Shadow Verify is a Microsoft Defender validation framework designed to help security teams validate prevention controls, detection visibility, telemetry generation, alerting workflows, and analyst readiness.
Originally developed as the MDE Test Framework, Shadow Verify has been rebuilt as part of the Shadow Suite with enhanced reporting, guided validation experiences, analyst-focused workflows, and improved operational visibility.
Defender can appear healthy.
Devices can show as onboarded.
Policies can show as deployed.
That does not guarantee that:
- Prevention controls are working
- Telemetry is being generated
- Alerts are visible
- Analysts can validate security outcomes
Shadow Verify helps answer those questions safely and consistently.
Shadow Verify is the next evolution of the original MDE Test Framework.
✅ Shadow Suite branding and user experience
✅ Enhanced validation dashboard
✅ Validation scorecards (Pass / Verify / Fail)
✅ Interactive HTML reporting
✅ Guided Testing Experiences
✅ ASR validation workflows
✅ Pop-out analyst guidance blades
✅ Improved Defender portal verification guidance
✅ Purple/black Shadow Suite reporting theme
✅ Expanded reporting and analyst-focused validation

✅ EICAR validation
✅ EDR telemetry validation
✅ ASR configuration checks
✅ Microsoft Graph validation
✅ Defender alert retrieval
✅ HTML and JSON reporting
- Security Engineers
- Microsoft Defender Administrators
- Blue Team Analysts
- Security Consultants
- Microsoft Security Architects
- Lab and Validation Environments
- Organizations validating Defender deployments
- Overview
- What Shadow Verify Validates
- Features
- Guided Validation Experiences
- Architecture
- Quick Start
- Validation Categories
- Expected Outcomes
- Reporting
- Repository Structure
- Roadmap
- Requirements
- Licensing
- Disclaimers
Deploying Microsoft Defender is only the first step.
The more important question is:
Are your security controls actually working?
Shadow Verify provides a structured validation framework that helps organizations verify:
- Defender platform readiness
- Antivirus protection
- EDR telemetry visibility
- Attack Surface Reduction coverage
- Alert visibility
- Microsoft Graph access
- Analyst verification workflows
Shadow Verify is a defensive validation platform.
It is not an offensive tool.
It safely validates:
✅ Defender Antivirus Detection
✅ Endpoint Detection & Response Telemetry
✅ Attack Surface Reduction Configuration
✅ Microsoft Graph Visibility
✅ Defender Sensor Health
✅ Alert Retrieval
✅ Analyst Verification Workflows
✅ Guided Security Validation
- Defender sensor validation
- Microsoft Defender Antivirus validation
- EICAR malware simulation
- EDR telemetry generation
- ASR configuration inspection
- Microsoft Graph validation
- Alert retrieval validation
Shadow Verify includes analyst-focused validation workflows.
Current guided experiences include:
Guided ASR Validation validates the rule:
Block all Office applications from creating child processes
Includes:
- Rule verification guidance
- Expected behavior by mode
- Validation workflow
- Device Timeline verification
- Advanced Hunting examples
- Portal confirmation guidance
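The guided ASR experience above covers configuration checks plus timeline and Advanced Hunting verification for the Office child-process rule. The following is an added example, not Shadow Verify's own code, that reads the effective ASR configuration, scores the rule Pass / Verify / Fail in the scorecard style and emits the hunting query an analyst would use to confirm it; it assumes an elevated session on a Windows endpoint with Defender Antivirus, and the JSON file name is an arbitrary choice.

```powershell
# Added example, not Shadow Verify's own code: score the ASR rule
# "Block all Office applications from creating child processes" Pass / Verify / Fail.
# Assumes an elevated session on a Windows endpoint with Defender Antivirus.

# Microsoft's published GUID for this ASR rule.
$OfficeChildProcessRuleId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'

# Action codes as reported by Get-MpPreference.
$AsrModes = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-OfficeChildProcessRule {
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $acts = @($pref.AttackSurfaceReductionRules_Actions)

    # Ids and Actions are parallel arrays; find our rule (GUIDs compare case-insensitively).
    $mode = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $OfficeChildProcessRuleId) {
            $code = [int]$acts[$i]
            $mode = if ($AsrModes.ContainsKey($code)) { $AsrModes[$code] } else { "Unknown($code)" }
            break
        }
    }

    # Block proves prevention; Audit/Warn only logs, so an analyst must verify the
    # timeline shows the expected events; anything else is a coverage gap.
    $status = switch ($mode) {
        'Block'                    { 'Pass' }
        { $_ -in 'Audit', 'Warn' } { 'Verify' }
        default                    { 'Fail' }
    }

    # KQL the analyst can paste into Advanced Hunting to confirm the rule fired on this device.
    $hunt = "DeviceEvents | where ActionType in ('AsrOfficeChildProcessBlocked', 'AsrOfficeChildProcessAudited') " +
            "| where DeviceName startswith '$env:COMPUTERNAME' | project Timestamp, ActionType, FileName, InitiatingProcessFileName"

    [pscustomobject]@{
        Test            = 'ASR: Block all Office applications from creating child processes'
        RuleId          = $OfficeChildProcessRuleId
        Mode            = $mode
        Status          = $status
        WhereToVerify   = 'security.microsoft.com / Device Timeline / Advanced Hunting'
        AdvancedHunting = $hunt
    }
}

$result = Test-OfficeChildProcessRule
$result | Format-List
$result | ConvertTo-Json -Depth 3 | Set-Content -Path '.\ShadowVerify-AsrOfficeChildProcess.json'
```

A Verify result means the rule is present but not enforcing; the analyst confirms in the Device Timeline that audit events appear before treating the control as covered.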
Future guided experiences include:
- Credential Theft Protection
- Script Obfuscation Protection
- Executable Download Protection
- Office Process Injection Protection
- Network Protection Validation
Shadow Verify is organized into validation domains.
- Defender Sensor Status
- Defender Services
- Antivirus Readiness
- EICAR Detection Validation
- ASR Configuration Validation
- Benign EDR Simulation
- Timeline Artifact Generation
- Microsoft Graph Connectivity
- Alert Retrieval
- Analyst Workflows
- Security Portal Verification
- Advanced Hunting Guidance
- HTML Reporting
- JSON Reporting
- Validation Scorecards
Run PowerShell as Administrator.
```powershell
git clone https://github.com/YOURUSERNAME/ShadowVerify.git
cd ShadowVerify
Set-ExecutionPolicy Bypass -Scope CurrentUser
.\Invoke-ShadowVerify.ps1
```

Validates:
- Defender sensor status
- Defender services
- Antivirus readiness
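The platform readiness category above (sensor status, services, antivirus readiness) maps naturally onto a scorecard. The following is an added example, not Shadow Verify's own code, that performs those checks locally and writes a Pass / Verify / Fail JSON scorecard; it assumes an elevated session on an onboarded Windows endpoint, and the signature-age thresholds and output file name are arbitrary choices.

```powershell
# Added example, not Shadow Verify's own code: platform readiness checks for the
# Defender for Endpoint sensor, Defender services and antivirus state, scored
# Pass / Verify / Fail and written as a JSON scorecard. Assumes an elevated session
# on an onboarded Windows endpoint; thresholds and file name are arbitrary choices.

function Test-DefenderPlatformReadiness {
    $checks = [System.Collections.Generic.List[object]]::new()
    function Add-Check([string]$Name, $Value, [string]$Status) {
        $checks.Add([pscustomobject]@{ Check = $Name; Value = "$Value"; Status = $Status })
    }

    # Sensor onboarding state is recorded under the Windows Advanced Threat Protection key.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState -eq 1
    Add-Check 'MDE onboarding state' $onboarded $(if ($onboarded) { 'Pass' } else { 'Fail' })

    # Sense is the MDE sensor service; WinDefend is Defender Antivirus.
    foreach ($svc in 'Sense', 'WinDefend') {
        $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        Add-Check "Service $svc running" $state $(if ("$state" -eq 'Running') { 'Pass' } else { 'Fail' })
    }

    # Antivirus readiness from Defender's computer status object.
    $mp = Get-MpComputerStatus
    Add-Check 'Real-time protection' $mp.RealTimeProtectionEnabled $(if ($mp.RealTimeProtectionEnabled) { 'Pass' } else { 'Fail' })
    Add-Check 'Behavior monitoring'  $mp.BehaviorMonitorEnabled  $(if ($mp.BehaviorMonitorEnabled)  { 'Pass' } else { 'Fail' })
    # Stale signatures still protect, so they score Verify (analyst should look) before Fail.
    $age = [int]$mp.AntivirusSignatureAge
    Add-Check 'AV signature age (days)' $age $(if ($age -le 1) { 'Pass' } elseif ($age -le 7) { 'Verify' } else { 'Fail' })

    # Any Fail fails the category; otherwise any Verify needs analyst follow-up.
    $statuses = @($checks | ForEach-Object Status)
    $overall  = if ($statuses -contains 'Fail') { 'Fail' } elseif ($statuses -contains 'Verify') { 'Verify' } else { 'Pass' }
    [pscustomobject]@{
        Device    = $env:COMPUTERNAME
        Generated = (Get-Date).ToString('o')
        Score     = [math]::Round(100 * @($statuses | Where-Object { $_ -eq 'Pass' }).Count / $checks.Count)
        Overall   = $overall
        Checks    = $checks
    }
}

$report = Test-DefenderPlatformReadiness
$report.Checks | Format-Table Check, Value, Status -AutoSize
$report | ConvertTo-Json -Depth 4 | Set-Content -Path '.\ShadowVerify-PlatformReadiness.json'
```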
Validates:
- EICAR detection
- Antivirus response
- ASR configuration
Validates:
- EDR visibility
- Timeline artifacts
- Telemetry generation
Validates:
- Microsoft Graph access
- Alert retrieval
- Security portal visibility
Provides:
- Step-by-step validation workflows
- Analyst verification guidance
- Portal confirmation steps
- Advanced Hunting examples
| Test | Expected Result | Where To Verify | Why It Matters |
|---|---|---|---|
| EICAR Validation | File detected or quarantined | security.microsoft.com / Device Timeline | Confirms AV protection |
| EDR Simulation | Telemetry generated | Device Timeline / Advanced Hunting | Confirms EDR visibility |
| Graph Validation | Alerts returned | Microsoft Graph / Defender Portal | Confirms cloud visibility |
| ASR Configuration | Rules identified | Defender Policy Configuration | Confirms protection coverage |
| Guided ASR Validation | Verification workflow completed | Defender Portal | Confirms analyst readiness |
Shadow Verify generates HTML and JSON reports.
The HTML report includes:
- Validation Summary
- Pass / Verify / Fail Status
- Validation Score
- Guided Testing Experiences
- Interactive Validation Blades
- Verification Guidance
The JSON report includes:
- Structured validation results
- Automation-friendly output
- Integration-ready format
```text
ShadowVerify/
├── README.md
├── CHANGELOG.md
├── LICENSE
├── SECURITY.md
├── Invoke-ShadowVerify.ps1
├── MDETestFramework.psm1
├── shadowverify.png
├── images/
├── docs/
│   └── PLAYBOOK.md
└── logs/
```
- Shadow Suite branding
- Guided ASR validation
- Interactive report blades
- Validation scorecards
- Enhanced reporting
- Expanded ASR validation experiences
- Additional guided workflows
- Enhanced verification reporting
- Network Protection validation
- SmartScreen validation
- Web Content Filtering validation
- Device Control validation
- Controlled Folder Access validation
- Defender control maturity assessments
- Windows endpoint
- Microsoft Defender for Endpoint onboarded
- PowerShell 5.1 or later
- Microsoft Graph PowerShell SDK (optional)
- Appropriate Graph permissions (optional)
Shadow Verify is licensed under the Shadow Suite Community License.
The Shadow Verify name, branding, and Shadow Suite identity are protected.
Refer to the LICENSE file for full terms and conditions.
Shadow Verify is intended for:
- Security validation
- Educational use
- Authorized testing
- Enterprise readiness assessments
Do not use this tool in unauthorized environments.
Some validation activities may generate Defender telemetry, detections, alerts, or security events.
Always perform testing in approved environments.
This project is an independent work developed in a personal capacity.
The views, opinions, code, and content expressed in this repository are solely my own and do not reflect the views, policies, or positions of any employer, client, or affiliated organization.
This project is not affiliated with or endorsed by Microsoft.
© 2026 Shadow Suite
Validate. Verify. Defend.
Shadow Verify is licensed under the Shadow Suite Community Edition License.
The Shadow Verify name, Shadow Suite name, associated logos, report styling, branding, and visual identities are protected and may not be reused, redistributed, or rebranded without written permission.
See LICENSE for full terms.