Is Your Security Stack Actually Working? We Test It With Real Attacks.

What it does well: Palo Alto Networks produces arguably the most capable next-generation firewall on the market. App-ID provides genuine application-layer visibility that most competitors cannot match. Threat Prevention signatures are updated frequently and detection rates against known threats are consistently high. The management interface through Panorama is mature and policy hierarchy is well-structured for large deployments. WildFire sandboxing catches a meaningful percentage of novel malware.

Where it consistently fails in testing: Rule sprawl is the dominant finding. Organizations accumulate thousands of rules over years of operation and no one audits them. We routinely find rules created for temporary projects that were never removed, overly permissive "any-any" rules buried deep in the policy set and SSL decryption exceptions that effectively blind the firewall to encrypted threats. GlobalProtect VPN configurations frequently allow split tunneling that bypasses inspection entirely. Cloud egress rules in environments with hybrid infrastructure are almost always too permissive.

Recommended validation approach: Full firewall rule audit combined with ShadowTap internal testing. We test App-ID accuracy against evasive application traffic, verify SSL decryption coverage, validate zone protection configurations and confirm Threat Prevention profiles are applied consistently across all policy rules. External testing validates GlobalProtect and any published services.

Read the full Palo Alto validation page · Get a Palo Alto validation assessment

What it does well: SonicWall provides genuine enterprise-grade protection at price points accessible to mid-market organizations. The RFDPI (Reassembly-Free Deep Packet Inspection) engine handles high throughput efficiently. SonicOS 7 is a significant improvement over prior generations and the management interface has matured considerably. For organizations that need solid perimeter security without a six-figure firewall budget, SonicWall delivers real value.

Where it consistently fails in testing: Firmware update cadence is the critical issue. SonicWall appliances in the field frequently run firmware versions 12 to 18 months behind current releases. This creates CVE exposure windows that are well-documented and actively exploited. SSLVPN has been the target of multiple critical vulnerabilities in recent years and many deployments still expose it to the public internet with outdated firmware. DPI-SSL (SSL inspection) is frequently disabled because of certificate deployment complexity, which means encrypted traffic passes uninspected. GMS (Global Management System) in multi-site deployments often has default or weak credentials.

Recommended validation approach: External validation first, focusing on SSLVPN exposure and firmware version. Internal validation with ShadowTap to test DPI effectiveness and rule enforcement. Configuration audit to identify default credentials, unused rules and subscription status for threat intelligence feeds.

Read the full SonicWall validation page · Get a SonicWall validation assessment

What it does well: Fortinet offers one of the broadest unified threat management (UTM) feature sets in the industry. FortiGate appliances provide firewall, IPS, antivirus, web filtering, application control and sandboxing in a single platform. Hardware-accelerated performance through custom ASICs means features can be enabled without the throughput penalties common on competing platforms. FortiGuard threat intelligence is updated frequently and the Security Fabric concept provides genuine cross-product visibility when properly configured.

Where it consistently fails in testing: The breadth of features creates a specific problem: enabling all UTM features simultaneously causes performance degradation that administrators resolve by disabling features rather than right-sizing the appliance. We regularly find FortiGate deployments where IPS is disabled on high-traffic interfaces, where antivirus scanning is set to flow-based rather than proxy-based (significantly reducing detection) and where SSL inspection is limited to specific categories rather than applied broadly. VDOM (virtual domain) segmentation in multi-tenant environments frequently has inter-VDOM routing that undermines the intended isolation. FortiOS has also had its share of critical CVEs in SSL VPN and management interfaces.

Recommended validation approach: Configuration audit to verify which UTM features are actually enabled and in what mode. ShadowTap internal testing to measure real detection rates with the current configuration under production load. Performance baseline testing to determine whether the appliance is appropriately sized for full UTM feature enablement.

Read the full Fortinet validation page · Get a Fortinet validation assessment

What it does well: Cisco's security portfolio benefits from deep integration with Cisco networking infrastructure. Firepower provides legitimate next-generation firewall and IPS capabilities. Meraki simplifies management for distributed environments. ISE delivers network access control that integrates with Active Directory and provides posture assessment. For organizations already running Cisco networking, the platform approach reduces integration complexity and provides a single management plane across multiple security functions.

Where it consistently fails in testing: The platform approach creates product silos. ASA, Firepower, Meraki and ISE each have their own policy engines and their own management interfaces. Policies defined in one product do not automatically translate to another. We consistently find organizations where the ASA allows traffic that Firepower should inspect but does not because the policy integration was never completed. Meraki deployments in branch offices frequently operate with more permissive defaults than the centralized Firepower deployment at headquarters, creating inconsistent security posture across sites. ISE posture policies often allow non-compliant devices onto the network with limited restrictions that are insufficient to prevent lateral movement. Firepower in passive mode is a particularly common finding. The IPS is deployed but not enforcing.

