Crytica Rapid Detection & Alert (RDA) Efficacy & Efficiency vs. Microsoft Defender in Windows 11 and Linux Environments
Abstract
Crytica Security commissioned Tolly to evaluate the efficacy, responsiveness, and resource efficiency of its Rapid Detection & Alert (RDA) platform versus Microsoft Defender in both Windows 11 and Linux environments. The main focus of the project was to determine how effectively each solution could detect known and simulated zero-day executable malware, how quickly threats were identified, and how much CPU and memory each product consumed while providing protection.
Crytica Security’s Rapid Detection & Alert is positioned as a lightweight endpoint protection approach built to reduce malware dwell time by detecting unauthorized executable changes rather than relying on traditional signature databases or cloud threat intelligence. In this Tolly evaluation, RDA was compared with Microsoft Defender in both Microsoft Windows 11 and Linux environments, with emphasis on detection efficacy, speed of detection, and system resource consumption. The report argues that these factors are especially important for Linux-based IoT and operational technology systems, where CPU and memory headroom are often limited.
For known-malware testing, Crytica RDA detected 100% of the executable malware samples in both operating systems. On Windows 11, Microsoft Defender for Business detected 94.88% of 215 recent malware executables, while on Red Hat Enterprise Linux 9, Microsoft Defender for Endpoint detected 94.44% of 18 ELF malware samples. Tolly also found a major difference in efficiency. In Windows, Microsoft Defender used about 200MB of memory while idle and more than 350MB during scanning, with CPU frequently above 90%. By contrast, Crytica RDA used about 2MB of memory and typically 0 to 12% CPU while maintaining continuous monitoring. On Linux, Microsoft Defender consumed about 2.28GB of memory and about 59% system CPU during a full-disk scan, while Crytica RDA used roughly 750KB of memory and up to 36.9% overall CPU during its recurring scans.
The report also examined simulated zero-day attacks. These tests used newly created foreign executables that decrypted previously known malware packaged into encrypted data files. In both Ubuntu Linux and Windows 11, Crytica RDA detected all six foreign executables within 15 seconds of arrival. Microsoft Defender detected none of the foreign executables immediately. After the malware was decrypted, Microsoft detected only two of six samples in Linux and three of six in Windows. Tolly presents this as evidence that Crytica’s model can identify previously unseen threats by flagging unauthorized executable changes rather than waiting for known-malware recognition. Overall, the report presents Crytica RDA as a fast, resource-efficient endpoint protection architecture that delivered full detection of both known and simulated zero-day executable threats in the tests, while maintaining a very small memory footprint and substantially lower CPU demands than Microsoft Defender.
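The report describes RDA only at the level of its approach: alert on executables that appear or change on the host, rather than match them against a signature database. The script below is an added illustration of that general class of technique (a baseline of executable hashes compared on each scan), written for this page; it is not Crytica's code and the report does not describe RDA's internals. Everything in it is an assumption: the directory layout, the 15-second polling interval (chosen to mirror the detection window the report cites), the rule that a file counts as an executable if it starts with an ELF or PE header or has an exec bit, and the constructed sample files in `demo()`.

```python
import hashlib
import os
import time
from pathlib import Path
from typing import Dict, Set

# Magic numbers for the two executable formats the report's tests cover:
# ELF for Linux and the MZ stub that begins every Windows PE file.
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"


def is_executable_file(path: Path) -> bool:
    """Content-first test: a dropped file need not carry a telling extension,
    so look at the header bytes a loader would honour, then fall back to mode bits."""
    if not path.is_file():
        return False
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
        mode = path.stat().st_mode
    except OSError:
        return False
    if head.startswith(ELF_MAGIC) or head.startswith(PE_MAGIC):
        return True
    return bool(mode & 0o111)


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every executable under root (POSIX-style relative path) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if is_executable_file(path):
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def diff_against_baseline(baseline: Dict[str, str], root: Path) -> Dict[str, Set[str]]:
    """Rescan and classify each executable as new, modified or removed relative to the baseline.
    Any non-empty category is an alert condition; no signature lookup is involved."""
    current = build_baseline(root)
    return {
        "new": set(current) - set(baseline),
        "modified": {p for p in current.keys() & baseline.keys() if current[p] != baseline[p]},
        "removed": set(baseline) - set(current),
    }


def watch(root: Path, interval_seconds: float = 15.0) -> None:
    """Polling loop (assumed design, not RDA's): re-baseline after each report so
    every change is raised once. Blocks forever; intended for the __main__ path only."""
    baseline = build_baseline(root)
    while True:
        time.sleep(interval_seconds)
        changes = diff_against_baseline(baseline, root)
        if any(changes.values()):
            print(f"ALERT {time.strftime('%H:%M:%S')}: {changes}")
            baseline = build_baseline(root)


def demo() -> Dict[str, Set[str]]:
    """Constructed scenario (not from the Tolly report): baseline a small tree, then
    drop a foreign ELF and alter an existing one, as the simulated zero-day test did."""
    import tempfile
    elf_header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # minimal fake e_ident
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "known.elf").write_bytes(elf_header + b"original body")
        (root / "data.cfg").write_text("not an executable\n")
        baseline = build_baseline(root)
        # Arrival of a foreign executable, tampering with a known one, and a harmless data file.
        (root / "bin" / "foreign.elf").write_bytes(elf_header + b"decryptor stub")
        (root / "bin" / "known.elf").write_bytes(elf_header + b"patched body")
        (root / "notes.txt").write_text("added non-executable, must not alert\n")
        return diff_against_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())  # new: bin/foreign.elf, modified: bin/known.elf, removed: none
```

The point the demo makes is the one the report credits for the zero-day results: the foreign executable is flagged the moment it lands, before anything it unpacks is ever recognised, and the added data file raises nothing. A real deployment would also need to cover the baseline itself (store it off-host or signed) and to reconcile legitimate package updates, neither of which the report discusses.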