Author: NSS Labs

Beyond Assumptions: Why Validation is the Next Frontier in Cybersecurity Defense

Posted on by NSS Labs

Last week, CISA published an incident response report detailing how a federal civilian executive branch (FCEB) agency was breached through exploitation of a known and documented vulnerability in GeoServer (https://www.cisa.gov/news-events/alerts/2025/09/23/cisa-releases-advisory-lessons-learned-incident-response-engagement). This was not a “sophisticated zero-day,” but a widely reported weakness defenders have been aware of for some time (https://nvd.nist.gov/vuln/detail/cve-2024-36401).

This breach underscores a sobering reality: attackers don’t need innovation when defenders rely on assumptions.

Known Exploits, Unknown Effectiveness

Each time an advisory like this is released, many CISOs and CTOs are left asking the same question: “Would this have worked against us?”

The uncomfortable truth is that in many environments, the answer is uncertain. Security leaders often deploy products with the expectation of protection, but without direct validation, those expectations may not hold under real-world attack conditions.

This is why we at NSS Labs regularly evaluate security products against actual exploit samples going as far back as 10 years—including the very vulnerability used in this breach. That type of validation gives defenders evidence, not just hope, that their technologies will withstand known threats.

The Flaw in “Defense-in-Depth by Assumption”

Defense-in-depth is a well-established strategy. Multiple layers of technology—firewalls, intrusion prevention, endpoint agents, and monitoring—create redundancy and resilience. But the mere presence of these controls is not enough.

  • Deployment ≠ Effectiveness. A product installed in the stack doesn’t guarantee it will perform as intended.
  • Context Matters. Effectiveness depends on how controls are configured, tuned, and integrated into the environment.
  • Silent Gaps Exist. Without validation, security teams may not realize that certain attack vectors bypass defenses entirely.

The CISA advisory makes clear: organizations cannot rely on “best practice” architectures alone. They must prove their defenses actually work.

Validation as the Next Frontier

Cybersecurity has long emphasized the importance of prevention and detection. The next frontier is validation: treating effectiveness as a measurable, verifiable outcome.

Validation is not theoretical—it’s practical. The critical difference between assumption and assurance is data. Testing security products against real exploits, simulating adversarial behavior, and quantifiably measuring whether defenses hold provides assurance that investment translates into protection. Independent testing bodies such as NSS Labs help provide this evidence, bridging the gap between vendor claims and operational reality.

A Practical Checklist for CISOs

Security leaders looking to strengthen their posture against known vulnerabilities can use the following framework:

  1. Inventory What Matters
    1. Catalog critical applications, platforms, and workloads.
    2. Prioritize those most tied to mission outcomes.
  2. Map Defenses to Assets
    1. Identify which controls protect which workloads.
    2. Look for overlaps, blind spots, and single points of failure.
  3. Validate Against Exploit Samples
    1. Test defenses against real-world exploits and malware, not just lab simulations.
    2. Leverage independent testing where available.
  4. Simulate Adversarial Behavior
    1. Ensure that each component in the defensive chain is independently tested and validated.
    2. Focus on tactics, techniques, and procedures (TTPs) that correspond to those utilized by threat actors in the current threat landscape.
  5. Make Validation Continuous
    1. Move from one-time testing to an ongoing validation cycle.
    2. Adjust configurations, patching, and investments based on results.

Final Thoughts

The lesson from this breach is clear: known vulnerabilities remain one of the most significant risks to enterprise security. Defense-in-depth alone is insufficient if it is built on untested assumptions.

The industry must embrace validation as a core pillar of cybersecurity strategy. By demanding measurable proof of effectiveness—through independent testing, adversarial approaches, and continuous validation—CISOs and CTOs can move from assumption to assurance.

The goal is simple yet profound: to ensure that when the next advisory is issued, leaders can answer with confidence:

“Yes—our defenses will hold.”

Futuriom: NSS Labs Launches Managed Cybersecurity Test Platform

Posted on by NSS Labs

The recently relaunched NSS Labs has released Minion by NSS Labs, a managed platform designed to validate the performance of cybersecurity products for service providers, enterprises, and vendors.

The remotely managed offering relieves customers of the burden of in-house testing while providing in-depth, objective validation of security products—a must, given the proliferation of cybersecurity threats in today’s AI-oriented environments.

“Security leaders need tools that let them compare and justify cybersecurity decisions with real evidence,” stated Ian Foo, Chief Technology Officer and EVP of Product, in a press release. “Our new data platform will modernize the way we share test data so that enterprises can make faster, smarter decisions across the organization.”