Recommended validation approach: Multi-product audit that tests policy consistency across all deployed Cisco security products. ShadowTap testing from multiple network segments to identify gaps between products. ISE posture bypass testing. Firepower enforcement mode verification.

Read the full Cisco validation page · Get a Cisco validation assessment

What it does well: CrowdStrike Falcon is one of the strongest endpoint detection and response (EDR) platforms available. The cloud-native architecture means signature updates and behavioral models are current without requiring on-premises infrastructure. Detection of known malware, fileless attacks on managed endpoints and credential theft techniques is consistently strong. The Falcon OverWatch managed threat hunting service adds a human layer that catches threats the automated engine misses. For organizations that deploy it across all endpoints, CrowdStrike provides genuine protection.

Where it consistently fails in testing: CrowdStrike is an endpoint product. It sees what happens on endpoints where the agent is installed. It does not see network traffic. East-west lateral movement between managed endpoints may be detected through endpoint telemetry, but lateral movement from unmanaged devices (BYOD, IoT, OT systems, legacy servers that cannot run the agent) is invisible. We consistently find environments where CrowdStrike coverage is 70-85% of endpoints, with the remaining 15-30% being devices that cannot run the agent or were missed during deployment. Those unmanaged devices become the attacker's operating base. Policy exclusions created for business applications also accumulate over time and create detection gaps that are difficult to audit through the console alone.

Recommended validation approach: Endpoint validation to test detection against MITRE ATT&CK techniques on managed endpoints. Network validation with ShadowTap to test visibility gaps from unmanaged devices. Coverage audit to identify endpoints without the agent and policy exclusion review to find unnecessary exceptions.

Read the full CrowdStrike validation page · Get a CrowdStrike validation assessment

What it does well: SentinelOne's autonomous detection and response model is genuinely differentiated. The agent makes local decisions about threat remediation without requiring cloud connectivity, which means response times are measured in milliseconds rather than minutes. The ransomware rollback feature is legitimately useful when it works as intended. Storyline technology provides clear attack visualization that helps analysts understand the full scope of an incident. For organizations without a 24/7 SOC, the autonomous model provides a meaningful layer of protection that does not depend on human response time.

Where it consistently fails in testing: Rollback is the headline feature but it has documented limitations. Encrypted payloads that destroy the Volume Shadow Copy service before encrypting files cannot be rolled back. Some ransomware families specifically target the SentinelOne rollback mechanism. Policy exclusion sprawl is a significant issue because application compatibility exclusions are frequently created during deployment and rarely audited afterward. We find organizations with dozens of exclusions that effectively blind the agent to activity in critical directories. The autonomous model also creates a false sense of security. Organizations assume "autonomous" means "complete" and reduce their investment in detection engineering and threat hunting.

Recommended validation approach: Ransomware simulation testing against the deployed configuration including rollback verification with multiple payload types. Policy exclusion audit. Living-off-the-land binary (LOLBin) testing to validate behavioral detection beyond signature-based identification. Coverage audit for agent deployment gaps.

Read the full SentinelOne validation page · Get a SentinelOne validation assessment

What it does well: Sophos Synchronized Security is a genuinely innovative concept. When the firewall (XG/XGS) and endpoint protection (Intercept X) communicate through the Security Heartbeat, compromised endpoints can be automatically isolated at the network level. This provides a response speed that manual SOC processes cannot match. Intercept X provides strong endpoint protection with legitimate deep learning models for malware detection. Central Cloud Management simplifies administration for organizations with limited security staff. For mid-market organizations that deploy both the firewall and endpoint product, the synchronized approach provides real value.

Where it consistently fails in testing: Synchronized Security depends on correct configuration of both the firewall and endpoint components. When the Security Heartbeat breaks, and it breaks more often than Sophos documentation suggests, the synchronized response fails silently. The firewall continues operating and the endpoint continues operating, but the automatic isolation that justified the architecture no longer functions. We find heartbeat failures caused by network segmentation changes, firewall firmware updates that break the heartbeat protocol and endpoint agent updates that require heartbeat re-registration. SSL/TLS inspection on XG/XGS is frequently disabled due to certificate trust issues, leaving encrypted traffic uninspected. Web filtering categories are often too broadly permitted because administrators add exceptions for user complaints without reviewing aggregate policy impact.

Recommended validation approach: Integration validation that tests Security Heartbeat functionality end-to-end under realistic conditions. ShadowTap testing to verify that synchronized isolation actually triggers when a rogue device appears on the network. SSL inspection coverage audit. Web filtering bypass testing.

