

June 4, 2025
GigaOm Radar for Network Detection and Response (NDR) Solutions v3
Ivan McPhee
1. Executive Summary
Network Detection and Response (NDR) solutions provide continuous monitoring and analysis of network traffic to identify and respond to cybersecurity threats in real time. These solutions leverage advanced technologies such as artificial intelligence, machine learning, and behavioral analytics to detect both known and unknown threats across on-premises, cloud, and hybrid environments.
NDR solutions analyze north-south (inbound/outbound) and east-west (lateral) traffic, providing comprehensive visibility into network activities and enabling security teams to detect sophisticated attacks that may evade traditional security measures.
As cyber threats evolve in complexity and frequency, NDR solutions have become increasingly important for organizations across various industries, including financial services, healthcare, retail, and government sectors. By offering continuous monitoring, rapid threat detection, and automated response capabilities, NDR helps organizations minimize the impact of potential security incidents and maintain the integrity of their digital assets in an increasingly complex threat landscape.
For businesses seeking to enhance their cybersecurity posture, NDR offers several key benefits:
Early threat detection and rapid response capabilities
Improved network visibility across on-premises, cloud, and hybrid environments
Enhanced compliance with regulatory requirements
Reduced risk of data breaches and associated costs
More efficient allocation of security resources
Furthermore, the NDR market is experiencing rapid growth and innovation. Key trends shaping its future include:
Deeper integration with AI and machine learning: Advanced AI and ML algorithms are enhancing threat detection capabilities, enabling more accurate identification of subtle anomalies and potential threats in real time.
Cloud-native solutions: As organizations increasingly adopt hybrid and multicloud environments, NDR solutions are evolving to provide seamless visibility and protection across diverse infrastructures.
Integration with zero trust architecture: NDR tools are aligning with zero trust principles to ensure continuous verification of users and devices, reducing lateral movement risks.
Increased automation: The adoption of automated incident response features is helping organizations mitigate threats faster and reduce manual intervention.
Expansion into IoT and OT security: NDR solutions are extending their capabilities to address vulnerabilities in connected ecosystems, including internet of things (IoT) and operational technology (OT) devices.
As the NDR landscape evolves, organizations should prioritize solutions that offer scalability, flexibility, and adaptability to accommodate the growing volume and diversity of network traffic. By focusing on these areas, businesses can position themselves to leverage the full potential of next-generation NDR solutions and enhance their overall security posture in an increasingly complex digital ecosystem.
This is our third year evaluating the NDR space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 29 of the top NDR solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading NDR offerings, and help decision-makers evaluate these solutions to make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well NDR solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Cloud service providers (CSPs): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
Network service providers (NSPs): Providers selling network services—network access and bandwidth—that provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
Managed service providers (MSPs): Providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
Large enterprises: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
Small-to-medium businesses (SMBs): Small businesses (fewer than 100 employees) to medium-sized businesses (100 to 1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a colocation facility.
In addition, we recognize the following deployment models:
Stand-alone hardware sensors: Network data is collected by installing dedicated physical hardware sensors at critical junctions across the network.
Embedded hardware sensors: Network data is collected by embedding sensors in network equipment, such as routers or switches, throughout the network.
Virtual sensors: Network data is collected by installing dedicated virtual sensors on IaaS platforms or in VMs at critical junctions in the network.
Endpoint sensors: Network data is collected by embedding sensors in endpoints of the network, including user devices.
Third-party infrastructure: Network data is collected from preexisting third-party infrastructure logs or via packet visibility APIs throughout the network.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Comprehensive threat detection
Non-signature-based threat detection
North-south and east-west monitoring
Out-of-the-box analysis
Built-in incident response
Intelligent anomaly detection
Metadata threat detection
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an NDR solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating NDR Solutions.”
Key Features
Core network integrations: Core network integrations enable NDR solutions to seamlessly connect with existing network infrastructure and security tools. This integration enhances overall visibility, streamlines data sharing, and enables coordinated threat detection and response across the entire network environment.
Deep packet inspection: Deep packet inspection (DPI) allows NDR solutions to analyze both packet headers and payloads, providing granular visibility into network traffic. This capability is crucial for detecting sophisticated threats hidden within seemingly benign traffic.
Encrypted traffic analysis: Encrypted traffic analysis allows NDR solutions to detect threats within encrypted network traffic without decrypting it. This capability is essential for maintaining data privacy while still identifying potential security risks in an increasingly encrypted network landscape.
Integrated flow data analysis: Integrated flow data analysis allows NDR solutions to process network flow records for comprehensive visibility into communication patterns. This capability is vital for efficiently detecting anomalies and potential threats across large-scale networks.
Contextualized visibility: Contextualized visibility provides a comprehensive view of network activities, including user behavior, device interactions, and data flows. This holistic perspective enables security teams to detect threats, trace their origins, and understand their impact within the broader network ecosystem.
