This GigaOm Research Reprint Expires Jun 17, 2025

GigaOm Radar for Network Detection and Response (NDR)v2.0

1. Executive Summary

Network detection and response (NDR) solutions represent a critical evolution in cybersecurity. Designed to address the increasingly sophisticated and varied nature of cyberthreats facing organizations today, they enable the detection of malicious behavior and the response to cyberthreats within network traffic, offering a level of visibility and analytical depth that traditional security measures cannot match. By leveraging advanced analytics, AI, and ML, NDR solutions can identify subtle attack signals and anomalies in network traffic, providing a proactive stance against potential security breaches.

The importance of NDR solutions in the modern cybersecurity landscape cannot be overstated. As organizations continue to expand their digital footprints, incorporating cloud services, internet of things (IoT) devices, and remote work models, the complexity and volume of network traffic have increased exponentially. This expansion, coupled with the sophistication of cyberattackers who continually develop new methods to bypass traditional security defenses, necessitates a more dynamic and intelligent approach to network security. NDR solutions fill this gap by offering comprehensive network visibility, including analysis of encrypted traffic and the ability to detect and respond to threats in real time. This ensures continuous operation and threat detection capabilities under a wide array of failure scenarios, including catastrophic events.

The NDR market is rapidly evolving, driven by several key trends. Integration with AI and ML is becoming more sophisticated, enabling NDR solutions to become even more adept at identifying anomalies and predicting malicious activity. There is a growing convergence with extended detection and response (XDR) platforms, blurring the lines between NDR and XDR to offer more unified detection and response capabilities across the entire IT environment. Additionally, the focus on automation is intensifying, with NDR solutions streamlining incident response protocols to mitigate threats more efficiently.

For organizations considering NDR solutions, several factors are critical to the purchase decision. Interoperability with existing network and security infrastructures ensures that NDR solutions can seamlessly integrate into the organization’s technology stack. Manageability and scalability are essential for adapting the solution to changing security needs, while performance and resilience guarantee that the solution can effectively protect the network without disrupting business operations. Vendor support is also a key consideration, as robust support models with highly trained staff and comprehensive documentation can significantly enhance the solution’s effectiveness.

As the market continues to evolve, organizations must carefully evaluate NDR solutions against their specific needs and requirements, ensuring that they select a solution that not only addresses current security challenges but is also capable of adapting to future threats and technological advancements.

This is our second year evaluating the NDR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 29 of the leading NDR solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading NDR offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well NDR solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Cloud service providers (CSPs): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Network service providers (NSPs): Service providers selling network services—network access and bandwidth—provide entry points to backbone infrastructure or network access points (NAP). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
  • Managed service providers (MSPs): Service providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
  • Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
  • Small-to-medium businesses (SMBs): Small businesses (fewer than 100 employees) to medium-sized businesses (100 to 1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.

In addition, we recognize the following deployment models:

  • Standalone hardware sensors: Network data is collected by installing dedicated physical hardware sensors at critical junctions across the network.
  • Embedded hardware sensors: Network data is collected by embedding sensors such as routers or switches in network equipment throughout the network.
  • Virtual sensors: Network data is collected by installing dedicated virtual sensors on IaaS platforms or in VMs at critical junctions in the network.
  • Endpoint sensors: Network data is collected by embedding sensors in endpoints of the network, including user devices.
  • Third-party infrastructure: Network data is collected from preexisting third-party infrastructure logs or via packet visibility APIs throughout the network.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target Market and Deployment Model

Target Market

Key Criteria

Vendor

CSP NSP MSP Large Enterprise SMB Standalone Hardware Sensors Embedded Hardware Sensors Virtual Sensors Endpoint Sensors Third-Party Infrastructure
Arista
Broadcom (Symantec)
Broadcom (VMware)
Cisco
Comcast
Corelight
Cryptomage
Cynamics
Darktrace
Exeon
ExtraHop
Fidelis Security
Fortinet (FortiNDR)
Fortinet (FortiNDR Cloud)
GREYCORTEX
IronNet
Lumu Technologies
NETSCOUT
NetWitness
NextRay
OpenText
Plixer
Progress
Stamus Networks
Stellar Cyber
Trellix
Trend Micro
Vectra AI
WatchGuard

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Comprehensive threat detection
  • Non-signature-based threat detection
  • North-south and east-west monitoring
  • Out-of-the-box analysis
  • Built-in incident response

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an NDR solution.
  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating NDR Solutions.”

Key Features

  • Intelligent anomaly detection: Intelligent anomaly detection correlates anomalies and alerts across disparate network components, providing contextualized behavior analysis. By aggregating and prioritizing the most relevant alerts, potential threats are quickly detected and mitigated, accelerating investigation and targeted response within existing workflows before they compromise the network.
  • Deep packet inspection (DPI): DPI is a technique that examines the entire data packet, including the payload content, as it traverses the network, analyzing its contents beyond just the header information. It is crucial for advanced network security, traffic management, and policy enforcement because it enables granular inspection and control of network traffic contents.
  • Encrypted traffic analysis: Encrypted traffic analysis is a critical capability of advanced NDR solutions, enabling the detection of sophisticated threats within encrypted data flows without compromising privacy. This is achieved through innovative techniques that adapt to new encryption protocols, ensuring comprehensive threat detection while maintaining the confidentiality of sensitive data.
  • Integrated flow data: Integrated flow data is a crucial component of NDR solutions, enabling the ingestion and analysis of network flow information. By comparing incoming flows against baseline models based on flow attributes and frequency, NDR tools can identify anomalous patterns and potential threats within the network traffic.
  • Metadata threat detection: Metadata threat detection leverages contextual information about data, network traffic, and user activities to identify potential cyberthreats or anomalous behaviors using ML. It provides crucial insights beyond just analyzing payload contents, uncovering subtle, sophisticated attacks that might not be detected through traditional means, and enhancing the overall security posture.
  • Historical forensics: Historical forensics in NDR solutions involves the lightweight storage of network data for later analysis, enabling the reconstruction of cybercriminal activities. By capturing, reconstructing, and replaying an entire event chain, NDR tools allow security teams to retrace attackers’ step-by-step actions, facilitating incident response and investigations.
  • Automated response: Automated response is a critical component of NDR solutions. It enables the system to take immediate action upon identifying potential threats or compromises on the network. This capability helps to streamline incident response processes, minimizing the impact of security incidents and reducing the workload on security teams.
  • Regulatory compliance: Regulatory compliance ensures that NDR solutions adhere to data protection regulations, such as GDPR, which restrict the sharing of confidential data with external parties. To maintain compliance, NDR solutions should not send sensitive data outside the customer’s network for analysis, including data used for historical forensics.

Table 2. Key Features Comparison

Key Features Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Key Features

Vendor

Average Score

Intelligent Anomaly Detection Deep Packet Inspection Encrypted Traffic Analysis Integrated Flow Data Metadata Threat Detection Historical Forensics Automated Response Regulatory Compliance
Arista 4.1
Broadcom (Symantec) 4.3
Broadcom (VMware) 3.5
Cisco 3.9
Comcast 3.5
Corelight 3.5
Cryptomage 3.5
Cynamics 3.9
Darktrace 3.9
Exeon 3.5
ExtraHop 4.8
Fidelis Security 4.1
Fortinet (FortiNDR) 4.3
Fortinet (FortiNDR Cloud) 4.1
GREYCORTEX 4
IronNet 3.8
Lumu Technologies 3.6
NETSCOUT 4
NetWitness 4.4
NextRay 3.3
OpenText 3.6
Plixer 3.6
Progress 3.6
Stamus Networks 4.3
Stellar Cyber 4
Trellix 3.6
Trend Micro 3.6
Vectra AI 4.3
WatchGuard 3.8

Emerging Features

  • Zero-network footprint: A zero-network footprint refers to the ability to monitor and analyze network traffic metadata without deploying any physical sensors or components on the network itself. This is important for reducing complexity, costs, and potential performance impacts associated with traditional network taps or probes.
  • Custom data lake integration: Custom data lake integration allows NDR solutions to export data automatically and efficiently, enhancing the synergy with various data analysis tools and enriching security analytics across multiple disciplines. This integration is pivotal for allowing organizations to leverage their accumulated data for advanced threat detection and insights.
  • Core network integrations: Core network integrations in NDR solutions enable seamless and automated connectivity with all network devices and applications. This integration is vital for ensuring that the NDR system can efficiently leverage existing network infrastructure to enhance visibility and threat detection capabilities.
  • Generative/predictive AI: Generative AI and predictive AI are advanced capabilities in NDR solutions that enhance the analysis and anticipation of network threats. Generative AI creates data models to simulate potential attack patterns, while predictive AI forecasts and mitigates threats in real time, improving accuracy and proactive defense.
  • Automated response playbooks: Automated response playbooks in NDR solutions are essential for providing a structured, predefined set of actions for threat detection and response. They enable rapid, automated, and optimized handling of security incidents, ensuring real-time threat prediction and prevention, which is crucial for maintaining network integrity.
  • Managed NDR: Managed NDR, or NDR as a service (NDRaaS), refers to outsourcing NDR capabilities to a third-party security provider. It offloads the operational burden of deploying and managing an in-house NDR solution, providing access to advanced threat detection expertise and technologies.

Table 3. Emerging Features Comparison

Emerging Features Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Emerging Features

Vendor

Average Score

Zero-Network Footprint Custom Data Lake Integration Core Network Integrations Generative/Predictive AI Automated Response Playbooks Managed NDR
Arista 3.3
Broadcom (Symantec) 3.7
Broadcom (VMware) 2.8
Cisco 3.3
Comcast 2.2
Corelight 3.7
Cryptomage 1.5
Cynamics 4.7
Darktrace 3
Exeon 2.5
ExtraHop 4.2
Fidelis Security 2.5
Fortinet (FortiNDR) 3
Fortinet (FortiNDR Cloud) 3.7
GREYCORTEX 2
IronNet 2.8
Lumu Technologies 4.8
NETSCOUT 2.8
NetWitness 3.5
NextRay 2
OpenText 3
Plixer 2.5
Progress 3
Stamus Networks 2.5
Stellar Cyber 3.7
Trellix 3.5
Trend Micro 3.7
Vectra AI 4.8
WatchGuard 3

Business Criteria

  • Configurability: NDR solution configurability enables organizations to align their security posture with their unique risk tolerance and compliance requirements by easily tailoring security policies. This flexibility is crucial for ensuring that the NDR solution effectively addresses the organization’s specific security needs and adapts to changing conditions.
  • Interoperability: NDR solution interoperability refers to the ability of the solution to seamlessly integrate with existing network and security infrastructures, adhering to industry standards. This interoperability is crucial for ensuring comprehensive visibility and coordination across a wide range of devices, systems, and applications from various vendors.
  • Manageability: NDR solution manageability refers to the ability to centrally control the entire security lifecycle, including configuration, management, scaling, and upgrades, through a single, unified interface. This streamlined management is essential for efficiently overseeing and optimizing the NDR solution to meet an organization’s specific security needs and workflows.
  • Observability: NDR solution observability refers to the ability to gain deep, easily maintainable visibility into the network, enabling the identification and resolution of security issues. This observability is crucial for understanding the overall health and functionality of the system, allowing for proactive optimization of functionality and timely problem-solving.
  • Performance: NDR solution performance refers to the efficiency and effectiveness of the system in detecting and responding to threats while maintaining excellent low latency and high throughput. High-performance NDR solutions ensure that the user experience is not compromised, providing fast response times and superior network visibility under all conditions.
  • Resiliency: NDR solution resiliency refers to the system’s ability to maintain continuous operation and threat detection and response capabilities under nearly all failure scenarios, including catastrophic events. This resilience is achieved through state-of-the-art redundancy, seamless failover, automated recovery, and self-healing capabilities for all components and functions.
  • Support: NDR vendor support refers to the quality and availability of assistance provided by the solution vendor, including highly trained staff, comprehensive documentation, and expert advice on regulatory requirements. Given the critical role of NDR in an organization’s security posture, robust vendor support is essential for ensuring the solution’s effective implementation, operation, and maintenance.
  • Cost: NDR solution costs encompass the various pricing models offered by vendors, which can include subscription-based pricing with no upfront costs or hidden fees, or upfront costs for hardware and annual maintenance with the potential for hidden fees. Understanding the cost structure of an NDR solution is crucial for budgeting and ensuring a strong return on investment.

Table 4. Business Criteria Comparison

Business Criteria Comparison

Exceptional
Superior
Capable
Limited
Poor
Not Applicable

Business Criteria

Vendor

Average Score

Configurability Interoperability Manageability Observability Performance Resiliency Support Cost
Arista 4.3
Broadcom (Symantec) 4.1
Broadcom (VMware) 4.4
Cisco 4.1
Comcast 3.3
Corelight 4.5
Cryptomage 3.8
Cynamics 4.5
Darktrace 3.8
Exeon 4
ExtraHop 4.4
Fidelis Security 3.8
Fortinet (FortiNDR) 4.6
Fortinet (FortiNDR Cloud) 4.6
GREYCORTEX 4
IronNet 3.6
Lumu Technologies 4.8
NETSCOUT 4
NetWitness 4.6
NextRay 3.6
OpenText 4.1
Plixer 4.4
Progress 4.3
Stamus Networks 3.8
Stellar Cyber 4.5
Trellix 4.3
Trend Micro 3.5
Vectra AI 4.9
WatchGuard 4.1

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for NDR

As you can see in Figure 1, Arista, Broadcom (Symantec), Cynamics, ExtraHop, Fortinet, Lumu Technologies, NetWitness, Stellar Cyber, and Vectra AI are Leaders based on their high scores across the decision criteria evaluated in this report. In addition, Arista, Cynamics, ExtraHop, Fortinet (FortiNDR Cloud), Lumu Technologies, Plixer, Stamus Networks, Stellar Cyber, and Vectra AI are recognized as Outperformers based on their pace of innovation compared to the industry in general.

It should be noted that Maturity does not exclude Innovation. Instead, it differentiates a vendor enhancing existing capabilities from one innovating by adding new capabilities. Furthermore, with different approaches available for capturing and analyzing network traffic, positioning in each quadrant is determined as follows:

  • Maturity/Platform Play: The vendor’s solution provides robust DPI for encrypted traffic analysis and metadata threat detection captured using physical, virtual, and/or containerized appliances or sensors and third-party network flow or sub-flow data.
  • Innovation/Platform Play: The vendor’s solution provides metadata threat detection captured using physical, virtual, and/or containerized appliances or sensors but lacks robust DPI and/or deep integration with third-party network flow or sub-flow data.
  • Innovation/Feature Play: The vendor’s solution provides metadata threat detection captured exclusively using third-party network flow or sub-flow data without the use of physical, virtual, and/or containerized appliances/sensors but does not provide any DPI.
  • Maturity/Feature Play: The vendor’s solution provides DPI for encrypted traffic analysis and metadata threat detection captured using only physical appliances or sensors but does not capture third-party network flow or sub-flow data.

The length of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input and in comparison to improvements made across the industry in general).

Comcast, Exeon, Fortinet, NETSCOUT, NextRay, and Stellar Cyber are new additions to the list of vendors this year. In September 2023, Cisco acquired Accedian, with Skylight Interceptor’s capabilities being integrated more deeply into Cisco’s broader network assurance and performance management offerings. As a result, Accedian has been removed from this year’s report.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Arista: Arista NDR

Solution Overview
Founded in 2004, Arista is an industry leader in data-driven, client-to-cloud networking for large data center, AI, campus, and routing environments. In September 2020, Arista announced the acquisition of award-winning Awake Security, an NDR platform combining AI-driven situational awareness and threat detection capabilities to autonomously hunt for and respond to insider and external threats, renaming it Arista NDR.

The architecture of Arista NDR is built around three core components: AVA Sensors for traffic monitoring, AVA Nucleus for centralized analysis and decision-making (run on-premises or as a SaaS offering), and AVA AI for intelligent threat detection. Arista NDR can be deployed in all-in-one or split modes, depending on customer requirements and network architecture. In all-in-one mode, the AVA Sensor and AVA Nucleus are deployed on a single appliance, suitable for isolated or single-instance deployments. In split mode, AVA Sensors and AVA Nucleus are deployed separately, with sensors available on Arista switches, physical or virtual appliances, and within cloud platforms like AWS or GCP.

