Cybereason vs. Carbon Black: Why Delayed Detections Matter

The U.S. Treasury Department estimates that U.S. companies have paid $1.6 billion in ransomware attacks since 2011. Given the lucrative nature of ransomware attacks, the threat shows no signs of diminishing.

In fact, the ransomware threat is constantly changing and evolving as attackers use more and more sophisticated techniques and vulnerabilities to gain access to organizations' data and networks. 

Keeping organizations secure today requires faster, more accurate, more dependable, and highly specialized AI-based threat prevention solutions. With that in mind, let's consider how Cybereason compares to Carbon Black, and what each vendor is offering its customers.

In this article, we will take a look at three important areas where Carbon Black doesn’t deliver the protection that organizations need today.

Three Black Marks on Carbon Black

  • Delayed Detections: Extra time allows attackers to demand extra ransom. 
  • Ships as an Empty Box: Carbon Black has very little threat intelligence built-in, leaving resource-strapped security teams to code detections manually. 
  • Limited Data Collection: Not having all the information—or even most of the information—leads to the wrong decisions.

Delayed Detections and Why You Should Care

According to MITRE, a “delayed detection is an alert that is not received in real-time, or near real-time.” This means that detection may come minutes or hours after a malicious attack occurs. Traditionally this means the security product requires some form of human validation before being able to confirm the activity is malicious, often because the product cannot do it on its own. 

Let’s take a look at some interesting statistics behind delayed detections. According to the 2021 Verizon Data Breach Investigations Report (DBIR), approximately 60% of incidents were discovered within days, while 20% of respondents reported that it could take months before an attack was detected.

In 2017, Equifax was hacked, and an investigation determined that the intrusion had taken place many months before. That breach compromised the Social Security numbers and other personal information of 143 million Americans.

How Carbon Black (Doesn't) Stack Up 

In a recent MITRE ATT&CK test, Carbon Black had a 9% delayed detection rate. That 9% delay means attackers have an open unattended door through which they can enter your network and begin stealing and encrypting critical data and information needed to keep your operations running. This vulnerability is not unique to Carbon Black, but a 9% delayed detection rate is a glaring hole that cannot be left to chance.

Inadequate security solutions lead to delayed detections and leave organizations open to ransomware and other attacks. More advanced security solutions like Cybereason’s Predictive Ransomware Protection are leaning forward and serving a preventative role by stopping attacks before they take hold. If you are interested in digging into delayed detection more, take a look at this blog.

Protection Ready on Day 1

Consider the risks associated with installing a security product that requires significant amounts of customization and time to be properly configured to safely defend your organization. What does that time represent to your security posture? While customization isn’t inherently a bad thing, if done incorrectly it can lead to false positives and significant delays.

Off the shelf, Carbon Black relies on manual inputs to identify threats due to a lack of built-in detection content. This content can either be purchased at an additional cost or overburdened security teams can manually code threat detection heuristics once the product is purchased and deployed. Why is this important? All organizations today need smart and simple security solutions that provide robust protection right away. 

Cybereason’s predictive protection and built-in, AI-driven automation eliminate the need to manually block, investigate, and respond to threats. This critical time savings makes the work of defending easier and ensures that organizations have protection from malicious threats without extensive customization.

Bottom Line: Day 1 protection is better than day 2 or day 20 because threat actors aren’t waiting for you to set up your Carbon Black product so you can have a fair fight. Don’t wait, deploy Cybereason and be protected on Day 1.

Smarter Design and Better Analysis

Understanding the whole threat picture in a simple and easy-to-use interface that combines critical and actionable information gives organizations an edge in the fight against attackers. The Cybereason MalOp™ (malicious operation) detection engine is designed to do just that, and Carbon Black is not. More and better data makes a big difference. 

How do both compare?

Cybereason uses more than 30 sources of data to feed customers with faster and more accurate information. This large pool of data means more precise responses as well.

How does that data turn actionable?

