AV-Comparatives conducts targeted offensive security evaluations, offering vendors the opportunity to achieve certification in specific protection domains. In 2026, the focus was again on “Shellcode Execution / Process Injection.” Certification reports are published exclusively for vendors that successfully meet the defined criteria. Participating vendors receive detailed technical feedback to support continuous product improvement.

https://www.av-comparatives.org/news/process-injection-certification-test-2026/

Process injection remains one of the most relevant and widely used techniques in modern attack chains. Within the MITRE ATT&CK framework (T1055), it represents a broad class of techniques spanning multiple stages, including initial access, defence evasion, and privilege escalation. Its flexibility and prevalence make it a key indicator of how effectively a product can handle stealthy, memory-based threats.

Positioning: Complementary to MITRE and EPR

This test is intentionally designed to provide a focused, deep-dive assessment of a single but critical attack technique, rather than a full attack-chain simulation.

• Compared to MITRE ATT&CK evaluations, which emphasize visibility, telemetry, and detection coverage across multi-stage scenarios, the Process Injection Test places stronger emphasis on active prevention and immediate detection at the point of execution.
• Compared to AV-Comparatives’ Endpoint Prevention and Response (EPR) Test, which evaluates overall protection effectiveness and operational impact across complete attack scenarios, this test isolates one of the most challenging technical layers: memory execution and process manipulation.

This positioning makes the Process Injection Test particularly relevant for analysts and enterprise buyers who want to understand how well a product handles highly evasive, low-level techniques, beyond broader detection narratives.

Methodology

The evaluation focuses on the prevention and detection capabilities of AV, EPP, and EDR solutions in scenarios involving shellcode execution and process injection during initial access.

The objective is to assess how products perform when core attack variables are systematically modified, including:

• command-and-control frameworks and shellcode types
• memory allocation and execution methods
• API usage and injection techniques
• targeted processes and execution contexts

All scenarios are executed on a fully updated Windows system with standard user privileges, ensuring realistic attack conditions without artificial hardening.

Key Variables

To create evasive and realistic attack scenarios, multiple variables were combined:

• Execution / Injection Techniques: e.g. classic injection, early bird injection, process hollowing
• Formats / File Types: .exe, .dll, .bin and others
• Frameworks / Shellcode: including widely used C2 frameworks such as Metasploit, Empire, and Covenant
• Injection Context: self-injection vs. remote process injection
• Target Processes: variation of execution and injection targets

This multi-variable approach ensures that products are evaluated against a broad spectrum of real-world tradecraft, rather than optimized or static test cases.

Certified Products

The 2026 evaluation once again demonstrated that robust protection against process injection remains a significant technical challenge.

While participation across vendors was broad, only a very limited number of products achieved certification. To qualify, a product must successfully prevent or detect at least two-thirds of all scenarios without generating false positives .

The following products met these requirements in 2026:

• CrowdStrike Falcon Enterprise
• Fortinet FortiEDR

Only certified vendors are publicly listed. Non-certified participants receive detailed internal feedback, supporting iterative improvements without public exposure.

Outlook: Internal Evaluation in 2027

Based on the results of the 2026 Process Injection Certification Test, which saw broad participation across vendors but only limited certification success, AV-Comparatives will offer an optional internal test in 2027.

This internal evaluation will use the same test cases as in 2026 and is intended to give vendors the opportunity to identify gaps and further improve their protection capabilities in a controlled, non-public setting ahead of the next public certification evaluation in 2028.

Conclusion

For analysts and enterprise decision-makers, the 2026 results highlight an important gap between visibility and true prevention capabilities in the area of memory-based attacks.

The Process Injection Test complements broader evaluations by isolating one of the most technically demanding aspects of endpoint security. As such, it provides additional decision-making value beyond full attack-chain tests, particularly when assessing a product’s ability to stop advanced, evasive techniques at the point of execution.