The core of Arista NDR’s functionality lies in its advanced data capture and analysis techniques. The AVA Sensors collect detailed network traffic data, which is then enriched using Arista’s EntityIQ technology and analyzed by the AVA Nucleus using AVA AI functioning as an AI-enabled decision support system combining cloud scalability with the codified expertise of real-world network security management experts.

AVA AI employs various AI approaches, including supervised and unsupervised ML, deep neural networks, and other techniques, to detect malicious intent with low false positives and negatives. The platform’s Adversarial Modeling Language (AML) uses heuristics, fingerprints, and other ML models to autonomously identify complex attacker tactics, techniques, and procedures (TTPs), thereby lowering SecOps costs and improving the efficiency of threat detection and response.

Strengths
Arista NDR leverages advanced AI and ML technologies to provide comprehensive Layer 2 through 7 network security, including the ability to autonomously detect and respond to threats in real time, extensive visibility across the network through EntityIQ technology, and the integration of AVA AI for enhanced decision support. Arista NDR’s architecture supports a wide range of deployments, ensuring compatibility with diverse network environments. The platform’s use of behavioral analytics and adversarial modeling enables the accurate identification of malicious activities with minimal false positives. Additionally, Arista’s managed NDR service offers 24/7 expert monitoring and threat hunting, enhancing organizations’ security posture by proactively identifying and mitigating potential threats, ensuring protection against a wide array of cyberthreats.

Challenges
While providing DPI and analysis through AVA sensors, Arista NDR does not automate the ingestion of indicators of compromise (IoCs) without manual import, which could potentially slow down threat detection and response compared to solutions with more automated threat intelligence integration. Moreover, Arista NDR uses AVA Sensors that need to be deployed across the network for traffic analysis. While Arista network switches can be used to monitor and forward data to the AVA Nucleus, reducing the need for dedicated sensors, this approach introduces some level of footprint on the network, especially in environments not already using Arista hardware.

Purchase Considerations
Arista offers tiered capacity and throughput-based software subscriptions and perpetual hardware licensing, with pricing varying based on the selected deployment architecture. Arista NDR can be deployed in two modes: all-in-one (AVA Sensor and AVA Nucleus on a single appliance) or split mode (AVA Sensor and AVA Nucleus deployed separately). Split mode allows AVA Sensors to be deployed on Arista switches, physical/virtual appliances, or in the cloud, while the AVA Nucleus can be on-premises or consumed as a SaaS service from Arista. Managed services are available as an optional add-on.

Arista NDR provides comprehensive network visibility, AI-driven threat detection, incident response support, proactive threat hunting, IoT threat detection, lateral movement detection, and encrypted traffic analysis.

Radar Chart Overview
Arista is a Leader in the Maturity/Platform Play quadrant. Arista NDR supports deployment on Arista switches, standalone appliances, VMs, and cloud instances, providing visibility across hybrid environments. By analyzing full packet data from Layer 2 to Layer 7 and extracting rich metadata, Arista NDR delivers advanced threat detection, investigation, and response capabilities. The platform’s ability to process hundreds of gigabits of traffic while maintaining performance positions it as a scalable, high-fidelity solution for securing modern networks against sophisticated threats.

Broadcom (Symantec): Symantec Security Analytics

Solution Overview
Founded in 1991, Broadcom is a global technology leader that designs, develops, and supplies a wide range of semiconductor and infrastructure software solutions. In 2019, the company acquired Symantec, an industry leader in endpoint protection and threat detection, and in November 2023, VMware, a cloud computing and virtualization technology company.

Symantec Security Analytics is a network visibility and forensics solution that enables organizations to capture, index, classify, and enrich all network traffic to facilitate thorough investigations and informed incident response. The system comprises Security Analytics Appliances for capturing network traffic, Security Analytics Virtual Appliance for flexible deployment, and the Security Analytics Central Manager, which provides a centralized platform for aggregated views from multiple sensors.

Developed as a network forensics solution, Symantec Security Analytics uses DPI to capture Layer 2 through Layer 7 network traffic, recording and classifying over 3,300 applications and protocols. It incorporates a variety of analytics tools—such as anomaly detection; complete session, file, and object reconstruction; data visualization; IP geolocation; and root cause, timeline, and trend analysis—to index, enrich, and store all network data, providing complete visibility of events with clear, actionable intelligence.

Symantec Security Analytics taps into the vast threat data from Symantec’s Global Intelligence Network to inspect all web, mail, and file protocols for malicious activity and files, delivering real-time threat analysis and threat reputation to full packet capture content and malware analysis. The Incident Response Launchpad channels key alerts to security analysts, enabling them to focus on what is critical to the organization, manage the timeline of alerts, and pivot directly to detailed reports. It also enables the assignment of alerts to analysts and the management of their status.

Strengths
Symantec Security Analytics excels in providing DPI and full packet capture across data centers, remote offices, and cloud workloads, enabling detailed network traffic analysis (NTA) and classification of over 3,300 applications and protocols. It integrates with Symantec’s Global Intelligence Network for real-time threat intelligence, enhancing the detection of emerging and zero-day threats through anomaly detection and sandboxing of unknown files. The solution offers comprehensive forensic capabilities, including complete session reconstruction and Root Cause Explorer, for in-depth incident analysis and response. Additionally, it supports a wide range of deployment options, from on-premises to cloud environments, and features a user-friendly dashboard for streamlined data analysis.

Challenges
Symantec Security Analytics offers robust network visibility and threat detection but may be limited in scalability and storage due to its comprehensive data capture approach, compared to NDR solutions that use selective capture or metadata analysis for efficiency. However, Release 9.0 supports a new metadata storage model and offers intelligent capture capabilities with retention policies set based on an analysis of the generated metadata. In addition, it lacks a zero-network footprint because it requires on-network deployment, unlike agent-based or cloud-analyzed solutions. Its detection techniques, while advanced, may not encompass the full spectrum of AI-driven or behavioral analytics offered by some competitors. While some automated response capabilities are integrated within the Symantec ecosystem, they may not be as granular or customizable as those in other NDR platforms. Additionally, while it supports hybrid environments, it might not offer the level of native cloud or container integration seen in other solutions.

Purchase Considerations
Broadcom offers a perpetual hardware and subscription-based software licensing model. Customers can choose to deploy the software on-premises, as a virtual appliance, or in the cloud for greater scalability and cost savings.

Symantec Security Analytics use cases include identifying unusual network activities, detecting high traffic to/from restricted countries, and supporting incident response with detailed analysis and alert management.

Radar Chart Overview
Broadcom is a Leader in the Maturity/Platform Play quadrant. Symantec Security Analytics integrates appliances and virtual appliances to capture, index, classify, and enrich all network traffic, including full packets. This enables detailed analysis and swift incident response across various platforms, including on-premises, virtual, and cloud environments. The solution’s DPI and extended metadata retention stand out, offering granular visibility into network activity and threats, making it a robust choice for organizations prioritizing advanced security measures and extensive traffic analysis.

Broadcom (VMware): VMware vDefend NDR

Solution Overview
Founded in 1998 and acquired by Broadcom in November 2023, VMware specializes in cloud computing and virtualization technology and offers a wide range of products and services in modern applications, cloud management, infrastructure, networking, and security. VMware vDefend Network Detection and Response (NDR) was released as part of the NSX-T Data Center 3.2 in December 2021 to provide advanced threat detection and response capabilities within network environments.

VMware vDefend NDR (previously known as VMware NSX NDR) is an integral part of the VMware vDefendsuite, which provides a layered defense strategy against cyberthreats. VMware vDefend NDR can be deployed as a standalone product or as an add-on to VMware vDefend to create vDefend Advanced Threat Prevention (ATP). vDefendNSX ATP also includes a network sandbox, network traffic analysis (NTA), and intrusion detection and prevention services (IDS/IPS).

The architecture of vDefend NDR is on-premises with cloud-based malware analysis capabilities. It leverages built-in and distributed sensors throughout the network environment to monitor network traffic flows and analyze object behavior to detect threats across the MITRE ATT&CK framework. Threat alert data is sent to the VMware vDefend ATP cloud services for correlation and visualization in the centralized vDefend NDR user interface, vDefend Manager. Furthermore, vDefend NDR scales up to 200,000 endpoints per manager and has a dedicated console for monitoring and managing network threats.

vDefend NDR’s network traffic analysis uses ML algorithms and advanced statistical techniques to develop a baseline of normal activities and identify anomalies, while IDS/IPS monitors network traffic for malicious patterns. vDefend NDR’s analytics capabilities are powered by VMware’s global threat intelligence network, VMware Contexa. This network provides deep visibility into both north-south and east-west traffic for real-time intelligence on anomalous activities, detecting advanced malware and intrusion campaigns.

Strengths
VMware vDefend NDR is a comprehensive security solution that offers advanced threat detection and response capabilities within network environments. Its cloud-based architecture, flexible deployment options, and powerful analytics make it a valuable tool for security operations teams looking to enhance their network security posture. vDefend NDR employs a three-tier architecture consisting of a monitoring tier, an analysis tier, and a management tier. In an on-premises installation, all three tiers are installed in the data center, while for the hosted environment, only the monitoring tier is installed, with the VMware back end providing the analysis and management tiers. For clients running their workloads on VMware hypervisors, deploying ATP is an efficient way to ingest network data because vDefend does not require hardware sensors.

Challenges
VMware vDefend NDR is primarily designed for on-premises deployments, so it may not be suitable for organizations that prefer cloud-based solutions or have a cloud-first strategy, and does not support TLS 1.3, which may limit its encryption and secure communication capabilities. The solution has limited support for OT/ICS/IIoT protocols, such as DNP3, Modbus, and MQTT, which may be insufficient for organizations requiring comprehensive monitoring and protection for their industrial control systems.

Additionally, the solution has some work to do in the area of playbook development and response capabilities, as more support for playbooks and response actions would make the solution more appealing to organizations that require advanced incident response features. Lastly, VMware vDefend NDR is certified only for CSA Star Level 1, which may be a concern for organizations that require specific certifications or compliance with industry standards.

Purchase Considerations
VMware offers perpetual hardware and tiered subscription-based software licensing. To obtain accurate pricing details, prospective customers should contact the VMware sales team.

VMware vDefend NDR’s use cases include real-time threat detection, incident response, NTA, and securing both north-south and east-west network traffic. It is particularly valuable for organizations looking to enhance their security posture against sophisticated cyberthreats and for those requiring detailed insights into network behavior to prevent data breaches and cyberattacks.

Radar Chart Overview
VMware is a Challenger in the Innovation/Platform Play quadrant. VMware vDefend NDR captures traffic through built-in and distributed sensors, analyzing data for malicious activities across the MITRE ATT&CK framework. Its deployment flexibility across vDefend environments, including on-premises and cloud, underscores its capability to secure diverse network infrastructures against sophisticated cyberthreats.

Cisco: Cisco Secure Network Analytics

Solution Overview
Founded in 1984, Cisco is a global technology company that designs, manufactures, and sells a wide range of products and services for building intelligent, secure, and scalable IT infrastructures. In March 2024, Cisco acquired Splunk, a leader in cybersecurity and observability, to enhance its capabilities in AI, security, and observability.

Cisco Secure Network Analytics, formerly known as Stealthwatch, can be deployed as a hardware appliance, VM, or cloud-based solution (as part of Cisco XDR) to provide advanced threat detection, accelerated threat response, and simplified network segmentation. It employs an agentless architecture that offers pervasive visibility across the extended network, from on-premises data centers to public cloud environments. Core components include flow collectors, flow rate licenses, and the manager, with optional data stores, flow sensors, and a UDP director for a more robust architecture.

Flow collectors process enterprise telemetry such as NetFlow, IPFIX, sFlow, and SYSLOG from existing infrastructure, while the manager—available as a hardware appliance or a VM—aggregates and analyzes data collected from flow collectors and other proxy data sources. The analytics capabilities of Secure Network Analytics are powered by a combination of behavioral modeling, multilayer ML (supervised and unsupervised), and global threat intelligence from Cisco Talos.

The solution leverages Cisco’s Encrypted Traffic Analytics (ETA) technology, enabling the detection of threats within encrypted traffic, without the need for decryption, by analyzing data elements such as the initial data packet and sequence of packet lengths and times. Integration with the Cisco Identity Services Engine (ISE) enables rapid threat containment through network segmentation enforcement. Secure Network Analytics also integrates with Cisco XDR, a built-in platform that unifies visibility, enables automation, and simplifies threat response across an organization’s security architecture.

Strengths
Cisco Secure Network Analytics offers comprehensive network visibility, advanced threat detection, and efficient incident response. Its agentless architecture ensures pervasive visibility of on-premises, cloud, and encrypted traffic, enabling the detection of threats even within encrypted communications without requiring decryption. The solution leverages behavioral modeling, multilayer ML, and Cisco Talos threat intelligence to identify anomalies and sophisticated threats such as malware, insider threats, and policy violations, reducing false positives by focusing on critical threats and facilitating rapid response. Additionally, its scalability and compatibility with various deployment options help ensure flexibility to meet diverse organizational needs.

Challenges
Cisco Secure Network Analytics is primarily reliant on NetFlow and may not provide the granularity of full packet capture that some competitors offer. Although it minimizes network footprint through agentless monitoring, visibility may be limited compared to environments where deploying agents on endpoints could offer richer contextual data. Moreover, its detection techniques do not cover the full spectrum of threat detection capabilities, such as signature-based detection for known threats. Automated response actions, while fully integrated with Cisco’s ecosystem, might not offer the same level of automation or third-party integration flexibility found in some other NDR solutions. Additionally, while it supports hybrid environments, some users find the management less integrated compared to solutions designed natively for cloud environments.

Purchase Considerations
Cisco offers perpetual hardware and subscription licensing based on flows per second (FPS). Additional licenses are required for specific features or sub-product categories. Secure Cloud Analytics (formerly Stealthwatch Cloud) offers a cloud-based deployment option, enabling organizations to monitor network traffic and detect threats without the need for on-premises hardware or virtual appliances.

Cisco Secure Network Analytics is used for advanced threat detection, including identifying malware, insider threats, and policy violations. It provides network visibility for security monitoring, incident response, and forensics.

Radar Chart Overview
Cisco is a Challenger in the Innovation/Platform Play quadrant. Cisco Secure Network Analytics provides deep visibility and advanced threat detection across on-premises networks, private and public clouds, and encrypted traffic. Its agentless architecture captures and analyzes network telemetry data, integrating with Cisco’s ISE and XDR platform for an automated response. The platform is designed to scale with the network, supporting both on-premises and cloud environments, making it a versatile choice for diverse network infrastructures.

Comcast Technology Solutions: BluVector

Solution Overview
A division of Comcast Corporation, Comcast Technology Solutions was created in 1994 to provide a wide range of media and entertainment technology solutions. In August 2022, Comcast acquired BluVector, a leader in network security, to leverage its advanced AI and ML technologies to enhance cybersecurity and support Comcast’s DataBee, a cloud-native data fabric for security, risk, and continuous controls monitoring.

BluVector is an AI-driven sense and response network security solution that combines proprietary and patented technologies to provide comprehensive in-memory analysis. It ensures efficient data processing to detect, analyze, and contain sophisticated threats such as fileless malware, zero-day malware, and ransomware in real time. The core of BluVector’s technology stack includes a supervised ML engine and a speculative code execution engine, which work in tandem to analyze diverse protocols and large volumes of web traffic at high speeds.

BluVector’s deployment options vary to suit different organizational requirements and network environments. It can be deployed in-line, out-of-band, or in a hybrid manner, with support for public, private, and virtual infrastructures. It is also integrated with packet capture solutions like EndaceProbes, which record and store network traffic with 100% accuracy, enabling detailed forensic analysis and incident response. BluVector stores summaries of the most relevant raw logs, using patented retraining techniques that leverage analyst feedback to continuously improve its detection capabilities.

For analytics, BluVector employs deep packet analysis and ML to parse and analyze network traffic, enabling the detection of advanced and evolving threats. The analytics console offers real-time accuracy for all detected samples, with detailed event logs, visual aids, and threat categorization. The platform’s advanced detection, automated triage, and integrated incident response empower security teams to make informed decisions and respond to threats quickly and effectively.

