AV-TEST vs AV-Comparatives vs SE Labs: How Antivirus Labs Test (2026)

Quick answer: Five independent labs dominate consumer antivirus testing in 2026: AV-TEST (Germany, 6-point Protection/Performance/Usability scores), AV-Comparatives (Austria, Real-World plus Malware Protection plus Performance plus Advanced Threat Protection, with Advanced+ as top tier), SE Labs (UK, AAA ratings based on full-chain attack scenarios), MRG Effitas (UK, online banking and ransomware specialty certifications), and Virus Bulletin (UK, the VB100 pass/fail certification). All five are members of the Anti-Malware Testing Standards Organization (AMTSO) and have published methodologies you can verify. According to the most recent rounds (AV-TEST December 2025, AV-Comparatives March 2026, SE Labs Q1 2026), the same products often score differently across labs — which is exactly why reading three together is more honest than reading one. The U.S. National Institute of Standards and Technology references AMTSO standards in NIST SP 800-83 Rev. 1.

Last updated: April 25, 2026 — Reviewed by Kenji Watanabe (GCED)

Quick Answer / TL;DR

• Five labs matter; none is "best." Each measures something slightly different. Cross-referencing is how you avoid being misled.
• Methodology gaps are real. A product strong on URL-block can win AV-Comparatives' Real-World test while losing AV-TEST's file-detection heavy round.
• Yes, vendors pay. Certification and detailed reports are the labs' business model. AMTSO sample validation makes outright pay-to-pass unworkable.
• Freshness matters. Use data from the last six months. Threat samples and product engines both refresh fast.
• Our methodology integrates all five. This article is the foundation of how we read lab data on this site; see our methodology page for how we combine it into rankings.

The rest of this article walks through each lab in detail, explains why their results disagree, and shows the published scoring tables side by side.

The Five Labs You Should Care About

AV-TEST (Germany)

AV-TEST is the most consumer-recognizable of the labs. Founded in 2004 in Magdeburg, Germany, it publishes a Home User Windows test every two months, plus parallel tests for macOS, Android, and corporate endpoint products.

The scoring is three 6.0-point scales summed to 18.0:

• Protection (6 points): detection of zero-day attacks (collected over the previous 4 weeks) plus widespread malware (collected over the previous 4 weeks). Scored against a sample of around 250-350 zero-day threats and 9,000-12,000 widespread samples per round.
• Performance (6 points): measured slowdown when launching websites, downloading files, installing applications, copying files, and running standard applications, against a baseline machine.
• Usability (6 points): false positives — false detections of legitimate software during scans, false warnings during web browsing, and false blocks of legitimate installations.

A product earns the AV-TEST "Top Product" certification when it scores above defined thresholds in all three categories. The published reports include per-product scores back through every test cycle, which lets you see consistency over time — a single 6.0 score is less meaningful than six consecutive ones.

What AV-TEST is good for: consistent, comparable, dense data across many products and platforms. What it underweights: sophisticated multi-stage attacks, since the methodology is largely file-and-URL based rather than full-attack-chain.

AV-Comparatives (Austria)

Founded in 2004 by Andreas Clementi at the University of Innsbruck, AV-Comparatives runs the most extensive sample volumes of the consumer-focused labs and publishes four major test categories that together span most of what matters:

• Real-World Protection Test: runs every month. Tests against live exploit URLs and malware found in the wild within the last 24-48 hours. Around 350-450 test cases per cycle.
• Malware Protection Test: runs every six months. Tests against approximately 10,000 prevalent malware samples drawn from the wild. Includes both online detection and offline-scanning detection.
• Performance Test: runs every six months. Measures slowdown across application launching, file copying, archiving, downloading, etc.
• Advanced Threat Protection (ATP) Test: runs twice a year. Uses targeted attack scenarios (PowerShell, Office macros, exploits) similar to what enterprise EDR products would face.
• False Alarm Test: runs alongside Malware Protection. 1.4 million clean files plus 100+ clean websites and applications.

