InsideCybersecurity: Cyber Assessment Firm Identifies Evasion Vulnerabilities in Enterprise Firewall Products

A nonprofit cyber assessment firm found vulnerabilities in the ability of widely used enterprise firewall products to block transport and network-layer evasions commonly deployed by cyber attackers, in a report examining the effectiveness of security offerings.

“Enterprise Firewalls are constantly evolving to combat new attacker techniques and tools but sometimes that evolution takes a wrong turn. A vendor can have a near-perfect detection engine but if attackers can bypass that engine it gives them a clear path through your defenses,” CyberRatings.org CEO Vikram Phatak said in a Nov. 5 release.

CyberRatings is a nonprofit organization conducting independent testing of cybersecurity products through its testing partner firm, NSS Labs.

CyberRatings evaluated the “security effectiveness” of seven firewall products in 55 performance tests using 3,326 exploits, 11,311 malware samples, 5,752 evasion techniques in 53 evasion categories and 6,481 false-positive samples, according to the report.

Read the full article here.

SDxCentral: Palo Alto Networks and Fortinet Given All Clear After Firewall Hiccups

Palo Alto Networks and Fortinet have received a clean bill of health for their firewall protections, while the jury is still out on current Cisco defenses.

CyberRatings.org recommended both Palo Alto and Fortinet after new tests confirmed they had patched evasions previously discovered by the security testing firm.

In tests carried out at the start of the month by CyberRatings’ testing partner NSS Labs, researchers found they were able to bypass protection using Layer 4 TCP evasions in both Palo Alto’s PAN-OS (version 11.2.8-c537) and Fortinet’s IPS (v7.01154), as well as Layer 3 IP evasions in the Palo Alto operating system.

Both firms reacted quickly, with Palo Alto developing an updated PAN-OS firmware package (PAN-OS 11.2.10-c37) and Fortinet deploying an updated IPS package (v7.01165 (33.00064)) to fix the vulnerabilities.

Read the full article here.

When Firewalls Fail Gracefully

The latest NSS Labs Enterprise Firewall Comparative Report was published this month and, as usual, provided a deep insight into the state of the enterprise firewall market.

Seven of the most widely deployed products were tested using real-world attack scenarios, enterprise-grade workloads, and adversarial evasion techniques to measure their resilience, reliability, and performance.

The results reveal a security landscape that remains uneven: most products blocked the majority of exploits and malware, but a few stumbled when exposed to modern, and not so modern, evasion techniques.

However, the story doesn’t end with the Comparative Security Map – it is also a case study in vendor accountability. How vendors respond when weaknesses are exposed in independent tests such as this tells us a lot about how they are likely to support their enterprise customers in a pinch. It also tells us how seriously they take engineering challenges that could result in serious failures, or even breaches, when installed in live environments.

Palo Alto Networks and Fortinet, though not the highest-scoring participants, stand out precisely because they treated the findings as an opportunity to rectify shortcomings in their products that could have a serious impact on their customers. Within days of publication, both vendors confirmed patches for the issues identified and scheduled retests for the affected products. That kind of responsiveness deserves as much attention as raw test scores.

The Test That Matters

NSS Labs enterprise-firewall evaluations are the most comprehensive in the industry. The 2025 round measured not only exploit and malware detection, but also resilience against 53 evasion categories, false-positive accuracy, TLS/SSL handling, and sustained throughput under realistic enterprise workloads.

In other words, this isn’t a marketing test with cherry-picked “perfect” network traffic and well-known basic exploits and malware. Each firewall was deployed in-line between trusted and untrusted networks, then stress-tested with:

  • A broad range of “real world” network traffic designed to emulate typical enterprise traffic, both encrypted and plain text.
  • 3,326 exploit samples from vulnerabilities found in the wild in enterprise environments.
  • 11,311 malware samples drawn from active campaigns.
  • 5,752 evasion variations spanning 53 evasion categories, crafted to bypass defenses.
  • 55 performance stress tests spanning HTTP, HTTPS, and UDP traffic, created to measure throughput, stability, and reliability under stress.

This combination produces an in-depth view of security efficacy, together with an evaluation of performance using mixtures of real-world traffic. In today’s enterprise networks, where more than 95 percent of web sessions are HTTPS, it is important for firewalls to be able to handle encrypted traffic.

How the Vendors Fared

Three of the seven firewalls achieved Recommended ratings: Check Point, Juniper Networks, and Versa Networks. All delivered security effectiveness above 99 percent with false-positive accuracy in the high 90s.

Three vendors received Caution ratings: Cisco, Fortinet, and Palo Alto Networks. Their placement wasn’t due to catastrophic malware or exploit detection failures, since each still handled most malicious payloads effectively, but because of critical failures in their ability to resist low-level evasion techniques.

This continues to be an issue today, just as it was at the inception of NSS Labs 1.0 in 2007. You might think that we should be seeing 100% resistance by now, but instead coverage appears to be cyclical. It seems that vendors will work hard to build robust code that handles evasions well, but later engineering teams deprioritize that area of development, or complex new features simply break it.

Two key points are evident:

  1. Evasion handling is a powerful differentiator today, just as it has always been.
  2. Throughput disparities can be significant, especially when encrypted traffic is thrown into the mix.

What Went Wrong—and Right

While malware and exploit detection rates across the board were excellent (most above 99 percent), the evasion results exposed real-world risk. A single missed evasion can allow bad actors to reuse entire classes of exploits, with the malicious traffic going undetected.

Cisco failed one critical TCP-segmentation evasion, reducing its exploit-evasion resistance to 40 percent; Fortinet missed one transport-layer variant, scoring 60 percent; and Palo Alto Networks failed both network and transport-layer categories, resulting in 0 percent exploit-evasion resistance.
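Why one missed transport-layer evasion voids a whole class of signatures, as an added illustration that is not NSS Labs code or test data: a constructed content signature is split across two TCP segments that also arrive out of order, so a matcher that inspects each segment on its own never sees it, while a matcher that reassembles the stream by sequence number does (and reports a gap instead of trusting bytes behind an unseen hole). The `Segment` type, `SIGNATURE` and `REQUEST` are constructed for this example.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes

# Constructed content signature, standing in for an IPS exploit rule.
SIGNATURE = re.compile(rb"X-Test-Exploit: constructed-sample")

def match_per_segment(segments):
    """Naive inspection: each segment's payload is matched in isolation."""
    return any(SIGNATURE.search(s.payload) for s in segments)

def reassemble(segments, isn=0):
    """Rebuild the contiguous byte stream that starts at sequence number isn.

    Out-of-order segments wait until the bytes before them arrive, pure
    retransmissions are dropped, and overlapping bytes never overwrite data
    already accepted.  Real hosts differ in overlap policy, so a firewall
    has to model the protected host's; this one keeps the earlier bytes.
    Returns (stream, starting sequence numbers of segments left behind a gap).
    """
    stream = bytearray()
    expected = isn
    pending = list(segments)
    progressed = True
    while pending and progressed:
        progressed = False
        for seg in list(pending):
            end = seg.seq + len(seg.payload)
            if end <= expected:                  # every byte already accepted
                pending.remove(seg)
                progressed = True
            elif seg.seq <= expected:            # contiguous with the stream
                stream += seg.payload[expected - seg.seq:]
                expected = end
                pending.remove(seg)
                progressed = True
            # else: a hole precedes this segment; keep it buffered
    return bytes(stream), sorted(s.seq for s in pending)

def match_reassembled(segments, isn=0):
    """Stream inspection: match against the reassembled bytes only."""
    stream, _gaps = reassemble(segments, isn)
    return SIGNATURE.search(stream) is not None

def split_stream(data, offsets, isn=0):
    """Constructed helper: cut data into segments at the given byte offsets."""
    cuts = [0, *offsets, len(data)]
    return [Segment(isn + a, data[a:b]) for a, b in zip(cuts, cuts[1:])]

# Constructed sample request carrying the signature in a header.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
           b"X-Test-Exploit: constructed-sample\r\n\r\n")

def evasion_outcome():
    """Split the signature across two segments and deliver them reversed."""
    cut = REQUEST.index(b"Exploit")             # the cut lands inside the signature
    first, second = split_stream(REQUEST, [cut])
    delivered = [second, first]                  # out-of-order arrival
    return {
        "per_segment": match_per_segment(delivered),   # False: never sees the whole string
        "reassembled": match_reassembled(delivered),   # True
        "with_gap": match_reassembled([second]),       # False: hole, nothing trusted
    }
```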

Why Responsiveness Matters

However, it is not the raw test results alone that matter, but how a vendor responds to them. That defines the kind of relationship they are likely to have with their customers, and how seriously they take their engineering mission. In cybersecurity, perfection is fleeting. Every product eventually encounters a configuration bug or parser flaw. What separates mature vendors from pretenders is how quickly and transparently they respond.

Palo Alto Networks and Fortinet publicly acknowledged the test outcomes, issued software updates within a couple of weeks, and scheduled retesting. That is what enterprise customers should be looking for from their security partners: transparency and the willingness to participate in independent tests in the first place, followed by the desire to act on the results of those tests to improve their product expediently where necessary.

NSS Labs urges enterprises to hold vendors accountable and demand transparency. Vendors who view testing as collaboration rather than confrontation will build lasting trust as well as solid products.

Performance Under Pressure

Security effectiveness means little if performance tanks under real workloads. The NSS Labs Rated Throughput metric weights encrypted traffic at 95 percent, mirroring modern conditions. Versa achieved the highest sustained throughput (7.6 Gbps) with strong security; Juniper balanced speed and protection; Fortinet offered excellent value; Palo Alto trailed but excelled in accuracy.

False Positives: The Hidden Cost

NSS Labs replaced its previous price-per-protected-megabit metric with false-positive accuracy as a more meaningful measure of operational overhead. Cisco’s 80 percent accuracy implies legitimate traffic was incorrectly blocked one-fifth of the time, which may cause issues in live deployments. Conversely, Palo Alto, Versa, and Fortinet all exceeded 99 percent false-positive accuracy.

The New Baseline: Encryption Everywhere

With more than 95 percent of global web traffic encrypted, enterprise firewalls need to be able to handle it without suffering significant performance degradation. All firewalls handled decryption properly, but some paid steep penalties in terms of performance. Versa and Juniper maintained 80–90 percent efficiency, while Palo Alto and Cisco lagged near 70 percent.

Beyond the Scoreboard

At first glance, a Caution rating in the CSM might appear damning, but within weeks those numbers will likely change as fixes are validated and re-tested. Resilience isn’t static; what defines market leadership is the ability to recover quickly, transparently, and collaboratively.

Independent testing remains the crucible through which trust is forged. The vendors who embrace scrutiny, fix what’s broken, and invite another round of validation are the ones enterprises should bet their networks on.

Because in the end, cybersecurity isn’t about being flawless. It’s about being fast, honest, and relentless in pursuit of better protection.

CyberRatings.org and NSS Labs Announce Follow-On Enterprise Firewall Results

Austin, TX – November 25, 2025 – CyberRatings.org (CyberRatings), the non-profit organization dedicated to providing confidence in cybersecurity products and services through independent testing, today announced Follow-On Test Results for the Fortinet FortiGate-200G and Palo Alto Networks PA-1410 Enterprise Firewalls.

Both products have improved their ratings from Caution to Recommended following submissions to NSS Labs to retest after developing new builds to address their earlier evasion resistance deficiencies published on November 5, 2025.

“Both Fortinet and Palo Alto Networks responded quickly and transparently to our original findings, issuing updates within days and requesting immediate retesting,” said Vikram Phatak, CEO of NSS Labs. “The speed at which these vendors addressed and resolved critical issues shows their commitment to their customers’ security.”

Read key findings in the full press release here.

NSS Labs Selects ectacom GmbH to Expand Cybersecurity Representation in Central Europe

Austin, Texas / Munich, Germany – November 12, 2025

NSS Labs, the leading authority in independent cybersecurity product validation, today announced that ectacom GmbH, a German value-added distributor, will be representing NSS Labs in the Central European regions of Germany, Austria, Switzerland (DACH) and Poland.

Through this collaboration, enterprises, service providers, and security vendors in the region will gain access to NSS Labs’ real-world cybersecurity testing services, helping organizations strengthen defenses, ensure compliance, and reduce risk.

Among the services offered will be Minion by NSS Labs, a managed security testing service based on live attack scenarios, including malware, exploits, evasion techniques, and false positives sourced from active threat intelligence. Delivered remotely with encrypted control, Minion allows customers to:

  • Continuously monitor ongoing test results
  • Track improvements in security products over time
  • Generate compliance-ready documentation without the burden of in-house test management

This service is designed to support CISOs, CIOs, and Chief Risk Officers in meeting the growing demands of regulatory compliance, supply chain assurance, and resilience.

“ectacom understands the cybersecurity challenges enterprises face today,” said Vikram Phatak, CEO of NSS Labs. “As we expand globally, we are delighted to be represented by ectacom in Central Europe.”

“We are very proud to be partnering with NSS Labs again,” added Tomé Spasov, Managing Partner and Chief Strategy Officer at ectacom GmbH. “Enterprises continue to face significant breach risks, and testing provides the validation needed to ensure vendor products are meeting critical security performance standards.”

About ectacom

ectacom is one of the leading independent German Value-Added Distributors (VAD) for complex IT, OT, and IoT solutions and services. The company works closely with channel partners and integrators to help companies improve infrastructure efficiency, optimize processes, and maintain compliance. For more information, please visit ectacom.com.

About NSS Labs

NSS Labs delivers research-backed insights through its advanced testing platforms, empowering enterprises, security vendors, and service providers to make informed, evidence-based cybersecurity decisions. By handling the heavy lifting of testing for effectiveness, performance, and suitability, NSS Labs helps clients move beyond assumptions to gain actionable clarity. Its auditing and governance services offer continuous assurance that deployed security technologies are performing as expected—protecting investments and supporting accountability. For more information, visit nsslabs.com.

CyberRatings.org and NSS Labs Announce 2025 Enterprise Firewall Test Results

Austin, TX – November 5, 2025 – CyberRatings.org (CyberRatings), the non-profit organization dedicated to providing confidence in cybersecurity products and services through independent testing, today announced the results of its latest Enterprise Firewall (EFW) evaluation. Tests were conducted by NSS Labs and are now available at no cost on the CyberRatings.org website.

NSS Labs performed independent evaluations of seven leading Enterprise Firewall products using the Enterprise Firewall Test Methodology v3.0. The testing revealed a striking disparity in performance — Security Effectiveness ranged from 46.37% to 99.59%.

Firewalls were tested under encrypted enterprise-grade workloads using 3,326 exploits, 11,311 malware samples, 5,752 evasion techniques spanning 53 evasion categories, 6,481 false-positive samples, and 55 performance tests. Each firewall was required to maintain operational stability throughout testing.

Read key findings in the full press release here.

Beyond Assumptions: Why Validation is the Next Frontier in Cybersecurity Defense

Last week, CISA published an incident response report detailing how a federal civilian executive branch (FCEB) agency was breached through exploitation of a known and documented vulnerability in GeoServer (https://www.cisa.gov/news-events/alerts/2025/09/23/cisa-releases-advisory-lessons-learned-incident-response-engagement). This was not a “sophisticated zero-day,” but a widely reported weakness defenders have been aware of for some time (https://nvd.nist.gov/vuln/detail/cve-2024-36401).

This breach underscores a sobering reality: attackers don’t need innovation when defenders rely on assumptions.

Known Exploits, Unknown Effectiveness

Each time an advisory like this is released, many CISOs and CTOs are left asking the same question: “Would this have worked against us?”

The uncomfortable truth is that in many environments, the answer is uncertain. Security leaders often deploy products with the expectation of protection, but without direct validation, those expectations may not hold under real-world attack conditions.

This is why we at NSS Labs regularly evaluate security products against actual exploit samples going as far back as 10 years—including the very vulnerability used in this breach. That type of validation gives defenders evidence, not just hope, that their technologies will withstand known threats.

The Flaw in “Defense-in-Depth by Assumption”

Defense-in-depth is a well-established strategy. Multiple layers of technology—firewalls, intrusion prevention, endpoint agents, and monitoring—create redundancy and resilience. But the mere presence of these controls is not enough.

  • Deployment ≠ Effectiveness. A product installed in the stack doesn’t guarantee it will perform as intended.
  • Context Matters. Effectiveness depends on how controls are configured, tuned, and integrated into the environment.
  • Silent Gaps Exist. Without validation, security teams may not realize that certain attack vectors bypass defenses entirely.

The CISA advisory makes clear: organizations cannot rely on “best practice” architectures alone. They must prove their defenses actually work.

Validation as the Next Frontier

Cybersecurity has long emphasized the importance of prevention and detection. The next frontier is validation: treating effectiveness as a measurable, verifiable outcome.

Validation is not theoretical—it’s practical. The critical difference between assumption and assurance is data. Testing security products against real exploits, simulating adversarial behavior, and quantifiably measuring whether defenses hold provides assurance that investment translates into protection. Independent testing bodies such as NSS Labs help provide this evidence, bridging the gap between vendor claims and operational reality.

A Practical Checklist for CISOs

Security leaders looking to strengthen their posture against known vulnerabilities can use the following framework:

  1. Inventory What Matters
    1. Catalog critical applications, platforms, and workloads.
    2. Prioritize those most tied to mission outcomes.
  2. Map Defenses to Assets
    1. Identify which controls protect which workloads.
    2. Look for overlaps, blind spots, and single points of failure.
  3. Validate Against Exploit Samples
    1. Test defenses against real-world exploits and malware, not just lab simulations.
    2. Leverage independent testing where available.
  4. Simulate Adversarial Behavior
    1. Ensure that each component in the defensive chain is independently tested and validated.
    2. Focus on tactics, techniques, and procedures (TTPs) that correspond to those utilized by threat actors in the current threat landscape.
  5. Make Validation Continuous
    1. Move from one-time testing to an ongoing validation cycle.
    2. Adjust configurations, patching, and investments based on results.

Final Thoughts

The lesson from this breach is clear: known vulnerabilities remain one of the most significant risks to enterprise security. Defense-in-depth alone is insufficient if it is built on untested assumptions.

The industry must embrace validation as a core pillar of cybersecurity strategy. By demanding measurable proof of effectiveness—through independent testing, adversarial approaches, and continuous validation—CISOs and CTOs can move from assumption to assurance.

The goal is simple yet profound: to ensure that when the next advisory is issued, leaders can answer with confidence:

“Yes—our defenses will hold.”

Futuriom: NSS Labs Launches Managed Cybersecurity Test Platform

The recently relaunched NSS Labs has released Minion by NSS Labs, a managed platform designed to validate the performance of cybersecurity products for service providers, enterprises, and vendors.

The remotely managed offering relieves customers of the burden of in-house testing while providing in-depth, objective validation of security products—a must, given the proliferation of cybersecurity threats in today’s AI-oriented environments.

“Security leaders need tools that let them compare and justify cybersecurity decisions with real evidence,” stated Ian Foo, Chief Technology Officer and EVP of Product, in a press release. “Our new data platform will modernize the way we share test data so that enterprises can make faster, smarter decisions across the organization.”

Minion Addresses the Needs of Three Markets

With Minion, NSS Labs is fulfilling a major need among cybersecurity customers of all types—namely, to get an unbiased, real-world view of the actual performance of products before they hit the network. To reach this goal, the platform offers a range of features that meet the requirements of three distinct constituencies.

Read the full article here: https://www.futuriom.com/articles/news/nss-labs-launches-managed-cybersecurity-test-platform/2025/08

NSS Labs Introduces Minion, a Managed Security Testing Service for Enterprises, Service Providers, and Cybersecurity Vendors

LAS VEGAS, NV – August 5, 2025. NSS Labs, the leading authority in independent cybersecurity product validation, today announced the launch of Minion by NSS Labs, a managed security testing platform developed by NSS Labs to independently validate real-world performance of security products. It delivers third-party validation of security controls through rigorously designed and remotely executed testing cycles—all without the operational burden of in-house test management.

Minion by NSS Labs: Built for Three Critical Audiences 

Minion for Enterprises 

Minion supports CISO, CIO, Chief Risk Officer, and CEO priorities by testing to ensure that deployed or procured security products meet performance claims and policy goals. Test outputs can be integrated into broader Governance, Risk and Compliance practices and security performance dashboards. 

Minion for Service Providers and Managed Service Providers 

Service Providers (SPs) and Managed Service Providers (MSPs) can use Minion to validate OEM-based or proprietary security solutions under real-world threat conditions. This helps accelerate time-to-market, differentiate in competitive markets, develop roadmap priorities, and ensure continuous service quality for regulated customers – all backed by objective test data. 

Minion for Cybersecurity Vendors 

Designed originally for enterprise buyers and risk officers, Minion offers cybersecurity vendors a unique opportunity: external, objective testing that aligns with the evolving needs of procurement teams, GRC mandates, and competitive product positioning. 

“Our goal is to provide transparency into the effectiveness of cybersecurity products,” said Vikram Phatak, CEO. “Minion delivers high-impact answers with speed and scale. Cybersecurity professionals will know if the products they rely on are working.”

NSS Labs is also introducing its interactive data platform during DEF CON 33 in Las Vegas. The platform will provide users with self-service access to test results, enabling interactive exploration, comparison, and decision support through a visual, executive-ready interface. 

Executives from NSS Labs will demo the platform and gather feedback during Networking Bar sessions: 

  • Friday, August 8, from 11:00 AM – 2:00 PM
  • Saturday, August 9, from 12:00 PM – 2:00 PM

“Security leaders need tools that let them compare and justify cybersecurity decisions with real evidence,” said Ian Foo, Chief Technology Officer and EVP of Product. “Our new data platform will modernize the way we share test data so that enterprises can make faster, smarter decisions across the organization.” 

Futuriom: NSS Labs Is Back! And That’s a Great Thing

It’s important to have quality independent testing of technology. That’s why I think it’s great that technology testing firm NSS Labs has been relaunched as NSS Labs 2.0.

Originally founded in 2007, NSS Labs was a respected testing firm that filled a vital role in independent testing for many years, putting out detailed testing of firewalls and other networking and security products from the top vendors. The original NSS Labs was taken over by a private equity company in 2019 and shuttered in 2020.

The reimagined NSS Labs has been created by original founder Vikram Phatak, who will now serve as the CEO of the new NSS Labs.

Read the full article here: https://www.futuriom.com/articles/news/nss-labs-is-back-and-thats-a-great-thing/2025/07