Strengths
BluVector uses DPI and AI to enhance cybersecurity measures within existing security stacks. The solution is built on trusted open source technologies like Suricata and Zeek and is enhanced by proprietary machine-learning algorithms to detect fileless malware, zero-day threats, and other sophisticated cyberthreats. It offers broad coverage of the MITRE ATT&CK framework and includes a built-in tuning assistant to reduce false positives. The platform can be deployed on-premises or in virtualized environments, including public clouds, and integrates with multiple intelligence feeds and sandboxes for comprehensive threat analysis.

Challenges
BluVector primarily focuses on network logs and cannot monitor or track endpoint events that do not generate observable network patterns, such as process details, registry changes, or system commands. Additionally, BluVector is unable to examine some cloud or identity data and other sources of security information. While it offers real-time packet monitoring, it may lack the network context provided by flow-based solutions that offer a zero-network footprint. BluVector supports hybrid environments, but its automated response capabilities might not be as comprehensive as other NDR solutions that provide more integrated and proactive threat detection and response. Furthermore, BluVector’s detection techniques, heavily based on proprietary algorithms, may not offer the transparency some organizations seek for in-depth threat analysis and validation and could require additional tools like security information and event management (SIEM) and security orchestration, automation, and response (SOAR) for addressing complex threats.

Purchase Considerations
Comcast does not provide pricing for BluVector. Interested parties should contact Comcast Technology Solutions directly for a quote based on their particular requirements and deployment scenario.

BluVector’s primary use case is real-time detection and analysis of advanced cyberthreats, including fileless malware, zero-day exploits, and ransomware, across enterprise networks. Additionally, it offers a flexible deployment model, including on-premises and cloud options, and can integrate with SIEM tools, endpoint detection and response (EDR) solutions, and threat intelligence feeds.

Radar Chart Overview
Comcast is a Challenger in the Innovation/Platform Play quadrant. BluVector captures traffic using DPI or full packet capture solutions like Endace for detailed analysis and incident response, combining proprietary AI and ML engines with open source tools to detect advanced threats in real time by analyzing network traffic at line speed. It offers flexible deployment options, including in-line, out-of-band, cloud, and virtual, with automated threat detection, triage, and hunting across the cyber kill chain, making it an option for enterprises seeking scalable, high-fidelity threat detection without impacting network performance.

Corelight: Open NDR Platform

Solution Overview
Founded in 2013, Corelight specializes in providing cybersecurity solutions. Its primary product is the Open NDR Platform, which consists of several components, including the Corelight Sensor, Corelight Investigator, Corelight Smart PCAP, Corelight Suricata IDS, and Corelight Fleet Manager. On October 13, 2021, Corelight acquired PatternEx, a cybersecurity startup that developed an AI platform to detect cyberattacks.

Corelight’s Open NDR Platform combines open-source technologies like Suricata and Zeek with proprietary capabilities to provide comprehensive network visibility, advanced analytics, and accelerated incident response. It can be deployed in a single-sensor architecture as hardware appliances, VMs, software, or natively in cloud environments like AWS, Azure, and GCP. These sensors capture network traffic and transform it into protocol logs, extracted files, and selectively captured packets. The sensor data is then fed into Corelight Investigator, a SaaS-based interface for security analysts and/or the customer’s existing SIEM, XDR, or data lake solutions.

Corelight Sensors connect to traffic mirrors within physical networks via packet brokers, SPAN ports, or optical taps. In cloud environments, the sensors leverage native traffic mirroring capabilities like Amazon VPC traffic mirroring. The platform provides visibility across north-south and east-west traffic, spanning standard network protocols, encrypted protocols, and OT/ICS protocols. Corelight’s Smart PCAP technology optimizes packet capture by configuring protocol, byte depth, encryption status, and other parameters.

Corelight’s analytics leverage behavioral analysis, ML, signatures, and threat intelligence to detect known and unknown threats with high fidelity. The platform recently integrated GPT-4 AI capabilities to summarize alert logic, provide automated investigative recommendations, and accelerate analyst workflows. For response, Corelight Investigator provides incident prioritization, evidence correlation, and one-click pivoting between alerts, protocol logs, and packets to speed investigation.

Strengths
The Open NDR Platform by Corelight offers a comprehensive NDR solution, leveraging open-source technologies like Suricata and Zeek alongside proprietary capabilities. Its technical strengths include expansive network visibility across various protocols and environments, enhanced detection coverage through a combination of ML, behavioral analysis, signatures, and threat intelligence covering over 80 MITRE ATTA&K network relevant TTPs and over 70,000 unique detections, and accelerated incident response facilitated by direct access to evidence and AI-enriched alert context. The platform’s openness allows for significant customization and integration, enabling organizations to tailor the solution to their specific needs. Additionally, Corelight’s commitment to community-driven R&D ensures that the platform benefits from continuous content creation and updates.

Challenges
While Corelight’s Open NDR Platform offers many strengths, its open nature requires customization effort, and some emerging features, like automated response, are still maturing in the platform. Leveraging open-source technologies like Suricata and Zeek enhances flexibility and community-driven updates but requires advanced skills and significant time to customize and maintain the stack for a production environment. Moreover, while they’re on the roadmap, Corelight currently lacks the advanced out-of-the-box automated response capabilities available in some other solutions, with the first response integration (CrowdStrike Falcon) only recently released. Although providing DPI, the platform does not natively ingest or analyze NetFlow data, which some customers may require. Finally, CISO-level visibility could be improved through the development of native executive dashboards rather than integrations with third-party products.

Purchase Considerations
Corelight offers capacity-based subscriptions to Corelight Investigator (SaaS NDR analyst console) or Corelight Sensors (for customers preferring self-hosted or on-prem SOC tools), with the option to add-on subscriptions for Suricata IDS, Corelight Smart PCAP, and Corelight Fleet Manager products. Customers have the option to stream partial or full telemetry from Corelight Sensors to their SIEM or XDR platform.

The Open NDR Platform’s use cases include reducing risk, accelerating threat hunting and investigation, consolidating toolsets across on-premises, cloud, and SaaS, and post-breach monitoring and historical network activity analysis for compliance purposes.

Radar Chart Overview
Corelight is a Challenger in the Innovation/Platform Play quadrant. The Open NDR Platform provides a flexible architecture leveraging open source and proprietary technologies for network visibility and threat detection. It integrates with existing security tools, offering automated and manual response capabilities, and stands out for its openness, allowing for extensive customization and integration with other security solutions.

Cryptomage: Cryptomage Cyber Eye

Solution Overview
Founded in 2016, Cryptomage offers network anomaly detection and cybersecurity services. Its flagship product, Cryptomage Cyber Eye, is a cybersecurity probe built on proprietary network equipment powered by a custom AI chip that utilizes Intel FPGA (fleet programmable gate array) technology to perform deep packet analysis.

Built upon proprietary AI and ML algorithms, Cryptomage Cyber Eye detects advanced persistent threats (APTs), DDoS attacks, malware, unknown network attacks, and other threats that traditional signature-based tools may not identify. The solution’s architecture is unique in its ability to analyze both network protocol behavior and host communication behavior, providing proprietary flow metadata formats that go beyond traditional network flow analysis to offer a wider understanding of traffic flow and behavior.

Cryptomage Cyber Eye is deployed as a hardware probe, the Cyber Eye Enterprise, within an organization’s network infrastructure in passive mode to monitor traffic and detect anomalies in real time without interfering directly with network traffic. The probe performs deep inspection of every network packet, including the transported data, using network protocol discovery and validation, ML algorithms for proactive risk scoring, and built-in analytic tools. Cryptomage also offers a cloud-based solution, the Cyber Eye SOC, which provides cybersecurity services for small and medium-sized enterprises, allowing for a more accessible and scalable deployment option.

The solution provides forensics capabilities, allowing for better measurement of the ratio of security events against the source of traffic and facilitating the extraction of high-risk network traffic for further analysis. Cyber Eye integrates with SIEM, SOAR, and next-generation firewall (NGFW) systems and includes a dedicated GDPR module that inspects network packets to detect the transmission of personal data, such as ID numbers, social security numbers, and bank account numbers, generating reports that support data protection officers in their compliance efforts.

Strengths
Cryptomage Cyber Eye offers a unique approach to NTA by combining protocol behavior, packet analysis, and host communications behavior analysis to provide real-time, network-based anomaly detection and prediction powered by AI and ML algorithms. The solution performs DPI, including network protocol discovery and validation, to detect unknown and hidden threats. It offers network monitoring using proprietary flow metadata formats, protocol behavior and anomaly statistics, and passive mode operation. Cryptomage Cyber Eye integrates with SIEM, SOAR, and NGFW tools for event management and includes built-in analytic tools, risk scoring, and configurable event triggers. Additionally, it features a dedicated GDPR module for detecting personal data leaks. These capabilities enable organizations to efficiently identify, prioritize, and respond to sophisticated cyberthreats.

Challenges
A smaller vendor with headquarters in Wroclaw, Poland, Cryptomage offers GDPR compliance as a critical differentiator, concentrating primarily on the European Union with limited support for large international deployments. Cryptomage Cyber Eye can be deployed only on-premises as a hardware appliance, so support for hybrid environments is limited since the system does not include native cloud integration. Moreover, it does not support flow-based data capture, and its detection techniques, while sophisticated, may not cover the full spectrum of threats detectable by solutions with broader heuristic or behavioral analytics. If Cryptomage Cyber Eye is deployed on-premises in environments without an internet connection, updates must be uploaded manually, which may not meet the needs of all users.

Purchase Considerations
Cryptomage offers perpetual hardware and subscription-based software licensing. Interested parties should contact Cryptomage directly for a quote based on their particular requirements and deployment scenario.

Cryptomage Cyber Eye is designed for real-time, network-based anomaly detection and prediction. Additionally, it supports GDPR compliance by detecting personal data leaks, making it suitable for organizations that handle sensitive information.

Radar Chart Overview
Cryptomage is a Challenger in the Maturity/Feature Play quadrant. Cryptomage Cyber Eye captures network traffic using hardware probes and combines protocol behavior analysis, DPI, and host communications behavior analysis. Its unique multifaceted approach to NTA, use of proprietary AI and ML algorithms, focus on GDPR compliance, seamless integration with other security tools, and groundbreaking network steganography expertise make it useful for European organizations seeking to bolster their cybersecurity defenses.

Cynamics: Cynamics NDR

Solution Overview
Founded in 2019, Cynamics is a pioneer in next-generation sample-based NDR solutions using standard sampling protocols built into every gateway. In April 2023, Cynamics partnered with Merlin Cyber to create Cynamics Federal, bringing Cynamics NDR to US government agencies to protect against growing cybersecurity threats.

Cynamics NDR protects networks of all sizes and complexity without requiring the deployment of appliances, agents, or sensors. Cynamics NDR collects small network traffic samples, typically less than 1% of total traffic, using industry-standard sampling protocols like NetFlow, sFlow, IPFIX, VPC Flow Logs (AWS, GCP), and NSG (Azure) that are built into network devices such as firewalls, switches, and cloud gateways and cloud networks to infer the network behavior. Implemented as a SaaS offering, the solution can be easily onboarded from any network environment, including on-premises, cloud, and hybrid infrastructures.

The collected network metadata is analyzed by Cynamics’ AI-driven detection engine, which employs advanced patented techniques such as auto-encoder transfer learning and graph neural networks to identify threats and anomalies. By normalizing network behavior among different clients, Cynamics NDR can detect previously unknown attack patterns without relying on signatures or having to learn from scratch for each deployment. The solution continuously monitors north-south traffic crossing the network perimeter as well as east-west communications within the network to detect threats at every stage of an attack, from initial compromise to data exfiltration.

When a threat is detected, Cynamics NDR provides detailed root cause analysis and actionable insights through its user-friendly dashboard. Security teams can perform real-time and historical forensic investigations, with the ability to retain network metadata for extended periods due to the solution’s efficient sampling approach. Cynamics NDR integrates with third-party security tools like SIEM, SOAR, and firewalls to enable automated response and mitigation actions using detected root-cause information based on third-party policies.

Strengths
Cynamics NDR’s AI-driven, patented technology enables comprehensive network analysis and threat prediction by analyzing less than 1% of network traffic, ensuring negligible performance impact. It infers full network behavior from these small samples, offering visibility and predictive capabilities across complex networks without the need for deploying sensors or agents. This approach allows for rapid, scalable deployment across any network infrastructure, including legacy, cloud, and hybrid environments. Cynamics NDR’s technology is academically acknowledged, leveraging novel algorithms and ML for non-signature-based threat detection, ensuring it can identify both known and unknown threats. Its integration capabilities with third-party tools facilitate automated incident response, enhancing the overall cybersecurity posture.

Challenges
Cynamics NDR relies on sampling only 1% of network traffic, which could potentially miss threats in the remaining 99% of traffic not analyzed, with benign activities mistakenly flagged as threats (false positives) or actual threats going undetected (false negatives). While Cynamics states that its AI algorithms can infer full network behavior and detect attacks across all threat vectors from these samples, the effectiveness of this approach has yet to be fully validated.

In addition, Cynamics may face challenges detecting threats in encrypted traffic without decryption capabilities due to the widespread use of TLS, necessitating the use of additional measures like SSL/TLS decryption proxies or specialized decryption software. Moreover, while Cynamics NDR offers comprehensive network visibility, it provides limited endpoint visibility, which may require integration with EDR solutions for improved coverage.

Purchase Considerations
Cynamics offers subscription licensing based on the number of network gateways sending network samples to the Cynamics SaaS platform.

Cynamics NDR’s use cases include protecting critical infrastructure systems, such as those in the federal government sector through Cynamics Federal, and securing large, complex networks like data centers with Cynamics AI-in-the-Edge. It offers complete network visibility and predictive threat detection without requiring sensor deployment.

Radar Chart Overview
Cynamics is a Leader in the Innovation/Feature Play quadrant. Cynamics NDR is distinguished by its AI-driven, sample-based architecture, capturing traffic metadata from existing network devices using standard protocols to deliver comprehensive network visibility and threat prediction across physical, virtual, and cloud infrastructures without deploying sensors. It offers non-signature-based threat detection, using auto-encoder transfer learning and additional patented technologies for immediate, effective anomaly detection post-onboarding, and supports automated incident response through third-party integrations, providing detailed root-cause analysis for swift threat mitigation.

Darktrace: Darktrace PREVENT/DETECT+RESPOND/HEAL

Solution Overview
Founded in 2013, Darktrace develops cybersecurity AI solutions to detect, respond to, and prevent advanced cyberthreats. The Darktrace ActiveAI Security Platform (announced on April 9, 2024) encompasses Darktrace’s PREVENT, DETECT+RESPOND, and HEAL capabilities within a single cybersecurity platform, Cyber AI Analyst, that can autonomously spot and respond to threats.

Darktrace PREVENT, Darktrace DETECT+RESPOND, and Darktrace HEAL work collaboratively to protect the entire network from external and internal threats. Powered by Darktrace’s proprietary self-learning AI, unsupervised learning models build a dynamic understanding of the constantly changing digital environment and create a unique multidimensional view of the ways users and devices interact. This creates a baseline of what’s normal to identify previously unknown and unpredictable threats.

Based on data collected from network appliances, software sensors, or third-party security products, PREVENT prioritizes vulnerabilities and proactively hardens defenses, highlighting risky and vulnerable assets to DETECT+RESPOND for further analysis. If an anomaly or potential threat is detected, an alert is either sent to the security team or, in specific configurations, triggers an autonomous response to slow down or stop the threat, such as isolating a device from the network or restricting its access to specific resources. Enhancing cyber resiliency, DETECT+RESPOND analyses and actions are fed back into PREVENT to provide metric-driven, evidence-based attack path analyses.

Darktrace HEAL, the latest addition to the suite, automates incident recovery processes, allowing organizations to return systems to a trusted operational state in the event of a cyberattack. It provides a timeline of events and actions taken during an attack, which can be used for compliance, forensic analysis, and/or stakeholder communication. HEAL integrates with various security tools to enable coordinated response actions from a centralized interface. It also offers features like attack simulations and secure crisis communication channels to enhance an organization’s cyber resilience.

