The problem lies in the fact that almost all customers trust<\/strong> their vendors to answer accurately when asked such questions \u2013 very often because they have no other choice. A more mature approach in today\u2019s cyber-reality is to verify<\/strong>.<\/p>\n In corporate-speak this is called supply-chain trust, and trying to solve this puzzle on your own is a serious headache. You need help from vendors. A responsible vendor is ready to show what\u2019s under the hood of its solutions, to open up the source code to partners and customers for review, and, in general, to earn trust not with nice slides but with solid, practical steps.<\/p>\n So who\u2019s already doing this, and who\u2019s still stuck in the past? A fresh, in-depth study<\/a> from our colleagues in Europe has the answer. It was conducted by the respected testing lab AV-Comparatives, the Tyrol Chamber of Commerce (WKO<\/a>), the MCI Entrepreneurial School, and the law firm Studio Legale Tremolada.<\/p>\n The main conclusion of the study is that the era of \u201cblack boxes\u201d in cybersecurity is over. RIP. Amen. The future belongs to those who don\u2019t hide their source code and vulnerability reports, and who give customers maximum choice when configuring their products. And the report clearly states who doesn\u2019t just promise but actually delivers. Guess who!\u2026<\/p>\n What a great guess! Yes \u2013 it\u2019s us!<\/p>\n We give our customers something that is still, unfortunately, a rare and endangered species in the industry: transparency centers, source code reviews of our products, a detailed software bill of materials (SBOM<\/a>), and the ability to check update history and control rollouts. And of course we provide everything that\u2019s already become the industry standard. You can study all the details in the full \u201cTransparency and Accountability in Cybersecurity\u201d (TRACS) report<\/a>, or in our summary<\/a>. Below, I\u2019ll walk through some of the most interesting bits.<\/p>\n TRACS reviewed 14 popular vendors and their EPP\/EDR products \u2013 from Bitdefender and CrowdStrike to our EDR Optimum<\/a> and WithSecure. The objective was to understand which vendors don\u2019t just say \u201ctrust us\u201d, but actually let you verify their claims. The study covered 60 criteria: from GDPR<\/a> (General Data Protection Regulation \u2013 it\u2019s a European study after all) compliance and ISO 27001 audits, to the ability to process all telemetry locally and access a product\u2019s source code. But the authors decided not to give points for each category or form a single overall ranking.<\/p>\n Why? Because everyone has different threat models and risks. What is a feature for one may be a bug and a disaster for another. Take fast, fully automatic installation of updates. For a small business or a retail company with thousands of tiny independent branches, this is a blessing: they\u2019d never have enough IT staff to manage all of that manually. But for a factory where a computer controls the conveyor it would be totally unacceptable. A defective update can bring a production line to a standstill, which in terms of business impact could be fatal (or at least worse than the recent Jaguar Land Rover cyberattack<\/a>); here, every update needs to be tested first. It\u2019s the same story with telemetry. A PR agency sends data from its computers to the vendor\u2019s cloud to participate in detecting cyberthreats and get protection instantly. Perfect. A company that processes patients\u2019 medical records or highly classified technical designs on its computers? Its telemetry settings would need to be reconsidered.<\/p>\n Ideally, each company should assign \u201cweights\u201d to every criterion, and calculate its own \u201ccompatibility rating\u201d with EDR\/EPP vendors. But one thing is obvious: whoever gives customers choices, wins.<\/p>\n Take file reputation analysis of suspicious files. It can work in two ways: through the vendor\u2019s common cloud, or through a private micro-cloud within a single organization. Plus there\u2019s the option to disable this analysis altogether and work completely offline. Very few vendors give customers all three options. For example, \u201con-premise\u201d reputation analysis is available from only eight vendors in the test. It goes without saying we\u2019re one of them.<\/p>\n In every category of the test the situation is roughly the same as with the reputation service. Going carefully through all 45 pages of the report, we\u2019re either ahead of our competitors or among the leaders. And we can proudly say that in roughly a third of the comparative categories we offer significantly better capabilities than most of our peers. See for yourself:<\/p>\n Visiting a transparency center and reviewing the source code? Verifying that the product binaries are built from this source code? Only three vendors in the test provide these things. And for one of them \u2013 it\u2019s only for government customers. Our transparency centers are the most numerous and geographically spread out, and offer customers the widest range of options.<\/p>\nNot mixing apples and oranges<\/h2>\n
Raising the bar<\/h2>\n
![\"The](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2026\/01\/14164251\/transparency-independent-study-center.jpg\")
<\/a>