Enterprises today employ many security tools, most of which still emphasize perimeter-focused methods such as demilitarized zones (DMZs) and endpoint protection. Heightened cybersecurity threats, however, call for better visibility at the network layer, which leads many businesses to explore network-oriented tools such as Intrusion Detection/Prevention Systems (IDS/IPS) and their successors, Network Detection and Response (NDR) solutions. NDRs monitor and analyze network traffic for unusual activity, supporting threat detection and response by leveraging metadata, communication patterns, and Machine Learning (ML) for better anomaly discernment. Extended Detection and Response (XDR) advances these capabilities by incorporating diverse security data sources, offering a unified security view to combat intricate cyber threats. As hybrid models combining cloud and on-premises infrastructure become the norm in enterprises, network security solutions are adapting, reflected in the growing market integration between NDR and XDR platforms. As businesses confront the challenges posed by multi-cloud infrastructures and IoT devices, NDR's flexible, scalable solutions, enriched by artificial intelligence (AI) and generative AI tools, come into play, and market consolidation led by large vendors such as OpenText and Arista Networks shapes further advances. Despite barriers such as cost and complexity, regional markets worldwide are seeing significant transformation and growth in the adoption of network security layers, driven by the cybersecurity needs that 5G proliferation and stringent regulatory compliance bring with them.
Almost all enterprises have many security tools in place already, many of which are still focused on perimeters/demilitarized zones (DMZs) and on hosts, such as servers and endpoints. Endpoint Protection Detection & Response (EPDR) tools are commonplace in enterprises, mid-market, and small-to-medium businesses (SMBs). Many organizations today are looking for security tools that provide additional visibility at the network layer. Some use legacy Intrusion Detection/Prevention Systems (IDS/IPS), sometimes for both hosts and networks. However, these solutions require intensive labor for rule creation, maintenance, and monitoring, and IDS/IPS often generate many false positives. Thus, companies conducting requests for proposals (RFPs) for network layer security tools are looking for more advanced Machine Learning (ML)-enhanced tools to reduce both the labor needed for analysis and the false positives, as well as to add value by improving anomaly detection and overall security posture. Most modern enterprises have a mix of on-premises networks and cloud-based resources to cover with network layer security solutions. NDR tools are the newer generation of IDS/IPS-like tools, which use more comprehensive methods, including ML, to discover and respond to malicious activities within enterprises.
NDR solutions are specialized for the monitoring and analysis of network traffic, with the objective of detecting and responding to suspicious activities and potential threats. Unlike EPDR tools, which focus on individual devices, NDR solutions operate at the network level to identify anomalies and potential breaches based on traffic patterns, metadata, and communication between devices. This enables NDR tools to identify threats that might bypass endpoint protection or originate from compromised internal systems. Additionally, they are designed to manage the high volume of data present in network traffic, using advanced analytics and ML to identify unusual behaviors that could indicate an attack. For instance, NDR can detect the lateral movement of an attacker across various devices by analyzing network traffic patterns, which endpoint solutions may not be able to identify if they rely solely on local data.
Extended Detection and Response (XDR) solutions build on the capabilities of NDR by integrating data and insights from a range of security domains, such as network, endpoint, cloud, identity, and operational technology (OT). XDR is designed to provide a more unified and comprehensive view of the security landscape, allowing for correlated detection and response across different layers. By aggregating and analyzing data from these diverse sources, XDR can provide a more comprehensive view of threats, reduce the time to detect and respond, and improve overall incident management. In short, while NDR focuses on the network layer, XDR extends these capabilities across the entire security environment and enhances the ability to identify sophisticated, multi-vector attacks that span multiple security domains.
As a result, most vendors now include NDR as part of their XDR suite, recognizing the value of integrating network traffic analysis with security data from other domains. This approach offers a more comprehensive and effective detection and response capability, allowing for better correlation of events and anomalies across different environments. Vendors recognize that a unified approach leveraging NDR within XDR can improve threat detection, reduce response times, and optimize security operations by providing a holistic view of an organization's threat landscape.
NDR solutions are essential for use cases that involve monitoring and securing network traffic to detect advanced threats, such as malware implantation, botnet and fraud activity, lateral movement, DNS tunneling, data exfiltration, zero-day exploits, and other sophisticated TTPs. NDR is also useful for detecting policy violations, insider threats, and unusual behaviors that might indicate potential breaches, as well as facilitating post-compromise investigations and forensic analysis.
In addition to the standard capabilities, today's NDR solutions are expected to include advanced ML and artificial intelligence (AI) algorithms that can analyze high-volume network data in real-time to detect and respond to sophisticated threats. The flexible and scalable deployment options for OT and critical infrastructure environments provide enhanced versatility for NDR solutions. The extensive understanding of protocols, including those utilized in industrial control system (ICS), internet of things (IoT), and industrial internet of things (IIoT) settings, is also an advantage for those solutions which encompass those areas. NDR-as-a-Service or managed detection and response (MDR) offerings provide flexible and affordable management options for organizations that lack extensive in-house IT expertise. The use of generative AI and large language models (LLMs) facilitates the investigative and reporting processes, offering potentially intuitive and detailed insights into network traffic and potential threats.
Organizations that would benefit from acquiring an NDR solution include those with complex or large-scale network environments. These mainly include large enterprises with extensive internal networks, multi-cloud infrastructures, and numerous remote offices. SMBs with rapidly expanding information technology (IT) environments can also benefit from NDR solutions to gain deeper insight into their networks. Organizations in industries with stringent security and compliance requirements, such as finance, healthcare, and critical infrastructure, rely on NDR solutions for their advanced threat detection and response capabilities. Additionally, businesses facing frequent and sophisticated cyber threats should consider NDR solutions. For both SMBs and large enterprises, MDR can serve as an alternative to NDR by providing threat detection and response capabilities without the need for internal deployment of NDR solutions.
For more information on our research approach, see KuppingerCole Leadership Compass Methodology.
The key findings in this Leadership Compass on NDR solutions are:
Enterprises are increasingly recognizing the value of NDR as a standalone solution due to its specialized capabilities in detecting and responding to threats at the network level. This differentiates NDR from other security solutions, such as EPDR and SIEM, which do not fully address the requirements of network-level defense. The need for network-level defenses is driven by the importance of monitoring and securing the data in modern hybrid and multi-cloud environments, particularly as cyber threats continue to grow in both sophistication and frequency.
The increasing sophistication of cyber threats, the widespread digital transformation and cloud adoption, and stringent regulatory and compliance mandates are the key factors driving the NDR market forward. These factors drive organizations to invest in advanced security measures to protect their assets effectively. Furthermore, the emergence of 5G networks and the widespread adoption of IoT devices have significantly influenced the NDR market by increasing the potential attack surface, thus requiring more advanced network monitoring solutions. As a result, many NDR solutions are either being offered as a standalone solution or are being incorporated into XDR platforms to provide a more comprehensive approach to threat detection and response across diverse security layers.
Despite the growth, the NDR market also faces challenges such as deployment complexity and high costs. The implementation of NDR solutions often requires a considerable capital expenditure and the acquisition of specialized expertise, which can present a significant barrier for smaller organizations. Additionally, privacy concerns and regulatory requirements around data management also pose substantial obstacles. Currently, North America holds the largest market share, driven by the region's advanced technological infrastructure and high adoption rates of cybersecurity solutions. Europe and the Asia-Pacific regions are also experiencing significant growth, influenced by increased regulatory pressures and the rising number of cyber threats.
In recent years, the NDR market has seen several notable acquisitions. In 2022, OpenText acquired Bricata, a company with a reputation for its sophisticated NDR solutions. In 2021, Sophos acquired Braintrace, integrating its NDR technology to enhance Sophos' adaptive cybersecurity ecosystem. Arista Networks' acquisition of Awake Security in 2020 also represented a strategic move in the NDR market. Additionally, the market is witnessing the emergence of new, innovative startups, such as Exeon and Corelight. Exeon is receiving recognition for its sensorless solutions that utilize AI/ML to deliver effective NDR capabilities. Meanwhile, Corelight offers promising Encrypted Traffic Analysis (ETA) capabilities and an extensive TTP coverage. It is also worth noting that major players in the market frequently acquire these innovative startups. Despite their technological advancements and contributions, startups often remain within the local market and face challenges in scaling into global competitors independently. This is due to the substantial resources and established market presence of larger companies, which can more easily integrate and scale new technologies globally.
As networks become more diverse with the adoption of cloud services, IoT devices, and remote work environments, traditional sensor deployment methods may not provide adequate coverage for NDR solutions. Advanced deployment strategies, such as edge computing, virtual and cloud-based sensors, and AI/ML integration, enhance the ability to detect and respond to sophisticated threats in real time. Protocol-specific sensors ensure comprehensive security in environments like ICS, IoT, and IIoT, and address the unique requirements of these domains. Modern sensor deployment strategies also focus on minimizing network performance impact through passive sensors that monitor network traffic more efficiently. Embedding AI/ML capabilities directly into sensors improves the speed and accuracy of threat detection by performing advanced analytics and anomaly detection at the point of data collection. A decentralized and distributed deployment approach prepares sensors for the requirements of fifth generation (5G) networks and the expansive connectivity of IoT devices. Some vendors employ alternative methods to ingest traffic and extract threat intelligence that eliminate the need for sensors. These methods include log analysis and direct integration with network infrastructure for data collection.
To provide visibility and actionability at the network level, there are two different approaches: in-situ sensors, and log aggregation and analysis. Sensors may be delivered as physical or virtual appliances, or as containerized code. Sensors should have direct access to network traffic and are deployed off switched port analyzer (SPAN) or test access point (TAP) ports or packet brokers. Sensors are rated for specific line speeds, depending on the expected traffic volume per circuit. They may capture data for offline analysis in extended Berkeley packet filter (eBPF), internet protocol flow information export (IPFIX), NetFlow, packet capture (PCAP), packet capture next generation (PcapNG), or sampled flow (sFlow) formats. Sensors work with the underlying network hardware to terminate suspicious or malicious traffic at the node or network level if it violates NDR policies.
In the log aggregation model, customers configure their networking equipment (and sometimes other systems) to forward logs to NDR collectors, which are deployed on hosts or in containers. Some analysis may occur on the collectors, but most collectors then communicate with centralized NDR consoles.
NDR consoles may be able to reside on-premises, in private clouds, in infrastructure as a service (IaaS), or in the vendor’s software as a service (SaaS) environment. Actual deployment models vary considerably between vendors.
The following functions are considered by KuppingerCole to be foundational for NDR:
The following capabilities are considered innovative in NDR:
Selecting a vendor of a product or service must not be based solely on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identify vendors that should be evaluated further. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept or pilot phase, based on the specific criteria of the customer.
Based on our rating, we created various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for
Figure 1: Overall Leadership in the NDR market
The Overall Leadership chart is linear, with Followers appearing on the left side, Challengers in the center, and Leaders on the right. The rating provides a consolidated view of all-around functionality, market presence, and financial security.
However, these vendors may differ significantly in terms of product features, innovation, and market leadership. Therefore, we recommend considering our other leadership categories in the sections covering each vendor and their products to get a comprehensive understanding of the players in this market and which of your use cases they support best.
In the Overall Leadership category, Cisco is the top-ranked vendor, with Arista Networks closely following. Fortinet, Darktrace, ExtraHop, IBM Security, and Gurucul form a strong cluster behind these two overall leaders. Stellar Cyber is positioned behind this second group as the last Overall Leader in this category. It is notable that Cisco, Arista Networks, Gurucul, and ExtraHop have maintained their leadership positions compared to the 2021 edition of this Leadership Compass.
In the Overall Challengers section, Sophos and NetWitness are positioned close to crossing into Overall Leadership, with WatchGuard also nearing this threshold. Rounding out the list of challengers are Gatewatcher, OpenText, and Exeon. Compared to the previous edition, NetWitness has seen a shift, moving out of the Overall Leadership tier.
There are no Followers in this overall leadership rating.
Overall Leaders are (in alphabetical order):
Product leadership is the first specific category examined below. This view is mainly based on the presence and completeness of the required features as defined in the required capabilities section above. The vertical axis shows the product strength plotted against the combined/overall strength on the horizontal axis. The Product Leadership chart is rectangular and divided into thirds. Product Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 2: Product Leadership in the NDR market
In the Product Leadership category, Cisco and Arista Networks maintain their leading positions. Following these leaders are Gurucul and ExtraHop, with Darktrace, NetWitness, Fortinet, IBM Security, Sophos, and Stellar Cyber clustered just below them as product leaders. Compared to the previous edition, Cisco, Arista Networks, Gurucul, NetWitness, and ExtraHop have all maintained their leadership in this category, with Arista Networks closing the gap with Cisco.
In the Product Challengers section, Gatewatcher and WatchGuard are positioned close to crossing into Product Leadership. Rounding out the list of challengers are OpenText and Exeon.
There are no Followers in this product leadership rating.
Product Leaders (in alphabetical order):
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.
This view is mainly based on the evaluation of innovative features, services, and/or technical approaches as defined in the Required Capabilities section. The vertical axis shows the degree of innovation plotted against the combined/overall strength on the horizontal axis. The Innovation Leadership Chart is rectangular and divided into thirds. Innovation Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 3: Innovation Leadership in the NDR market
Innovation Leaders are those vendors that are delivering cutting-edge products, not only in response to customers’ requests, but also because they are driving the technical changes in the market by anticipating what will be needed in the months and years ahead. There is a correlation between the Overall, Product, and Innovation Leaders, which demonstrates that leadership requires feature-rich products that are looking over the horizon to bring advancements to help their customers.
In the Innovation Leadership category, Gurucul, Arista Networks, and Cisco are recognized as the most innovative vendors. Stellar Cyber is positioned just below these leaders, followed by ExtraHop and Fortinet, which cluster together, with Darktrace and Sophos rounding out the group of innovation leaders. Compared to the previous edition, Cisco, Gurucul, Arista Networks, and ExtraHop have maintained their leadership, though Arista Networks has ascended to the top spot, while ExtraHop has seen a slight decline.
In the Innovation Challengers section, IBM Security and Exeon are positioned near the Leadership threshold, followed by Gatewatcher. Subsequently, WatchGuard and NetWitness form a cluster, representing the final challenger vendors. It is worth noting that NetWitness has retained its challenger status since the previous edition of the report.
OpenText is the only follower in this innovation leadership rating. Despite acquiring Bricata, a company that was recognized as a follower in the Innovation Leadership category in the 2021 edition, OpenText has not made significant progress and remains outside the ranks of challengers in this category.
Innovation Leaders (in alphabetical order):
Finally, we analyze Market Leadership. This is an amalgamation of the number of customers, the number of transactions evaluated, the ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and the financial health of the participating companies. Market Leadership, from our point of view, requires global reach.
In this chart, the vertical axis shows the market strength plotted against the combined/overall strength on the horizontal axis. The Market Leadership Chart is rectangular and divided into thirds. Market Leaders occupy the top section. Challengers are in the center. Followers are in the lower section.
Figure 4: Market Leaders in the NDR Market
In the Market Leadership category, Cisco and IBM Security are positioned as the leading vendors, followed closely by Fortinet and Darktrace. Completing the list of leaders are NetWitness, Arista Networks, and ExtraHop. Compared to the previous edition, Cisco has maintained its top position, while NetWitness has seen a decline. Meanwhile, Arista Networks and ExtraHop have retained their relative positions in the market.
In the Market Challengers section, WatchGuard and Sophos are on the verge of becoming market leaders, although they remain challengers. They are closely followed by Stellar Cyber. The list of market challengers is rounded out by Gurucul, OpenText, and Gatewatcher. Notably, Gurucul has retained its status as a market challenger compared to the previous edition.
Exeon is the only follower in this market leadership rating.
Market Leaders (in alphabetical order):
This section provides an overview of the various products we have analyzed within this Leadership Compass. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These make it possible to identify, for instance, highly innovative but specialized vendors, or local players that provide strong product features but do not yet have a global presence and a large customer base.
Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1. Since some vendors may have multiple products, these are listed according to the vendor's name.
| Vendor | Security | Functionality | Deployment | Interoperability | Usability |
|---|---|---|---|---|---|
| Arista Networks | | | | | |
| Cisco | | | | | |
| Darktrace | | | | | |
| Exeon | | | | | |
| ExtraHop | | | | | |
| Fortinet | | | | | |
| Gatewatcher | | | | | |
| Gurucul | | | | | |
| IBM | | | | | |
| NetWitness | | | | | |
| OpenText | | | | | |
| Sophos | | | | | |
| Stellar Cyber | | | | | |
| WatchGuard | | | | | |
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.
| Vendor | Innovativeness | Market Position | Financial Strength | Ecosystem |
|---|---|---|---|---|
| Arista Networks | | | | |
| Cisco | | | | |
| Darktrace | | | | |
| Exeon | | | | |
| ExtraHop | | | | |
| Fortinet | | | | |
| Gatewatcher | | | | |
| Gurucul | | | | |
| IBM | | | | |
| NetWitness | | | | |
| OpenText | | | | |
| Sophos | | | | |
| Stellar Cyber | | | | |
| WatchGuard | | | | |
Table 2: Comparative overview of the ratings for vendors
This section contains a quick rating for every product/service we have included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.
In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For this market segment, we look at the following categories:
Platform Support - For on-premises environments, NDR solutions are offered as physical and virtual appliances. These appliances can be deployed in-line or, in some cases, out-of-band, relying completely upon other security components for collecting telemetry from network devices and executing responses. Direct access to network traffic and the ability to interdict has advantages. This category includes support for IaaS platforms. Having images for Amazon AWS, Microsoft Azure, Google Cloud Platform (GCP), Oracle, and other IaaS platforms that can collect cloud-hosted network telemetry is essential for many organizations today. The more platforms supported, the better the score.
Network Traffic Analysis - Network Traffic Analysis (NTA) is often a precursor to being able to perform more sophisticated security analytics. NTA techniques include identification of traffic by application type, association of user identity to traffic flows, file and device fingerprinting, application and site profiling, aggregated network traffic volume analysis, examination of source/destination communication frequencies, host/endpoint to application utilization profiling, and NetFlow/IPFIX collection and analysis.
Encrypted Traffic Analysis - ETA is becoming the most common approach for detecting network threats. Success with ETA requires that solutions use multiple techniques (HASSH, JA3/JA3S, Mercury, SSLBL, etc.), have a variety of indicator of compromise (IoC) sources, and can recognize common enterprise network protocols. Higher scores here also reflect more complete utilization of all available ETA methods and better coverage of attributes and protocols.
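The JA3 technique named above fingerprints a client from the cleartext ClientHello alone, so it works without decrypting the session. The following is an added illustration, not code from the report or from any vendor it covers: it parses a ClientHello, removes GREASE values, and computes the JA3 string and MD5 hash; `build_client_hello` and `sample_hello` are helpers that construct test input rather than captured traffic.

```python
import hashlib

# GREASE values (RFC 8701) are random filler that clients rotate between
# connections; JA3 drops them so the fingerprint stays stable per client.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16_list(buf: bytes) -> list:
    """Decode a buffer of big-endian 16-bit values."""
    return [int.from_bytes(buf[i:i + 2], "big") for i in range(0, len(buf) - 1, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3-relevant fields out of a TLS record carrying a ClientHello.

    Only the cleartext handshake is read; no key material is needed, which is
    why the technique works on encrypted sessions.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip client random
    pos += 1 + body[pos]                           # skip session id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods

    extensions, curves, point_formats = [], [], []
    if pos + 2 <= len(body):
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:      # supported_groups: u16 length, then u16 ids
                curves = _u16_list(data[2:2 + int.from_bytes(data[0:2], "big")])
            elif etype == 11:    # ec_point_formats: u8 length, then u8 ids
                point_formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3_string(record: bytes) -> str:
    """Build the JA3 string: version,ciphers,extensions,curves,point_formats."""
    f = parse_client_hello(record)
    no_grease = lambda vals: [v for v in vals if v not in GREASE]
    return ",".join([
        str(f["version"]),
        "-".join(map(str, no_grease(f["ciphers"]))),
        "-".join(map(str, no_grease(f["extensions"]))),
        "-".join(map(str, no_grease(f["curves"]))),
        "-".join(map(str, f["point_formats"])),
    ])


def ja3_hash(record: bytes) -> str:
    """JA3 fingerprint as published: MD5 of the JA3 string, lowercase hex."""
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record (constructed test input, not a capture)."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00"   # zero random, empty session id
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    body += len(cs).to_bytes(2, "big") + cs
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(t.to_bytes(2, "big") + len(d).to_bytes(2, "big") + d for t, d in extensions)
    body += len(ext).to_bytes(2, "big") + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def sample_hello(grease_cipher: int, grease_ext: int) -> bytes:
    """A TLS 1.2-style ClientHello with rotating GREASE values (constructed sample)."""
    sni = b"\x00\x10\x00\x00\x0d" + b"example.local"            # server_name list
    groups = b"\x00\x08" + b"\x2a\x2a\x00\x1d\x00\x17\x00\x18"  # GREASE, x25519, P-256, P-384
    return build_client_hello(
        0x0303,
        [grease_cipher, 0x1301, 0x1302, 0xc02b, 0xc02f],
        [(0, sni), (grease_ext, b"\x00"), (10, groups), (11, b"\x01\x00"),
         (13, b"\x00\x04\x04\x03\x08\x04")],
    )


if __name__ == "__main__":
    a, b = sample_hello(0x1a1a, 0x3a3a), sample_hello(0x6a6a, 0xcaca)
    print(ja3_string(a))
    # Different GREASE bytes on the wire, identical fingerprint after filtering.
    print(ja3_hash(a), ja3_hash(a) == ja3_hash(b))
```

The same filtering is what makes a fingerprint usable as an IoC: a hash taken from one connection can be matched against later connections from the same client stack even though the GREASE bytes differ each time.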
Detection - To detect suspicious and malicious activities on networks and in the cloud, a variety of capabilities are needed. Detection requires visibility, primarily. Coverage for all network segments and all IaaS instances is needed. Some solutions use IDS style rules, based on Suricata, yet another recursive acronym (YARA), or other formats. Full NDR solutions use detection models powered by ML algorithms: unsupervised ML for anomaly discovery, supervised for categorization of possible threats, and Deep Learning (DL) for more rapid combination, discovery, and self-sorting to identify previously unknown threats. This rating considers how products utilize ML and DL for higher quality detections and reduction of false positives. Better scores are given for those that use a well-thought-out set of unsupervised and supervised ML and DL algorithms and detection models. Model training methods, sources of data sets, and model update frequency are also considered. NDR solutions should assist with automating the correlation of events, adding threat intelligence, creating cases for analysts to review, and generating IoCs for analysts to use for threat hunting. This category rates the functionality that enables autonomous detection of suspicious events.
Threat Hunting - A mix of certain features needs to be in place for analysts to perform threat hunting: command line interface (CLI) and/or graphical user interface (GUI) query capability; structured or natural language query capabilities preferred, the ability to conduct regular expression searches, the ability to write static rules in YARA, Suricata, or other formats, being able to define or prioritize IoCs and search all assets for them, and the ability to activate recording and playback on suspicious network conversations. Solutions that help the human analyst by assembling relevant events into a timeline and topology map enriched by threat intelligence are preferred. Analysts should be able to use NDR products to conduct threat hunts for malware implantation, botnet and fraud activity, command & control (C2) traffic, lateral movement, reconnaissance, domain name system (DNS) tunneling, data exfiltration, and other sophisticated tactics, techniques, and procedures (TTPs). This category considers the amount and quality of features that facilitate threat hunting.
Playbooks & Responses - In order for automated responses to be triggered, NDR solutions either must be placed in-line or have good API interoperability with other security tools such as firewalls, virtual private networks (VPNs), routers, switches, email gateways, endpoint protection, endpoint detection & response (EPDR) systems, web proxies, API gateways, security information and event management (SIEM) and SOAR systems. Some NDR solutions have packaged connectors for common security tools to make this easier. NDR tools deployed in-line may not need as many connectors for external security tools. A minimum set of automated response includes session termination, node isolation, and forensic evidence collection. Playbooks are essentially scripts that can execute when certain trigger conditions are encountered, either manually or programmatically. Some vendors ship many playbooks with their NDR solutions and allow for easy customization using the analyst interface. Other vendors’ playbooks may require scripting or light coding. A few vendors in this Leadership Compass do not support the playbook concept but can allow API interoperability to build some response capabilities. This category considers the methods used for designing and executing automated responses as well as the number and variety of response actions and playbooks available.
Integrations - NDR tools must work well with other components in security architectures. Two major approaches exist: the development and support of “integrations” or “connectors” by vendors, and bi-directional accessibility via APIs. Integrations are packages of functionality that can link the NDR system to other security solutions. Integrations are generally installed and require little configuration. Many if not most security tools offer inbound and outbound connectivity through APIs and communication standards. APIs may expose all functions within a management console. In other cases, a subset of functions may be available. APIs themselves must be properly secured to prevent abuse. Using standard communication protocols can be sufficient in some limited cases, e.g., sending event data over syslog to SIEMs. Integrations may allow enhanced features. Examples where integrations are preferred are connections to SOAR systems, which allows more functionality with less customization than invoking APIs.
Network Insights & Reporting – In order to maintain network security and comply with industry standards, it is essential to have access to comprehensive network insights and reporting. Compliance reporting is fundamental to organizational network security: it ensures that organizations adhere to regulatory requirements and industry standards. These reports frequently incorporate frameworks such as MITRE ATT&CK categorizations to better understand TTPs. Furthermore, integrating network insights with advanced analytics tools allows actionable intelligence to be extracted from vast amounts of data. Out-of-the-box reporting capabilities and diverse report types provide valuable insight into the current status of networks. Reporting is often complemented by industry-specific reporting, which tailors insights to the unique challenges and requirements of different sectors. To assist analysts in making informed decisions, descriptions of ML analysis should be provided; these break down complex ML findings into clear, actionable insights that security teams can interpret and act on more easily. The analyst interface should provide intuitive dashboards, customizable views, and real-time data visualizations.
Arista Networks, founded in 2008 and headquartered in Santa Clara, California, is a leading provider of high-performance switches and other networking solutions. Arista's NDR solution, an integral part of their broader security portfolio, leverages AI-driven capabilities to enhance network security across various environments, including campuses, data centers, IoT devices, and cloud networks. Arista NDR is built around a zero trust security maturity model in line with the National Institute of Standards and Technology (NIST) 800-207 framework. Arista Networks offers a range of plans and packages designed to meet the specific needs of organizations, including options for hardware, software, professional services, and sensors.
Arista NDR can be deployed on-premises, as a cloud service, or as a managed service, with the management console available via the cloud, virtual appliances, and SaaS. A managed NDR offering is available as an additional service. In order for customers to use their own IdPs, Arista requires AWS Cognito for SAML support; most security keys are supported. The analyst interface features risk scores, drop-down lists, RegEx searches, natural language queries, timeline and network map views, annotation, and playbook launching. The standard plan includes 24/7 support services, and on-site and remote support services are available worldwide. The solution offers integration with third-party sandboxes, SIEM, secure access service edge (SASE), SOAR solutions, and ServiceNow for information technology service management (ITSM), as well as connectors for some CTI sources. Various API protocols such as simple object access protocol (SOAP), representational state transfer (REST), JavaScript object notation-remote procedure call (JSON-RPC), and Webhooks are also supported. Sensors, offered as physical and virtual appliances, perform deep packet inspection (DPI) and are deployed via SPAN/TAP ports or packet brokers. Their maximum throughputs range from 100 Mbps to 10 Gbps. Sensors communicate with the console over TLS 1.3. Arista NDR supports full packet capture in PCAP format, with no restrictions. While most compliance standards are not supported, Arista Networks is a SOC 2 Type 1 and Type 2 certified vendor.
Arista NDR is compatible with a range of CTI standards, including malware information sharing platform (MISP), structured threat information expression (STIX), and trusted automated exchange of intelligence information (TAXII). Threats are mapped to the MITRE ATT&CK framework; however, the solution has not yet undergone any MITRE evaluation exercise. The platform enables the import and use of IoCs from users' threat intelligence feeds, as well as the creation of custom IoCs for threat hunting. Arista NDR automatically generates risk level scores and entity tracking information, which administrators can override when required. The platform supports interactive querying of IoCs across managed networks and offers centralized management of multiple setups. The solution includes natural language search capabilities for various parameters and supports adversarial modeling language (AML) queries. Autonomous virtual assist (AVA) performs real-time and historical triage and investigations, integrating human analyst input. Full packet capture capabilities enable forensic analysis, with replay possible using Arista DANZ monitoring fabric (DMF). Arista NDR presents details of an attack, along with investigation and response options, while correlating threat intelligence that includes attribution details. However, the platform does not autonomously determine attribution to a specific threat actor. Alerting is available via e-mail. Integrations with ticketing solutions, SIEM, and SOAR tools facilitate alerting even further.
Arista NDR supports the analysis of over three thousand enterprise IT and OT protocols, including IP, streaming, and mobile application protocols. A comprehensive range of IoT, IIoT, and ICS protocols, including BACnet, CoAP, Modbus, OPC-UA, CIP, DNP3, IPMI, MQTT, and S7, is supported as well. Arista NDR covers the majority of NTA use cases, except for NetFlow/IPFIX collection and analysis, and uses its own proprietary techniques for most ETA methods. Arista NDR collects four types of metadata for NTA: network-level metadata, such as source and destination addresses and ports; open-source intelligence (OSINT), such as domain reputation; device and destination metadata; and ML insights metadata. Arista NDR can identify a wide range of TTPs, and users can override the system's risk ratings to reassign confidence and priority levels. Arista employs its own proprietary supervised and unsupervised ML models, as well as DL algorithms. Unsupervised ML models identify and track entities such as users, devices, and applications; proprietary supervised ML identifies patterns of activity that relate to attacker TTPs; and DL serves several encrypted traffic analysis purposes. Users have full access to ML outputs through the AML functions, and several techniques for reducing false positives are included in the AML-based model. Playbooks are used for investigation and response actions and can be modified. Playbook actions include most of the major automated prevention and response actions, including initiating full packet capture, terminating network sessions, and isolating hosts or networks; however, the capability to issue transmission control protocol (TCP) resets is not currently included.
Arista NDR, a solution offered by the publicly listed company Arista Networks, caters predominantly to large enterprises with a global footprint. The company has a strong market presence in North America and is making significant gains in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions. Supported by a network of system integrators worldwide, Arista NDR is an option for organizations with complex networks requiring comprehensive network detection and response. It integrates with existing security environments and automates the detection and response process while monitoring users, devices, and applications.
Ratings | Security | Functionality | Deployment | Interoperability | Usability
Table 3: Arista Networks’ rating
Strengths | Challenges | Leader in
Cisco is a global network and security leader, founded in 1984 and headquartered in the Bay Area. Cisco is well-known for networking products and has solutions for mobile, cloud, and IoT. Their NDR solutions are Secure Network Analytics (SNA) and Secure Cloud Analytics (SCA), formerly known as Stealthwatch Enterprise and Cloud. The SCA component has recently become part of Cisco XDR. Cisco SNA, one of its flagship security platforms, provides comprehensive network visibility and advanced threat detection. Cisco offers flexible purchasing plans for Secure Network Analytics, including subscription-based models that scale with the organization's needs, with pricing determined by the size of the network, the number of devices monitored, and the deployment model chosen.
SNA/XDR offers versatile deployment options, including on-premises, cloud, and hybrid environments. ISO images are also available for on-premises deployments. MDR services are available but are sold as part of the Premier license tier. The management console can be deployed on physical or virtual infrastructure and supports integration with existing cloud environments. Users can authenticate with SAML federated authentication, with support for customer-selected authenticator applications such as Google Authenticator and Okta Mobile. Security keys, including Google Titan, YubiKey, and Duo hardware tokens, are supported as well. The management console features risk scores, drop-down lists, RegEx searches, timeline, and network map views. SNA customers receive 24/7 technical support from Cisco's Technical Assistance Center (TAC) and have access to dedicated customer support resources. Further advanced services are available at additional cost. The solution integrates with Splunk for SIEM and SOAR and ServiceNow for ITSM, and further customization is facilitated through REST, SOAP, and Google remote procedure calls (gRPC) protocols. Sensors are available for both physical and virtual environments, with deployment options including SPAN, TAP, or direct telemetry ingestion from network devices. In terms of maximum throughput, individual Cisco appliances can manage up to one hundred Gbps of network traffic. Communication between sensors and the management console is secured using internet protocol security (IPSec), secure shell (SSH), and TLS protocols. The solution does not natively support full packet capture but focuses on enriched flow data and metadata for comprehensive network analysis. The XDR component uses IaaS platform APIs to get flows from AWS, Azure, and GCP. The solution is ISO 27001 and SOC 2 Type 2 certified and complies with the General Data Protection Regulation (GDPR).
Cisco Secure Network Analytics supports industry-standard CTI formats like STIX, TAXII, MISP, and YARA, allowing integration with external threat intelligence platforms. The platform includes embedded MITRE ATT&CK mapping, providing users with a view of detected threats within the context of known adversarial TTPs. Unlike traditional signature-based detection methods, Cisco Secure Network Analytics primarily relies on behavioral analysis and anomaly detection, though IoCs can be imported via the API for enhanced monitoring and response. The platform categorizes events based on severity, and users can filter these events based on custom criteria, including the Concern Index (CI), a metric used to track and quantify potentially harmful behaviors observed in network hosts. Advanced search capabilities are supported through integration with Elasticsearch. The platform generates a range of alerts, including emails, Microsoft Teams, and SNMP, for unusual network activities, which can be integrated with third-party systems like Splunk and ServiceNow for extended analysis and incident management. Additionally, Cisco's ML algorithms provide automated insights and summaries, allowing security teams to conduct in-depth forensic investigations and respond to potential threats.
Cisco SNA/XDR offers comprehensive support for a wide range of IP-based, streaming, and mobile application protocols, as well as essential IoT, IIoT, and ICS protocols such as BACnet, CoAP, Modbus, DNP3, IEC 61850, IEEE 11073, IPMI, XMPP, OPC-UA, and MQTT. The platform's NTA capabilities facilitate the collection and analysis of flow data from network devices to establish behavioral baselines. This process includes normalization, enrichment, and behavioral analysis. Cisco also supports a broad range of ETA methods, such as analyzing packet lengths, inter-packet timings, and TLS handshake sequences. The platform is equipped to detect and respond to a variety of TTPs including botnet activity, lateral movement, reconnaissance, Active Directory (AD) enumeration, and DNS tunneling. Cisco's detection is powered by seven analytical engines and utilizes both supervised and unsupervised ML models for clustering, anomaly detection, event classification, and principal component analysis. Additionally, the platform reduces false negatives through contextual awareness, threat intelligence integration, dynamic risk scoring, and peer group analysis. Playbook actions such as TCP resets, terminating network sessions, and isolating hosts or networks are supported, but it does not currently initiate full packet capture.
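The ETA and baselining ideas in this and the neighbouring profiles (timing and size regularity of connections, per-host behavioral baselines) work on flow metadata without any payload. As an added example that is not code from the report or any vendor, the following detects periodic beaconing channels and per-host volume outliers from constructed flow records; the addresses, thresholds and the allowlist of known periodic destinations are all sample values.

```python
"""Added example (not from the report or any vendor): encrypted-traffic analysis on
flow metadata only. Flow records, hosts, thresholds and the allowlist are constructed."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds since epoch
    src: str       # internal client
    dst: str       # remote peer
    dport: int     # destination port
    nbytes: int    # bytes sent by src; visible even when the payload is TLS


Channel = Tuple[str, str, int]


def _cv(values: List[float]) -> float:
    """Coefficient of variation (pstdev / mean): 0 for a perfectly regular series."""
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean > 0 else float("inf")


def beacon_candidates(flows: Iterable[Flow], allowlist: Set[Tuple[str, int]] = frozenset(),
                      min_flows: int = 6, max_cv: float = 0.15) -> List[Tuple[Channel, float, float]]:
    """Return (channel, mean_gap_s, gap_cv) for channels whose connection gaps AND request
    sizes are unusually regular. Interactive or bulk traffic is bursty (gap cv well above 1);
    timer-driven traffic stays periodic even with jitter. Known periodic destinations such as
    NTP or update servers are allowlisted, otherwise they dominate the false positives."""
    by_chan: Dict[Channel, List[Flow]] = defaultdict(list)
    for f in flows:
        by_chan[(f.src, f.dst, f.dport)].append(f)
    hits: List[Tuple[Channel, float, float]] = []
    for chan, fl in by_chan.items():
        if len(fl) < min_flows or (chan[1], chan[2]) in allowlist:
            continue
        starts = sorted(f.ts for f in fl)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        gap_cv = _cv(gaps)
        size_cv = _cv([float(f.nbytes) for f in fl])
        if gap_cv <= max_cv and size_cv <= max_cv:
            hits.append((chan, round(statistics.fmean(gaps), 1), round(gap_cv, 3)))
    return hits


def volume_outliers(history: Dict[str, List[int]], current: Dict[str, int],
                    k: float = 3.0, min_samples: int = 3) -> List[Tuple[str, int, float]]:
    """Flag hosts whose current bytes-per-minute exceed mean + k * stdev of their own
    history. Hosts without enough baseline samples are skipped rather than guessed at."""
    out: List[Tuple[str, int, float]] = []
    for host, now in current.items():
        past = history.get(host, [])
        if len(past) < min_samples:
            continue
        threshold = statistics.fmean(past) + k * statistics.pstdev(past)
        if now > threshold:
            out.append((host, now, round(threshold, 1)))
    return out


KNOWN_PERIODIC = {("192.0.2.1", 123)}   # constructed allowlist entry: the site NTP server


def sample_flows() -> List[Flow]:
    """Constructed flows using documentation addresses: a jittered 60 s beacon,
    bursty browsing, and benign periodic NTP polling."""
    flows: List[Flow] = []
    t = 0.0
    for gap, size in zip([0, 58, 61, 60, 62, 59, 60, 61, 58, 61],
                         [512, 514, 510, 512, 516, 512, 508, 512, 514, 512]):
        t += gap
        flows.append(Flow(t, "10.0.1.20", "203.0.113.9", 443, size))
    t = 0.0
    for gap, size in zip([0, 0.5, 3, 40, 1, 90, 2, 15],
                         [900, 14000, 230, 5600, 120, 48000, 700, 3100]):
        t += gap
        flows.append(Flow(t, "10.0.1.21", "198.51.100.7", 443, size))
    for i in range(7):
        flows.append(Flow(i * 64.0, "10.0.1.20", "192.0.2.1", 123, 76))
    return flows
```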
Cisco is a public company and a global leader in network and cybersecurity solutions. It is particularly well-suited for mid-to-large enterprises but offers solutions that can scale to businesses of all sizes. Cisco has a strong and balanced market presence worldwide, and the recent acquisition of Splunk highlights the company's strategic focus on enhancing its cybersecurity capabilities. Cisco SNA/SCA is an option for those concerned with encrypted traffic. Its ETA technology enables threat detection without decryption, making it a competitive solution for highly secure environments. The platform's AI-driven behavioral analysis, global-to-local threat correlation, and integration with Cisco Talos threat intelligence make it a great choice for customers seeking real-time detection and automated response capabilities across complex networks.
Ratings | Security | Functionality | Deployment | Interoperability | Usability
Table 4: Cisco’s rating
Strengths | Challenges | Leader in
Darktrace, founded in 2013 in Cambridge, UK, is a publicly traded cybersecurity solutions company. Darktrace's ActiveAI Security Platform supports security operations by facilitating the elimination of alert triage, conducting investigations, and enabling the rapid detection and response to both known and unknown threats. The ActiveAI Security Platform consists of various components to help organizations prevent, detect, respond to, and recover from cyber threats. Detection and response modules are designed to protect cloud, email, endpoints, networks, OT, and identities. Darktrace provides products that can be purchased individually, all built on a unified architecture. The two primary licensing models are based on either per IP or per user. Pricing for NETWORK varies depending on the number of IP addresses to be monitored.
The platform offers flexible deployment options including on-premises, cloud, and managed services. Managed detection and response services for networks are optional and sold separately. The management console can run on physical or virtual infrastructure, in cloud environments, or via SaaS. The console also supports SAML federated authentication as well as customer-selected authenticator applications such as Google Authenticator, Microsoft Authenticator, and Okta Mobile. The management console provides analysts with risk scores, drop-down lists, RegEx searches, timeline and network map views, annotation, and playbook launching. 24/7 support services are included with every deployment at no additional cost, and on-site and remote support services are available worldwide. The solution supports integration with various SIEM solutions, including IBM QRadar, LogRhythm, Microsoft Sentinel, and Splunk; ITSM platforms like ServiceNow and Jira; and multiple SOAR solutions such as CrowdStrike, IBM QRadar, Palo Alto Cortex, ServiceNow, and Splunk. However, no CTI sources are integrated out of the box. Further integration is enabled through a REST API. Darktrace sensors are available for VMs and containerized environments. Virtual sensors can be deployed as a standalone VM, which receives packets from a virtual or physical switch. When deploying sensors, common traffic ingestion methods are via a SPAN from the physical network switch, via a virtual TAP, or via Darktrace's OS Sensors. In terms of maximum throughput, individual Darktrace appliances are capable of ingesting between 3 and 20 Gbps of sustained traffic. Sensors support most public IaaS instances and can communicate with the console using HTTPS and TLS 1.2 & 1.3 protocols. The solution supports full packet capture in PCAP format, using bytes per second and connections per minute as core metrics.
Compliance is maintained with standards such as ISO 27001, ISO 27018, FIPS 140-2, US FedRAMP, and Cyber Essentials, although Darktrace is not SOC 2 certified.
Darktrace NETWORK supports CTI standards like STIX and TAXII, enabling it to connect to any open threat exchange (OTX) platform and import STIX XML files for threat intelligence. MITRE ATT&CK mapping is an embedded feature in the Darktrace user interface (UI). Unlike traditional methods, Darktrace does not rely on detection signatures or IoCs for threat identification, though IoCs can be added to a watched domain list via the API to trigger a model alert and blocking by the respond module upon connection. The platform sorts and filters events in its user interface using the threat tray, categorizing them into informational, compliant, suspicious, and critical, with filtering options based on priority scores. The Cyber AI Analyst tray presents escalated incidents analyzed by Cyber AI Analyst and groups related threats from the Darktrace platform and third-party sources. Advanced search functionality is built on Elasticsearch and Kibana, making all captured data searchable and visualizable using standard queries. Darktrace triggers various alerts for unusual network incidents, which can be exported to third-party systems or platforms like Splunk, Jira, Microsoft Sentinel, and others. The Cyber AI Analyst investigates initial alerts and provides timelines and summaries for security teams to carry out forensic-level investigations into network data. The Cyber AI Analyst investigates every relevant alert similarly to how a Level 2 SOC analyst would: it forms and validates a hypothesis, organizing any related alerts within the investigation process. Darktrace offers a range of alerting options, including email, syslog, and HTTP. The platform exports alerts in standard formats and integrates with platforms including ticketing systems, SIEMs, and instant messaging systems. Alerts can be tailored to specific severity thresholds when required.
Darktrace operates across OT and IT environments and analyzes all major protocols used in such environments. In addition, the majority of the most widely used protocols for IoT, IIoT, and ICS, including BACnet, Modbus, CIP, IEC 61850, OPC-UA, MQTT, and S7, are supported. The system status displays a list of active protocols and their last seen times. The system's detection module employs NTA techniques to analyze TCP/UDP traffic, conduct DPI, and extract relevant metrics. NTA is applied to network events, connection data, user activities, and other configured inputs using approaches such as Bayesian meta-classification, graph theory, and a proprietary transformer-based LLM. The threat visualizer offers detailed review capabilities through an advanced search interface. Darktrace supports a broad range of ETA methods and is capable of processing decrypted traffic from third-party appliances. Darktrace NETWORK can identify various malicious behaviors, including malware implantation, botnet activity, lateral movement, reconnaissance, AD enumeration, and DNS tunneling. The detect model engine integrates outputs from multiple Darktrace modules and leverages supervised and unsupervised ML models, as well as DL. The platform's user interface provides accessible insights into the ML classifications. The Cyber AI Analyst function is responsible for reviewing and investigating all relevant breaches and alerts to stop active threats with appropriate response actions. In addition, the Cyber AI Analyst can relate existing incidents to new activities to reduce alert fatigue. Darktrace autonomously responds to and contains threats in real time using both native and integrated methods, such as terminating network connections, directing firewalls, and isolating endpoint agents. Additional incident response playbooks to assist with remediation and recovery are available in the optional "Incident Readiness & Response" module.
Darktrace, a public company, has established a strong market presence in North America and EMEA, reflecting its capability to cater to a diverse range of business sizes and sectors. The company provides cybersecurity solutions that meet the needs of medium to large enterprises across various industries. Darktrace NETWORK is an effective solution for detecting and responding to sophisticated attacks, providing actionable insights with minimal manual intervention. It is an option for organizations with dynamic environments where automation is essential.
Ratings | Security | Functionality | Deployment | Interoperability | Usability
Table 5: Darktrace’s rating
Strengths | Challenges | Leader in
Exeon Analytics, established in 2016 in Zurich, Switzerland, uses advanced AI algorithms based on over a decade of research for enterprise network protection. The company is a late-stage startup with multiple investors. Their network security monitoring product, ExeonTrace, originated from research conducted at ETH Zurich (the Swiss Federal Institute of Technology in Zurich). The ExeonTrace platform offers a unified view of distributed networks, endpoints, and applications through intuitive visualizations, providing users with insights into overall network communications and security status. To identify vulnerabilities and malicious attack patterns, visibility can extend to the entire IT and OT network and its interfaces. The product offering comprises three modules: network, web, and extended logs. The licensing models are designed to be customizable based on the specific needs of the organization, considering factors such as size, requirements, and deployment needs. The licensing cost is calculated based on the number of active IP addresses being monitored and the number of modules being utilized.
ExeonTrace offers deployment options on premises, in the cloud, or as a managed service. Managed detection and response services are available through security operation center (SOC) provider partners. The management console can operate on various operating systems, web browsers, public cloud environments, and as SaaS. The solution supports security keys, including Duo hardware tokens, Google Titan, Kensington security keys, RSA SecurID, and YubiKey, but lacks federated authentication. The analyst interface offers features such as risk scores, natural language queries, timeline and network map views, and annotation. The standard plan includes 24/7 support services, with on-site support available in most parts of Europe; remote support is also offered. Integration with various third-party sandboxes, SIEM, ITSM, SOAR solutions, and most CTI sources is supported, alongside a REST API for further integration. ExeonTrace examines network traffic indirectly: metadata and logs are collected from customer network sources without physical sensors or agents. Exeon Analytics complies with the ISO 27001 standard but is not SOC 2 certified.
ExeonTrace offers comprehensive support for a range of CTI standards, including MISP, STIX, TAXII, Sigma, Snort, Suricata, and YARA. The platform's Investigation AI correlates threat intelligence across data sources to optimize investigation and guided threat hunting tailored to specific use cases. ExeonTrace's core threat alerting system integrates with external systems like ticketing systems and SOC platforms. Additionally, algorithm-driven incident scoring and prioritization help security teams focus on critical cases. ExeonTrace supports email and syslog alerting.
ExeonTrace is designed to support most IP-based protocols. The majority of the most widely used protocols for IoT, IIoT, and ICS, including BACnet, CAN/CAN-Bus, CoAP, Modbus, OPC-UA, CIP, DNP3, IEC 61850, IEEE 11073, IPMI, XMPP, LonTalk, MQTT, 5G GSMA, and S7, are supported as well. While ExeonTrace handles most NTA use cases, it does not support file fingerprinting; it can, however, employ most of the methods for ETA. The solution performs ETA on metadata, capturing essential information such as source and destination IP addresses, ports, protocols, packet sizes, and timestamps. ExeonTrace detects and responds to a range of TTPs, including botnet activity, lateral movement, AD-related traffic, DNS tunneling, and distributed denial of service (DDoS) attacks. Users can configure and reassign confidence and priority levels for each event. The platform utilizes supervised and unsupervised ML algorithms to analyze network interactions and communications to identify malicious activities. It correlates disparate events and allows analyzer tuning to reduce false positives. Email and syslog are the only supported alerting mechanisms. ExeonTrace can execute many of the typical NDR actions, such as session termination, host and network isolation, blocking by IP/hostname/URL, and DNS sinkholing; however, playbooks are only accessible via the REST API.
Exeon Analytics, a private Swiss company with strong connections to ETH Zurich and leading research institutions, has rapidly expanded its customer base over the past year. The company has a significant market presence in the DACH and Benelux regions and is optimally suited for mid-sized to large organizations across various industries. Their growth and specialization highlight Exeon Analytics' role as a player in the European NDR market. ExeonTrace is an option for organizations that require lightweight traffic metadata analysis instead of traditional traffic mirroring.
Ratings | Security | Functionality | Deployment | Interoperability | Usability
Table 6: Exeon Analytics’ rating
Strengths | Challenges
ExtraHop, established in 2007 and headquartered in Seattle, Washington, offers an NDR solution through its RevealX platform. ExtraHop provides detection and response capabilities that stand out from the competition with automated asset discovery and cloud-scale ML capabilities. The NDR module is equipped with a suite of network performance, IDS, and full packet capture capabilities, all integrated into a unified platform. The platform enables triage and response through manual intervention and automated processes. The RevealX platform's NDR and network performance monitoring (NPM) modules employ a subscription band pricing strategy. Pricing is customized based on factors such as deployment model, network size, and additional feature requirements.
RevealX offers versatile deployment options, including SaaS, on-premises, and managed services through partnerships with major managed security service providers (MSSPs). The platform is natively compatible with AWS, GCP, and Azure, and can be deployed with other cloud service providers that support hypervisors such as kernel-based virtual machine (KVM) or open virtual appliance (OVA) packages. The management console is available either as a separate on-prem appliance or as a SaaS-based solution. It features risk scores, drop-down lists, natural language queries, and a timeline view. 24/7 support services are available across different regions at no additional cost. However, incident management is not included in the standard plan and is instead handled through partners. The platform supports SAML federated authentication and authenticators such as Google Authenticator, Microsoft Authenticator, and Okta Mobile. It integrates with most of the major SOAR, SIEM, and ITSM tools and provides connectors to major CTI sources, with support for all major API protocols, including REST, GraphQL, and Webhooks. However, it lacks integration with third-party sandboxes. The sensors used by the RevealX platform can be deployed as physical appliances or virtual instances, offering a high throughput capacity of up to one hundred Gbps. These sensors are always deployed out-of-band via SPAN ports, network packet brokers, or packet forwarders. The platform supports full packet capture in various formats, including PCAP, IPFIX, and NetFlow. ExtraHop’s encryption module has been certified for FIPS 140-3. Although the platform is not yet ISO 27001 certified, it complies with regulations and standards such as GDPR, the Health Insurance Portability and Accountability Act (HIPAA), SOC 2 Type 2, and SOC 3.
RevealX supports a variety of CTI standards and frameworks, including MISP, Snort, Suricata, STIX, and TAXII, while also aligning with the MITRE ATT&CK framework to map and categorize threats. In addition, RevealX includes threat intelligence features, with feeds from ExtraHop and CrowdStrike Falcon. The platform leverages automatic software identification to enhance metadata analysis, enabling more accurate detection and response to potential threats. ExtraHop sensors collect and store different levels of network interaction data, including aggregated metrics and raw packet data. Metrics provide aggregated insights into endpoint interactions over time, while packet stores and record stores capture detailed records of network transactions, including time-stamped metadata, IP addresses, and error messages. These metrics and records can then be customized using JavaScript-based triggers. “Threat Briefings” within the platform offer real-time detections of scans, exploits, and IoCs to provide information on emerging threats. The solution provides a range of query options, from simple searches to complex queries. ExtraHop has also recently introduced an AI search assistant that helps generate queries and filter results, although it does not yet have the capability to take automated response actions.
ExtraHop supports over ninety IT and OT protocols, though, apart from CoAP, Modbus, and MQTT, its support for IoT, IIoT, and ICS protocols is limited. The solution addresses most major NTA use cases, including real-time monitoring of network flows, device fingerprinting, and threat identification. RevealX also supports various ETA methods to enable detection and response to threats even within encrypted communications. ExtraHop extracts metadata from packets, reassembles it into streams, and maps relationships among network devices, applying the analysis to specific use cases. RevealX's coverage of TTPs is extensive, encompassing critical threat activities such as lateral movement, command and control operations, and data exfiltration. It lists and focuses on every event related to an attack technique. Alert fatigue is reduced through smart investigations, a risk-based incident response approach that prioritizes events, aggregates related detections, and facilitates the investigation workflow. Additionally, it employs a risk scoring system that prioritizes threats based on their severity and potential impact. The RevealX interface also visualizes attack maps to enhance the understanding of correlated analytics. Email, Microsoft Teams, SMS, Slack, and SNMP can be used to alert customer admins to problems and cases. Playbooks are offered as automated bundles that can be configured as needed. Available response actions range from session termination, host and network isolation, and blocking communications to IPs and domains, to DNS sinkholing.
ExtraHop, a private company, is particularly well-suited to large enterprises seeking comprehensive visibility into their network attack surfaces. The company has established a strong presence in North America and is actively pursuing expansion into other regions. A significant portion of ExtraHop's customer base comes from the finance sector. RevealX NDR is an option for organizations requiring visibility and security across their networks, including IoT devices. With automated retrospective threat detection and AI-powered Smart Triage, RevealX optimizes security workflows and provides recommended mitigation strategies.
Table 7: ExtraHop’s rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges, Leader in)
Founded in 2000 and based in Sunnyvale, California, Fortinet is a global company known for its extensive range of cybersecurity solutions. Fortinet offers advanced NDR solutions through FortiNDR and FortiNDR Cloud as part of the Fortinet Security Operation (SecOps) Platform. FortiNDR is deployed on-premises, making it an option for critical infrastructure, air-gapped, and OT environments. It provides network detection and response capabilities within isolated systems. Meanwhile, FortiNDR Cloud is a SaaS offering that delivers unified network traffic visibility across multi-cloud and hybrid environments. FortiNDR Cloud operates on a cloud-based pricing model where users are charged based on the aggregate throughput through FortiNDR Cloud sensors, billed per Gbps. For FortiNDR On-Premises, customers have the option to purchase hardware or full-featured virtual appliances, along with additional service offerings, to suit their specific deployment needs.
Fortinet offers a range of deployment options, including on-premises, cloud, hybrid cloud, and managed services. Managed services and incident response are not part of their standard service support. The Fortinet Technical Success Manager service is available to users who require remote support for NDR Cloud. The management console supports multiple operating systems and public cloud environments and is also available as SaaS. The management console supports MFA and federated authentication via. The analyst interface features risk scores, drop-down lists, and investigation searches. 24/7 support services are included in the standard plan. On-site and remote support services are available globally. The solution integrates with Microsoft Sentinel, IBM QRadar, and Splunk for SIEM and with some CTI sources, while orchestrating with FortiSOAR. Support for REST API and Webhooks provides flexibility for integration with other third-party solutions. Available as physical and virtual appliances, sensors can be deployed on customer-supplied hypervisors or in public clouds such as AWS and Azure. Deployments off SPAN ports, TAPs, and packet brokers are also supported. Throughput limits per sensor range from 1.5 Gbps to 20 Gbps. Sensors can run on IaaS instances from Alibaba, AWS, Microsoft Azure, and GCP. Sensors communicate with the console using TLS 1.2 or IPSec. FortiNDR supports full packet capture in PCAP format on an ad-hoc basis using Berkeley Packet Filter (BPF) expressions. Fortinet is Payment Card Industry Data Security Standard (PCI DSS) and HIPAA compliant and SOC 2 Type 2 certified.
Regarding CTI standards, Fortinet offers support for a range of formats, including STIX, TAXII, and YARA. Furthermore, Fortinet is a founding member of the Cyber Threat Alliance. In FortiNDR, detections related to MITRE ATT&CK techniques are marked with a unique icon, which appears both in the technique block and when such a detection is triggered. The platform optimizes investigations and threat hunting by providing contextual data per event. The FortiGuard monitor displays details such as URL categories, IoCs, anomaly severity, the frequency of the anomaly, and the initial timestamp. Users can customize detection severity by adjusting specific settings. FortiNDR/NDR Cloud enables email and SNMP alerting and provides logs to FortiSIEM and FortiSOAR. FortiNDR/NDR Cloud also supports query-based searches by utilizing playbooks and neural networks to compare detections and identify root causes.
FortiNDR/NDR Cloud supports most IP-based and streaming protocols, as well as those commonly used for IoT, IIoT, and ICS platforms, including BACnet, CoAP, Modbus, CIP, DNP3, IEC 61850, IPMI, OPC-UA, OPC-DA, LonTalk, MQTT, and S7, but lacks protocol support for mobile platforms. It addresses all major NTA use cases, including sFlow analysis for on-premises deployments. The solution also employs various methods for ETA. FortiNDR can analyze encrypted traffic by integrating with third-party packet brokers and FortiGate, a next-generation firewall solution offered by Fortinet. The solution collects metadata from protocols such as HTTP, DNS, Flow, SSL, SMTP, and SSH for NTA. Depending on customer preferences, network metadata can be sent to a SaaS data lake or retained on-premises for threat detection, threat hunting, and ML-based analysis. FortiNDR/NDR Cloud detects and responds to approximately 90% of the TTPs covered in the MITRE ATT&CK framework. It automatically configures and assigns confidence and priority levels to risk scores. It utilizes proprietary supervised and unsupervised ML and DL algorithms for malware analysis. FortiGuard Labs retrains ML models based on new threats and customer feedback to minimize false positives. Additionally, the solution includes more than twenty playbooks for investigations and incorporates features such as network session termination and host/network isolation, with FortiSOAR orchestrating the various security tasks.
Fortinet is a publicly traded company with a global market presence and a large international customer base. FortiNDR and FortiNDR Cloud are suitable for organizations of all sizes. From small businesses to large enterprises, Fortinet provides tailored security solutions that effectively meet the diverse needs of its clients. FortiNDR and FortiNDR Cloud are options for organizations with distributed workforces or critical infrastructure. Leveraging AI, ML, and FortiGuard Labs threat intelligence, these solutions offer high-throughput malware scanning, automated investigations, and integration with the Fortinet Security Fabric.
Table 8: Fortinet’s rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges, Leader in)
Gatewatcher, founded in 2015 and headquartered in Paris, France, is a cyber threat detection vendor. Gatewatcher’s NDR solution provides visibility into threats, applications, and users within the network. The NDR suite comprises three main products: AIONIQ enables the early categorization of malicious activities and triggers remedial actions, GTAP supports optical and copper TAP needs, and GAIA assists SOC teams with generative AI to detect, analyze, and respond to cybersecurity incidents. Gatewatcher’s licensing is primarily subscription-based, with pricing determined per IP address.
Gatewatcher NDR offers customers a range of deployment options, including on-premises, hybrid cloud, multi-tenant, and managed services. The management console is compatible with Debian, VMs, cloud environments such as Gatewatcher IaaS, and SaaS. The console supports MFA and federated authentication. The analyst interface includes most major features, including risk scores, drop-down lists, RegEx searches, natural language queries, timeline and network map views, annotation, and playbook launching. 24/7 support services are available and included in the standard plan. On-site and remote support services are available globally. The solution integrates with IBM QRadar, Microsoft Sentinel, and Splunk for SIEM, with ServiceNow for ITSM, and with Palo Alto Cortex for SOAR, and also utilizes its own CTI feed. Further integration is supported via a range of API protocols, including SOAP, REST, JSON-RPC, and XML-RPC, as well as through the Reflex module, which enables integration with third-party firewalls, sandboxes, CTI sources, and custom integrations upon the client’s request. Sensors, available in both physical and virtual appliance formats, offer comprehensive deployment options, apart from in-line deployment, which has a throughput limit of 40 Gbps. They can be deployed on IaaS instances from providers such as AWS, Microsoft Azure, and GCP. The solution supports full packet capture in EBPF, NetFlow, PCAP, and XML data package (XDP) formats. Sensors communicate with the console over IPSec only. Compliance support is currently limited to the ANSSI standard, which is specific to French companies.
Gatewatcher NDR is compatible with several CTI standards, including MISP, Sigma, STIX, Suricata, TAXII, and YARA. The platform employs MITRE ATT&CK techniques to identify threat progression, although its focus has primarily been on endpoints so far. The Gatewatcher Cyber Threats Barometer offers a monthly report of detected cyber threats, leveraging automated collection, analysis, and correlation from different data sources, including social networks, specialized sites, the dark web, and the deep web. This approach provides threat information in advance, enabling operational response teams to take a proactive approach. Additionally, AIONIQ aggregates alerts for rapid triage against evolving risk scores to facilitate decision-making for SOC experts. Email, Microsoft Teams, SMS, and Slack alerting are available, along with Mattermost support.
Gatewatcher NDR provides comprehensive support for a range of IP-based protocols, as well as some of the major IoT, IIoT, and ICS protocols such as Modbus, CIP, DNP3, OPC-UA, OPC-DA, MQTT, and S7. However, it does not support streaming and mobile platform protocols. It addresses most of the major NTA use cases and employs a variety of methods for ETA. The solution conducts ETA on metadata, utilizing detection engines supported by ML, behavioral, static, and heuristic analysis. Gatewatcher NDR can detect and allow for automated responses to a set of TTPs. The solution is equipped with the capability to automatically configure and assign confidence and priority levels to evolving risk scores. Gatewatcher NDR features a range of ML and DL algorithms, including those for supervised and unsupervised learning, as well as for tasks such as ransomware detection, beacon detection, network behavior analytics, and asset identification and classification. Users can adjust each analytics engine's sensitivity to reduce false positives. The Reflex module includes pre-configured playbooks for remediation actions such as initiating full packet capture, terminating network sessions, and isolating hosts/networks, which can be edited at a later stage using the Reflex playbook editor.
Gatewatcher, supported by venture capital, offers a specialized portfolio that includes NDR and CTI. This combination makes it a compelling choice for mid-to-large enterprises seeking comprehensive cybersecurity solutions. Gatewatcher has established a significant presence in Europe, particularly in France, and in Africa, where it has penetrated deeply into the healthcare, public, and finance sectors. Gatewatcher NDR is an option for organizations needing proactive threat detection across IT and OT environments, leveraging generative AI for real-time insights and conversational interactions.
Table 9: Gatewatcher’s rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges)
Gurucul, established in 2010, is a security analytics company. Headquartered in Los Angeles, California, Gurucul has positioned itself as an innovative security analytics platform that leverages advanced ML algorithms to provide various detection and response capabilities for enterprises. The product has a modular architecture, featuring components such as SIEM, user behavior analytics (UBA), and identity analytics. The pricing model for NTA is based on the volume of data ingested and the number of modules deployed. The licensing is determined by the number of entities or nodes, such as devices, users, endpoints, or networks, that the platform monitors.
Gurucul NTA offers flexible deployment across cloud, on-premises, hybrid-cloud, and multi-cloud environments such as Azure, AWS, and GCP, and as a SaaS solution. The management console can be run on Windows or most Linux variants, on physical and virtual machines, and in any IaaS. Most well-known authenticator apps and hardware tokens, in addition to FIDO authentication, are compatible with NTA. It features RBAC for all UI functionality and data access. The management console provides analysts with risk scores, drop-down lists, RegEx searches, natural language queries, a timeline view, annotation, and playbook launching. Gurucul also provides 24/7 global support services at no additional cost, though incident management services are available through Gurucul Labs for an additional fee. Gurucul NTA offers integration with the majority of the well-known third-party SIEM, ITSM, SOAR, and sandbox solutions. The platform also offers extensive support for all widely used CTI standards as well as connectors to major CTI sources. Further integration is enabled through a variety of API protocols, including REST, SOAP, JSON, gRPC, GraphQL, and Webhooks. Gurucul offers comprehensive support for sensor deployment, including options for SPAN ports, network packet brokers, and in-line deployment. Furthermore, Gurucul enables sensor deployment through a collector and forwarder mechanism, allowing physical appliance, virtual appliance, or agent forwarder deployments. Virtualization is supported in Amazon Machine Image (AMI), OVA, and ISO formats. Gurucul also supports full packet capture in all major formats. Sensor communication is secured via TLS 1.2 and TLS 1.3. While the platform complies with most major regulations and standards, it is not yet compliant with ISO 27001 and SOC 2 Type 2.
Gurucul NTA offers extensive support for widely used CTI standards. It integrates behavior-based ML models developed by Gurucul Labs to automatically detect adversarial tactics and techniques as defined by the MITRE ATT&CK framework. The platform correlates events, enriches them with relevant CTI, and generates cases for analysts to review while also creating IoCs for threat hunts. The console allows users to create custom queries, set up query-based alerts, and utilize natural language queries. In addition to third-party platforms such as Opsgenie and PagerDuty, Gurucul offers email, Microsoft Teams, SMS, Slack, and SNMP alerting.
The platform offers comprehensive support for a wide range of protocols, including IP-based, streaming, mobile application, IoT, IIoT, and ICS protocols such as BACnet, CAN/CAN-Bus, CoAP, Modbus, OPC-UA, OPC-DA, CIP, DNP3, IEC 61850, IEEE 11073, IPMI, XMPP, LonTalk, MQTT, 5G GSMA, and S7. The platform addresses most major NTA use cases, except for file fingerprinting, and supports an extensive set of ETA methods. By analyzing raw network packet traffic in real time, including NetFlow and specific network telemetry, the solution monitors both north-south and east-west network traffic to detect external and internal threats. The platform employs a combination of ML, behavior analysis, IoCs, and retrospective analysis to identify and respond to a broad range of TTPs. The solution enables security analysts to prioritize threats through risk-ranked alerts and contextual visibility. Gurucul NTA performs metadata analysis by aggregating and analyzing telemetry data from various sources across the IT environment. Gurucul also offers a library of pre-packaged ML models including unsupervised, supervised, and deep learning algorithms. Analysts can review activity and threat analytics in the UI to interpret the results of the ML models. Additionally, the platform offers over six hundred playbooks, including initiating full packet capture, network session termination, host/network isolation, and TCP resets. It also provides a canvas-driven orchestration workflow engine to automate these response actions.
Gurucul is a private company that is particularly well suited to serving medium-to-large enterprises across a range of industries. The company has a strong market presence in North America and is actively expanding its reach into Europe and the APAC regions. The platform is also an option for small to medium organizations through its managed services that are offered separately by MSSPs.
Table 10: Gurucul’s rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges, Leader in)
IBM Corporation is a publicly listed multinational technology and consulting company founded in 1911 and headquartered in Armonk, New York, US. With over one hundred years of history, IBM has evolved from a computing hardware manufacturer to offer a broad range of software solutions and infrastructure, hosting, and consulting services in such high-value markets as business intelligence, data analytics, cloud computing, virtualization, and cybersecurity. IBM’s offerings include a sophisticated NDR solution as part of its broader security products suite. IBM Security QRadar NDR is equipped with a range of technologies to facilitate real-time analysis of network activity. IBM's NDR solution comprises five main modules. IBM QRadar Flows ingests data from multiple sources to provide network visibility by extracting metadata and application content. IBM offers two pricing models: a predictable enterprise pricing model based on customer environment size, and a usage-based pricing model that depends on the number of users, flows, and endpoints. Both models provide access to QRadar Suite functions, including EDR, NDR, SIEM, and SOAR. However, IBM's X-Force Incident Response Services are sold separately.
IBM QRadar NDR offers asset and sensitive data protection, along with endpoint security, as part of a managed services package. IBM Security experts are prepared to collaborate with managed service customers regardless of which QRadar solutions they have. The management console supports operation on physical and virtual machines and in most public cloud environments. The QRadar console supports all major authenticator apps and security keys, as well as SAML and OIDC federated authentication. The analyst interface offers features such as risk scores, drop-down lists, RegEx searches, timeline and network map views, and annotation capabilities. Playbook launching and natural language queries are currently under development. 24/7 support services are available for an additional fee. IBM provides on-site and remote support services on a global scale. The solution integrates with Microsoft Sentinel and Splunk for SIEM, ServiceNow and NinjaOne for ITSM, and most of the major SOAR systems and sandboxes. IBM utilizes its own CTI feed through X-Force and provides connectors to other major feeds. For additional integration options, SOAP, REST, JSON-RPC, Webhooks, and XML-RPC API protocols are supported. QRadar NDR is capable of ingesting and processing flow data from network devices and dedicated sensors, including QNI. QNI can be deployed as software or appliance-based sensors across on-premises, virtual, and cloud environments for full packet network analysis. QNI can analyze full packet data from network taps, packet brokers/managed switches, and SPAN/mirror ports. QNI offers a range of appliances that provide connectivity and capture at 1 Gbps, 10 Gbps, and 40 Gbps. The Network Packet Capture feature can capture in various formats for forensics. The solution supports sensor packages for most public IaaS instances. Sensors communicate with the console using IPSec, SSH, TLS 1.2, and TLS 1.3.
IBM supports major regulations, including key and encryption standards, and is working towards US FedRAMP certification. However, it is not yet SOC 2 Type 2 audited.
IBM QRadar NDR supports the majority of the widely used CTI standards. Furthermore, it has been shown to achieve 100% visibility across all the evaluated stages of the MITRE ATT&CK framework in the most recent evaluation. Working in conjunction with QRadar, IBM X-Force Exchange, a cloud-based threat intelligence platform, enables users to conduct research on global security threats, aggregate actionable intelligence, and consult with experts. IBM QRadar manages IoCs through its reference sets, which allow the system to store, search, and correlate threat data. IoCs can be imported via a web interface from external sources, such as threat intelligence feeds and MISP. The system correlates these indicators with network activity, thus triggering alerts and automated responses that can be configured in magnitude. QRadar Incident Forensics assists users in the detection of emerging threats, the identification of root causes, and the prevention of recurrences. It is applicable in a variety of investigative scenarios, including network security, insider analysis, fraud and abuse, and evidence gathering.
IBM QRadar NDR supports a wide range of IP-based protocols but lacks support for streaming and mobile application protocols. For OT/ICS/IIoT, it only supports IPMI, XMPP, Modbus, and MQTT. The solution addresses most major NTA use cases and most methods for ETA. QNI gathers data from a variety of protocols, sources, destinations, authentication mechanisms, proxies, and applications. This information is then analyzed to identify applications, extract key metadata, and detect potential threats. This metadata is then utilized by ML analytics to identify anomalous behaviors, which can be leveraged for threat hunting and investigations. QRadar NDR can detect and automate responses to numerous TTPs. The solution generates analytical and adaptive threat scoring to prioritize threats for investigation and response. The solution includes supervised and proprietary unsupervised ML engines to analyze network threats. ML analysis allows for investigation down to specific attributes identified as new or unusual within the application context. Risk score mechanisms minimize false positives. Email, Microsoft Teams, and Slack alerts are supported, and these alerts can be tailored to specific needs. QRadar integrates NDR alert data with other SIEM data sources to enhance threat detection capabilities. The solution provides thirteen out-of-the-box incident response playbooks, such as initiating full packet capture, network session termination, host/network isolation, and TCP resets, as well as over two hundred templates for privacy regulations, which can be customized for specific incident types.
IBM is a global and publicly traded company that plays a significant role in the cybersecurity market. The company offers an extensive range of tools and solutions that are tailored to meet the various needs of organizations. With a strong presence in North America and Europe, IBM offers a comprehensive range of security services that address the diverse challenges faced by organizations of all sizes. IBM QRadar NDR is an option for organizations requiring advanced network detection and visibility, particularly those focused on products with strong threat hunting capabilities. IBM recently sold its QRadar SIEM SaaS business to Palo Alto Networks, while retaining its on-premises QRadar NDR product.
Table 11: IBM’s rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges, Leader in)
NetWitness focuses on network threat detection and cybersecurity monitoring. The company was established in 1997 and is based in Bedford, Massachusetts. The NetWitness Threat Detection, Investigation & Response suite unifies network and endpoint analysis, behavioral analytics, data science, and threat intelligence on a single platform. The solution gathers data from capture points such as user, endpoint, and cloud, and then enriches it with threat intelligence and business context. The suite includes the following components: NetWitness Network for real-time network traffic visibility, NetWitness Endpoint for deep endpoint activity monitoring, NetWitness Orchestrator for automated incident management, NetWitness UEBA for behavior analytics, NetWitness Insight for asset discovery and categorization, and NetWitness Logs and Cloud SIEM for comprehensive log management and analytics. NetWitness employs several pricing models based on different factors. The data volume pricing model charges based on usage, with NDR Network priced per terabyte per day. The standard plan includes proactive threat hunting, traditional incident response, and general incident response enablement.
NetWitness NDR Network's modular design allows for flexible deployment options, making it suitable for on-premises, cloud, and hybrid environments. Cloud SaaS visibility can be achieved through a log decoder located either in the cloud or on-premises. NetWitness partners provide managed service offerings. The console is compatible with AlmaLinux, virtual appliances, cloud environments, and SaaS. The management console supports SAML and OIDC federated authentication. Google Authenticator and Microsoft Authenticator are also supported. The analyst interface includes functions such as risk scores, drop-down lists, RegEx searches, timeline and network map views, annotation, and playbook launching. 24/7 support services are provided but are available at an additional cost. On-site and remote support services are available worldwide. The solution integrates with various third-party sandboxes and SIEM solutions, as well as Jira and ServiceNow for ITSM, and Palo Alto Cortex and Splunk for SOAR. NetWitness utilizes its own CTI feed through ThreatConnect and provides connectors to other major CTI sources. For additional integration options, a REST API is supported. Sensors can be deployed as software or appliance-based sensors across on-premises, virtual, and cloud environments. The NetWitness Platform is compatible with OVA/virtual hard disk (VHD) images, which can be run on either VMware or Microsoft Hyper-V. NetWitness Network is deployed off a SPAN or TAP port on the network. It can also be deployed with third-party qualified virtual TAPs and other network brokers. The system is capable of full packet capture in various formats up to 10 Gbps, with partial capture up to 40 Gbps. Sensor packages are available for most public IaaS instances. Sensors communicate with the console over SSH and TLS 1.2. Compliance support includes FIPS 197, FIPS 140-2, NIST 800-57, and ISO 15408 standards. NetWitness is not yet SOC 2 Type 2 or ISO 27001 certified.
NetWitness NDR Network is compatible with several CTI standards, including MISP, Snort, STIX, TAXII, and YARA. NetWitness has recently verified its MITRE ATT&CK coverage. User access to the framework and mapping capabilities is currently a work in progress. NetWitness Orchestrator centralizes the aggregation and management of threat data from various CTI sources, as well as known threat signatures, vulnerabilities, IoCs, and TTPs. The platform enables the creation of custom IoCs for threat hunting and utilizes MITRE ATT&CK TTPs to identify behaviors across different environments. It enables direct queries using specific subnets or attributes, and correlates data points such as network, endpoint, logs, and threat intelligence to present a comprehensive view of threat relationships and timelines. The solution supports email, Slack, and SNMP alerts. Analysts can automatically view correlated alerts and hunt for specific TTPs or entities. NetWitness captures and retains original network traffic for session and payload reassembly based on a configurable, multi-tier retention policy. Network metadata can be stored for various durations. This allows customers to adjust retention according to security goals, regulatory compliance, and storage limits. Forensic evidence and contextual details can be tracked, packaged for incident response, or exported for external distribution.
NetWitness NDR Network can analyze a wide range of IP-based and streaming protocols. However, the solution does not currently offer support for mobile application protocols or some of the more prominent IoT, IIoT, and ICS protocols such as BACnet, CAN/CAN-Bus, CoAP, DNP3, OPC-UA, OPC-DA, LonTalk, MQTT, and S7. NetWitness has, however, established strategic partnerships with IoT/OT providers. The solution addresses most major NTA use cases and employs various ETA methods. NetWitness correlates metadata from multiple data sources, including L2/L3 network details, TLS header abnormalities, payload entropy, certificate anomalies, geo-location, non-standard encryption ports, and known threat intelligence. ML techniques are used to draw further insights and detections from this metadata, which can then be utilized by NetWitness Orchestrator to automate threat responses. By working in conjunction with endpoint agents, UEBA, and malware analysis components, the solution detects and automates responses to a variety of TTPs. The FirstWatch threat intelligence team focuses on identifying new TTPs as they emerge. NetWitness uses unsupervised ML models that are periodically trained and updated daily. The solution reduces false positives through its Event Stream Analysis (ESA) and UEBA components, aggregates alerts, and groups similar detections, leveraging user feedback to further minimize false positives. Pre-configured and template playbooks for response actions such as network session termination and host/network isolation are available and can be customized to meet specific organizational needs.
NetWitness, funded by Symphony Technology Group, is a vendor that caters primarily to mid to large enterprises. NetWitness has established a well-balanced market presence globally. With its strong focus on NDR, NetWitness addresses the complex security needs of businesses across various regions. NetWitness NDR Network is an option for organizations seeking to identify high-priority threats, including those in encrypted traffic, using automated detection and forensic tools.
Table 12: NetWitness’ rating (categories: Security, Functionality, Deployment, Interoperability, Usability; Strengths, Challenges, Leader in)
Founded in 1991 and headquartered in Waterloo, Ontario, OpenText, a leader in information management solutions, offers its NDR as part of its cybersecurity portfolio. OpenTextTM NDR integrates detection, forensic analysis, and proactive threat-hunting to provide security teams with network visibility. OpenText offers a structured pricing model for its NDR solution. For MSSP customers, licensing is available on a per-user basis. The standard licensing term is set for one year, with costs determined by the inspection throughput aggregated across all deployed sensors. OpenText offers a range of professional services, including technical account management (TAM), digital forensics and incident response (DFIR), and managed security services. Additionally, customers can design a customized cyber resilience program (CRP) to enhance their in-house capabilities. These services are available separately from the standard plan.
The OpenText NDR is compatible with on-premises, cloud, and managed service deployments. Managed services can be subscribed to via a Technical Account Manager or a fully outsourced managed security service. The management console can be run on premises on Debian or in IaaS. They do not currently host it as SaaS. The solution supports federated authentication, as well as Okta Mobile and OATH tokens to provide secure access to the console. The analyst interface features risk scores, drop-down lists, timeline view, and annotation. The standard plan includes 24/7 global support services. Third-party integration is supported with most major SIEM solutions as well as Cuckoo and Cylance Infinity for sandboxes and Splunk for SOAR systems. The Zeek intel framework allows for CTI source integration. The REST API provides users with additional integration options. Sensors can be delivered in three forms: as host-based software, as virtual appliances, or as appliance-based sensors. They are available for deployment on-premises, in virtual environments, and in the cloud. Virtual appliances are delivered in the OVA format or as cloud images. OpenText sensors can be deployed in a variety of settings, including off SPAN ports, TAPs, packet brokers, virtual traffic management infrastructure, and in-line. While they support full packet capture in PCAP format, maximum throughput is limited to 10 Gbps for physical sensors and 5 Gbps for virtual sensors. Sensors packages are available for most public IaaS instances. Sensors communicate with the console over IPSec, SSH TLS 1.2, and TLS1.3 protocols. OpenText does not support compliance reporting, and it is not ISO 27001 certified.
OpenText NDR supports various CTI standards, including Snort, Suricata, and MISP. It offers managed services through OpenText Security Services for threat hunting and anomaly identification. The threat hunting interface enables querying of metadata fields to search for IoCs. Threat hunters then use these IoCs to conduct unstructured hunting, searching for patterns in network activity both before and after an IoC is detected. The platform also allows for the creation of custom IoCs. Alerts are delivered via email and SNMP and come with modifiable severity levels. Support for natural language queries is a roadmap item.
OpenText NDR supports the analysis of most IP-based protocols, excluding streaming and mobile application protocols, with the option to manually add new protocols through Zeek as needed. For OT/ICS/IIoT environments, DNP3, IPMI, Modbus, MQTT, and XMPP are understood. The solution addresses several major NTA use cases using signatures and employs most ETA methods. Behavioral analytics in Zeek or in OpenText's UEBA tool can perform NTA on metadata by including session attributes such as timestamp, IP address and port, protocol, and duration. OpenText NDR can enable automated responses to many major TTPs via SOAR integrations. The system allows users to configure severity levels based on the details of an alert. The solution combines supervised ML models with proprietary unsupervised models; DL algorithms are in development. The supervised ML models help to minimize false positives, and further reduction of false positives is a roadmap item. The solution does not provide playbooks out of the box; response actions must be orchestrated via SOAR integrations.
OpenText, a publicly traded company, has established a strong market presence in both North America and EMEA. To further enhance its capabilities in the cybersecurity space, the company acquired Bricata in November 2021. OpenText caters to businesses of all sizes, offering tools and services that meet the needs of organizations across various industries. OpenText™ NDR is an option for enterprises that already have a SOAR solution in place.
Ratings (Security, Functionality, Deployment, Interoperability, Usability): rating values not present in the extracted text.
Table 13: OpenText’s rating
Strengths and Challenges: entries not present in the extracted text.
Sophos, established in 1985 and headquartered in Abingdon, UK, has an NDR solution as part of its cybersecurity portfolio. Sophos NDR is a network security solution that works in conjunction with managed endpoints and firewalls to proactively monitor for suspicious and malicious activity that may otherwise go undetected. When used with Sophos Firewall, it offers automated threat response to block threats and prevent lateral movement. Sophos prices its NDR solution based on the total number of users and servers, allowing multiple NDR sensors to be deployed at no additional cost per instance. Incident response and breach response services are provided separately from the Sophos NDR solution and are offered as part of Sophos MDR.
The Intercept X client agent is deployed on endpoint devices, while Sophos Central is the cloud-hosted platform. Sophos MDR, available for purchase separately, is a fully managed service delivered by experts who specialize in detection and response. The console supports federated authentication, and MFA is required for all logins to the Sophos Central admin console. A Fast Identity Online (FIDO)-based passkey authentication system, which will include the use of device-bound authenticators, is currently a work in progress. The management console offers risk scores, drop-down lists, and SQL search functions that support queries created by customers as well as those provided by Sophos. Sophos NDR can be managed either through Sophos Central, a cloud-native application hosted on AWS, or via the NDR Investigation Console, which operates on a virtual appliance within the customer’s local network. The standard plan includes 24/7 support, with on-site and remote services available globally. The solution integrates with IBM QRadar, LogRhythm, Microsoft Sentinel, and Splunk for SIEM; Jira, NinjaOne, and ServiceNow for ITSM; CrowdStrike, Palo Alto Cortex, ServiceNow, and Splunk for SOAR; and VirusTotal for CTI. Sophos natively integrates with SophosLabs Intelix, its own sandbox solution. Sensors can be delivered as physical or virtual appliances and can be deployed in on-premises, virtual, or cloud environments. Sophos provides an OVA image that can be deployed on VMware or Hyper-V. Sophos NDR is available for purchase in the AWS Marketplace with a bring your own (BYO) license. Additionally, Sophos provides an ISO image for installation on certified hardware. Sophos sensors can be deployed via SPAN and encapsulated remote SPAN (ERSPAN) ports or via TAP and packet broker interfaces. Full packet capture is not available. Maximum throughput is limited to 40 Gbps for physical sensors and 1 Gbps for virtual sensors. Sensors communicate with the console over TLS 1.3. Sophos supports compliance with PCI-DSS and HIPAA regulations, and its solutions are SOC 2 Type 2 and ISO 27001 certified.
Sophos NDR can accept Snort and Sophos-created IDS rules, but it does not support the other CTI standards. Sophos NDR works with Sophos Intercept X, which has been independently evaluated in the MITRE ATT&CK framework. SophosLabs is an affiliate member of the CTA. The platform employs a cluster and severity scoring engine, along with a mixture of ML models, to provide aggregated threat scores and lower false positive rates. Sophos Central supports queries via OSQuery to its data lake, which can incorporate data from Sophos sensors (including intel from Intercept X) and third-party sensors. Sophos NDR also supports recording of network flows for forensic analysis. Sophos only supports email alerts; however, APIs are provided for external platforms such as ServiceNow.
Sophos NDR supports over four hundred protocols, including major IP-based, streaming, and mobile application protocols, as well as most IoT, IIoT, and ICS protocols, including BACnet, CAN/CAN-Bus, CoAP, Modbus, CIP, DNP3, IPMI, OPC-UA, MQTT, and S7. The solution employs five real-time detection engines (encrypted payload analysis, domain generation algorithm detection, session risk analytics, a data detection engine, and DPI) and addresses most of the major NTA use cases, except for NetFlow/IPFIX collection and analysis. The solution also supports almost all ETA methods. NTA involves aggregating network packets into a single communication flow, extracting metadata using DPI, and enriching it with geolocation data and other relevant metrics. The solution can detect and respond to a range of TTPs, though administrative intervention is required for each specific TTP when responding. Severity levels are assigned to alerts, but these are not yet configurable by users. The detection process identifies the key contributors to the overall threat score. Sophos NDR employs a combination of supervised ML models and proprietary detection models for encrypted packet analysis. The cluster and severity score engine evaluates events from the different ML models to determine a suspicion score and minimize false positives. The solution provides pre-configured playbooks as part of Sophos MDR, and Sophos Factory, sold separately, allows users to create custom playbooks.
Sophos, a cybersecurity company owned by the private equity firm Thoma Bravo, offers managed security services, software, and hardware, including MDR, XDR, firewalls, incident response, and endpoint security solutions. With a global market presence, Sophos serves a wide range of industries, delivering security solutions that are tailored to SMBs across various sectors. Sophos NDR is an option for organizations that require capabilities to identify and address a wide range of anomalous activities and threats, as well as advanced ETA capabilities.
Ratings (Security, Functionality, Deployment, Interoperability, Usability): rating values not present in the extracted text.
Table 14: Sophos’ rating
Strengths and Challenges: entries not present in the extracted text.
Leader in: entries not present in the extracted text.
Stellar Cyber, founded in 2015 in Santa Clara, California, offers its NDR solution as part of its broader suite of security products, the Open XDR platform, which integrates various security tools for comprehensive threat management. It automates much of the network security workflow, enabling users to conduct investigations. Stellar Cyber NDR can operate in both semi-automated and fully automated modes. Security analysts can use predefined playbooks or create custom ones to fully automate detection and response processes. Key components of Stellar Cyber NDR include sensors, detection and correlation engines, a data lake, threat intelligence, an AI engine, and UEBA. Stellar Cyber Open XDR customers receive all available capabilities within the platform under a single license, which includes SIEM, NDR, a threat intelligence platform (TIP), IDS, security orchestration, and file integrity monitoring (FIM). Their licensing strategy is "one license, one price". The incident response service is only available through their MSSP partners.
Stellar Cyber NDR provides flexible deployment options for on-premises, cloud, and hybrid environments. The management console operates on premises, in VMs, and in most public cloud environments, and Stellar Cyber also hosts it as SaaS. The console is secured by federated authentication and authenticator apps such as Google Authenticator, Microsoft Authenticator, and Okta Mobile. Users can utilize RBAC to control access to Stellar Cyber by assigning scopes and privileges to users. The analyst interface features risk scores, drop-down lists, RegEx searches, natural language queries, timeline and network map views, annotation, and playbook launching. The standard plan includes 24/7 support services. On-site and remote support services are available globally. Integration with most of the major third-party ITSM, SIEM, SOAR, and CTI feeds is supported. Stellar Cyber has its own sandbox solution. For additional integration capabilities, REST APIs and webhooks are available. Stellar Cyber NDR sensors can be deployed across on-premises, network, and cloud environments. Virtual network and security sensors are deployed as VMs into hypervisors or on a public cloud. Physical network security sensors gain access to traffic by mirroring it off switches and network taps. Stellar Cyber sensors can be deployed via SPAN ports, virtual private clouds (VPCs), and out-of-line network monitoring. Full packet capture is not available. Maximum throughput ranges between 250 Mbps and 10 Gbps for physical sensors and between 200 Mbps and 10 Gbps for virtual sensors. Sensor packages are available for most public IaaS instances. Sensors communicate with the console over TLS 1.2 and TLS 1.3.
Stellar Cyber understands Suricata, TAXII, and YARA CTI standards. Its TIP integrates with third-party feeds to collect, parse, and distribute threat intelligence. The solution is aligned with the MITRE ATT&CK framework and has recently launched a MITRE ATT&CK coverage analyzer for visualizing the impact of data source changes on threat detection capabilities. The platform enables the creation of custom IoCs for threat hunting and allows users to construct, store, and execute queries via a query builder. The Lucene search bar facilitates NLP queries. Alerting happens via email, Microsoft Teams, and Slack, with additional alerts possible through Webhooks. Stellar Cyber assigns scores to alerts based on their criticality. Alert scores are calculated using ML and analytics based on fidelity, severity, threat intelligence, and data period.
Stellar Cyber Open XDR supports a wide range of IP-based protocols, along with streaming and mobile application protocols. The solution supports OT/ICS/IIoT protocols such as BACnet, CIP, CoAP, DNP3, IEC 61850, IEEE 11073, IPMI, Modbus, OPC-UA, MQTT, XMPP, and S7. It addresses most of the major NTA use cases and a selection of essential ETA methods. The solution can detect and allow for automated responses to major TTPs. Stellar Cyber employs DPI to extract header metadata and monitors the network, collecting data from a variety of sources, including endpoint telemetry, cloud logs, and threat intelligence feeds. Stellar Cyber NDR integrates raw packet collection with next-generation firewall (NGFW) logs, NetFlow, and IPFIX from various instances, facilitating DPI for over four thousand applications, as well as L2-L7 metadata and files from network traffic. The Stellar Cyber AI Engine normalizes, enriches, and correlates the metadata, using both supervised and unsupervised ML algorithms. The solution uses a correlation technique that combines weak and strong signals to identify the criticality of events and reduce false positives. Furthermore, Stellar Cyber provides a library of customizable playbooks, including response actions such as network session termination and host/network isolation. Through a visual editor, these playbooks can be edited for automated response actions.
Stellar Cyber, a venture-backed cybersecurity provider tailored for SMBs, has recently completed its Series C funding round. With a global market presence, Stellar Cyber offers an NDR solution that is suitable for organizations across various sectors. Stellar Cyber NDR is an option for organizations seeking a flexible solution with automated response capabilities.
Ratings (Security, Functionality, Deployment, Interoperability, Usability): rating values not present in the extracted text.
Table 15: Stellar Cyber’s rating
Strengths and Challenges: entries not present in the extracted text.
Leader in: entries not present in the extracted text.
Founded in 1996 in Seattle, Washington, WatchGuard Technologies is a provider of network security solutions. ThreatSync+ NDR, a cloud-native, AI-powered solution, is an extension of WatchGuard's ThreatSync XDR solution managed in the WatchGuard Cloud. Its open, cloud-native architecture eliminates the need for hardware, as it operates within the WatchGuard Cloud. Using AI-driven security policies, ThreatSync+ NDR distills the volume of network traffic into prioritized alerts, investigation views, and compliance reports. WatchGuard offers three licensing plans: ThreatSync Core, ThreatSync+, and compliance reporting. ThreatSync+ licenses can be purchased separately in addition to the core XDR capabilities and also include compliance reporting capabilities out of the box.
WatchGuard’s ThreatSync+ NDR is available for deployment as on-premises software or as a cloud service. The management console operates both on premises and in the cloud and is also available as a SaaS solution. The console offers support for SAML federation, along with iOS and Android biometrics, and WatchGuard has a mobile app for authentication. The analyst interface includes drop-down lists, a network map view, and annotation. WatchGuard MDR is a fully managed service provided by in-house SOC teams, available for purchase as a standalone offering. All WatchGuard plans include 24/7 support, with on-site and remote support available in select regions. While incident response services are included in the standard plan, remote configuration services for initial deployment must be purchased separately. The solution provides third-party integrations with Cylance Infinity and Bitdefender for sandboxes; IBM QRadar, LogRhythm, and Splunk for SIEM; and ServiceNow for ITSM, as well as with major CTI feeds. Further integration is supported through a REST API. ThreatSync+ NDR collects data via integration agents for routers and switches and directly from firewalls; physical sensor deployment is not required. The agents can collect NetFlow or sFlow data from any location within the network. Communication between agents and the console is secured via IPsec, SSH, and TLS 1.3. Full packet capture is supported in various formats to facilitate forensic investigations. While WatchGuard is audited for compliance with ISO 27001, it is not yet audited for SOC 2 Type 2.
WatchGuard ThreatSync+ NDR can take in CTI from MISP, Snort, STIX, and YARA. It has also recently begun participating in the MITRE ATT&CK evaluation. It leverages threat intelligence through the WatchGuard EPDR solution (formerly known as Panda Security), which is a CTA member, and it also collaborates with other intelligence sources. The IoC Gallery enables users to manage, import, and create IoCs. Using STIX and YARA, users can import third-party IoCs or, alternatively, create a custom IoC manually. Meanwhile, indicators of attack (IOAs) are highlighted as confirmed events that are highly likely to be an attack. Each threat indicator includes a risk assessment with configurable alert sensitivity. Alerts are available via email and syslog. The solution retains data for forensic analysis, with retention periods adjustable based on the customer’s preferences and budget.
WatchGuard ThreatSync+ NDR supports all major IP-based, streaming, and mobile application protocols but lacks support for key IoT, IIoT, and ICS protocols. It addresses most of the major NTA use cases except for file fingerprinting and endpoint application utilization mapping. The solution also employs several major methods for ETA. The metadata baselines built by WatchGuard include traffic and connection attributes, aggregated statistics, and device-to-device and application-to-server activity data. ML models analyze this metadata to detect anomalies, vulnerabilities, and attack behaviors. ThreatSync+ NDR can detect and allow for automated responses to a range of TTPs. Threat scores, calculated from threat detection, network visibility, and policy assurance metrics, determine the alert thresholds. In addition to the noise reduction provided by ML, the solution uses an automated curation process to further minimize false positives. Customer feedback is also collected to ensure higher accuracy levels. Response playbooks such as host/network isolation and disabling user accounts are available and integrated into policy workflows. Policy violations can be configured to trigger various response actions. When required, the playbooks can be edited in the policy editing menus.
WatchGuard, a private equity-owned company, has developed an NDR solution designed specifically for small and medium-sized businesses, which makes it an option for smaller teams. The company has a strong market presence in both the EMEA and North America regions. In September 2023, WatchGuard announced the acquisition of CyGlass, a cloud-based threat detection and response company. WatchGuard ThreatSync+ NDR is an option for organizations that require network visibility, automated threat detection, and dedicated compliance reporting capabilities.
Ratings (Security, Functionality, Deployment, Interoperability, Usability): rating values not present in the extracted text.
Table 16: WatchGuard Technologies’ rating
Strengths and Challenges: entries not present in the extracted text.
Besides the vendors covered in detail in this document, we observe some other companies in the market that readers should be aware of. These vendors did not participate in the rating for various reasons, but nevertheless offer a significant contribution to the market space.
Symantec Security Analytics offers advanced threat protection through comprehensive network traffic monitoring and analysis. Security Analytics appliances deliver a range of capabilities, including application classification, real-time threat intelligence, anomaly detection, zero-day threat detection, Layer 2-7 analytics, security integrations, context-aware security, and forensic investigations. These appliances enable rapid threat identification by providing total network traffic visibility and leveraging DPI to classify over three thousand applications and protocols. They offer real-time threat intelligence through integration with Symantec intelligence services and the global intelligence network.
Why worth watching: Symantec Enterprise Cloud provides a comprehensive suite of network protection, secure web gateway, threat protection, ETA, endpoint protection, and email security solutions, all integrated into a unified platform. The solution offers flexible and scalable on-premises and cloud deployments. Broadcom is a member of the CTA.
Infinity NDR is a plug-and-play solution designed to equip analysts with the tools to detect, investigate, and respond to cyber threats. The solution automates and streamlines security operations, offering contextual visibility for threat investigation and hunting. The Infinity platform employs AI and automation to enhance efficiency and facilitate incident response. AI-powered threat discovery and prevention automate security tasks such as data correlation, log analysis, and incident prioritization, allowing human analysts to focus on more complex tasks.
Why worth watching: Check Point empowers its NDR solution with solid AI and threat hunting capabilities. Check Point is a global provider of network security solutions and a member of the CTA.
Corelight Open NDR platform leverages open-source technologies such as Zeek and Suricata, integrating them with proprietary solutions to enhance network visibility and security. The platform's key capabilities include network detection, IDS, network security monitoring (NSM), and PCAP, all within a single tool. By leveraging a metadata-based approach that incorporates ML analytics and Suricata's IDS engine, the Open NDR platform enhances detection coverage and accuracy. Additionally, Corelight's platform enables the use of custom detections and regular updates from Corelight Labs, facilitating new ways to deepen network insight.
Why worth watching: The solution comes with solid integration options with third-party tools, coverage for over eighty TTPs across hybrid cloud infrastructure, and visibility into more than fifty protocols. ETA capabilities also look promising.
Fidelis Network is an NDR solution that can be deployed as a standalone solution or as part of the Fidelis Elevate XDR platform. The unified solution offers a comprehensive range of security capabilities, including sandboxing, network forensics, DLP, deep session inspection, email security, threat intelligence, and automated security policies. These features aggregate alerts, context, and evidence for threat investigation. Fidelis Network also includes network behavior analysis and ML-based anomaly detection for threat analysis. It maps threats against the MITRE ATT&CK framework and provides high-fidelity alerts.
Why worth watching: Fidelis offers a comprehensive suite of cybersecurity solutions, including Endpoint Security, Network Security, Deception, and AD Protection, all in a single platform. The platform is particularly suited to automated threat detection and hunting. It supports the collection of over three hundred metadata attributes of protocols and files.
GREYCORTEX Mendel is an NDR solution designed to improve cybersecurity for various types of networks, including IT and OT environments. It uses DPI, ML, and advanced AI techniques to detect and respond to cyber threats. Mendel is capable of identifying and mitigating threats in real time, offering features such as sandboxing, network forensics, DLP, and threat intelligence integration. It also supports forensic investigations by providing detailed insight into network activity. The solution is particularly beneficial for critical infrastructure sectors such as manufacturing, energy, healthcare, and government, where both IT and OT networks must be secured.
Why worth watching: GREYCORTEX is a good option for securing both IT and OT environments while ensuring compliance with industry-specific standards and regulations. An actionable overview of network, device, and user behavior is available for those who need visualized network communications.
Group-IB’s NDR solution is integrated into its managed XDR platform. The XDR suite includes NTA, EDR, business email protection (BEP), attack surface management (ASM), and a malware detonation platform (sandbox). Group-IB Managed XDR is available as a cloud service or a managed service through MSSPs. Group-IB’s proprietary Threat Intelligence provides context-rich data on industry-specific threats, risk profiles, threat actors, and attack maneuvers. Moreover, Group-IB shares CTI with organizations such as Europol, Interpol, and national computer emergency response teams (CERTs).
Why worth watching: Group-IB offers some NDR functions as part of its XDR suite. Tailored for SMBs, the company has established a strong presence in both EMEA and APAC, with a particular emphasis on Eastern Europe. Group-IB's AI-driven NDR component, combined with strong threat intelligence, provides actionable insights and unified control for threat hunting, incident response, and security operations.
LinkShadow NDR is an advanced analytics and ML-based solution that provides real-time threat detection and response capabilities within network environments. The solution performs deep packet network traffic inspection and analysis, allowing users to identify the activities and behaviors of devices, applications, and users on the network. The platform provides SOC analysts with the tools they need to conduct effective threat hunting. By interpreting and inspecting various network protocols, it identifies anomalies and potential vulnerabilities associated with specific protocols. The platform helps reduce the mean time to detection and response (MTTDR) by providing proactive monitoring and incident response management tools.
Why worth watching: LinkShadow NDR can automatically identify and proactively respond to potential security threats. The various out-of-the-box reports help ensure compliance with security standards.
LogRhythm NetMon is a network traffic analytics tool that provides real-time visibility and security analytics to monitor an organization's network. It helps detect, prevent, and recover from cyberattacks by leveraging advanced analytical techniques. The platform uses DPI to analyze and categorize network traffic and provides detailed packet metadata. The solution also employs ML and deterministic detection techniques to analyze network as well as user and host activity, generate high-fidelity alarms, and minimize attacker dwell time.
Why worth watching: NetMon offers a comprehensive set of pre-configured detection rules, orchestration with the LogRhythm environment, and interoperability with SIEM, EDR, and other security solutions. LogRhythm recently merged with Exabeam, and the combined offering will be highly competitive.
Lumu provides a platform for network visibility and threat detection. The core product, Lumu Insights, uses network monitoring to identify points of compromise and adversarial communications within the network. The platform incorporates a wide range of metadata collection methods, including DNS requests, firewall logs, and proxy logs, to provide a holistic view of network security. One of Lumu's key features is Autopilot, which automates cybersecurity operations. Autopilot increases efficiency by freeing up cybersecurity teams to focus on higher-level tasks, such as threat hunting.
Why worth watching: Lumu brings SecOps enablement, incident management, and automated response under one unified platform. It provides strong out-of-the-box integration capabilities with more than a hundred well-known third-party tools. It is aligned with the MITRE ATT&CK framework.
NextRay's NDR tool is designed to enhance network security through AI-powered detection. It provides automated and manual responses to threats. By using ML models, it can analyze user behavior, detect anomalies, and prevent data exfiltration. The platform also offers features such as DPI for traffic analysis, advanced threat hunting tools for SOC analysts, and forensic analysis capabilities using historical network data.
Why worth watching: The platform supports various use cases including insider threats, OT/IoT security, and ransomware, making it a versatile tool for different sectors such as telecommunications, manufacturing, government, education, and finance.
Plixer One Security is a non-intrusive network monitoring solution designed to enhance visibility and security across complex IT environments. It detects and responds to threats by utilizing ML, selective packet capture, and ETA. The integrated solution includes features like reporting, endpoint analytics, application, and DNS monitoring, and 24/7 support services. Plixer One Security uses AI/ML, threshold algorithms, and rule-based detections to provide visibility from L2 to L7.
Why worth watching: Plixer One Security is designed to detect a range of TTPs across your network. Leveraging advanced AI/ML analytics, it proactively identifies anomalies and neutralizes attacks before they cause significant damage. It also aligns with the MITRE ATT&CK framework.
Stamus Security Platform consists of two main components: Stamus Network Probes and Stamus Central Server. The network probes perform comprehensive network traffic inspection, capturing protocol transactions, flow data, and full packet captures. The Central Server manages these probes, integrates third-party threat intelligence, and provides a centralized interface for threat hunting and incident investigation.
Why worth watching: Stamus Labs develops innovative algorithms and sophisticated intelligence to enhance threat detection capabilities. The solution is equipped with comprehensive TTP coverage.
Trellix NDR employs behavioral analysis, ML, and advanced analytics to detect network anomalies and analyze traffic and flow records. The solution enables teams to monitor both perimeter and lateral network traffic. Trellix Network Security tool integrates multiple AI, ML, and correlation engines to detect and respond to advanced threats and lateral movements. Trellix Intrusion Prevention System tool offers advanced threat prevention, monitoring networks for malicious activities, and blocking intrusions rapidly. Trellix Network Forensics tool helps quantify the impact of attacks, visualizing events before, during, and after incidents to prevent the recurrence of similar incidents.
Why worth watching: The signatureless threat detection system is designed to identify a range of sophisticated attacks. The solution enables rapid and effective advanced threat mitigation by providing in-depth information about the attack and attacker.
Trend Vision One reveals the chronological order of correlated threat events to visualize the entire lifecycle of an attack by retracing an attack’s entry point, identifying affected individuals, and pinpointing command-and-control communications. The comprehensive data collection allows for in-depth threat hunting and investigation. SOC professionals can prioritize threats using Connected Threat Defense and automated playbooks to mitigate risks. Offered as part of Trend Micro XDR, the NDR platform includes tools for network vulnerability protection, network analytics, SASE, and ICS/OT security.
Why worth watching: The unified XDR platform unifies NDR with endpoint, email, cloud, and OT detection and response capabilities. It also employs an identity-centric approach and features a lightweight virtual sensor designed to extract metadata and analyze network anomalies. The orchestration within the Trend Micro ecosystem leverages comprehensive data analysis to effectively identify and mitigate threats.
The Vectra AI NDR solution employs AI-driven attack signal intelligence to detect and respond to threats across the network environment. The solution provides coverage of MITRE ATT&CK techniques and identifies early indicators of attacker activity. It analyzes and stores network activity without relying on preset rules or pattern detection. Additionally, the solution identifies threats without requiring decryption. Vectra AI NDR also supports targeted responses by integrating with existing security tools and playbooks. The platform enriches metadata, enhancing custom models in SIEM or data lakes with detailed network information. This enriched metadata also empowers analysts and threat hunters with advanced search capabilities. Furthermore, Vectra AI NDR consolidates Suricata signature-based detections and Vectra AI behavior-based detections into a single sensor.
Why worth watching: The solution offers rapid deployment options for a variety of instances. The emphasis on false positive reduction enables customers to focus on the most critical threats. It aligns with the MITRE D3FEND framework. The AI Platform provides a comprehensive solution for detection, prioritization, investigation, and response in a unified suite.
Leadership Compass - Identity Threat Detection and Response (ITDR): IAM Meets the SOC
Leadership Compass – Web Application Firewalls
Leadership Compass - Intelligent SIEM Platforms
Leadership Compass - Cloud-Native Application Protection Platforms (CNAPP)
Leadership Compass – Email Security
Leadership Compass - API Security & Management
Leadership Compass – Attack Surface Management
Leadership Compass - Software Supply Chain Security
Leadership Compass - Cloud Security Posture Management
Leadership Compass - Managed Detection and Response (MDR)
Leadership Compass - Fraud Reduction Intelligence Platforms (FRIP)
Leadership Compass - Data Security Platforms
Leadership Compass - Data Leakage Prevention
Leadership Compass - Security Orchestration Automation and Response (SOAR)
Advisory Note - Strategic Cybersecurity Recommendations for 2024-2033
Advisory Note - Cyber Risk Frameworks in 2024
Advisory Note - Architecting Your SOC to Defend Against Today's Attack Vectors
Advisory Note - Cybersecurity Resilience with Generative AI
Executive View - ExeonTrace NDR
Whitepaper - Secure Software Supply Chains
© 2024 KuppingerCole Analysts AG. All rights reserved. Reproducing or distributing this publication in any form is prohibited without prior written permission. The conclusions, recommendations, and predictions in this document reflect KuppingerCole's initial views. As we gather more information and conduct deeper analysis, the positions presented here may undergo refinements or significant changes. KuppingerCole disclaims all warranties regarding the completeness, accuracy, and adequacy of this information. Although KuppingerCole research documents may discuss legal issues related to information security and technology, we do not provide legal services or advice, and our publications should not be used as such. KuppingerCole assumes no liability for errors or inadequacies in the information contained in this document. Any expressed opinion may change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Their use does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts supports IT professionals with exceptional expertise to define IT strategies and make relevant decisions. As a leading analyst firm, KuppingerCole offers firsthand, vendor-neutral information. Our services enable you to make decisions crucial to your business with confidence and security.
Founded in 2004, KuppingerCole is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as technologies enabling Digital Transformation. We assist companies, corporate users, integrators, and software manufacturers to address both tactical and strategic challenges by making better decisions for their business success. Balancing immediate implementation with long-term viability is central to our philosophy.
For further information, please contact clients@kuppingercole.com.