Strengths
PREVENT uses AI to identify critical assets and vulnerabilities, enhancing proactive defense by modeling potential attack paths. DETECT+RESPOND employs unsupervised ML to establish a baseline of normal behavior, enabling the detection of subtle, novel threats without relying on prior threat knowledge, correlating events into incidents for increased SOC efficiency and autonomously mitigating threats in real time with precise actions, such as quarantining devices or blocking traffic, to minimize disruption. HEAL focuses on post-intrusion recovery, dynamically generating detailed incident reports and timelines, facilitating rapid restoration of operations. Together, these components provide a robust, self-learning defense system that evolves with the threat landscape.

Challenges
Darktrace relies on self-learning AI to analyze thousands of metrics, which may not capture as much raw data as other solutions focused solely on DPI, potentially leading to blind spots in detecting certain threats. In terms of detection techniques, Darktrace’s AI-based approach excels at identifying subtle deviations and unknown threats but may struggle with known threats that do not deviate from normal behavior. Other NDR solutions that utilize a combination of more sophisticated AI/ML and rule-based detection techniques may provide more comprehensive threat coverage.

While Darktrace’s automated response capabilities can interrupt attacks at machine speed with surgical precision, some organizations may not be comfortable with AI-driven decision-making. Furthermore, configuring and managing Darktrace’s fully autonomous, partially autonomous, human confirmation mode, and human manual response options may be overwhelming for some IT teams. Lastly, some customers report Darktrace’s pricing model to be confusing, with costs quickly escalating as devices are added to the network.

Purchase Considerations
Darktrace offers hardware subscriptions and IP-based subscription-based module licensing. Trials are available with no commitment to purchase, allowing organizations to evaluate the technology in their own environment.

Darktrace’s offerings provide end-to-end coverage across the entire attack lifecycle, from proactive risk reduction (PREVENT) to real-time threat detection with autonomous response (DETECT+RESPOND), and streamlined incident recovery (HEAL).

Radar Chart Overview
Darktrace is a Challenger in the Innovation/Platform Play quadrant. Darktrace’s product suite accepts virtually every data format across core internal network traffic, capturing data through port spanning, network taps, or packet brokers. Its proprietary self-learning AI continuously learns and adapts to an organization’s unique digital environment, enabling the detection of novel and sophisticated threats that may evade traditional security tools.

Exeon: ExeonTrace

Solution Overview
Founded in 2016, Exeon Analytics is a cybersecurity firm specializing in protecting IT infrastructures through AI-driven security analytics. It focuses on fighting cyberattacks using big data analytics and ML to detect advanced persistent threat attacks and malware infections.

Exeon’s flagship product, ExeonTrace, is a lightweight, hardware-free network security monitoring (NSM) solution focused on the analysis of network log data rather than relying on data-heavy traffic mirroring. Deployed on-premises, in the cloud, or as a hybrid solution, its architecture leverages self-learning algorithms developed at ETH Zurich, a public research university located in Zurich, Switzerland, to analyze network activity to detect anomalies and potential threats.

Offering fast and non-disruptive setup within existing IT environments, ExeonTrace captures network log data from various sources, including firewalls, NetFlow, secure web gateways, IPFIX, and native cloud applications such as Google, Amazon, and Azure. The platform stores the data in a graph database, reducing the input data volume by a factor of 100, and provides high-end visualization and an intuitive GUI for fast, interactive drill downs. Moreover, the platform integrates seamlessly with SIEM, EDR, and IDPS security systems without the need for extensive configuration changes.

The platform’s analytics capabilities include supervised and unsupervised ML models, expert use cases, and threat correlation. ExeonTrace enriches captured traffic with additional logs, providing specialized detection algorithms for network log data. Additionally, the platform offers AI-based threat scoring to prioritize investigations and insight-driven visualizations, including a global map of traffic sources. When threats are detected, ExeonTrace provides a graphic representation of security incidents, incident prioritization, and APIs for triggering alerting and response actions.

Strengths
ExeonTrace provides signature-free detection using advanced analytical protocols and ML algorithms to identify threats in real time, including zero-day attacks that lack existing signatures or known malicious indicators. Its ability to analyze encrypted traffic without DPI allows it to detect hidden threats, a crucial advantage as encryption is commonly used by attackers to evade detection. Furthermore, ExeonTrace’s network forensics and incident investigation capabilities are enhanced by its archival of past network activities, enabling comprehensive network forensics and facilitating incident investigations. Security teams can examine historical network data to identify the source and impact of security incidents, preventing the recurrence of similar security breaches and enhancing incident response effectiveness.

Challenges
ExeonTrace, while offering advanced capabilities, relies on metadata analysis of network log data, which may not capture all relevant information or provide as comprehensive a view of network activity as DPI, especially in environments with limited logging or log manipulation by attackers. Additionally, while it can inspect encrypted traffic metadata, ExeonTrace’s visibility into encrypted payloads is limited, potentially missing certain threats. ExeonTrace uses ML algorithms to detect anomalous behavior, but these algorithms may generate false positives or false negatives, requiring skilled analysts to investigate and triage potential threats accurately.

Moreover, as networks grow in size and complexity, ExeonTrace’s ability to process and analyze large volumes of log data efficiently could be a challenge, potentially impacting its performance and responsiveness. Finally, integrating ExeonTrace with existing security tools and log sources across diverse IT environments could pose compatibility and configuration challenges, potentially impacting its effectiveness.

Purchase Considerations
Exeon offers a subscription-based licensing model customized to each customer’s requirements. Prospective buyers should contact Exeon for pricing information.

ExeonTrace’s use cases include detecting and responding to advanced persistent threats and zero-day attacks, monitoring encrypted traffic, and conducting network forensics. It is particularly useful for organizations handling sensitive or regulated data.

Radar Chart Overview
Exeon is a Challenger in the Innovation/Feature Play quadrant. ExeonTrace is a lightweight, hardware-free platform that analyzes network raw log data instead of mirroring traffic. It offers signature-free threat detection, including zero-day and encrypted threats, by inspecting traffic metadata using supervised and unsupervised ML models, leveraging AI-driven threat scoring for rapid triage and automated incident response capabilities.

ExtraHop: RevealX

Solution Overview
Founded in 2007, ExtraHop provides AI-based network intelligence to stop advanced threats across cloud, hybrid, and distributed environments. In September 2023, ExtraHop announced that its flagship product, RevealX, would be available for purchase in the CrowdStrike Marketplace to enable integration with CrowdStrike Falcon, providing visibility and protection of enterprise endpoints, workloads, identities, and data.

Available as a SaaS (RevealX 360) or on-premises deployment, RevealX is an agentless solution using physical and virtual sensors to collect data from any type of network, starting with discovery and inventory for a full and accurate dynamic catalog of the user’s environment and attack surface. The platform is structured around RevealX providing the core NDR functionality, augmented by IDS for signature-based detection, Packet Forensics for in-depth analysis through PCAP interfaces and decryption capabilities, and the cloud record store for extensive forensic analysis and root cause investigation.

The data collected is processed using ExtraHop’s own cloud-based intelligence hosted on AWS. It leverages over 300 unsupervised ML detectors and deep learning to autonomously improve its detection engine. A combination of signature, heuristic, and AI/ML-based analytics for robust threat detection results in best-in-class MITRE ATT&CK framework coverage. RevealX processes over 90 enterprise network protocols at high line rates with native Layers 2 to 7 decryption of both SSL/TLS and Microsoft networking protocols, ensuring that no malicious activity goes undetected.

The system employs ML and deep learning to identify anomalies and deviations from baseline activity, uncover patterns and correlations that may elude traditional signature-based detection methods, and flag potential security incidents with high accuracy and low false positives. This fusion of AI/ML, signature, and heuristic detection methods and out-of-the-box integration with SIEM, SOAR, and EDR tools ensures the quick identification, investigation, and resolution of critical issues.

Strengths
RevealX offers a robust set of technical strengths and benefits using cloud-scale AI and ML to autonomously improve threat detection, handling over 90 enterprise network protocols with native decryption capabilities for SSL/TLS and Microsoft protocols. Its proprietary packet processing engine enhances its ability to parse complex protocols and detect threats with high fidelity, supporting comprehensive threat detection across various stages of an attack and leveraging behavioral analysis and deep learning to minimize false positives. Additionally, RevealX offers 90 days of transaction record retention for detailed forensic investigations and proactive threat hunting, significantly enhancing its incident response capabilities.

Challenges
ExtraHop must enhance executive reporting to provide more concise, insightful overviews of network security posture and trends for leadership, and enhance RevealX’s file carving and detection features to identify and reconstruct files from network traffic, even if fragmented or obfuscated, to detect data exfiltration and malware. Moreover, improving agent management would streamline the deployment and maintenance of RevealX across diverse environments, and expanding its partner ecosystem would enhance its interoperability and the ability to provide a more unified security posture. Additionally, addressing pricing concerns could make RevealX more accessible to a broader range of organizations, ensuring that businesses of all sizes can benefit from its advanced threat detection and network visibility capabilities.

Purchase Considerations
ExtraHop offers perpetual hardware licensing based on physical appliances and size and flexible annual software subscriptions aligned to specific deployment models and requirements.

RevealX’s use cases include protecting against sophisticated cyberthreats, ensuring compliance with regulatory standards, and maintaining a strong security posture across hybrid and multicloud environments. It monitors sensitive workloads, conducts forensic investigations, and automatically discovers and classifies all network devices.

Radar Chart Overview
ExtraHop is a Leader in the Maturity/Platform Play quadrant. RevealX supports both physical and virtual sensors, ensuring comprehensive coverage across hybrid environments. It leverages cloud-scale AI and ML for autonomous threat detection with a proprietary packet processing engine that provides deep analysis of over 90 enterprise protocols with native decryption capabilities. RevealX offers always-on visibility with 90 days of transaction record retention for retrospective threat detection and forensic investigation. It integrates with a broad ecosystem of technology partners, enhancing its threat detection and automated response capabilities.

Fidelis Security: Fidelis Network

Solution Overview
Founded in 2002 and acquired by Partner One in August 2023, Fidelis Security (previously Fidelis Cybersecurity) focuses on threat detection, hunting, and targeted response to advanced threats and data breaches. The Fidelis Elevate platform offers complete visibility across hybrid environments via rich, dynamic cyber terrain mapping and a multifaceted context and risk assessment platform.

Fidelis Network employs a patented technology known as Fidelis Deep Session Inspection (DSI), which allows for the in-depth analysis of network traffic across all ports and protocols. This technology enables Fidelis Network to inspect the full context of network sessions, beyond just the header information, uncovering hidden threats that traditional security measures might miss, including malware, data exfiltration attempts, and other IoC by examining network traffic patterns and behavioral anomalies.

The solution is delivered as a cloud-based solution hosted on-premises or by Fidelis, which includes maintenance, processing power, and storage for log files and historical data, or as an on-premises deployment. Sensors are delivered as physical or virtual appliances (VMware ESXi) and can be deployed in-line using SPAN or TAP ports, or they can be deployed in the cloud. Moreover, Fidelis Network supports a combination of on-premises hardware, VMs (VMware), and cloud deployment (customer or Fidelis Security managed).

In addition to heuristics, signatures, and threat intelligence, Fidelis Network uses supervised and unsupervised ML and statistical modeling, utilizing over 300 metadata attributes. It automatically identifies and classifies network assets and calculates risk based on vulnerabilities, threat detection, security deployment, and asset priority, providing real-time content analysis rules for proactive network security and integrating with the MITRE ATT&CK framework for improved response strategies.

Strengths
Fidelis Network’s patented DSI technology enables the collection of rich metadata for advanced retrospective analysis, allowing security teams to apply new threat intelligence to historical data to uncover previously unknown compromises. In addition, the solution offers improved detection speed and efficiency, extended visibility via an interactive risk-based infrastructure map, automatic threat detection through traffic analysis and anomaly detection, reduced false positives, and faster response times by grouping related alerts. Fidelis Network offers flexible deployment options, including cloud-based SaaS, on-premises, and hybrid models. By integrating with the MITRE ATT&CK framework, the solution delivers advanced threat detection, network forensics, data loss prevention, and threat intelligence in a unified solution.

Challenges
Fidelis Network’s challenges include complex configuration, potential network latency, lack of zero-network footprint, limited decoding of network traffic, varying support for automated response, and less extensive use of behavioral analytics. In terms of data capture capabilities, Fidelis Network analyzes all content and accumulates more metadata than most other Netflow-based NDR systems. However, its ability to decode network traffic may not be as rigorous as more advanced NDR solutions, limiting its ability to discover risks hidden within encrypted traffic.

Furthermore, while Fidelis Network employs various detection techniques, including deep session inspection and ML, it may not utilize behavioral analytics as extensively as some competitors. Additionally, Fidelis Network supports hybrid environments, but its automated response capabilities may not be as robust as other NDR solutions.

Purchase Considerations
Fidelis Security offers perpetual, subscription, and term hardware and software licensing based on aggregate network bandwidth and days of stored metadata extracted by the network sensors. On-premises management and data storage are also available. Optional network sensor hardware is sold separately.

Fidelis Network’s use cases include proactive threat hunting, NTA, incident response, and compliance reporting. The solution also supports threat intelligence integration, enabling security teams to stay informed about emerging threats and adapt their defenses accordingly.

Radar Chart Overview
Fidelis Security is a Challenger in the Innovation/Platform Play quadrant. Fidelis Network offers deep visibility into network traffic, detecting advanced threats that may evade traditional security measures and accumulating more metadata than most other Netflow-based NDR systems for historical forensics. However, it may not provide the same level of network traffic decoding as some advanced NDR solutions, which could limit its ability to uncover risks hidden within encrypted traffic.

Fortinet: FortiNDR

Solution Overview
Founded in 2000, Fortinet provides a broad range of cybersecurity solutions, including next-generation firewalls, network security, and various security management products. Fortinet has two NDR offerings: FortiNDR, which was developed in-house and deployed on-premises, and FortiNDR Cloud, a SaaS solution built on Gigamon ThreatINSIGHT, a cloud-native, high-velocity NDR solution acquired by Fortinet in January 2023.

FortiNDR is designed for customers who require all data to remain on-site to meet compliance or air-gap requirements. It provides comprehensive visibility into network traffic, including east-west communications, to detect advanced threats that may bypass traditional security controls. FortiNDR uses a combination of ML models, an artificial neural network (ANN) for real-time file analysis, and threat intelligence to identify anomalous and malicious activity across IT and OT environments.

The FortiNDR architecture consists of hardware or virtual sensors deployed throughout the network to capture traffic from test access points (TAPs), switch port analyzers (SPANs), or in-line devices like FortiGate NGFWs. Sensors operate in standalone mode or in a distributed deployment with a central manager. Traffic metadata is analyzed on-premises with no customer data leaving the network. FortiNDR can ingest raw packets, IPFIX, NetFlow, and sFlow data from network devices, and files submitted via Fortinet’s Security Fabric or ICAP integration.

FortiNDR employs supervised and unsupervised ML to profile normal traffic and detect deviations. The patented ANN enables high-speed malware classification of files extracted from network flows without relying on signatures, with detections mapped to the MITRE ATT&CK framework and automated response triggered via the Fortinet Security Fabric, such as quarantining hosts via FortiGate, FortiNAC, or FortiSwitch. An intuitive UI allows pivoting from detection to investigation to threat hunting, while open APIs enable integration with third-party SIEM, SOAR, and XDR solutions.

Strengths
FortiNDR, Fortinet’s on-premises NDR solution, is distinguished and features patented ANN for real-time file and malware scanning directly from network traffic, setting it apart from competitors that rely solely on file hash analysis. This capability enables faster detection speeds without signature matching and adapts to malware variants, enhancing threat identification accuracy. FortiNDR supports comprehensive threat detection across various attack vectors, including intrusions on OT and SCADA systems and botnet attempts, classifying OT/industrial malware, and integrating industrial IPS and ML for anomaly detection in OT applications. FortiNDR’s simple licensing model, without device or user restrictions, and seamless integration with Fortinet’s Security Fabric and third-party APIs enable automated incident response actions, enhancing the overall security posture, cost-effectiveness, and scalability for organizations.

Challenges
FortiNDR’s performance is hardware-dependent, with virtual models operating at 40-80% efficiency compared to hardware models, lacking GPU acceleration. The system requires meticulous configuration and integration with other Fortinet products to function optimally, which can be complex in diverse network environments. Future enhancements include integrating with more third-party services for comprehensive case management capabilities, particularly with platforms like ServiceNow, and developing cross-detection technology leveraging ML for advanced security threat analysis to maintain competitiveness and effectiveness. Additionally, FortiNDR aims to expand its support for hybrid and complex IT/OT environments, including XDR and FortiSOAR integrations, and further development of OT support features like ML on SCADA protocols and MITRE ICS matrix support.

