AV-Comparatives Publishes APT Detection Coverage 2026 for Consumers

Independent research shows strong protection against known APT threats, while highlighting challenges in detecting modified variants

AV-Comparatives, the independent cybersecurity testing organisation, has published its APT Detection Coverage 2026 report, an in-depth evaluation of how effectively consumer cybersecurity solutions detect known Advanced Persistent Threat (APT) toolsets used in cyber-espionage campaigns.

Advanced Persistent Threats represent some of the most sophisticated forms of cyberattack. Unlike conventional malware, APT campaigns are typically designed to infiltrate specific targets, remain undetected for extended periods, and gather sensitive information. These operations often involve advanced evasion techniques, custom malware, and multi-stage attack chains.

To assess current protection capabilities, AV-Comparatives conducted a long-term study examining 14 consumer cybersecurity products using a dataset of 7,579 samples from 126 publicly documented APT groups. The research began in November 2024 and concluded in February 2026, with testing phases including offline and online scanning, follow-up testing after vendor updates, and behavioural detection during execution. The study provides one of the largest empirical datasets currently available on how consumer security products detect publicly documented APT toolsets.

The results show that modern consumer security solutions provide strong protection against well-known APT threats, particularly when behavioural detection mechanisms are triggered during runtime. Execution testing produced the highest protection levels, with all tested products achieving detection rates exceeding 99% for the original APT samples.

Andreas Clementi, Founder and CEO of AV-Comparatives, commented: “Advanced Persistent Threats are often discussed in political or strategic terms, but from a technical perspective they are simply malware. Our study shows that modern consumer security products are generally very effective at detecting known APT toolsets, particularly during execution. At the same time, the results highlight that modified variants can still challenge some detection engines, which underlines the importance of behavioural detection and continuous improvement of protection technologies.”

When minor binary modifications were introduced to change file hashes without altering malicious behaviour, detection rates declined for some solutions. This finding indicates that protection mechanisms relying heavily on static indicators may struggle to recognise altered versions of known malware.

The analysis also examined whether detection performance correlated with the geographic origin of threat actors or security vendors. The results showed no meaningful relationship between a vendor’s location and its ability to detect regionally associated APT groups, suggesting that remaining detection gaps are primarily technical rather than geopolitical in nature.

AV-Comparatives notes that the findings underline the growing importance of behavioural analysis, heuristic detection, and machine-learning technologies in defending against advanced and evolving cyber threats. Continued independent testing and timely threat-intelligence updates remain essential to maintaining strong protection against sophisticated attacks.

The full APT Detection Coverage 2026 report is available on the AV-Comparatives website.

PR Newswire
