit your organization? What are their roles in cybersecurity? And what are their respective strengths and limitations? Let’s explore these questions to better understand their value.


What are they?


Certifications are usually formal, standardised acknowledgements by recognised bodies that validate that a product complies with a specific set of standards and requirements. They are typically obtained through audits (e.g. ISO 27001) or standardised assessments to demonstrate credibility and compliance to external stakeholders.


In the security vendor world, common certification requirements are those of the Microsoft Virus Initiative or VirusTotal. These follow requirements established by their respective stakeholders.


Evaluations are usually comprehensive assessments designed to test the effectiveness and real-world application of a security product. They allow for more extensive testing, tailored to the needs of an industry or an organisation. They can serve a multitude of purposes, such as validating a new approach, uncovering vulnerabilities or improving the security posture against real-world threats. Rather than adhering to a fixed standard that can sometimes be slow to update, evaluations can have far more extensive and unique tradecraft in place, hardening security vendors against the multitude of attack methods.


Probably the most prevalent evaluations in the security testing world are the MITRE Engenuity ATT&CK evaluations. These offer extensive testing for enterprise-focused vendors to showcase their capabilities against the chosen APT for the attack series.


How do they compare?


Certifications and evaluations are complementary, and while they sometimes get lost under the same “testing” umbrella, how they are operated, from both the tester's and the participant's side, differs quite a lot. Certifications are usually easier to start with and predictable, as they follow a well-established standard. It’s important to set expectations when engaging in an evaluation, as these can be a lot more intensive for both sides, but when executed correctly the benefits from both an engineering and a marketing perspective are tremendous.


Evaluations are the tests that can really push the needle in terms of product improvement while showcasing a product's capabilities in real-world applications.

 

Ready to take your cybersecurity defences to the next level? Our tailored evaluations go beyond checklists to simulate real-world threats. Gain actionable insights, validate your security measures, and build confidence in your defences. Partner with us to stay ahead of evolving threats—join one of our evaluation programs today!