Purchase Considerations
Fortinet offers subscription licensing based on the number of appliances or VMs deployed, either in standalone or sensor mode, with optional licenses for OT security services and NetFlow support.

FortiNDR’s use cases include intrusion detection, botnet attempts, weak cipher and vulnerable protocol detection, traffic profiling, and patented ANN-based malware detection and classification.

Radar Chart Overview
Fortinet is a Leader in the Maturity/Platform Play quadrant. FortiNDR offers robust compliance and comprehensive threat detection, non-signature-based threat detection, north-south and east-west monitoring, out-of-the-box analysis, and built-in incident response. It uses ANN for real-time scanning of files for malware on the network, OT support, and a simple licensing model. However, it is heavily dependent on Fortinet’s portfolio for optimal threat detection and response.

Fortinet: FortiNDR Cloud

Solution Overview
Founded in 2000, Fortinet provides a broad range of cybersecurity solutions including next-generation firewalls, network security, and various security management products. Fortinet has two NDR offerings: FortiNDR, developed in-house and deployed on-premises, and FortiNDR Cloud, a SaaS solution built on Gigamon ThreatINSIGHT, a cloud-native, high-velocity NDR solution acquired by Fortinet in January 2023.

FortiNDR Cloud is a cloud-native solution using sensors deployed as either standalone appliances or ESXi and KVM VMs. These sensors ingest north-south and east-west full packet streams from TAPS/SPANS/vTAPS/vSPANS or network aggregators for core or cloud workload traffic. These sensors classify traffic and send metadata to the SaaS platform for further analysis and investigation. Integrations with CrowdStrike Falcon, FortiEDR, and FortiGate NGFWs allow analysts to isolate endpoints and IP addresses via the FortiNDR Cloud interface, streamlining response directly in the solution.

FortiNDR Cloud leverages open-source technologies such as Suricata and Zeek, along with proprietary technology for reassembly of Layers 2 to 7 metadata. All metadata is enriched with entity and event context, and detection rules are constantly updated by the FortiGuard Labs Applied Threat Research (ATR) team. The solution detects activities and behaviors correlated directly with the MITRE ATT&CK framework, providing high-quality detection rules across 14 TTP categories and 88 techniques.

FortiNDR Cloud speeds up the investigation process during incident response by providing low false positives, ATT&CK mapping, and auto-providing evidence, and facilitating unlimited granularity via flexible queries. The solution can also inform users of detections first seen and last seen, with validated significant reductions in both metrics. In addition, FortiNDR Cloud’s Guided-SaaS offering includes experienced technical success managers who are accessible to customers during incidents to provide threat information and best practices to triage, investigate, and respond.

Strengths
FortiNDR Cloud, a cloud-native SaaS solution by Fortinet, offers comprehensive NDR capabilities designed to monitor network traffic for malicious activities and respond to cyberattacks. It leverages ML, behavioral analysis, and metadata to identify network anomalies and threats, ensuring protection against both known and unknown threats. The solution provides extensive threat detection across the MITRE ATT&CK framework, offering high-quality detection rules for rapid identification and response. FortiNDR Cloud facilitates seamless integration with the Fortinet Security Fabric and other third-party tools, enhancing incident response through automated investigation, triage, and remediation processes. Its cloud-native architecture ensures scalability, rapid deployment, and ease of management, making it a robust solution for modern cybersecurity needs.

Challenges
FortiNDR Cloud’s challenges include improving OT support, as customers often opt for the on-premises FortiNDR solution for OT environments, indicating a gap in the cloud solution’s capabilities for handling specialized networks. Another challenge is expanding local points of presence (PoPs) for customers in EMEA and APAC regions to enhance service delivery and data processing speeds in these areas. Moreover, with FortiNDR Cloud being a cloud service, organizations with strict data residency and compliance requirements may face challenges in adopting the solution if their data cannot leave their premises. Fortinet must explore offering more flexible deployment options beyond just the cloud, such as on-premises or hybrid models. Additionally, the integration of generative AI into the investigation processes is a complex task involving significant architectural and design efforts to effectively incorporate large language models.

Purchase Considerations
Fortinet offers a subscription model based on the number of hardware sensors deployed by the customer and a software license based on the aggregated throughput from all sensors to the SaaS platform, charged in units of 1 Gbps.

FortiNDR Cloud’s use cases include real-time threat detection, incident response, and threat hunting across various environments, including IT, OT, and IoT.

Radar Chart Overview
Fortinet is a Leader in the Innovation/Platform Play quadrant. FortiNDR Cloud is a cloud-native SaaS solution using sensors to capture north-south and east-west traffic, leveraging open source technologies like Suricata and Zeek for stream reassembly and metadata extraction. Integrated with Fortinet’s Security Fabric, it offers seamless incident response capabilities, enabling rapid threat mitigation. FortiNDR Cloud supports hybrid network deployments, ensuring visibility and control over on-premises, cloud, and hybrid environments.

GREYCORTEX: GREYCORTEX Mendel

Solution Overview
Founded in 2016, GREYCORTEX specializes in cybersecurity solutions focusing on NDR for IT and OT networks. It is part of the ESET Technology Alliance, a collaboration of companies working on integrating their solutions to provide better security services.

GREYCORTEX Mendel provides deep network visibility, advanced threat detection, and robust response capabilities for both IT and OT networks. Its architecture consists of sensors that capture network traffic via mirrored ports or network taps and a central collector that aggregates and analyzes the data. Mendel can be deployed as a physical or virtual appliance with a multilevel structure for larger deployments. The installation process involves setting up the Mendel sensor, which acts as both a sensor and a collector, capturing all network traffic via a mirrored network bridge from the physical network.

With its advanced analytics and intuitive interface, GREYCORTEX Mendel empowers security teams to quickly detect, investigate, and mitigate threats. Mendel captures network traffic using DPI techniques, including support for industrial protocols like ICS and SCADA. It analyzes the captured data using DPI, IDS, network behavior analysis (NBA), encrypted traffic analysis, network and application performance monitoring, event correlation, and risk assessment, combining specific signatures for the detection of known threats with its own detection signatures to identify approximately 300 types of industrial and critical infrastructure attacks on the most used OT protocols.

The system supports configurations that allow remote SSH access and can operate in both online and offline modes, depending on the organization’s security policies and network architecture. It provides an intuitive web interface for visualizing network activity, investigating incidents, and performing forensic analysis. Mendel integrates with other security tools, such as SIEM, firewalls, and NAC, to enable automated incident response and includes an incident management module for collaboration and workflow tracking.

Strengths
GREYCORTEX Mendel performs standard NTA functions and understands a wide array of enterprise IT, streaming, OT, and IIoT protocols, such as CIP, CoAP, DNP3, Modbus, MQTT, OPC-UA, and S7. It employs various enhanced traffic analysis (ETA) techniques, leveraging Snort and Suricata rules alongside unsupervised ML detection engines. Mendel’s high throughput per sensor, reaching 40 Gbps, allows for robust network monitoring. It supports role-based access control (RBAC) and integrates with multiple SIEM systems for comprehensive security management. Although it does not offer multifactor authentication (MFA) or federation, Mendel’s flexible deployment options across on-premises networks and cloud environments like AWS and Azure make it a versatile tool for detecting and mitigating cyberthreats.

Challenges
GREYCORTEX Mendel does not use supervised ML or deep learning for threat detection, relying instead on unsupervised ML and traditional detection engines like Snort and Suricata. In addition, its data capture capabilities do not include capturing malware samples or sandbox integrations, limiting its forensic analysis potential. Mendel does not automatically build cases, add threat intelligence, or create IoCs for threat hunting, requiring manual intervention for these tasks. The solution does not come with predefined playbooks, and any response actions must be configured over APIs and are constrained by downstream security tools. Additionally, Mendel does not support MFA or federation for user access, and it has not achieved any security certifications, which may impact its trustworthiness and adoption in highly regulated industries.

Purchase Considerations
GREYCORTEX offers perpetual hardware and subscription software licensing based on the number of connected flow exporting devices (appliances or VMs) and flow rates.

GREYCORTEX Mendel’s use cases span network performance monitoring, incident response, threat hunting, and compliance management for large organizations and SMBs. It is particularly well-suited for securing industrial networks, including ICS and SCADA systems, by providing deep visibility into OT and IT network traffic.

Radar Chart Overview
GREYCORTEX is a Challenger in the Maturity/Platform Play quadrant. GREYCORTEX Mendel’s multilevel appliance architecture, high throughput per sensor, support for a wide range of IT, OT, and IIoT protocols, and various deployment options make it suitable for securing large-scale enterprise and industrial networks. However, its lack of certain features like MFA, sandbox integration, and automated playbook creation may be considered limitations compared to some competitors.

IronNet: IronDefense

Solution Overview
Founded in 2014 by General (Ret.) Keith Alexander, the former Director of the United States National Security Agency (NSA) and the founding commander of United States Cyber Command, IronNet employs several former NSA cybersecurity operators with offensive and defensive cybersecurity experience to integrate deep tradecraft knowledge into the IronNet Collective Defense platform.

The core component of the IronNet Collective Defense platform, IronDefense provides advanced threat detection and visibility across cloud, hybrid, and on-premises networks. It applies advanced behavioral analysis and AI/ML models to network packets, network flow records, and input from third-party platforms (with new sensors auto-commissioned and auto-upgraded without requiring interaction from SOC staff) to detect anomalous and malicious activity. The solution automatically correlates alerts, acquires contextual data, and applies security playbooks to vet, prioritize, and rate threats.

The IronDefense architecture consists of several key components. Network sensors (physical or virtual) are deployed to collect network metadata and full packet capture (PCAP) from enterprise traffic at speeds up to 10 Gbps, while the IronDefense back end processes this data using analytics and threat intelligence. IronDefense can be deployed on-premises, in the cloud, or in hybrid environments. Supported deployment modes include passive, in-line, out-of-band, public cloud, private cloud, and virtual, providing flexibility to fit different customer environments and requirements.

IronDefense integrates with IronNet’s IronDome, a collective defense platform that shares anonymized threat data across organizations to provide real-time visibility of attack patterns and behaviors. The IronVue dashboard provides a visual interface for analysts to investigate and hunt for threats. IronDefense also integrates with CrowdStrike endpoints, SentinelOne EDR, and Splunk SIEM to enable coordinated detection and response across the security stack.

Strengths
IronDefense enhances visibility across the threat landscape and improves detection efficacy within a network environment. It works in conjunction with IronNet’s IronDome Collective Defense solution to deliver dynamic, real-time visibility to threats targeting a supply chain, industry, or region. IronDefense reduces false positives through automated alert correlation, including malicious payload detection, and extends the supported hunt window. The solution provides early visibility of unknown cyberthreats that have slipped past the endpoint and firewall, whether on-premises or in the cloud. A managed security service, IronNet’s Cyber Operations Center (CyOC) provides round-the-clock monitoring, detection, and response services to customers, backed by a team of expert offensive and defensive cybersecurity operators with private and public sector experience.

Challenges
While IronDefense employs sophisticated detection techniques using AI and ML, other solutions might offer more diverse or specialized detection algorithms tailored to specific threats or industries. Its automated response capabilities are robust but may not be as extensive or customizable as those found in some competitors’ solutions, potentially limiting flexibility in incident response strategies. Moreover, while IronDefense supports hybrid environments, its deployment and integration in highly complex or unique network architectures may not be as seamless as solutions designed with a broader focus on diverse IT ecosystems. The company ceased operations in September 2023 before restructuring and emerging from Chapter 11 as a private company in February 2024. Potential customers should verify IronNet’s financial stability before engaging.

Purchase Considerations
IronNet offers 12-month subscriptions with tiered, per-user pricing for increasing capabilities aligned with requirements and budget. The SaaS version of IronDefense, IronCloud, is available on the AWS Marketplace with throughput-based pricing.

IronDefense is designed for advanced threat detection, insider threat monitoring, and cyberattack mitigation within enterprise networks. Additionally, IronDefense supports compliance with cybersecurity frameworks and regulations by providing comprehensive network visibility and detection of sophisticated cyberthreats.

Radar Chart Overview
IronNet is a Challenger in the Maturity/Platform Play quadrant. IronDefense offers a robust architecture with on-premises and virtual network sensors for comprehensive data capture. Its capabilities are enhanced by its integration with IronDome for collective defense and real-time threat intelligence sharing. However, IronNet’s innovation and operations have been impacted by its ongoing financial struggles.

Lumu Technologies: Lumu Defender

Solution Overview
Founded in 2019, Lumu helps organizations measure and detect compromises within their networks using network metadata. Lumu’s Continuous Compromise Assessment framework leverages the patent-pending Illumination Process to continuously ingest and analyze an organization’s network metadata to measure and understand the level of a compromise occurring inside the network in real time.

Lumu Defender is a cloud-based NDR solution leveraging a SaaS architecture with the core analytics engine hosted in AWS. It offers multiple deployment options, including virtual sensors, lightweight agents for endpoints, and direct integrations with third-party security tools and cloud providers. This flexible deployment model allows Lumu to ingest and analyze network metadata from various sources across on-premises, hybrid, and cloud environments without the need for physical appliances or network taps.

The solution captures and analyzes a wide range of network metadata, such as DNS queries, network flows, proxy logs, firewall logs, and email intelligence. This metadata is fed into Lumu’s patented Illumination Process, which combines known IoCs correlation, anomaly detection using ML models, and deep correlation analysis to identify potential threats with high accuracy. The solution leverages collective defense by continuously learning from the network data of all its customers, enabling it to adapt to evolving threats rapidly.

The analytics engine continuously monitors the ingested metadata to detect various threat vectors, including malware, phishing, command-and-control communications, lateral movement, and data exfiltration attempts. Once a threat is detected, Lumu Defender provides rich context and visibility into the incident, including affected assets, attack techniques (mapped to the MITRE ATT&CK framework), and potential impact. It then enables automated response actions through Lumu AutoPilot and out-of-the-box integrations with existing security tools.

Strengths
Lumu Defender provides comprehensive threat detection across the entire network infrastructure, including user devices, OT, and IoT, through its ability to ingest and analyze network metadata from various sources like DNS, firewall logs, proxy logs, and email intelligence. Its patented Illumination Process combines known threat intelligence, anomaly detection using AI/ML models, and deep correlation analysis to precisely identify compromises with high accuracy and low false positives. The playback feature enables retrospective threat hunting, continuously storing network metadata to allow customers to see when they first made contact with a domain or IP that later became malicious. Lumu Defender also offers automated response capabilities through native integrations with existing security tools, enabling real-time mitigation of detected threats across the full attack surface.

Challenges
Lumu Defender relies on network metadata for threat detection, which may result in false positives or negatives, potentially affecting the ability to detect sophisticated or low-and-slow attacks. Lumu must expand its threat intelligence sources to provide a more comprehensive view of potential cyberthreats, including DPI for root cause analysis (currently available via Lumu’s partnership with Gigamon), the enhanced detection of advanced malware threats and APTs, and support for decryption of SSL/TLS traffic. Moreover, the cloud-based deployment model may not suit all organizations, especially those in heavily regulated industries, and some users have reported difficulties in integrating Lumu Defender with existing security systems, causing delays in response capabilities. Lumu must also extend its threat-hunting capabilities beyond network threat detection, applying its continuous compromise assessment model to endpoints and identities for improved coverage.

Purchase Considerations
Lumu offers tiered subscription licensing based on the number of connected devices being monitored. Lumu Free includes network-level visibility, five metadata collectors, and 45-day data retention.

Lumu Defender’s use cases include orchestrating detection and response across tools, securing remote user access, and instantly blocking threats detected through Lumu Autopilot and native integrations with firewalls, EDR, secure access service edge (SASE), and other security solutions.

Radar Chart Overview
Lumu is a Leader in the Innovation/Feature Play quadrant. Lumu Defender is a SaaS solution providing comprehensive threat detection and automated response capabilities through the collection and analysis of network metadata. Its key strengths lie in its patented Illumination Process for non-signature-based threat detection, continuous network metadata analysis across hybrid environments, and seamless integration with existing security tools for orchestrated incident response.

