Ranked by demonstrated-against count (the field-evidence proxy) over the most recent 90 days. Lab miss rates from the most recent independent test on file.
| Vendor | Lab miss | Demonstrations | Breaches | Total signal |
|---|---|---|---|---|
| Palo Alto Networks | — | 38 | 2 | 127 |
| CrowdStrike | 1.5% | 25 | 1 | 153 |
| Microsoft | 1.0% | 22 | 0 | 170 |
| SentinelOne | — | 4 | 0 | 48 |
| Fortinet | — | 1 | 0 | 1 |
| CyberArk | — | 0 | 0 | 2 |
| Sophos | 2.0% | 0 | 0 | 2 |
| Zscaler | — | 0 | 0 | 1 |
| ESET | 0.5% | 0 | 0 | 1 |
| Arctic Wolf | — | 0 | 0 | 1 |
A lab miss rate is a percentage out of a few hundred curated samples. A demonstration count is a raw number of independent research publications. A breach count is incidents at organizations who were paying for the product. Each measures a different thing — and that's the point. The spine lays them side by side so any reader can see how lab outcomes, attacker attention, and field reality line up. We do not normalize the three numbers against each other; we do not weight them; we do not score the vendor. We publish them.
ColdRecon delivers a daily intelligence brief from the seller's seat — what every tracked vendor shipped, who used their product and got hit, which demonstrations dropped overnight. Request clearance and the first lands tomorrow at 0600.
Request Clearance →