VB ESA - M365 for vendors

VB ESA - M365 for vendors

Not VB ESA - M365 certified and want to be? See how your product can be enrolled in the test programme.

This page is designed to give you insight into how the VB ESA - M365 programme is set up and runs, and how your product can be enrolled in the test programme.

• Overview
• Test scope
• Test types
• FAQs
• Getting in touch

Overview

VB ESA - M365 is a continuously running performance test programme for products that supplement Microsoft 365’s native email security. The programme is designed to quantify and compare the incremental protection these products provide against spam, phishing and malware emails that were not already filtered by Microsoft 365, while maintaining strict control over false positives.

Test scope

Our testing process uses real-world email streams to evaluate Microsoft 365 email security add-ons. Each product is exposed continuously to unwanted and legitimate emails, including spam, phishing, malware, ham and newsletters.

A central feature of the test is the Microsoft 365 comparative base. Emails filtered by Microsoft 365 itself are excluded from product scoring, allowing the test to focus only on the residual set that passed Microsoft 365 and remained available for the tested add-on to detect.

To quantify performance, we categorize outcomes into true positives, true negatives, false positives and false negatives. The main detection metric is the Incremental Detection Rate (IDR), which measures how many unwanted emails from the residual set were detected by the tested add-on.

For more detailed information, you can refer to the full methodology.

Test types

The following types of testing are available:

• Public testing: products in the public VB ESA - M365 series undergo continuous evaluation, with weekly feedback provided privately to participants outside the official public test periods. Public testing is based on performance data gathered during selected official periods each year. This provides continuous quality assurance for your product, alongside periodic public comparative tests.
• Private testing: private tests are typically conducted on an ongoing basis, serving as an extension of your own quality assurance in a non-comparative, non-public manner. One-off private testing is also available, for example for pre-release builds or alternative configurations. Private test results are shared only with the vendor and cannot be made public by either party.
• Bespoke testing: we also conduct stand-alone evaluations or commissioned comparative tests, either privately or publicly, sometimes using a customized methodology. Please get in touch to discuss your requirements.

Supported product types

VB ESA - M365 is designed for products that add protection to Microsoft 365 in one of two common deployment models:

• Integrated Cloud Email Security (ICES): products that integrate API-first, without MX changes, and can detect or remediate threats in Microsoft 365 mailboxes.
• Secure Email Gateways (SEGs) for Microsoft 365: products that sit in front of Microsoft 365 via MX routing and filter messages before or during delivery.

FAQs

General

• How do I get started in VB ESA - M365?

Testing process

• What kind of feedback do I receive?
• What kind of emails are used in the test?
• Who is going to host my product?
• How do I make sure my product is set up correctly for the test?
• My product takes specific actions on unwanted email. Can your test framework work with that?
• If my private test works out really well, can I make the result public? If my public test works out poorly, can I make it private?
• Will you let me know if my product is not performing well during the test?

Pricing and certification

• How much does testing cost?
• How long does it take to get certified?
• Does my award cover my other product editions?

AMTSO compliance

• What are the benefits of the AMTSO certification?
• What are my rights and obligations under the AMTSO Standard?
• Why aren’t VB ESA - M365 reports certified as AMTSO compliant immediately upon release?

General

How do I get started in VB ESA - M365?

These are the major steps you can expect:

• Project discussion: work with us to define your objectives, preferred test arrangement and desired start date.
• Agreement: sign a Test Agreement covering the relevant terms and conditions for participation.
• Setup: collaborate with us to set up your product in the Microsoft 365-based test environment.
• Testing: testing begins for the agreed duration. Weekly feedback is provided privately outside the designated public test periods.
• Public test period: at the end of an official public test period, feedback is shared for the entire period. You then have time to review and dispute the results before the public report is released.

Testing process

What kind of feedback do I receive?

The feedback we provide is specific to your product and non-comparative. It includes:

• Performance metrics on the various test case bodies.
• False negative and false positive samples, including MIME and transaction logs, subject to capacity limits.
• Mailbox or transaction evidence showing how the product handled the message, where applicable.

What kind of emails are used in the test?

Both unwanted and legitimate emails are used in the test.

• Unwanted emails: sourced in real time from third-party feeds and Virus Bulletin’s own threat intelligence.
• Legitimate emails: these include ham and newsletters.

Who is going to host my product?

VB ESA - M365 uses a Microsoft 365 tenant with a licensed user account configured for the tested product. In many cases, the product itself is hosted by the vendor as part of its normal service model. Where relevant, setup is carried out jointly with the vendor to ensure the product is connected correctly to the test tenant.

How do I make sure my product is set up correctly for the test?

We work with you during the initial setup and provide opportunities to validate that the tested configuration reflects the intended production use case. For products where this is appropriate, vendors may audit the product configuration, state or logs remotely during the test.

My product takes specific actions on unwanted email. Can your test framework work with that?

In most cases, yes. The test framework can accommodate common actions such as:

• SMTP rejection, including permanent 5xx rejections.
• Repeated transient failures that ultimately prevent delivery.
• Mailbox placement into Junk Email or a product-specific blocked-mail folder.
• Mailbox placement into Inbox or a product-specific legitimate-mail folder.

The test ultimately normalizes these product actions into a binary result: the email was treated as unwanted, or it was not.

If my private test works out really well, can I make the result public? If my public test works out poorly, can I make it private?

No. One of the fundamental rules of fair testing is that any test starting out as a private test cannot be made public, and a public test cannot be made private. This avoids cherry-picking of favourable results.

Will you let me know if my product is not performing well during the test?

Yes, if we suspect that a technical issue is affecting the results. For example, if we encounter an excessive number of false negatives or false positives, or if the product appears misconfigured or unstable, we will work with you to investigate. The review and dispute phase serves as a final checkpoint before publication of public results.

Pricing and certification

How much does testing cost?

Both public and private tests are available under a flexible commercial model. To discuss pricing and the most suitable arrangement for your product, please get in touch.

How long does it take to get certified?

Public testing is conducted on a continuous basis, with official public periods designated within the programme. If you are looking to join with a particular reporting timeline in mind, it is best to start the discussion in advance so setup and validation can be completed before the relevant official period begins.

Does my award cover my other product editions?

No. Awards are issued for a specific product edition and tested configuration. They do not automatically extend to derivative editions, OEM-licensed engines or other product variants that were not part of the test.

AMTSO compliance

What are the benefits of the AMTSO certification?

The AMTSO certification helps ensure that you receive a testing service that operates within established industry expectations for fairness, transparency and relevance. This benefits vendors directly and also increases confidence in the published reports.

What are my rights and obligations under the AMTSO Standard?

These are ultimately defined by the AMTSO Testing Protocol Standard. In practical terms, vendors participating in AMTSO-audited tests are typically asked to register on AMTSO’s contact list and provide feedback before and after the test regarding how the testing was conducted.

Why aren’t VB ESA - M365 reports certified as AMTSO compliant immediately upon release?

AMTSO audits and certifies tests periodically rather than instantly. Because vendor feedback after the test is part of that process, AMTSO compliance can only be confirmed after the public report has already been released.

Getting in touch

Ready to get the conversation started? Please email us at [email protected].

VB ESA - M365

Latest report

VB ESA - M365 test archive

VB testing

VB100

VBSpam

Consultancy services