NETSCOUT: Omnis Network Security

Solution Overview
Founded in 1984, NETSCOUT provides service assurance, cybersecurity, and business analytics solutions to service providers, enterprises, and government agencies. At the Mobile World Congress in February 2024, NETSCOUT announced a partnership with Palo Alto Networks to combine NETSCOUT’s network visibility with Palo Alto’s 5G security solutions, enhancing visibility for security teams using Omnis Network Security.

Omnis Network Security provides NDR capabilities based on DPI. It has three main components: Omnis CyberStream network sensors for continuous packet capture and real-time vulnerability and threat analysis, Omnis Cyber Intelligence as the central on-premises management console and user interface, and Omnis AI Streamer for exporting curated metadata to third-party SIEM tools, data lakes, and AI analysis and XDR systems.

Omnis Network Security supports flexible deployment options across on-premises, virtual, and private and public cloud environments. The highly scalable CyberStream sensors can be deployed as physical or virtual appliances, capturing packets at speeds up to 100 Gbps. They leverage NETSCOUT’s patented Adaptive Service Intelligence (ASI) technology to convert raw packets into rich Layer 2-7 metadata and perform multidimensional threat detection at the point of capture. This metadata, along with full packets, is stored locally on the multi-terabyte CyberStream sensors for real-time and historical analysis. The solution is also supported by a large portfolio of optional taps, smart packet brokers, and decryption appliances that can provide high-performance visibility into encrypted traffic, including TLS/SSL and SSH.

The platform employs multiple threat detection methods, including threat intelligence feeds, Suricata-based rules, custom policies, and ML-driven behavioral analysis, enabling security teams to detect threats earlier in the attack lifecycle, gather forensic evidence, and reduce mean time to respond (MTTR). Additionally, Omnis Cyber Intelligence provides a unified interface for triaging alerts, conducting contextual investigations using the stored metadata and packets, and integrating with existing security tools, while Omnis AI Streamer enables the curation and export of select Omnis sensor metadata to third-party data lakes or AI pipelines for data enrichment.

Strengths
Omnis Network Security offers comprehensive packet-level network visibility, enabling the detection of both known and unknown threats across diverse network environments. Its patented DPI and ASI technology converts raw packets into rich metadata for precise threat detection with fewer false positives. The solution’s multidimensional threat detection leverages threat intelligence, behavioral analysis, protocol compliance, and custom policies. Additionally, Omnis Network Security provides real-time and historical threat detection, supporting continuous network traffic monitoring and metadata extraction. It integrates with SIEM, SOAR, and XDR platforms for incident response, and its scalable CyberStream sensors ensure performance across on-premises, cloud, and hybrid environments. Lastly, NETSCOUT’s portfolio of taps, smart packet brokers, and decryption appliances enable seamless packet acquisition and decryption.

Challenges
Omnis Network Security has room to grow in areas like cloud integrations, advanced AI/ML, automated response playbooks, and custom data integration. Its data capture capabilities, although extensive, do not ingest or analyze network flow data like IPFIX, NetFlow, or sFlow, relying solely on packet data capture and analysis. The system does not offer a zero-network footprint, requiring significant instrumentation and data processing resources. In terms of detection techniques, they depend on predefined threat intelligence and behavioral analysis, which might not detect entirely new or sophisticated zero-day threats effectively. The automated response capabilities are strong but could be limited by the integration complexity with existing security infrastructures. Additionally, while it supports hybrid environments, seamless integration and consistent performance across all platforms can be challenging.

Purchase Considerations
NETSCOUT offers perpetual license and subscription options, with core components priced separately. Omnis CyberStream network sensors come as software for certified physical or virtual appliances with varying network monitoring speeds and storage capacities. The Omnis Cyber Intelligence management console is priced based on the number of CyberStream sensors managed.

Omnis Network Security’s use cases include continuous network monitoring, real-time threat detection leveraging multiple techniques like threat intelligence and behavioral analysis, historical investigation and forensics using stored metadata and packets, and integration with SIEM/SOAR/XDR platforms for enhanced incident response.

Radar Chart Overview
NETSCOUT is a Challenger in the Innovation/Platform Play quadrant. Omnis Network Security’s patented ASI technology enables real-time, multidimensional threat detection leveraging threat intelligence, behavioral analysis, and custom policies. With robust integration capabilities and plans for advanced AI/ML, Omnis Network Security offers a scalable and high-performance NDR solution for effective threat detection and response.

NetWitness: NetWitness Network

Solution Overview
Conceived in 1997 as a US intelligence agency research project and spun out in 2006, NetWitness delivers comprehensive and highly scalable threat detection and response capabilities based on a unified data architecture. In 2023, after several years of transition between RSA, EMC, and Dell, NetWitness became an independent business unit of RSA Security.

NetWitness Network captures and analyzes data from various points in an IT infrastructure–including logs, packets, NetFlow, endpoints, and IoT devices–across physical, virtual, and cloud platforms. It dynamically parses and enriches network data at the time of capture—with NetWitness FirstWatch Threat Intelligence, business context, technical context, Mitre ATT&CK mapping, and geolocation data—to create sessionized metadata that significantly accelerates alerting and analysis.

The solution is highly modular and can be deployed on dedicated hardware appliances, VMs, or in major public cloud environments like AWS, Azure, GCP, and OCI. It employs a distributed architecture with components like decoders, concentrators, and brokers that facilitate data capture, processing, and analysis across geographically dispersed locations. It can also be deployed as a managed security solution (MSS) or managed detection and response (MDR) offering for organizations that prefer to outsource some or all the administrative and/or investigative burden.

Combining DPI across hundreds of protocols with advanced analytics powered by ML, behavioral analysis, and integrated threat intelligence, NetWitness Network provides long-term historical packet retention so analysts can reconstruct entire network sessions, decode encrypted traffic, and provide automated detection and forensic capabilities. It also integrates with NetWitness Orchestrator and optional log (SIEM) and endpoint (EDR) modules to improve detection, visibility, and response.

Strengths
NetWitness Network provides a scalable architecture supporting high throughput and geographically distributed deployments and integration with SASE vendors for comprehensive network visibility (including encrypted SASE/SaaS traffic), advanced threat detection, and deep packet forensics, making it a robust solution for network security. It leverages real-time data enrichment, including threat intelligence and contextual information, and employs multiple correlated detection techniques, such as network signatures, rule-based correlations, and ML-based behavioral analytics, to identify both known and unknown threats effectively. Additionally, NetWitness Network offers flexible deployment options across on-premises, cloud, and hybrid environments and integrates seamlessly with additional security modules like SIEM and EDR for expanded visibility and control. Customers can choose between full-packet and metadata-only licensing models to limit costs, depending on the use case.

Challenges
NetWitness Network’s challenges include its complexity and depth of capabilities, including the volume of data generated, which demand significant security expertise, potentially limiting adoption for some organizations. Its detection techniques, while comprehensive, may still miss advanced threats that evade signature-based, behavioral analytics, and ML models. Data capture capabilities are limited to network traffic, lacking visibility into endpoint and cloud workload activity. Additionally, its native automated response options necessitate integrations with other security tools for a broader response range. Lastly, cost optimization for large data volumes and long-term retention remains an area of focus for NetWitness, and integration with cloud and SASE vendors is still evolving and may have gaps.

Purchase Considerations
NetWitness offers a tiered throughput (based on the amount of network traffic being collected) and meta-only (allowing only metadata storage) subscription licensing model, with different support tiers and user and entity behavior analytics (UEBA) priced according to the number of users or entities involved in the analyzed data. MSS and MDR offerings are available through partners.

NetWitness Network’s use cases include detecting and responding to advanced threats, reconstructing entire network sessions for forensic investigations, and effective threat hunting through enriched contextual data and threat intelligence integration.

Radar Chart Overview
NetWitness is a Leader in the Maturity/Platform Play quadrant. NetWitness Network provides extensive visibility through full packet capture, metadata analysis, and network flow monitoring across on-premises, cloud, and hybrid environments. Offering real-time data enrichment, automated response capabilities, and deep forensic investigation tools, NetWitness Network enables organizations to reduce dwell time and accelerate incident response.

NextRay: NextRay NDR

Solution Overview
Founded in 2021, NextRay specializes in network security, with NextRay NDR as its only solution. The company partners with Garland Technology to ensure complete packet visibility by delivering a full platform of network TAP (test access point), inline bypass, and packet broker products, enhancing NextRay NDR’s capabilities by providing a strong foundation of network visibility and access.

NextRay NDR provides real-time visibility and automated incident response across an organization’s entire network infrastructure. Its architecture is designed to monitor and analyze both north-south traffic and east-west traffic to detect and mitigate threats. NextRay NDR can be deployed on-premises, in the cloud, or in a hybrid environment, offering flexibility to fit various organizational needs.

At the core of NextRay NDR’s data capture capabilities are strategically placed network sensors and DPI. These sensors capture network traffic in real time, including raw packets and metadata. The solution integrates with network TAPs and packet brokers, such as those from Garland Technology, to ensure complete packet visibility without dropping packets, even in high-throughput environments.

NextRay NDR leverages AI, ML, and behavioral analytics to analyze traffic patterns, protocols, and payloads, accurately identifying risks and anomalous activities that deviate from established baselines of normal network behavior, such as advanced persistent threats, IoC, and zero-day exploits that signature-based tools might miss. When a threat is detected, NextRay NDR automatically triggers incident response workflows, enabling security teams to investigate, prioritize, and mitigate risks quickly. The solution also integrates with EDR, SIEM, and SOAR platforms to streamline security operations and accelerate threat containment.

Strengths
NextRay NDR offers comprehensive network visibility and advanced threat detection capabilities. By analyzing all network traffic, including north-south and east-west, using AI, ML, behavioral analytics, and over 15,000 Suricata rules (disabled by default), it can accurately identify both known and unknown threats, including IoCs. NextRay NDR reduces false positives to less than 20% and detects anomalies within six hours. Its automated incident response and integration with EDR, SOAR, and SIEM solutions streamline SecOps procedures, enabling faster investigations and reduced response times. NextRay NDR provides protection against insider threats, ransomware, and APTs, as well as visibility into cloud environments and IT, IoT, and OT devices. With flexible deployment options and powerful analytics, NextRay NDR enhances an organization’s overall security posture by delivering efficient, AI-driven threat detection and mitigation.

Challenges
NextRay NDR’s challenges include scaling to accommodate rapidly growing network traffic volumes, integration complexities with existing security infrastructure, and the need for fine-tuning to reduce false positives despite claims of low rates. While NextRay NDR offers automated response capabilities, the efficiency of these automated processes in resource-constrained environments, where prioritization of critical threats is vital, could be a limitation depending on the solution’s ability to accurately triage and respond to incidents.

NextRay NDR offers comprehensive visibility and control over digital spaces, including cloud, IoT, and remote work environments, but the extent to which it can seamlessly protect across diverse and hybrid IT environments without compromising performance or visibility remains a critical consideration. Additionally, while NextRay NDR uses advanced detection techniques, it may still require skilled security personnel to manage and interpret alerts effectively.

Purchase Considerations
NextRay offers perpetual hardware and subscription-based software licensing. However, prices can vary widely based on the scale of deployment. Prospective customers should contact NextRay for specific pricing details.

Designed for mid-market businesses and large enterprises seeking advanced threat detection and response, NextRay NDR’s use cases include protecting against insider threats, ransomware, and advanced persistent threats (APTs), ensuring visibility into cloud environments and IoT devices and automating incident responses.

Radar Chart Overview
NextRay is a Challenger in the Maturity/Feature Play quadrant. NextRay NDR captures traffic using network TAPs from Garland Technology. Threat detection is powered by advanced ML and behavioral analytics, enabling it to identify both known and unknown threats. The platform’s automated response capabilities and integration with existing security workflows allow for swift threat mitigation, positioning NextRay NDR as a robust solution for enhancing cybersecurity defenses.

OpenText: OpenText NDR

Solution Overview
Founded in 1991, OpenText is an enterprise information management company providing software products and services for managing information assets. In November 2021, OpenText acquired Bricata, rebranding its NDR offering as OpenText Network Detection & Response. In January 2023, OpenText acquired Micro Focus, boosting its information management and security capabilities.

OpenText NDR provides real-time visibility and advanced threat detection capabilities across on-premises, hybrid, and cloud environments. The solution’s on-premises architecture is built around lightweight sensors deployed as a VM, physical device, or cloud appliance, or on commodity hardware. These sensors capture network traffic using various methods, including port mirroring, TAP, and tunnel-based capture, leveraging high-fidelity metadata and SmartPCAP to ensure thorough visibility across both east-west and north-south network traffic.

The captured network data is then analyzed by OpenText NDR’s back-end components, using a combination of signature-based detection, stateful anomaly detection, and ML-powered malware conviction. This multilayered approach enables the detection of known and unknown threats, including advanced persistent threats (APTs), malware, and insider threats. The solution generates rich metadata from the captured traffic, which is stored and analyzed for historical forensics and threat-hunting purposes.

OpenText NDR provides comprehensive threat detection and response capabilities through its centralized management console. Security teams can leverage customizable dashboards, robust threat-hunting and forensic analysis tools, and seamless integration with SIEM, SOAR, and other security solutions. The solution also offers automated response mechanisms, such as isolating compromised devices or blocking suspicious traffic, enabling rapid incident response and mitigation of identified threats.

Strengths
OpenText NDR offers comprehensive threat detection capabilities by combining signature inspection, stateful anomaly detection, and ML-powered malware conviction to provide complete 360-degree visibility. Its lightweight sensors enable flexible deployment options, including virtual sensors and cloud support, enabling seamless integration into diverse environments to capture traffic from various sources for thorough east-west and north-south monitoring, enabling the detection of known and unknown threats across the entire attack chain. The solution offers robust historical analytics, leveraging rich metadata and SmartPCAP storage for detailed forensics and threat hunting. Additionally, OpenText NDR ensures regulatory compliance by keeping sensitive data within the customer’s network and offering data sovereignty capabilities.

Challenges
OpenText NDR’s challenges include the need to rearchitect the back-end system to handle the vast amount of data generated by global companies. The current system’s data storage format and strategy are not suited for large-scale historical behavioral analysis. The company intends to overcome this by developing a more intelligent data storage method, enabling the detection of persistent threats over extended periods beyond the current 30-day retention limit. Additionally, while the solution is scalable and flexible, there is a focus on maintaining the same user interface and API flexibility as the back end evolves to support increased data storage capacity. While excelling at network monitoring, OpenText NDR has limited visibility into endpoint activities and user behaviors on individual devices. Integration with EDR solutions may be needed for comprehensive coverage.

Purchase Considerations
OpenText offers tiered throughput-based term licensing or per-user licensing for service providers. OpenText NDR can be bundled with multiple layers of additional services, including full-time on-site support in certain regions.

OpenText NDR’s use cases include detecting known and unknown threats, conducting forensic investigations, enabling proactive threat hunting, automating incident response, and securing cloud workloads and network traffic flows.

Radar Chart Overview
OpenText is a Challenger in the Innovation/Platform Play quadrant. OpenText NDR offers a multifaceted architecture combining signature inspection, stateful anomaly detection, and ML for malware conviction. It provides real-time visibility across on-premises, hybrid, and cloud environments through lightweight sensors capturing high-fidelity metadata and SmartPCAP data. Its centralized management, customizable dashboards, and flexible deployment options position it as a robust and adaptable NDR platform for enterprises seeking enhanced network security.

Plixer: Plixer One Security

Solution Overview
Founded in 1999, Plixer specializes in network monitoring and management, providing adaptable and cost-effective solutions to help businesses navigate the complexities of network security and efficiency. Plixer’s flagship product, Scrutinizer, was developed to address the gap in network data visualization and analytics.

Composed of multiple integrated products, Plixer One Security provides comprehensive visibility and advanced threat detection capabilities across on-premises, cloud, and hybrid environments. The platform offers a non-intrusive, agentless deployment model that enables rapid implementation and scalability. Plixer One Security captures network traffic data from a wide range of sources, including flow logs, packet captures, and endpoint telemetry, without requiring complex network reconfigurations.