The award system has four tiers: Tested (passed minimum requirements), Standard (good), Advanced (very good), and Advanced+ (top tier). A product needs to clear specific thresholds in each test to qualify for each level. Advanced+ in the Malware Protection Test typically requires 99.5% protection with five or fewer false positives.

What AV-Comparatives is good for: sample volume and methodological breadth — you can find the same product evaluated under quite different conditions. What it underweights: macOS, Android, and small-vendor coverage, all narrower than AV-TEST.

SE Labs (UK)

SE Labs, based in Wokingham, UK and founded by Simon Edwards (who previously ran PC Pro's antivirus testing), takes a different angle. Where AV-TEST and AV-Comparatives mostly evaluate file or URL detection at scale, SE Labs runs full-attack-chain scenarios and grades remediation, not just detection.

The scoring is a Total Accuracy Rating in three tiers — A, AA, AAA — calculated from a points system. Each public-test round, SE Labs simulates real targeted attacks (drive-by exploits, weaponized documents, fileless attacks via PowerShell, lateral-movement scenarios in their Enterprise tests) and asks: did the product block the threat completely, partially, or not at all? Partial blocks get partial credit; complete cleanup with no residual artifacts gets full credit.

Public reports include the Home Anti-Malware Protection report (quarterly) and the Enterprise Endpoint Protection report (quarterly), with Q1 2026 being the most recent at time of writing. SE Labs is also the lab whose methodology is most often cited in enterprise security RFP processes.

What SE Labs is good for: realism. A AAA rating is hard, and the scenarios match how attacks actually unfold. What it underweights: sample volume — fewer test cases per round than AV-Comparatives, by design.

MRG Effitas (UK)

MRG Effitas runs more specialized tests, with two consumer-relevant streams: the Online Banking & Browser Security Certification (quarterly) and the 360° Assessment & Certification covering broader malware including ransomware (quarterly).

Their distinguishing methodology is realism in the financial-fraud specific scenarios: live banker trojans (e.g. real Trickbot and Emotet variants when active), MitB (Man-in-the-Browser) attacks, and ATM-targeting samples. A product earns the certification only by blocking 100% of the in-scope sample set during the test window — there is no partial-credit system, just pass or fail.

What MRG Effitas is good for: confirming whether a product holds up specifically against banking malware and ransomware, both of which are higher-stakes than general malware. What it underweights: general consumer scenarios outside banking and ransomware.

Virus Bulletin (UK)

The oldest lab in this list — founded in 1989 — Virus Bulletin runs the VB100 certification, a pass/fail test against the WildList (a curated list of currently active in-the-wild malware compiled by the WildList Organization). To pass VB100, a product must detect 100% of the WildList samples and generate zero false positives on a clean reference set during the test.

Today, VB100 is largely a baseline credential — most major consumer antivirus products pass routinely, so a current VB100 pass is more like a hygiene check than a competitive ranking. Failing VB100 is the more interesting signal, because it usually indicates a serious detection or false-positive regression.

Virus Bulletin also runs RAP (Reactive And Proactive) tests, which measure how quickly a product detects threats within hours, days, and weeks of their first appearance. The RAP quadrant chart is one of the more useful visualizations in the industry for understanding a product's freshness against new threats.

What Virus Bulletin is good for: long-running pass/fail baseline plus the RAP freshness visualization. What it underweights: granularity — VB100 binary, RAP only quarterly.

Side-by-Side Comparison Table

The following table summarizes the methodology and scope differences. Compare the rows; they are why the same product ranks differently in different reports.

