Andreas Hi Andreas,
Well I had one client who always had their own shared hosting, twice that website has been hacked in 5 years. What's interesting, is the last time it was hacked (very recent), I couldn't access their cpanel. So I took a backup I made a few weeks prior, put it on one of my servers near her and used WordFence to monitor all the attacks in real-time and then I created extra blocking rules, so that even if they managed to breach the site, I'd stop the scripts by name being accessible.
For 24 hours, I held off a ton of bot traffic that was trying to talk to the site, then re-attack it.
When I got cPanel access and cleaned up the old hacked code on shared hosting, cloned over the freshly updated site I'd been hosting. In less than 24 hours it was hacked again. Of course I was monitoring it, but WordFence simply couldn't scan, the shared resources where too slow to even complete. So I pointed the domain back at my servers and held off all the attacks since. That website has been running on enhance, with OLS, free CF and free WordFence very happily.
So in this instance, it was the shared hosting, they're big enough name too. I personally feel there servers where miss managed and not protected enough. Hence the extra methods of attacking.
But same code base, just on my servers I kept it safe. So WordFence can have a serious role to play, this was the free edition by the way, it's a small client.
But thats my experience, I've not played with scurri much, but respect it as a valid competitor to WordFence, I've seen some others, but in all honesty, I trust them way, way less.
As to how can you test it? Pentest a website with different security tools installed and see what works or not, I am sure someone must of put some research into this area online, maybe youtube. I don't have the time to either test or go look for the research. (I am quite happy with Wordfense)
Likewise Wordfence reports form your website let me know when plugins are out of date and if it's critical or medium issue. Likewise, if admin logs into a website and I notice the email I check and I caught the first hacker that way. Finally, it's the emails you receive with all the pen-testing research that's done both in-house and through freelancers that tip us off to any serious threats to any known plugins I might recognise.
I don't pay too much attention to the increased attack rates emails, I just take a look and see what site and attack types they're trying. Then decide if I wish to give it any more attention.