Minion Addresses the Needs of Three Markets

With Minion, NSS Labs is fulfilling a major need among cybersecurity customers of all types—namely, to get an unbiased, real-world view of the actual performance of products before they hit the network. To reach this goal, the platform offers a range of features that meet the requirements of three distinct constituencies.

Read the full article here: https://www.futuriom.com/articles/news/nss-labs-launches-managed-cybersecurity-test-platform/2025/08

NSS Labs Introduces Minion, a Managed Security Testing Service for Enterprises, Service Providers, and Cybersecurity Vendors

Posted on by NSS Labs

LAS VEGAS, NV– August 5, 2025. NSS Labs, the leading authority in independent cybersecurity product validation, today announced the launch of  Minion by NSS Labs, a managed, security testing platform developed by NSS Labs to independently validate real-world performance of security products. It delivers third-party validation of security controls through rigorously designed and remotely executed testing cycles—all without the operational burden of in-house test management.  

Minion by NSS Labs: Built for Three Critical Audiences 

Minion for Enterprises 

Minion supports CISO, CIO, Chief Risk Officer, and CEO priorities by testing to ensure that deployed or procured security products meet performance claims and policy goals. Test outputs can be integrated into broader Governance, Risk and Compliance practices and security performance dashboards. 

Minion for Service Providers and Managed Service Providers 

Service Providers (SPs) and Managed Service Providers (MSPs) can use Minion to validate OEM-based or proprietary security solutions under real-world threat conditions. This helps accelerate time-to-market, differentiate in competitive markets, develop roadmap priorities, and ensure continuous service quality for regulated customers – all backed by objective test data. 

Minion for Cybersecurity Vendors 

Designed originally for enterprise buyers and risk officers, Minion offers cybersecurity vendors a unique opportunity: external, objective testing that aligns with the evolving needs of procurement teams, GRC mandates, and competitive product positioning. 

“Our goal is to provide transparency into the effectiveness of cybersecurity products,” said Vikram Phatak, CEO. “Minion delivers high-impact answers with speed and scale. Cybersecurity professionals will know if the products they rely on are working.”   

NSS Labs is also introducing its interactive data platform during DEF CON 33 in Las Vegas. The platform will provide users with self-service access to test results, enabling interactive exploration, comparison, and decision support through a visual, executive-ready interface. 

Executives from NSS Labs will demo the platform and gather feedback during Networking Bar sessions: 

  • Friday, August 8, from 11:00 AM – 2:00 PM
  • Saturday, August 9, from 12:00 PM – 2:00 PM

“Security leaders need tools that let them compare and justify cybersecurity decisions with real evidence,” said Ian Foo, Chief Technology Officer and EVP of Product. “Our new data platform will modernize the way we share test data so that enterprises can make faster, smarter decisions across the organization.” 

Futuriom: NSS Labs Is Back! And That’s a Great Thing

Posted on by NSS Labs

It’s important to have quality independent testing of technology. That’s why I think it’s great that technology testing firm NSS Labs has been relaunched as NSS Labs 2.0.

Originally founded in 2007, NSS Labs was a respected testing firm that filled a vital role in independent testing for many years, putting out detailed testing of firewalls and other networking and security products from the top vendors. The original NSS Labs was taken over by a private equity company in 2019 and shuttered in 2020.

The reimagined NSS Labs has been created by original founder Vikram Phatak, who will now serve as the CEO of the new NSS Labs.

Read the full article here: https://www.futuriom.com/articles/news/nss-labs-is-back-and-thats-a-great-thing/2025/07

SDxCentral: Security testing firm returns as NSS Labs 2.0

Posted on by NSS Labs

NSS Labs relaunched with a new ownership structure and leadership, seeing a return for the security testing firm after its dissolution in 2020.

Founder Vikram Phatak returns as CEO for what’s being dubbed as NSS Labs 2.0, with the firm announcing it is now “wholly owned and operated by its senior partners and executive team.”

That team continues a crossover with CyberRatings.org, where NSS Labs has been named the official testing partner as part of its return to operations.

Since 2022, the non-profit, which publishes public test results and research on cybersecurity tech, has offered The NSS Labs archive, a library of material from NSS’s operations prior to its dissolution.

Additionally, Cathy Main joins NSS as chief marketing and communications officer whilst continuing in the role of president at CyberRatings.org.

With its return, NSS Labs says it is tailoring confidential, data-driven testing services to enterprises, security vendors and service providers.

Read the full article here: https://www.sdxcentral.com/news/security-testing-firm-returns-as-nss-labs-20/