Read the full Sophos validation page · Get a Sophos validation assessment

What it does well: Check Point pioneered the stateful firewall and their current next-generation firewall remains one of the most capable platforms available. Threat Prevention blades (IPS, Anti-Bot, Anti-Virus, Threat Emulation, Threat Extraction) provide thorough protection when fully licensed and properly configured. SmartConsole provides a mature management interface that experienced administrators find efficient. R81.x introduced unified policy management that simplifies what was previously a complex multi-blade policy structure. For organizations with dedicated security teams, Check Point provides granular control that other platforms sacrifice for simplicity.

Where it consistently fails in testing: Blade licensing is the most consistent finding. Check Point's blade architecture means each security function requires a separate license. We regularly find deployments where Threat Prevention blades are not licensed, where Threat Emulation (sandboxing) was purchased but never activated, or where blade licenses have expired and the gateway continues operating with reduced protection without generating management alerts. Policy ordering in large rule bases creates evaluation issues where overly permissive rules near the top of the policy short-circuit more restrictive rules below. SmartConsole database synchronization between management servers and gateways occasionally fails, creating a gap between the policy the administrator sees and the policy the gateway enforces. CloudGuard posture management for cloud infrastructure frequently drifts from intended baselines without generating alerts.

Recommended validation approach: License audit to verify all purchased blades are activated and current. Configuration audit to verify Threat Prevention profiles are applied to all relevant rules. Policy optimization review. ShadowTap internal testing to validate actual detection rates. CloudGuard posture drift assessment for cloud deployments.

Read the full Check Point validation page · Get a Check Point validation assessment

What it does well: Zscaler's cloud-native architecture genuinely eliminates the need for traditional VPN in many use cases. ZIA (Zscaler Internet Access) provides consistent web security regardless of user location, which is a real advantage for distributed workforces. ZPA (Zscaler Private Access) provides application-level access without exposing the network, which is a meaningful security improvement over traditional VPN. The zero trust model, when properly implemented, reduces the attack surface substantially. For organizations moving to a cloud-first architecture with a distributed workforce, Zscaler addresses real architectural challenges.

Where it consistently fails in testing: Split tunneling is the dominant finding. Organizations deploy Zscaler to inspect web traffic but exclude specific applications, cloud services or IP ranges from inspection for performance or compatibility reasons. Each exclusion is a bypass path. PAC file configurations on endpoint devices frequently contain errors or legacy entries that route traffic around Zscaler entirely. ZPA application segmentation policies are often too broad, granting access to entire subnets rather than specific applications, which undermines the zero trust model. Client Connector (the endpoint agent) tamper protection is sometimes disabled for troubleshooting and never re-enabled. Organizations that deploy Zscaler alongside legacy VPN infrastructure frequently have both active simultaneously, creating parallel access paths that bypass Zscaler's inspection entirely.

Recommended validation approach: ZTNA bypass testing to identify all paths that circumvent Zscaler inspection. PAC file and Client Connector configuration audit. ZPA application segmentation review. Split tunnel policy analysis. ShadowTap testing from inside the network to validate that east-west traffic is still monitored by complementary network detection tools, since Zscaler does not inspect internal network traffic.

Read the full Zscaler validation page · Get a Zscaler validation assessment

What it does well: Darktrace's unsupervised machine learning approach to network detection is genuinely different from signature-based alternatives. The Enterprise Immune System builds a behavioral model of every device and user on the network and alerts on deviations from that model. This means Darktrace can detect novel threats that have no signature, which is a legitimate capability gap in traditional NIDS platforms. Antigena (autonomous response) can contain threats at network speed without human intervention. For organizations that need network-level visibility without maintaining signature databases, Darktrace provides a distinct approach.

Where it consistently fails in testing: The behavioral model is both Darktrace's strength and its weakness. Low-and-slow lateral movement that stays within the learned behavioral norms of the network does not trigger alerts. If an attacker operates during business hours, uses protocols that are normal for the environment and keeps data transfer volumes within expected ranges, Darktrace's model accepts the activity as normal. Encrypted command-and-control traffic that uses standard HTTPS to legitimate cloud services (a technique we test extensively) is consistently missed because it looks like normal cloud application traffic. DNS tunneling at low bit rates falls below detection thresholds. The training period is also a vulnerability. Attackers who are already present during the initial learning period have their activity incorporated into the baseline as normal behavior. Alert fatigue is a practical issue. Darktrace generates a high volume of informational alerts and organizations without dedicated analysts to tune the system experience significant noise.

Recommended validation approach: ShadowTap deployment combined with manual testing specifically designed to operate within behavioral norms. Encrypted C2 testing. DNS tunneling at various bit rates. Low-and-slow lateral movement over extended time periods. Antigena response validation to confirm autonomous containment functions as configured.

Read the full Darktrace validation page · Get a Darktrace validation assessment