Lab	Country	Founded	Scoring	Cadence	Sample focus	Awards/tiers
AV-TEST	Germany	2004	3 × 6.0 = 18.0	Bi-monthly	Zero-day + widespread file/URL	Top Product certificate
AV-Comparatives	Austria	2004	% protection + false alarms	Monthly Real-World; bi-annual others	Largest sample volume; multi-test	Tested/Standard/Advanced/Advanced+
SE Labs	UK	2014	Total Accuracy Rating	Quarterly	Full attack chains, realistic scenarios	A / AA / AAA
MRG Effitas	UK	2009	100% pass / fail	Quarterly	Banking trojans, ransomware	360° Cert; Online Banking Cert
Virus Bulletin	UK	1989	Pass/fail; RAP quadrant	Bi-monthly	WildList + RAP freshness	VB100

For our own ranking work — and you can see how this rolls up in our methodology — we treat the most recent two AV-TEST cycles, the most recent AV-Comparatives Real-World plus Malware Protection plus ATP, the most recent SE Labs Home Anti-Malware Protection, and current VB100 status as a five-input composite. We weight them deliberately, and we publish those weights, because the only honest way to use lab data is to be transparent about how you collapse it into a single score.

Why the Same Product Gets Different Scores

If you have ever wondered why a vendor's marketing page cherry-picks one lab's data and ignores another's, here is what is actually going on. Five methodological choices create the gap.

1. Sample source. AV-Comparatives' Real-World Test uses live exploit URLs harvested in the previous 24-48 hours; AV-TEST uses zero-day samples accumulated over the previous four weeks; SE Labs builds custom attack scenarios. A product whose URL filter and cloud reputation are fast will dominate the first source and look mediocre on the third — the test sample is shaped differently.

2. What counts as "blocked." Some labs grant detection credit if the product blocks at the URL stage; others require execution-time block; SE Labs requires full clean-up with no residual artifacts to grant full credit. A product that lets malware reach disk but cleans it up perfectly will look strong in remediation-weighted scoring and weaker in early-block-only scoring.

3. False positive weighting. AV-Comparatives' Advanced+ award has a hard cap on false alarms; SE Labs' Total Accuracy directly subtracts points for false detections of legitimate software; AV-TEST's Usability score is essentially a false-positive measure but is summed with two other dimensions. A product can hit 100% detection and still rank below a 99.7% detection competitor that flagged fewer clean files.

4. Threat freshness. Virus Bulletin's RAP tests explicitly measure detection at hours-old, days-old, and weeks-old freshness. AV-TEST's monthly cycles, by contrast, give vendors slightly more time for cloud propagation. Engines optimized for fast cloud uplift and engines optimized for offline signature breadth both score well, but on different tests.

5. Update window. Tests pause vendor signature updates at different points — some at scan start, some at sample download. A vendor whose engine downloads a fresh definition mid-test in one lab and not another can show measurable score gaps for that reason alone.

This is why lab-result cherry-picking is the single most common form of marketing dishonesty in this industry. A vendor who finishes #1 in one lab and #11 in another will quote only the first. Reading multiple labs together is how you spot when that is happening.

How Our Methodology Uses This

Most consumer antivirus review sites pick one lab — usually AV-TEST because the scoring is easiest to display — and rank products on its data alone. That works as a starting point but produces the cherry-picking failure mode described above.

Our approach, documented in full here, takes the most recent six months of all five labs' published reports and rolls them into a composite score using disclosed weights. Concretely:

• Detection sub-score combines AV-TEST Protection, AV-Comparatives Real-World plus Malware Protection, and SE Labs Total Accuracy.
• Performance sub-score combines AV-TEST Performance and AV-Comparatives Performance.
• Usability/false-positive sub-score combines AV-TEST Usability and AV-Comparatives False Alarm.
• Realism modifier uses SE Labs' attack-chain results and MRG Effitas' banking/ransomware certifications.
• Hygiene check confirms current VB100 status and recent RAP standing.

We then add two non-lab dimensions that none of the labs measure — privacy/data-handling track record and pricing transparency — because those affect the user's actual experience even when detection is identical. Our transparency page explains why these matter and what we audit.

Cross-referencing all five labs is more work than reading one. It also produces rankings that survive next month's lab cycle, which is the test of whether your scoring model is stable or just opportunistic.