The MalOp is designed to provide an operation-centric approach to better understand and visualize a malicious operation from the root cause to each affected endpoint. This robust and broad-based visibility gives security teams more accurate and actionable information. 

Accurate analysis depends on having complete visibility of the whole environment to see everything that poses a threat. Carbon Black, however, uses less native telemetry to feed their solution. Fewer telemetry feeds mean less information intake and poorer results. That puts Carbon Black customers at a major disadvantage.

What's the Bottom Line?

More data and more accurate information improve response time and give defenders another edge that is desperately needed in the fight against ransomware and malicious actors.

Cybereason Versus VMware Carbon Black


Undefeated in the Fight Against Ransomware

Cybereason’s Predictive Ransomware Protection is undefeated in the fight against ransomware, with artificial intelligence on the endpoint, multi-layered prevention, and visibility from the kernel to the cloud, eliminating ransomware before it takes hold.

Delayed Detections Make an Attacker’s Job Easy

In MITRE ATT&CK tests, Carbon Black detections were delayed 9% of the time. One delayed detection is enough for ransomware to wreak havoc; what happens when 9% are delayed?

Designed to Protect on Day 1

Cybereason solutions include predictive protection, resulting in unparalleled productivity for Defenders. In-product automation eliminates the need to manually block, investigate, or respond, saving critical time in the fight against ransomware.

Lacks Built-in Detection

Off the shelf, Carbon Black relies on manual inputs to identify threat actors. This lack of built-in detection content prevents teams from accurately predicting attackers’ next moves, and increases the risk of a successful attack.

Reduce Time to Detect & Respond by 93%

Cybereason increases analyst efficiency and productivity with simplified platform management and accelerated triage. Companies that switched to Cybereason reduced management tasks by 75% and time spent on detection and response by 93%.

Fragmented Tools Mean Less Productivity and Missed Threats

Carbon Black requires users to shuffle back and forth between separate consoles, decreasing ease of use and increasing complexity. When every second counts, this not only wastes time but can lead to confusion and delays.

Elite Experts and Around the Clock Protection

Cybereason MDR and IR services provide relief for overburdened security teams. Recognized by Forrester as one of the top MDR providers in the industry, customers receive fully managed threat hunting, detection, and response 24x7x365.

Immature, Unproven, and Unvalidated

Carbon Black’s MDR and IR service is immature, unproven, and unvalidated. Today’s threat landscape is too complex to risk partnering with an untested vendor that is one step behind the market and malicious actors.

An Operation-Centric Approach Leaves Attackers Nowhere to Hide

An operation-centric approach allows defenders to instantly visualize the entire malicious operation, from root cause to every affected endpoint, with visualizations that deliver the details of an attack across all devices and all users.

False Positives Provide Camouflage for Attackers

Carbon Black solutions require excessive fine-tuning to avoid distracting alerts. Carbon Black’s add-on detection libraries leave customers with high false-positive rates and missed detections.

Robust and Actionable Data Drive Cybereason Solutions

Cybereason collects and uses more than 30 sources of data to anticipate and detect with speed and precision. Attackers are correlated and presented in simple and actionable ways that decrease response times and end attacks from endpoint to everywhere.

Limited Telemetry Leaves Customers Vulnerable

Carbon Black fails to provide defenders with adequate security and protection, with limited native telemetry capabilities for detection, investigation, and response, leaving customers to fend for themselves.

If you want to learn more about Cybereason and how our products stack up against Carbon Black, take a look at our webpage.


Cybereason is dedicated to teaming with Defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place. Learn more about Cybereason AI-driven XDR here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

About the Author

Cody Queen

Cody Queen is a Product Marketing Manager at Cybereason leading the go-to-market strategy for NGAV, endpoint protection and cloud workload security solutions. Before joining Cybereason, Cody led and supported product launches for Dell Technologies in their APEX Cloud and security business, primarily around managed data center services. He also brings over 10 years of experience in the public sector planning for, managing and responding to security threats against the United States.
