Cylance
from Wikipedia

Cylance Inc. is an American software firm based in Irvine, California,[3] that develops antivirus programs and other kinds of computer software that prevent viruses and malware.

Key Information

In February 2019, the company was acquired by BlackBerry Limited for $1.4 billion.[4][5] After the acquisition, it continues to operate as an independent subsidiary and will remain headquartered in Irvine, California.

In December 2024, Arctic Wolf entered into an agreement with BlackBerry Limited to purchase Cylance.[6] BlackBerry will sell its Cylance assets to Arctic Wolf for $160 million in cash, subject to certain adjustments, and approximately 5.5 million common shares of Arctic Wolf. After allowing for the purchase price adjustments, BlackBerry will receive approximately $80 million in cash at closing and approximately $40 million in cash one year following the closing.[7]

Founding


Cylance was founded by Stuart McClure and Ryan Permeh in 2012. McClure was previously co-founder of Foundstone, a security consultancy. He sold Foundstone to McAfee in 2004 and became that firm's Chief Technology Officer.[8]

Funding


A July 2015 report indicated that Cylance had raised $42 million from investors including Draper Fisher Jurvetson, Kohlberg Kravis Roberts, Dell, Capital One, and TenEleven Ventures.[8] It received another $100 million in June 2016 with lead investors Blackstone Tactical Opportunities (part of The Blackstone Group) and Insight Venture Partners.[9] They received an investment from In-Q-Tel in September 2015.[10][11]

Operation Cleaver


Operation Cleaver was a covert cyberwarfare operation allegedly carried out by the Iranian government against targets worldwide, specifically critical infrastructure entities. Cylance published a report about the operation in late 2014. Iranian officials rejected Cylance's conclusions, but the FBI tacitly confirmed them.[12][13][14]

Controversies


Malware scandal


In November 2016, a systems engineer evaluated 48 malware sample files provided by Cylance for testing its protection product "Protect" and found that 7 of them were not malware.[15] This led to an accusation that Cylance was using the test to appear superior to its competitors by supplying files that other products would fail to flag as malware.[16] In response, Cylance executives said that they had used repackaged malware samples for testing.

from Grokipedia

Cylance Inc. is an American cybersecurity company specializing in artificial intelligence (AI) and machine learning-based endpoint protection solutions designed to predict and prevent malware and advanced threats without relying on traditional signature-based detection.

Founded in 2012 by Stuart McClure and Ryan Permeh in Irvine, California, where it maintains its headquarters, Cylance pioneered preventive AI-driven security approaches that analyze executable code to block zero-day attacks and known variants preemptively. The company achieved rapid growth, reaching unicorn status and serving enterprise clients with products like CylancePROTECT, which emphasized low resource usage and high efficacy in independent evaluations, though it drew scrutiny for disputes over testing methodologies and claims of superior performance. In 2019, BlackBerry acquired Cylance for $1.4 billion to bolster its offerings, but the unit underperformed, leading to its sale to Arctic Wolf in December 2024 for $160 million amid broader challenges in integrating and scaling the technology. Cylance has been credited with validating its approach in high-profile incidents, such as post-Sony hack analyses, yet faced controversies including researcher-demonstrated bypasses of its AI models and a 2024 data breach via a third-party platform.

Company Overview

Founding and Early Development

Cylance Inc. was founded in July 2012 by Stuart McClure and Ryan Permeh in Irvine, California. McClure, who served as the company's CEO, brought extensive experience from prior roles, including co-founding Foundstone—a security consultancy acquired by McAfee for $86 million in 2004—and working as a global CTO. Permeh complemented this expertise in cybersecurity operations and research.

The company's inception stemmed from a recognition of the limitations of traditional antivirus solutions, which relied on signature-based detection prone to evasion by novel threats. Cylance pioneered a proactive, math-based approach to predict and prevent malware execution at the endpoint level, analyzing file characteristics mathematically rather than reactively scanning for known patterns. This innovation aimed to address the recurring success of cyber attacks caused by industry inertia in detection methods.

In its early years, Cylance focused on developing its core product, CylancePROTECT, which emphasized prevention over detection. By 2016, the technology had gained traction among early adopters, with professional services engagements demonstrating its efficacy against advanced threats. The firm operated as a channel-oriented vendor from the outset, building partnerships to scale deployment rather than relying on direct sales. This foundational strategy positioned Cylance for rapid growth, culminating in significant enterprise adoption by the late 2010s.

Leadership and Key Personnel

Cylance was co-founded in 2012 by Stuart McClure and Ryan Permeh, with McClure serving as the initial CEO and Permeh as chief scientist. McClure, who previously co-founded the security consultancy Foundstone (acquired by McAfee for $86 million in 2004), led the company's strategic direction toward AI-driven endpoint protection, emphasizing mathematical models for threat detection over traditional signature-based methods. Under McClure's leadership, Cylance grew to over 900 employees and secured more than 3,000 enterprise customers before its acquisition by BlackBerry in November 2018 for $1.4 billion.

Following the BlackBerry acquisition, McClure departed in September 2019, after which Daniel Doimo was promoted from his role as executive of worldwide sales to president of BlackBerry Cylance. This transition coincided with several other executive exits, including chief marketing officer Didi Dayton and senior vice presidents Tim Mackie and Louise Ray, who joined competing cybersecurity firms. Permeh remained involved in technical leadership post-acquisition, contributing to product architecture as senior vice president and chief security architect at BlackBerry.

In December 2024, BlackBerry agreed to sell Cylance's assets to Arctic Wolf for $160 million in cash plus shares, with the deal closing in February 2025; no specific leadership changes for the Cylance unit were publicly detailed, as the assets were integrated into Arctic Wolf's security operations platform. Prior to these shifts, other key personnel included Brian Robins as chief financial officer, appointed in August 2017, who oversaw financial operations during the company's rapid scaling.

Business History

Funding Rounds

Cylance raised a total of $297 million across five funding rounds from 2013 to 2018, prior to its acquisition by BlackBerry. These rounds supported rapid expansion in artificial intelligence-based endpoint protection, with investments from prominent firms including Blackstone and Insight Venture Partners.

The Series A round closed on February 13, 2013, for $15 million, co-led by Fairhaven Capital Partners and another investor to fund initial product development and market entry. On February 20, 2014, Cylance secured $20 million in Series B funding, backed by Blackstone alongside returning investors including Fairhaven Capital, enabling team growth and technology scaling. The Series C round, announced July 28, 2015, raised $42 million with participation from Blackstone, bringing cumulative funding to $77 million and supporting international operations. In Series D, completed June 8, 2016, the company obtained $100 million led by Blackstone Tactical Opportunities and Insight Venture Partners, which fueled global sales and R&D investments. The final pre-acquisition round, Series E, raised $120 million on June 20, 2018, led by Blackstone Tactical Opportunities with additional undisclosed participants, valuing the company at approximately $1 billion and preparing for broader enterprise adoption.

Round    | Date         | Amount | Key Investors
Series A | Feb 13, 2013 | $15M   | Fairhaven Capital
Series B | Feb 20, 2014 | $20M   | Blackstone, Fairhaven Capital
Series C | Jul 28, 2015 | $42M   | Blackstone
Series D | Jun 8, 2016  | $100M  | Blackstone Tactical Opportunities, Insight Venture Partners
Series E | Jun 20, 2018 | $120M  | Blackstone Tactical Opportunities

Acquisition by BlackBerry

On November 16, 2018, BlackBerry announced its agreement to acquire Cylance, Inc., an artificial intelligence-based cybersecurity firm specializing in predictive endpoint protection, for $1.4 billion in cash. The transaction included retention of Cylance's unvested employee incentives and represented BlackBerry's largest acquisition to date, aimed at enhancing its cybersecurity capabilities amid a strategic shift toward software and services following the decline of its hardware business. The deal was structured to allow Cylance to operate initially as a distinct business unit within BlackBerry, preserving its AI-driven technology focused on prevention through models trained on billions of data points.

BlackBerry's leadership, including CEO John Chen, cited synergies between Cylance's proactive threat detection and BlackBerry's existing secure communications and IoT platforms, positioning the combined entity to compete in the growing enterprise cybersecurity market. Regulatory approvals proceeded without noted delays, reflecting the non-antitrust-sensitive nature of the acquisition in the fragmented cybersecurity sector. The acquisition closed on February 21, 2019, after satisfying customary closing conditions.

Post-closing, integration efforts emphasized embedding Cylance's AI engines into BlackBerry's broader security suite, though Cylance retained operational independence to maintain its specialized focus on lightweight, prevention-first endpoint agents. This move aligned with BlackBerry's goal of deriving over 90% of revenue from recurring software subscriptions, leveraging Cylance's established customer base of over 100 enterprise clients and its claims of blocking 100% of known malware in independent tests prior to the deal.

Sale to Arctic Wolf

BlackBerry Limited agreed to sell its Cylance endpoint security assets to Arctic Wolf on December 15, 2024, for $160 million in cash—subject to customary adjustments—and approximately 5.5 million common shares of the privately held Arctic Wolf. The deal marked a strategic divestiture for BlackBerry, which had acquired Cylance for $1.4 billion in cash in 2018, resulting in a substantial financial write-down amid efforts to refocus on its core IoT and QNX software businesses. The acquisition closed on February 3, 2025, enabling Arctic Wolf to integrate Cylance's AI-powered prevention technology into its managed detection and response platform.

Arctic Wolf, a security operations firm, launched Aurora Endpoint as its rebranded product incorporating Cylance's machine learning-based endpoint detection capabilities, aiming to enhance proactive prevention for enterprise customers. This marked Arctic Wolf's sixth acquisition, building on prior purchases like RootSecure and expanding its footprint beyond traditional MDR services. The transaction also expanded Arctic Wolf's global presence, adding over 100 Cylance employees and engineering offices, including one in Bengaluru, to support enhanced R&D and customer delivery.

BlackBerry retained certain non-endpoint Cylance-related intellectual property and transition services to facilitate a smooth handover, while Arctic Wolf committed to migrating existing Cylance customers to its unified platform without service disruptions. Industry analysts viewed the deal as mutually beneficial, with BlackBerry shedding underperforming assets amid cybersecurity market consolidation and Arctic Wolf accelerating its path toward a potential IPO by bolstering product depth.

Technology and Products

Core AI and Machine Learning Approach

Cylance's foundational technology employs machine learning algorithms to predict and prevent malware execution by analyzing file characteristics prior to runtime, eschewing reliance on signature databases or the behavioral heuristics common in legacy antivirus solutions. Files are disassembled and converted into mathematical vectors representing structural, statistical, and behavioral attributes, which are then evaluated against models trained on datasets encompassing billions of benign and malicious samples collected over years of research. This offline model training, conducted on computing clusters, generates lightweight classifiers deployed via endpoint agents that render binary decisions—safe or malicious—without requiring a real-time dependency for core verdicts, thereby minimizing latency and resource overhead.

The pipeline incorporates techniques such as random forests and neural networks in ensemble configurations, optimized for high precision in distinguishing novel threats, including zero-day exploits and polymorphic variants. Feature derivation involves proprietary feature engineering, extracting over 100,000 attributes per file, such as sequence-based attributes, statistical metrics, and import/export tables, to capture intrinsic malicious patterns independent of evasion tactics. Post-training, models achieve reported detection rates exceeding 99% on validation sets, with false positive tuning to balance usability in enterprise environments. This predictive approach shifts cybersecurity from detection-and-response to prevention-first, as articulated in Cylance's product positioning. The integration of machine learning extends to adaptive model updates, where aggregated anonymized data from deployed agents refines global models periodically without compromising endpoint performance. CylancePROTECT, the flagship endpoint solution, leverages this AI core to block threats at the pre-execution stage, supporting Windows, macOS, and other environments with modular extensions such as script control.

Independent evaluations have validated the approach's efficacy against evasion techniques, though vulnerabilities to adversarial inputs—such as manipulated feature perturbations—have been demonstrated in controlled settings, underscoring ongoing challenges in ML robustness for security applications.

Endpoint Protection Features

Cylance's endpoint protection capabilities center on CylancePROTECT, an AI-driven platform designed to prevent malware execution at the endpoint level without depending on traditional signature matching or behavioral heuristics alone. The system employs models trained on billions of data points to evaluate over 2.7 million file properties—including signing attributes, icons, and imports—disassembling files to predict and block malicious code before it runs. This prevention-first approach targets known, unknown, and zero-day threats, as well as fileless attacks, by monitoring processes in memory and halting anomalous execution.

Additional features encompass script control, which integrates with the core AI to restrict execution of potentially harmful scripts, including macros, supplementing malware prevention without requiring separate rulesets. Application control enforces whitelisting or blacklisting for executables, scripts, and drivers, while USB and device control policies prevent unauthorized peripheral access. Memory protection counters in-memory attacks by scanning running processes for injection attempts or anomalous memory patterns, enabling proactive blocking rather than post-infection remediation.

The platform supports deployment across Windows, macOS, and legacy systems, with centralized management for dynamic endpoints such as laptops and fixed devices including point-of-sale terminals and industrial control systems. Automated response mechanisms include bulk actions on detected threats, root cause analysis, and integration with endpoint detection and response (EDR) via CylanceOPTICS for threat hunting and forensic visibility. Compliance reporting aids regulatory adherence by logging prevention events and policy enforcement. Following integrations after the BlackBerry acquisition, features expanded to include network protection via CylanceGATEWAY, offering web filtering and safe browsing modes to block malicious domains at the endpoint.

Product Evolution Post-Acquisitions

Following BlackBerry's acquisition of Cylance, completed on February 21, 2019, the company's core endpoint protection platform, originally known as CylancePROTECT, was rebranded and integrated into BlackBerry's broader cybersecurity suite as BlackBerry Cylance. This integration aimed to leverage Cylance's AI-driven prevention models alongside BlackBerry's existing tools for endpoint detection and response (EDR), though the core architecture emphasizing pre-execution blocking remained largely unchanged initially. Subsequent updates included the release of the BlackBerry Protect Desktop agent version 3.x in early 2025, which introduced enhanced features such as a v2 runtime exploit mitigation feature and Script Control v2 for behavioral analysis of scripting languages, improving efficacy against fileless attacks without relying on signature-based detection.

Despite these technical refinements, BlackBerry shifted resources away from aggressive development of Cylance's standalone capabilities, prioritizing integration with its other software and profitable segments over endpoint expansion, which contributed to stagnant market growth and operational challenges. By late 2024, BlackBerry had curtailed investments in Cylance, viewing it as underperforming relative to competitors, leading to a strategic divestiture rather than further evolution of the product line as an independent offering.

Arctic Wolf's acquisition of Cylance assets, agreed upon December 16, 2024, and closed on February 3, 2025, for $160 million in cash plus shares, marked a pivot toward embedding Cylance's technology into a managed security operations center (SOC) framework. Under Arctic Wolf, the platform was rebranded as Aurora Endpoint Security, combining Cylance's AI-based prevention engine with Arctic Wolf's managed detection and response (MDR) services to provide unified endpoint defense, threat hunting, and automated response across hybrid environments. This evolution extends beyond isolated endpoint protection by incorporating Arctic Wolf's concierge security team for 24/7 monitoring, aiming to reduce alert fatigue and enhance overall risk mitigation through correlated intelligence from endpoint data and network telemetry. Early post-acquisition updates, documented as of September 2025, renamed components like Aurora Endpoint Defense (formerly CylanceENDPOINT) to streamline integration, while preserving the lightweight agent design for minimal performance impact on endpoints.

Research and Threat Intelligence

Operation Cleaver Report

In December 2014, Cylance published an 87-page report titled Operation Cleaver, detailing a multi-year cyber espionage campaign attributed to Iranian state-sponsored actors targeting critical infrastructure worldwide. The report identified the primary threat group as "Tarh Andishan," described by Cylance as an Iranian team operating primarily from one base with auxiliary members in several other countries, potentially backed by Iran's Islamic Revolutionary Guard Corps (IRGC). Cylance's analysis linked the operations to retaliation for Western cyber operations, with activity traced back to at least 2010 but intensifying after 2012.

The campaign compromised over 50 organizations across 16 countries. Targeted sectors encompassed defense industrial base (DIB) entities, oil and gas firms, utilities, transportation (including airports), hospitals, educational institutions, chemicals, and government bodies. Specific incidents highlighted included a 2013 breach of the U.S. Navy Marine Corps Intranet (NMCI), intrusions into a U.S. medical university, a U.S. defense contractor, and other U.S. organizations, as well as oil and gas companies in nine countries.

Cylance documented attack methods relying on opportunistic techniques such as exploiting known vulnerabilities, spear-phishing, and unpatched systems, including Microsoft's MS08-067. Custom tools included TinyZBot for command-and-control, Net Crawler for moving across networks, and Shell Creator 2 for generating webshells; malware families encompassed PrivEsc for privilege escalation and zhCat for backdoor access. Exfiltration occurred via protocols like FTP and SMTP, with infrastructure involving rapidly cycled IP addresses in Iran's AFRANET and domains mimicking legitimate entities (e.g., microsoftupdateserver.net). The report estimated the involvement of at least 20 hackers and emphasized intelligence gathering over destructive actions at the time, though it warned of escalation risks to industrial control systems (ICS/SCADA) and airline operations.

While Cylance's attribution to Iranian state actors drew media attention and prompted U.S. alerts, including from the FBI, some cybersecurity firms expressed caution; for instance, Mandiant's Counter Threat Unit noted a lack of independent intelligence confirming Iranian state ties to the specific infrastructure observed. The report positioned the threats as a precursor to broader disruptions, citing potential Iranian-North Korean cyber collaboration following a September 2012 technology agreement. Cylance urged global operators to prioritize threat hunting and patching, framing the operation as evidence of Iran's advancing cyber capabilities.

Other Contributions to Cybersecurity Research

In addition to the Operation Cleaver report, Cylance researchers have conducted detailed analyses of advanced persistent threat (APT) groups and their tactics. The BlackBerry Cylance Threat Research team, formed after the 2018 acquisition, specializes in analyzing malware samples to uncover attack vectors, payloads, and evasion methods, sharing findings through technical reports and whitepapers. A key example is the report on the OceanLotus (APT32) group, a Vietnam-linked actor targeting governments and organizations. Researchers identified a novel loader using steganography to hide encrypted backdoor payloads within image files, extracting and decrypting them at runtime to bypass signature-based detection. The report detailed the malware's decoding process, command-and-control communication, and indicators of compromise, enabling broader industry defenses against similar image-based techniques. Cylance's contributions extend to ongoing threat intelligence via BlackBerry's quarterly Global Threat Reports, which incorporate data from endpoint detections to track trends such as increases in targeted campaigns. These reports provide empirical data on malware behaviors, such as the protection methods observed in samples, informing preventive strategies beyond reactive measures.

Performance and Reception

Independent Testing and Efficacy Claims

CylancePROTECT, the company's flagship endpoint protection product, has claimed prevention efficacy rates above 99% against known and unknown threats, attributing this to machine learning models that analyze mathematical patterns in files rather than relying on signatures or behavioral heuristics. These claims were supported in early independent tests, such as a 2017 evaluation co-developed with Cylance, where it achieved over 97% efficacy against unknown samples, outperforming five signature-based antivirus solutions in side-by-side comparisons. In AV-Comparatives' March 2018 Advanced Endpoint Protection Test, Cylance recorded a 99.5% protection rate against advanced threats, with a subsequent phase yielding 99.3%. However, Cylance publicly disputed the methodologies of AV-Comparatives and MRG Effitas in September 2016, accusing them of fraud, manipulation, and unauthorized use of its software in evaluations that allegedly favored legacy vendors. AV-Comparatives responded by emphasizing standardized testing protocols, but the dispute highlighted tensions between next-generation vendors and traditional labs over test realism for AI-driven tools.

After the 2018 acquisition by BlackBerry, evaluations of BlackBerry Cylance products continued to show strong results. A 2021 SE Labs test awarded it the top ranking for new endpoint solutions, with a 100% score and zero false positives across evaluated scenarios. In May 2024, The Tolly Group independently tested CylanceENDPOINT, reporting nearly 100% detection rates both online and offline, alongside low CPU utilization compared to competitors. NSS Labs' earlier assessment of CylancePROTECT under Advanced Endpoint Protection criteria also validated high effectiveness, though its metrics emphasized comprehensive coverage over raw percentages.

Participation in MITRE ATT&CK Evaluations, including the Turla campaign round, demonstrated Cylance's detection of techniques such as malicious injections and command execution, though MITRE scores focus on technique coverage rather than aggregate prevention rates. Independent reviews, like PCMag's analysis of Cylance Smart Antivirus, confirmed effective machine learning-based identification in commissioned labs but noted limitations in usability and occasional false positives impacting enterprise deployment. Overall, while efficacy claims hold in controlled tests from labs such as SE Labs and Tolly, real-world performance depends on model updates and configuration, with no universal consensus due to varying test methodologies.

Market Traction and Achievements

Cylance demonstrated rapid early market expansion, recording 322 percent year-over-year revenue growth followed by 607 percent in 2016, driven by demand for its AI-based preventive endpoint protection. By fiscal year 2017, the company achieved over $100 million in trailing twelve-month revenue, a 177 percent increase from 2016, with annual sales reaching $130 million by April 2018. This trajectory supported a high-profile acquisition by BlackBerry in November 2018 for up to $1.4 billion, reflecting investor confidence in its technology amid a competitive endpoint protection landscape. Customer adoption grew substantially, with deployments across more than 14.5 million endpoints and over 6,000 global clients by 2019, including more than 100 companies and government entities. Venture funding milestones included a $120 million Series E round in 2018, elevating total investment to approximately $297 million and enabling international scaling. Market share hovered around 1.4 percent pre-acquisition, positioning Cylance as a notable challenger to incumbents.

Industry accolades underscored its innovations, with Cylance named a Visionary in Gartner's 2016 Magic Quadrant for Endpoint Protection Platforms and positioned highest for Ability to Execute among Visionaries in 2017. Frost & Sullivan awarded it top honors in 2016 for machine learning-driven pre-execution malware blocking, citing superior performance against unknown threats. After the BlackBerry integration, products like CylancePROTECT earned Gartner's Customers' Choice for endpoint protection for two consecutive years, while a 2019 Forrester Total Economic Impact study quantified a 99 percent three-year ROI for adopters. Additional recognitions included Cybersecurity Excellence Awards and a 2018 Globee Award for endpoint security.

Criticisms of Technology and Business Model

Critics of Cylance's technology have highlighted vulnerabilities in its machine learning models, which rely on static analysis of file characteristics for prevention. In July 2019, independent researchers reverse-engineered the CylancePROTECT model and developed a bypass by appending benign strings, derived from legitimate code, to malicious executables, shifting detection scores from negative values (e.g., -920) to positive ones (e.g., +630 or higher). This technique evaded detection in 83.6% to 88.5% of tested samples, including all top-10 threats from May 2019, exposing the model's sensitivity to feature manipulation in the absence of dynamic behavioral analysis.

The platform has also faced scrutiny for high false positive rates, which disrupt legitimate operations. Usability tests by AV-Comparatives in 2016 reported 26 false positives for Cylance, far exceeding the group average of 3, leading to blocks on benign software. User deployments have similarly encountered issues, such as flagging core OS files after updates, causing system crashes, or blocking tools like CCleaner and Autodesk installers due to heuristic overreach. Cylance has countered such evaluations by accusing testing organizations like AV-Comparatives of fraud, bias, and unethical repackaging of samples to inflate false alarms, opting out of some assessments.

Regarding the business model, Cylance's subscription-based, endpoint-centric approach drew criticism for limited scalability as a standalone point solution, lacking native integration with broader security stacks. Post-acquisition by BlackBerry in February 2018 for $1.4 billion, the product experienced stagnant growth—described by BlackBerry's CEO as "flattish" in fiscal 2020—and failed to justify the valuation amid integration hurdles. This contributed to a $51 million EBITDA loss in BlackBerry's cybersecurity division for fiscal 2024, prompting the sale of Cylance's endpoint assets to Arctic Wolf in December 2024 for $160 million, a fraction of the purchase price. Analysts attributed the underperformance to halted investments in expansion and challenges aligning Cylance's AI focus with BlackBerry's ecosystem.
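The pre-execution scoring pipeline described under Core AI and Machine Learning Approach and the appended-string bypass described above, as one added illustration constructed for this page (not Cylance's model or code): a toy linear scorer over string indicators shows why unbounded per-occurrence credit lets appended benign content flip a verdict, beside two defensive changes, bounding each indicator to presence and scoring only the bytes a file header declares. The TOYX container format, the indicator vocabulary and all weights are assumptions made for the example.

```python
import struct
from typing import Dict

# Constructed linear "model": string indicator -> weight. Negative weights push
# toward a malicious verdict, positive toward safe, mirroring the negative/positive
# score convention in the bypass research. All weights are made up for this toy.
WEIGHTS: Dict[bytes, float] = {
    b"CreateRemoteThread": -400.0,
    b"WriteProcessMemory": -350.0,
    b"VirtualAllocEx": -300.0,
    b"Copyright (c)": 60.0,
    b"Example Corp": 50.0,
    b"GetModuleHandleW": 40.0,
    b"LoadStringW": 40.0,
}
BIAS = 100.0

# Constructed container format (hypothetical): 4-byte magic plus a little-endian
# uint32 giving the length of the declared body. Bytes after that are overlay.
MAGIC = b"TOYX"
HEADER = struct.Struct("<4sI")


def build(body: bytes, overlay: bytes = b"") -> bytes:
    """Assemble a toy file; `overlay` models bytes appended after the declared body."""
    return HEADER.pack(MAGIC, len(body)) + body + overlay


def declared_body(blob: bytes) -> bytes:
    """Return only the bytes the header claims belong to the file."""
    magic, length = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a TOYX file")
    return blob[HEADER.size:HEADER.size + length]


def count_features(data: bytes) -> Dict[bytes, int]:
    """Raw occurrence counts of each vocabulary string."""
    return {tok: data.count(tok) for tok in WEIGHTS}


def score_raw_counts(data: bytes) -> float:
    """Naive scorer: every occurrence adds its full weight with no upper bound,
    so repeating a benign string N times earns N times the credit."""
    return BIAS + sum(WEIGHTS[t] * n for t, n in count_features(data).items())


def score_bounded(data: bytes) -> float:
    """Mitigation 1: presence, not count. A benign string earns its weight once,
    so no amount of repetition can outweigh strong malicious indicators."""
    return BIAS + sum(WEIGHTS[t] for t, n in count_features(data).items() if n > 0)


def score_hardened(blob: bytes) -> float:
    """Mitigation 2 on top of 1: score only the declared body, ignoring overlay
    bytes that can be appended without touching the executable content."""
    return score_bounded(declared_body(blob))


def verdict(score: float) -> str:
    return "safe" if score > 0 else "malicious"


def demo() -> Dict[str, float]:
    # Constructed "malicious" body: imports typical of process injection.
    body = b"\x00".join([b"MZ...", b"CreateRemoteThread",
                         b"WriteProcessMemory", b"VirtualAllocEx"])
    # Constructed benign-looking padding, repeated 20 times and appended as overlay.
    padding = b"Copyright (c) Example Corp\x00GetModuleHandleW\x00LoadStringW\x00" * 20
    plain = build(body)
    padded = build(body, overlay=padding)
    return {
        "raw_plain": score_raw_counts(plain),          # -950: malicious
        "raw_padded": score_raw_counts(padded),        # +2850: flipped to safe
        "bounded_padded": score_bounded(padded),       # -760: still malicious
        "hardened_padded": score_hardened(padded),     # -950: overlay ignored
    }


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:>16}: {s:+.0f} -> {verdict(s)}")
```

Bounding alone caps the credit at the sum of the benign weights, which is small in this toy but large for a real vocabulary, so excluding bytes outside the declared structure is the more important of the two changes.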

Controversies

Claims of Prevention Efficacy

Cylance has asserted high prevention efficacy for its CylancePROTECT software, primarily based on machine learning models that classify files as malicious or benign prior to execution. In a 2017 NSS Labs Advanced Endpoint Protection test, CylancePROTECT achieved a security effectiveness score of 99.69%, with a block rate exceeding 99% against a range of threats, including exploits, and zero false positives in detection accuracy. The company has marketed its AI-driven approach as preventing 99.1% of both known and zero-day threats by analyzing mathematical patterns in code rather than relying on traditional signatures or behavioral heuristics.

These claims faced significant scrutiny, particularly regarding the validity of testing methodologies and Cylance's responses to unfavorable results. In February 2016, an AV-Comparatives assessment found CylancePROTECT provided inferior protection against in-the-wild malware and exploits compared to competitors like Symantec, prompting Cylance to accuse the tester of fraud, manipulation, and unauthorized use of its software while demanding test data under threat of legal action. Similarly, disputes with MRG Effitas arose over tests where Cylance allegedly supplied non-malicious samples misrepresented as malware, leading to inflated self-reported detection rates near 100%; independent verification later revealed some samples were benign or outdated, undermining the claims. Critics, including security researchers, have highlighted vulnerabilities in Cylance's ML models, such as susceptibility to adversarial examples—subtly modified malware that evades detection—demonstrating that efficacy claims may not hold against evolved threats. Cylance's aggressive legal tactics against testers, including cease-and-desist letters to suppress comparative evaluations, raised concerns about transparency and the reliability of efficacy assertions, as independent benchmarks like those from AV-Comparatives often yielded lower prevention rates in real-world scenarios. While proponent tests from labs like NSS Labs supported high scores, the pattern of disputes with multiple evaluators suggested potential overstatement of preventive capabilities, particularly for non-file-based or obfuscated attacks.

Product Vulnerabilities and Scandals

In 2018, security researchers at Atredis Partners identified a vulnerability in CylancePROTECT that local users could exploit to gain elevated privileges. Prior to July 21, 2019, Cylance's AI-based antivirus products contained flaws enabling adversaries to craft malicious files that evaded detection via concatenation bypass techniques, as detailed in a CERT advisory. In the same period, Skylight Cyber disclosed a separate weakness in CylancePROTECT that permitted attackers to manipulate the product's software ranking system, allowing evasion of preventive controls. In November 2021, Pen Test Partners reported three vulnerabilities in Cylance for Windows, including CVE-2021-32021 (a denial-of-service), which the vendor subsequently addressed. More recently, on August 20, 2024, BlackBerry released advisory BSRT-2024-001 for CVE-2024-35214, a tampering vulnerability in the installation package of CylanceOPTICS versions 3.2 and 3.3, allowing local administrators to bypass uninstall protections or modify installation processes.

In June 2024, data allegedly belonging to Cylance—encompassing approximately 34 million emails and personal identifiers—was listed for sale on underground forums, prompting BlackBerry to investigate and confirm it as outdated marketing information stolen via a third-party platform breach linked to the Snowflake customer incidents (tracked as UNC5537). BlackBerry emphasized that the incident involved no customer systems or current product data, attributing it to misconfigured third-party access rather than a direct product flaw.