What This Means When You Read Antivirus Reviews

Three practical takeaways:

1. If a review site quotes only one lab, ask why. Especially if that lab happens to favor the product the site is recommending. The convenient correlation is rarely accidental.
2. Pay attention to the test month, not just the year. "AV-TEST 2025" without a specific month means the writer either does not know or does not want you to know that the data is older than it should be.
3. A product that is consistently top-tier across labs is more reliable than one that wins one lab and loses another. Bitdefender, Kaspersky, Norton, and Microsoft Defender, in some recent rounds, have all hit the top of multiple labs simultaneously. That is the more meaningful signal than any single 100% score.

For an end-to-end view of how the underlying engines actually do their job — which directly determines lab outcomes — read How does antivirus work?.

The Bottom Line

The five major labs — AV-TEST, AV-Comparatives, SE Labs, MRG Effitas, Virus Bulletin — each measure something genuinely different, and the gaps between their results are real, defensible, and methodologically explainable. Single-lab rankings are not wrong, but they are incomplete; multi-lab rankings are how serious testing teams (and serious enterprise security buyers) work.

This site's policy is to read all five, weight them transparently, refresh the data every quarter, and publish the weights so you can disagree if you want to. That is what we mean when we say "based on independent lab data" — not a single quoted figure, but a documented composite. See our methodology page for the full weight table, and our best antivirus ranking for what those weights produce when applied to the current product field.

External references: AV-TEST, AV-Comparatives, SE Labs, MRG Effitas, Virus Bulletin, AMTSO.

FAQs

Which antivirus lab is the most trusted? All five major labs — AV-TEST, AV-Comparatives, SE Labs, MRG Effitas and Virus Bulletin — are AMTSO members and follow standardized testing principles. None is universally "best." AV-TEST publishes the most consumer-friendly six-monthly reports, AV-Comparatives runs the most extensive sample sets, and SE Labs uses the most realistic full-attack-chain methodology. Reading three labs together is more reliable than any single one.

Why do different labs rank antivirus products differently? Methodology choices drive the differences: sample sources (URL-based vs file-only), threat freshness (hours vs days old), what counts as "protection" (block at network, block at file, block at execution, or allow then remediate), and how false positives are weighted. A product strong on URL filtering may dominate AV-Comparatives' Real-World Test while finishing mid-pack at AV-TEST, which weights file-based detection heavily.

What does AV-Comparatives "Advanced+" mean? Advanced+ is the top tier in AV-Comparatives' four-level award system (Tested, Standard, Advanced, Advanced+). To earn it, a product must score above defined thresholds — typically 99.5% protection with 5 or fewer false positives in the Malware Protection Test and 99.6% block rate with low false positives in the Real-World Protection Test. Awards are issued twice a year per test category.

Are antivirus labs paid by the vendors they test? Yes — vendors pay certification and detailed-report fees, which is the labs' primary revenue model. This is openly disclosed by AV-TEST, AV-Comparatives and SE Labs. The labs argue, plausibly, that paid certification does not equal pay-to-pass, because results are reproducible by any third party using their published methodology and AMTSO sample-validation standards. Vendors who fail tests do not stop paying — they want the diagnostic data to fix their products.

What is the difference between AV-TEST's score and SE Labs' AAA rating? AV-TEST gives three numerical scores out of 6.0 each (Protection, Performance, Usability) for a possible 18.0/18.0. SE Labs uses a Total Accuracy Rating, ranging A through AAA, derived from a points system that rewards full blocking and penalizes incomplete remediation. The two systems answer slightly different questions: AV-TEST asks "did the file get caught?", SE Labs asks "did the entire attack chain get stopped?"

How recent should antivirus lab data be? Treat anything older than six months as informational, not decisional. Threat landscape and product engines both evolve quickly. When evaluating a product in 2026, you should be looking at AV-TEST and AV-Comparatives reports from at least two of the most recent three test cycles, plus SE Labs' most recent quarterly Home Anti-Malware Protection report.