The solution’s architecture is designed to handle large-scale, distributed networks and includes components such as unlimited collectors for distributed reporting, endpoint analytics, ML models for security-specific events, selective packet capture, and the Plixer Replicator for data replication and redundancy. Plixer One Security can be deployed on-premises, in the cloud, or in hybrid environments, providing seamless visibility across diverse network landscapes.

Plixer One Security combines threshold-based, supervised and unsupervised ML, deep learning, and Suricata signatures with customizable detection sensitivity thresholds, seasonality baselining, adjustable dimensions for modeling, encrypted traffic analytics, threat intelligence feed integration, and transparent ML models. The platform aligns with the MITRE ATT&CK framework to detect lateral movement, identify threat actors in real time, and proactively detect pre-breach stages.

Strengths
Plixer One Security offers a non-intrusive, agentless deployment model for real-time security risk detection. It provides enhanced visibility and detailed network insights across on-premises, hybrid, and cloud environments, enabling organizations to ensure network availability, scalability, and performance optimization. It leverages multiple detection technologies, including tunable AI/ML algorithms, threshold-based anomaly detection, and signature and rule-based detections, to identify and mitigate threats. Plixer One Security’s strengths lie in its ability to swiftly detect lateral movement, neutralize attacks proactively, and provide deep, clear visibility into threats with comprehensive endpoint insight through agentless discovery, risk assessment, and behavior monitoring. Its architecture supports unlimited data collection, analysis, and reporting, making it suitable for large-scale, distributed networks.

Challenges
Plixer One Security faces challenges related to cloud-native solutions, cloud services support, and MSP and MDR support. Plixer is rearchitecting the platform to optimize cloud deployments, enabling more efficient resource scaling and monitoring of cloud workloads and services, such as containers and microservices, for flow ingestion.

While some MSPs and MDRs already use Plixer’s solution, improvements are needed to support centralized dashboards, administration, automated provisioning, and billing. Additionally, Plixer needs to expand its encrypted traffic analytics (ETA) to detect anomalies without decrypting traffic, risk-based alerting for prioritizing alerts, and automated forensics/UEBA capabilities.

Purchase Considerations
Plixer offers subscription-based licensing based on the number of flow-exporting devices and/or VPCs (virtual private clouds). The licensing includes Scrutinizer, Replicator, FlowPro Defender, FlowPro APM, Endpoint Analytics, and the ML Engine.

Plixer One Security’s use cases include asset discovery and profiling, internal and external threat detection, application dependency mapping, threat investigation and forensics, risk assessment and device hardening, MITRE ATT&CK framework mapping, and zero trust planning, deployment, and monitoring.

Radar Chart Overview
Plixer is a Challenger in the Maturity//Platform Play quadrant. Plixer One Security’s agentless, nonintrusive deployment model, distributed architecture for scalability, and diverse data collection and detection techniques (repositioning Plixer from 2023’s Innovation/Feature Play quadrant) leverage network telemetry data like NetFlow, IPFIX, and cloud flow logs for threat detection and response. With its focus on using readily available network data, Plixer aims to complement existing security investments while offering cost-effective NDR capabilities.

Progress: Flowmon

Solution Overview
Founded in 1981, Progress specializes in providing software to develop, deploy, and manage business applications safely and securely. Kemp Technologies acquired Flowmon Networks in November 2020, with Kemp (including Flowmon) subsequently acquired by Progress in September 2021.

Flowmon is built around a centralized architecture that includes collectors, probes, and extending modules. Available in hardware, virtual, and cloud options, collectors serve as the management, analytical, and data storage units. Probes, which are optional but recommended, act as sources of enriched network data and are also available in hardware, virtual, and cloud formats. Extending modules enhance the analytical capabilities of the collectors, offering AI-based security detection, application-aware performance monitoring, and packet capture with automated analysis.

Flowmon offers flexible deployment options to suit various environments, including on-premises, cloud, and hybrid setups. This adaptability ensures that Flowmon can provide comprehensive coverage across an organization’s entire network. The solution supports a wide range of data capture methods, including traditional flow data formats like NetFlow and IPFIX, as well as cloud-native flow logs from major providers such as AWS, GCP, and Azure. This capability allows Flowmon to integrate seamlessly with existing network infrastructure, reducing the need for additional sensors and thereby lowering overall deployment costs.

Flowmon’s analytics capabilities include ML-based anomaly detection, behavior analysis, adaptive baselining, and reputation databases to identify known and unknown threats. Flowmon’s application performance monitoring (APM) and packet investigator modules provide additional insights into application performance and network traffic, respectively. The solution also includes a user-friendly UI environment for data visualization and detailed analysis, enabling infrastructure teams to quickly identify and resolve network issues before they impact business operations.

Strengths
Flowmon is a network and security monitoring platform that offers AI-based detection of cyberthreats and anomalies, as well as actionable insights into network and application performance. The high-performance solution supports cloud, on-premises, and hybrid environments, making it suitable for company-wide coverage with a fast deployment time. Flowmon’s key strengths include minimizing complexity, unprecedented scalability, full attack coverage, and reliability. It differentiates itself by providing a single appliance solution, reducing complexity, deployment time, and cost. Flowmon also offers comprehensive threat detection, non-signature-based threat detection, north-south and east-west monitoring, transparent out-of-the-box analysis, and built-in incident response capabilities. The platform’s multifaceted approach integrates AI, ML, behavior, anomaly, heuristics, statistical analysis, baselining, signatures, and threat intelligence to improve detection accuracy and lower false positives.

Challenges
Flowmon, while offering numerous benefits, also has some technical challenges and limitations. One such challenge is the potential for high storage and processing resource requirements when dealing with large, complex networks generating significant flow data, potentially straining storage and processing resources. Incomplete or inconsistent flow exports from network devices can also impact visibility and detection accuracy.

Additionally, encrypted traffic can hinder DPI, although Flowmon partially mitigates this with behavioral analysis. False positives can still occur despite advanced analytics, requiring extensive tuning efforts from security teams. Integration with other security tools may be limited, with specialized expertise needed to operate and maintain the system effectively. Lastly, Flowmon is an on-premises solution, so organizations must manage the infrastructure and perform the updates themselves.

Purchase Considerations
Progress offers perpetual and subscription licensing based on performance in terms of traffic flows processed per second and storage capacity, with costs varying depending on the customer’s environment and requirements for different functionalities.

Flowmon’s use cases for security operations include early threat detection and warning, threat hunting, incident response, and breach recovery.

Radar Chart Overview
Progress is a Challenger in the Innovation/Platform Play quadrant. Flowmon provides AI-driven threat detection across cloud, on-premises, and hybrid environments with a scalable, single-appliance architecture, multifaceted threat detection, and seamless integration with existing network infrastructure. It differentiates itself through massive scalability, full attack coverage, robust data capture, and detection transparency.

Stamus Networks: Stamus Security Platform

Solution Overview
Founded in 2014, Stamus Networks is a global provider of network threat detection and response systems. Its flagship product, the Stamus Security Platform (SSP), combines intrusion detection, NSM, and NDR capabilities into a single platform.

Leveraging the powerful open-source Suricata engine, SSP leverages DPI and continuous NTA to identify anomalous activity, threats, and unauthorized actions. Its architecture includes Stamus Network Probes, which passively monitors network traffic and performs first-level detection, metadata collection, and artifact extraction, and the Stamus Central Server, which provides centralized management, advanced threat detection, and log aggregation.

The platform can be deployed on-premises, in the cloud, or in a hybrid model, supporting physical and virtual appliances and containerized deployments. SSP captures network telemetry using either strategically placed Stamus Network Probes or native Suricata sensors for comprehensive visibility into north-south and east-west traffic. Leveraging DPI, SSP generates rich metadata, protocol transaction logs, and flow records correlated with security events to provide context and facilitate incident investigation.

SSP employs multiple detection mechanisms to accurately identify threats, including signature-based detection, ML, statistical anomaly detection, heuristics, and custom detections integrated with third-party threat intelligence feeds to adapt to unique environments and emerging threats. Transparent detection algorithms allow users to understand the context behind triggered alerts, aiding in incident triage and response. Advanced features–such as detailed attack timelines, declarations of compromise, and guided threat-hunting capabilities–can initiate predefined automated responses and empower security teams to investigate, contain, and mitigate threats quickly.

Strengths
The Stamus Security Platform consolidates multiple security functions into one platform, supporting flexible on-premises, cloud, or hybrid deployment options and scaling from small instances to large multisite deployments. It captures network telemetry in real time from Stamus probes or native Suricata sensors, enabling comprehensive traffic analysis and high-fidelity threat detection with algorithmic anomaly detection, heuristics, ML, and classic signature-based and IoC matching threat detection based on DPI-derived protocol transactions and flow records. The platform integrates threat intelligence, custom signatures, and guided threat hunting for enhanced analytics and rapid threat response. Its open architecture and simple licensing model based on monitored links provide cost-effective enterprise-grade security. For a turnkey deployment, Stamus offers a family of integrated network appliances optimized for and preloaded with the Stamus Network Probe or Stamus Central Server software.

Challenges
Stamus Security Platform relies heavily on the open-source Suricata engine, which may limit its effectiveness in environments where these specific data capture methods are not feasible or fully compatible with existing infrastructure. Deploying, managing, and scaling the platform across complex, hybrid network architectures can be challenging and might introduce complexity and compatibility issues. Additionally, the effectiveness of threat detection depends on the quality and relevance of integrated threat intelligence and custom signatures, which require ongoing updates and maintenance. While the platform aims to reduce alert fatigue, the volume of network data and potential threats could still overwhelm security teams without suspicious activity roll-ups, attack surface dashboards, and more complete and exportable incident reports.

Purchase Considerations
Stamus Networks offers a straightforward, link-based annual licensing model determined by the number and speed of the network links being monitored by the Stamus Network Probes. The pricing scales with network size and speed but allows unlimited assets, users, hosts, and integrations under each license.

The Stamus Security Platform’s use cases include threat hunting, incident response, compliance monitoring, and network forensics based on real-time visibility, enabling security teams to quickly detect, investigate, and respond to potential threats.

Radar Chart Overview
Stamus Networks is a Challenger in the Innovation/Platform Play quadrant. Stamus Security Platform combines IDS, NSM, and NDR to reduce tool sprawl and address governance, risk, compliance, and operational security challenges through a single consolidated solution. Flexible deployment options and a simple, link-based licensing model make SSP a powerful, cost-effective enterprise NDR platform.

Stellar Cyber: Stellar Cyber NDR

Solution Overview
Founded in 1993, Stellar Cyber is a cybersecurity company focused on bridging the gap between EDR and NDR by providing an Open XDR platform incorporating built-in NDR, next-gen SIEM, and automated response features. In March 2023, it partnered with Torq, a security hyperautomation company, to deliver an automation-driven security operations platform for deploying automated tasks across security workflows, from data ingestion to threat response.

Part of the Stellar Cyber Open XDR Platform delivered as a standalone solution, Stellar Cyber NDR leverages a distributed architecture with sensors, a powerful DPI engine, and ML-powered IDS to monitor traffic and automatically identify assets, users, and applications. Deployed on-premises, in public clouds, or in a hybrid architecture supporting multitier, multitenant, and multisite deployments, physical and virtual sensors monitor network traffic and capture data from various sources, including logs, network flows, and packet data. The collected data is then processed and analyzed by the centralized big data lake, which hosts the user interface and cloud-based integrations.

The Stellar Cyber NDR platform uses DPI to capture data from the network. It supports over 3,700 protocols, including 57 SCADA and 18 IoT protocols. The platform also includes real-time updates from paid signature feeds and malware AV for signature-based detection. The data processor uses three layers of AI to perform big data analysis in real time, starting with unsupervised ML, then supervised ML, and finally GraphAI for anomaly detection and asset discovery. The platform also includes a threat intelligence feed to provide context for investigation and response to attacks.

The Stellar Cyber NDR platform provides automated threat-hunting capabilities, with more than 40 prebuilt automated threat-hunting (ATH) playbooks spanning the entire attack surface. The platform also supports user-defined playbooks to identify behaviors not covered in out-of-the-box playbooks. The platform provides alert triage and incident resolution in minutes, using contextual interflow enriched with threat intelligence, geolocation, user name, hostname, and other information.

Strengths
Stellar Cyber NDR uses lightweight sensors with a powerful DPI engine to monitor both east-west and north-south traffic, ensuring comprehensive visibility across public, private, and hybrid cloud environments. The solution leverages supervised and unsupervised ML for anomaly detection and signature-based detection for known threats, enriching the data with threat intelligence, geolocation, and asset information for enhanced context to minimize false positives, with automated correlation of security events along the entire kill chain to identify complex, multistage attacks. Additionally, Stellar Cyber NDR features automated asset management and threat response and integrates seamlessly with existing security tools like EDR.

Challenges
While Stellar Cyber NDR offers robust NDR capabilities, it can be computationally and bandwidth-intensive due to processing and analyzing large volumes of network data in real time. Deploying sensors across distributed environments and integrating them with existing security tools can also be complex, requiring careful planning and configuration. Additionally, capturing and analyzing network traffic data may raise data privacy concerns, especially in regulated industries or regions with strict data protection laws.

Despite using ML, effectively managing false positive alerts can still be a challenge, requiring continuous tuning and refinement of detection rules and models. Furthermore, while Stellar Cyber NDR supports multitenancy and distributed deployments, scaling to handle extremely large or complex environments may present performance and/or cost challenges.

Purchase Considerations
Stellar Cyber offers flexible pricing options, including a single-license model for the full Open XDR platform, a network traffic-based pricing model specifically for the NDR component, and a choice between asset-based or ingestion-based pricing models to suit different customer needs.

Stellar Cyber NDR’s use cases include detecting lateral movement, compromised credentials, ransomware attacks, insider threats, and malware. It also secures multicloud environments, automates incident response, and consolidates security stacks.

Radar Chart Overview
Stellar Cyber is a Leader in the Maturity/Platform Play quadrant. Stellar Cyber NDR is built around a distributed system of physical and virtual sensors that perform DPI and ML-based intrusion detection. It excels in real-time threat detection and response, using AI to correlate and analyze data, and offers automated response capabilities, improving overall security efficacy.

Trellix: Trellix NDR

Solution Overview
Launched in January 2022, Trellix is a cybersecurity company that provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks. It resulted from the merger of McAfee Enterprise and FireEye, which created a comprehensive cybersecurity solution provider with a strong focus on EDR, NDR, and XDR.

Trellix NDR comprises Trellix Network Security (formerly FireEye), Trellix Intrusion Prevention System (formerly McAfee Network Security Platform), and Trellix Network Forensics. It can be deployed either as a standalone solution ingesting data from its own physical or virtual sensors or as an add-on to an existing Trellix deployment. The solution includes network sensors—such as the Trellix Network Security (NX) appliances—deployed in inline or out-of-band mode on physical appliances, as VMs, or in public or private clouds, capturing network traffic at speeds from 50 Mbps to 100 Gbps.

Trellix NDR captures network flow records, Layer 7 metadata, and full packet captures (PCAP) from the deployed sensors, enabling rapid threat investigation and response by providing a unified view of network alerts correlated from multiple sensors. Trellix NDR also integrates with the Trellix Intrusion Prevention System (IPS) and Network Forensics (PX) for additional data collection and threat prevention, and security orchestration and response tools to automate and accelerate incident response workflows.

This rich network data is analyzed using multiple detection techniques—signatures, ML models (including beaconing detection on time-series data and volumetric analysis for data exfiltration detection), AI-based behavioral analysis, and network traffic profiling. These detect known and unknown threats–including multiflow and multistage attacks, zero-day exploits, polymorphic malware, ransomware, and lateral movement–and map them to the MITRE ATT&CK framework for context and prioritization.

Strengths
Trellix NDR provides enhanced visibility and advanced threat detection capabilities across networks. It employs state-of-the-art, signatureless detection techniques to identify a wide array of threats, including multiflow, multistage, zero-day, polymorphic, and ransomware attacks. The solution is adept at detecting both known and unknown threats in real time and enables retrospective detection for comprehensive network security. Trellix NDR effectively tracks and blocks lateral threats within the enterprise network, reducing post-breach dwell time. It prioritizes alerts by separating critical from non-critical malware, thereby streamlining response efforts. Additionally, detected threats are mapped to the MITRE ATT&CK framework, offering contextual evidence for future containment and remediation efforts.

Challenges
While Trellix NDR provides advanced detection techniques and automated response capabilities, its effectiveness can be constrained by the complexity of deployment in highly dynamic or hybrid environments. The solution’s data capture capabilities, crucial for threat detection, may not cover all network traffic types or encrypted communications without additional configuration. Moreover, its zero-network footprint approach, aimed at minimizing system impact, might limit visibility in certain scenarios. Automated response actions, although efficient, require fine-tuning to avoid false positives and ensure accurate threat mitigation. Additionally, while Trellix NDR supports hybrid environments, seamless integration across all cloud and on-premises infrastructures can be challenging, potentially affecting its overall threat detection and response efficacy.

Purchase Considerations
Trellix offers perpetual physical and virtual hardware and throughput-based subscription software licensing. Prospective customers should contact Trellix or their authorized resellers for the pricing model and options.

Trellix NDR’s use cases include identifying zero-day exploits, ransomware, and lateral movement within the network. It also helps improve SOC efficiency by reducing alert fatigue and prioritizing critical threats.

Radar Chart Overview
Trellix is a Challenger in the Innovation/Platform Play quadrant. Trellix NDR is a robust cybersecurity solution integrated with Trellix’s Intrusion Prevention System and Network Forensics for enriched data capture and event correlation. It supports a range of deployment scenarios, including on-premises and cloud environments, and provides high-fidelity alerts and automated response capabilities to streamline incident resolution.

Trend Micro: Network One

Solution Overview
Founded in 1988, Trend Micro is a cybersecurity service provider that develops and markets internet and computer content security and threat management solutions. In February 2023, Trend Micro acquired Anlyz, a provider of SOC technology, to enhance the orchestration, automation, and integration capabilities of Trend Micro’s products.

Trend Micro Network One is a unified cybersecurity platform providing comprehensive threat detection and response capabilities for enterprise networks. Built on a modular architecture enabling seamless integration with existing network infrastructure and security tools, it leverages a cloud-native architecture consisting of cloud-deployed sensors for public/private cloud, virtual networks, and on-premise networks, enabling comprehensive visibility across hybrid environments.

Network One offers flexible deployment options to fit various customer needs, including on-premises, cloud, and hybrid environments. It can be deployed as a SaaS solution managed by Trend Micro, which reduces the burden of infrastructure management and provides automated updates and resource scaling. Alternatively, customers can choose to deploy and manage Network One within their own network infrastructure for greater control and customization.

Supporting various data capture methods, such as network TAPs, SPAN ports, and virtual sensors, to monitor both north-south and east-west traffic, the solution also provides deep insights through TLS Inspection, which decrypts, inspects, and re-encrypts traffic while maintaining perfect forward secrecy (PFS) and strong performance. In addition, Network One includes behavioral analysis, anomaly detection, and threat intelligence from Trend Micro Research and the Zero Day Initiative (ZDI), enabling the detection of zero-day malware and URLs, zero-day vulnerabilities, and zero-day exploits.

Strengths
Trend Micro Network One’s cloud-native architecture and flexible deployment options enable comprehensive visibility across hybrid environments, while its real-time traffic inspection, even when encrypted, ensures thorough analysis without compromising performance. The platform offers flexible deployment options, including SaaS and on-premises, to fit various customer needs. To capture network data, Network One sensors monitor north-south traffic at the network perimeter and east-west traffic within the enterprise. By leveraging advanced behavioral analytics, ML, and AI models developed by Trend Micro Research, Network One automatically correlates alerts, acquires contextual data, and applies security playbooks to prioritize and rate threats, streamlining the work of security analysts. Integration with Trend Vision One enables coordinated threat detection and response across multiple security layers.

Challenges
Trend Micro’s portfolio is challenging to navigate, with product names, marketing material, and licensing constantly changing. Some users have reported that setting up and configuring or integrating Trend Micro solutions with third-party products or complex IT environments can be challenging and time-consuming and that security solutions can impact system performance and consume significant resources, particularly during scanning. In addition, Trend Micro solutions are perceived as pricier than alternatives, especially the premium versions, making it difficult for SMBs to deploy advanced threat detection and response capabilities using Trend Micro solutions. Moreover, the company promotes integration within the customer’s existing Trend Micro security product portfolio to take advantage of multiple product correlation capabilities.

Purchase Considerations
Trend Micro offers a pay-as-you-go model with a free monthly data allowance, hourly billing for usage beyond the free tier, and options for custom or discounted pricing based on specific requirements. Trend Micro also offers a 30-day free trial with unlimited use of the Trend Cloud One platform, including Network One. After the trial, users automatically move to an always-free tier.

Trend Micro Network One’s use cases include real-time threat detection, incident response, compliance monitoring, and network visibility. Network One is particularly useful for monitoring high-risk, unmanaged assets and shadow IT deployments.

Radar Chart Overview
Trend Micro is a Challenger in the Innovation/Platform Play quadrant. Trend Micro Network One is a unified cybersecurity platform offering comprehensive visibility across hybrid environments by deploying cloud-deployed sensors to monitor both north-south and east-west traffic. Network One integrates industry-leading threat research with Trend Vision One for XDR, offering coordinated threat detection and response across multiple security layers for faster protection against vulnerabilities and emerging threats.

Vectra AI: Vectra NDR

Solution Overview
Founded in 2011, Vectra AI is a cybersecurity company that provides AI-driven hybrid attack detection, investigation, and response solutions for hybrid and multicloud organizations. In 2023, Vectra AI partnered with Curtiss-Wright’s Defense Solutions Division to support cyber stacks used in national security operations.

A core component of Vectra AI’s broader Threat Detection and Response (TDR) for Hybrid Cloud, Vectra NDR’s architecture is based on AI-driven Attack Signal Intelligence (ASI) using advanced ML and AI tools to model adversary TTPs mapped to the MITRE ATT&CK framework to detect attacker behaviors with high precision. Vectra NDR surfaces security-relevant context, extracts high-fidelity data, and correlates events across time, users, and applications to reduce time and effort spent on investigations.

Vectra NDR is composed of several components, including sensors, a management console, and a cloud-based analytics engine. The sensors are deployed on-premises as physical or virtual sensors or in the cloud as containerized sensors to capture network traffic metadata using various data capture methods, including SPAN, TAP, and NetFlow. These are then sent to the management console for processing by Vectra’s proprietary neural networks and deep learning models to identify IoCs, behavioral anomalies, lateral movement, data exfiltration attempts, and post-compromise attack behaviors along the full kill chain.

Vectra NDR’s analytics capabilities include AI-driven detection, triage, and prioritization, enabling security teams to proactively detect, investigate, and respond to threats. The solution provides an aerial view of the interactions between all devices on the network, enabling security teams to answer a broad range of questions when responding to an incident. Vectra NDR integrates seamlessly with cloud network, firewall, EDR, and XDR security, and SIEM/SOAR solutions, providing comprehensive threat detection and response.

Strengths
Vectra NDR is a single platform with modular components, including Vectra NDR for on-premises and cloud networks, Vectra IDR for Azure AD, Vectra CDR for M365 and AWS, Vectra Match for signature-based IDS support, and Vectra MDR for managed detection and response services. Supporting air-gapped deployments, the platform provides attack coverage across cloud, SaaS, identity, and network attack surfaces, monitoring for attack TTPs throughout the entire cyber kill chain and across hybrid multicloud attack vectors. Vectra NDR’s patented ASI and Al-driven detection, triage, and prioritization capabilities minimize noise and provide signal clarity on real attacker behaviors. Additionally, Vectra NDR’s shared responsibility model enables Vectra analysts to collaborate with customer analysts to hunt, detect, prioritize, investigate, and respond to hybrid and multicloud attacks.

Challenges
Vectra NDR, while offering robust threat detection and response, does not decrypt packets, which means it cannot analyze encrypted traffic for threats. Additionally, Vectra NDR’s initial baselining process takes about five days, which could be a challenge for organizations needing immediate threat detection. Moreover, Vectra NDR relies on third-party security tools for executing remediation steps, which could be a limitation for organizations looking for an all-in-one solution. Furthermore, while Vectra NDR supports real-time analysis, the volume of metadata generated could potentially overwhelm security teams with too much data to analyze effectively. Lastly, Vectra NDR’s contracts are based on deployed hardware, GB/day of metadata, and storage charges for the Recall module (a cloud-based service for storing historical network metadata), which could be a financial challenge for some organizations.

Purchase Considerations
Vectra AI offers a subscription model based on the number of concurrent IPs monitored. Optional features include longer retention periods for network metadata, with pricing based on volume and retention period, and visibility into AWS, Azure AD, M365, and other cloud and identity providers at an additional cost based on IP count and data stored.

Vectra NDR’s use cases include threat detection and response, incident investigation, and compliance reporting, as well as monitoring for attack TTPs throughout the entire cyber kill chain and across hybrid multicloud attack vectors.

Radar Chart Overview
Vectra AI is a Leader in the Innovation/Platform Play quadrant. Vectra NDR is a cutting-edge platform leveraging patented Attack Signal Intelligence to detect, respond to, and prioritize cyberthreats across cloud, SaaS, identity, and network environments. It captures rich network metadata, employs AI-driven analytics for high-fidelity threat detection, covers over 90% of MITRE ATT&CK techniques, reduces alert noise by over 80%, and integrates with a wide range of security tools.

WatchGuard: ThreatSync+

Solution Overview
Founded in 1996, WatchGuard specializes in network security solutions for safeguarding networks from external threats, such as malware and ransomware. WatchGuard acquired CyGlass, a cloud and network-centric threat detection and response solution provider, in September 2023, incorporating CyGlass’s Network Defense as a Service (NDaaS) into WatchGuard’s ThreatSync+ XDR and hybrid NDR solution.

ThreatSync+ is an integrated set of products that work together to provide detection and response capabilities across physical networks, cloud networks, and SaaS applications. Delivered as a cloud-native service within WatchGuard’s Unified Security Platform architecture, its virtual sensors collect NetFlow or sFlow data. For packet collection, they can be connected to either a network tap or SPAN port. In addition, WatchGuard’s CyGlass Native NetFlow Collector can collect NetFlow from a firewall without any sensor by routing the NetFlow directly from the firewall through an IPSec tunnel to the cloud.

Designed for flexibility, ThreatSync+ can be deployed entirely within the cloud, making it accessible and manageable from any location without the need for extensive on-premises infrastructure, ensuring that security updates and new features are seamlessly integrated without disrupting existing security operations. However, for organizations with specific security or regulatory requirements, ThreatSync+ supports hybrid deployments with data processed and stored locally while benefiting from cloud-managed threat intelligence and analytics.

ThreatSync+ applies unsupervised and semi-supervised detection techniques to identify sophisticated cyberthreats, including zero-day attacks and advanced persistent threats, correlating and prioritizing anomalies and alerts across all network telemetry sources. Furthermore, its analytics engine provides actionable insights and automated incident response capabilities to mitigate risks promptly, ensuring that threats are identified and mitigated efficiently across the entire enterprise.

Strengths
WatchGuard ThreatSync+ is a cloud-native NDR solution that leverages advanced AI/ML to deliver enterprise-level cyber defense for hybrid networks. It continuously monitors and analyzes both north-south and east-west traffic without requiring physical sensors, leveraging NetFlow and sFlow logs for detailed analysis and threat detection to provide detection and response for authentication attacks, network and cloud risks, cyberattacks, and file and data threats. ThreatSync+ correlates these events to deliver actionable intelligence through a network threat score, helping prioritize remediation actions. It is an open solution supporting WatchGuard Fireboxes, third-party switches, and firewalls. Additionally, ThreatSync+ offers executive summary and ransomware protection reports, with an optional compliance reporting license for continuous compliance monitoring.

Challenges
As a cloud-based solution, WatchGuard ThreatSync+ requires a stable internet connection for optimal performance and real-time threat intelligence sharing. Moreover, ThreatSync+ relies primarily on network flow data like NetFlow and sFlow for threat detection rather than analyzing the full packet contents, which may result in missing certain threats that require deep packet inspections. Furthermore, since its ability to detect threats relies heavily on the quality and timeliness of the telemetry data it receives from network devices and cloud services log data, inaccuracies or delays can hinder its ability to promptly detect and respond to threats. Any gaps in log coverage could lead to reduced visibility. In addition, ThreatSync+ does not automatically retain the raw log data it ingests for extended periods to keep storage costs down, which could limit historical forensic investigations unless the customer chooses a longer retention period.

Purchase Considerations
WatchGuard offers a transparent user-based subscription model. A user is an employee, staff member, or contractor using the organization’s network. One user license covers every three active network devices for large IoT device deployments.

Associating user identity with traffic flows, ThreatSync+’s use cases include attack surface management, compliance, cyber insurance, risk reduction, threat detection and response, threat hunting and investigation, and traffic identification by application.

Radar Chart Overview
WatchGuard is a Challenger in the Innovation/Platform Play quadrant. ThreatSync+ delivers NDR as a SaaS on WatchGuard’s Unified Security Platform. It integrates products for physical, cloud, and SaaS network environments, leveraging cloud-native capabilities to perform threat detection without on-premises hardware. ThreatSync+ captures traffic using NetFlow and sFlow logs, using advanced AI to analyze network and cloud traffic. The platform offers automated remediation and continuous compliance monitoring and supports a zero-network footprint by analyzing traffic flows without physical sensors.

6. Analyst’s Outlook

NDR solutions are experiencing increased adoption as organizations look for new ways to enhance their cybersecurity posture and address the limitations of traditional security tools like firewalls, IDS/IPS, and SIEM solutions. While still emerging, the NDR market will mature and potentially consolidate as vendors strive to offer comprehensive cybersecurity solutions, with an evolving threat landscape—including sophisticated attacks and the rise of remote/hybrid work environments—driving the need for innovative NDR capabilities.

Organizations can ensure that a NDR solution is a good fit for their needs by considering the following factors:

  • Visibility and coverage: Evaluate the NDR solution’s ability to provide comprehensive visibility across the entire network infrastructure, including cloud environments, remote workers, and IoT devices. Ensure it can monitor all network traffic, protocols, and ports relevant to your organization.
  • Detection capabilities: Assess the NDR tool’s detection capabilities, such as its ability to identify anomalous behavior, unauthorized devices, lateral movement, and advanced persistent threats (APTs). Look for solutions that leverage ML and behavioral analytics for accurate threat detection with low false positives.
  • Data inspection approach: Organizations can choose between DPI and flow/metadata analysis based on network architecture, performance requirements, and the level of visibility needed.
    • DPI: Some NDR solutions perform DPI, analyzing the entire packet payload to detect threats and anomalies. This approach provides granular visibility but can be resource-intensive and may impact network performance for high-traffic environments depending on the architecture.
    • Network flow data/metadata analysis: Other NDR solutions analyze network flow data or metadata (such as IPFIX, NetFlow, and sFlow) rather than full packet payloads. This approach is less resource-intensive and can scale better for high-traffic networks but may lack visibility into encrypted traffic or provide less granular insights.
  • Integration and automation: Consider the NDR solution’s integration capabilities with existing security tools like SIEM, EDR, and firewalls. Seamless integration can streamline security operations and provide a unified view of threats. Automation features can help reduce manual effort and accelerate incident response.
  • Scalability and performance: Evaluate the NDR solution’s scalability to handle your organization’s current and future network traffic volumes and complexity. Ensure it can perform real-time analysis without impacting network performance or introducing latency.
  • Deployment and management: Assess the ease of deployment and management of the NDR solution. Consider factors like the complexity of installation, configuration requirements, and the availability of professional services or managed services options.
  • Vendor reputation and support: Research the vendor’s reputation, experience, and expertise in the NDR market. Evaluate the quality of its customer support, training resources, and ongoing product development and updates.

By considering these factors, including the data inspection approach (DPI versus flow/metadata analysis), organizations can ensure that the chosen NDR solution aligns with their specific network architecture, security requirements, and operational needs, ultimately enhancing their overall cybersecurity posture.

To learn about related topics in this space, check out the following GigaOm Radar reports:

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Key Criteria and Radar reports, please visit our Methodology.

8. About Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

10. Copyright

© Knowingly, Inc. 2024 "GigaOm Radar for Network Detection and Response (NDR)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.

Interested in more content like this? Check out GigaOm Research Reports Subscribe Now