Historical forensics: Historical forensics capabilities enable NDR solutions to store and analyze historical network data for post-incident investigation and threat hunting. This feature is crucial for understanding the full scope of security incidents and identifying long-term patterns of malicious activity.
Automated response: Automated response capabilities enable NDR solutions to take immediate action to contain and mitigate detected threats. This feature is essential for reducing response times and minimizing potential damage from security incidents.
Regulatory compliance: Regulatory compliance features in NDR solutions provide detailed network visibility, logging, and reporting capabilities. These features help organizations meet data protection standards, adhere to industry regulations, and simplify audit processes.
Table 2. Key Features Comparison
Emerging Features
Zero-network footprint: Zero-network footprint NDR leverages cloud-delivered analytics to monitor and analyze network traffic without on-premises hardware or agents. This approach minimizes network performance impact and infrastructure requirements while providing comprehensive threat detection capabilities.
Custom data lake integration: Custom data lake integration allows NDR solutions to connect with centralized repositories for storing and analyzing large volumes of network data. This capability enhances threat correlation and forensic investigations by providing a unified view of security-related information across diverse sources.
Generative/predictive AI: Generative and predictive AI in NDR solutions simulate potential attack scenarios and forecast future threat patterns. This capability enables proactive and adaptive cybersecurity by identifying emerging risks and enhancing detection through synthetic data generation.
Automated response playbooks: Automated response playbooks in NDR solutions standardize and streamline incident handling by executing predefined, context-aware actions. This capability ensures rapid and consistent threat mitigation, reducing response times and minimizing potential damage from security incidents.
Framework support: Framework support in NDR solutions maps detected threats to established frameworks like MITRE ATT&CK, aligning with industry best practices. This capability enables security teams to identify, understand, and respond to attacks with precision, enhancing overall threat detection and response effectiveness.
C2 detection over public infrastructure: C2 detection over public infrastructure analyzes network traffic patterns, behaviors, and metadata to identify malicious communications between compromised devices and attacker-controlled servers. This capability is crucial for detecting and disrupting advanced persistent threats that leverage legitimate services for command and control.
Managed NDR: Managed NDR outsources continuous network monitoring, threat detection, and incident response to specialized security teams or service providers. This approach ensures expert protection against advanced threats while minimizing in-house resource requirements and operational complexity.
Table 3. Emerging Features Comparison
Business Criteria
Configurability: Configurability in NDR solutions allows security teams to customize detection rules, response actions, and integration parameters. This flexibility ensures the solution aligns precisely with an organization's unique network architecture, risk profile, and security requirements.
Interoperability: Interoperability in NDR solutions enables seamless integration with existing security tools and network infrastructure. This capability is crucial for creating a cohesive security ecosystem that can effectively detect and respond to threats across the entire network environment.
Manageability: Manageability in NDR solutions provides intuitive, centralized control over configuration, monitoring, and optimization processes. This feature is essential for reducing operational complexity and administrative overhead, enabling security teams to focus on critical threat detection and response tasks.
Observability: Observability in NDR solutions provides real-time, contextual insights into network traffic, threat behaviors, and security events. This capability is crucial for enabling deep understanding and rapid decision-making in complex network environments.
Performance: Performance in NDR solutions refers to the ability to monitor and analyze network traffic with minimal latency and low computational overhead. This capability is essential for maintaining effective threat detection without degrading network speed or introducing processing bottlenecks.
Resiliency: Resiliency in NDR solutions ensures continuous operation and threat detection capabilities, even during system disruptions or infrastructure challenges. This feature is crucial for maintaining uninterrupted network security and minimizing potential vulnerabilities during critical periods.
Support: Support for NDR solutions encompasses comprehensive assistance, including technical guidance, troubleshooting, and ongoing optimization. This service is essential for ensuring the effective implementation, maintenance, and continuous improvement of the NDR platform to address evolving security challenges.
Cost: Cost considerations for NDR solutions include transparent pricing based on usage metrics and a clear outlining of additional expenses. This clarity is crucial for accurate budgeting and ensuring that the chosen solution provides the best value for the organization's specific needs.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for NDR
As you can see in Figure 1, Arista, Corelight, Darktrace, ExtraHop, Lumu Technologies, Trellix, and Vectra AI are Leaders based on their high scores across the decision criteria evaluated in this report. In addition, all of them except Arista and Trellix are recognized as Outperformers based on their pace of innovation compared to the industry in general.
It should be noted that Maturity does not exclude Innovation. Instead, it differentiates a vendor enhancing existing capabilities from one innovating by adding new capabilities. Furthermore, with different approaches available for capturing and analyzing network traffic, positioning in each quadrant is determined as follows:
Maturity/Platform Play: The vendor’s solution provides robust DPI, encrypted traffic analysis, and metadata threat detection from data captured using physical and virtual appliances or sensors, third-party network flow, and sub-flow data.
Innovation/Platform Play: The vendor’s solution provides evolving DPI, encrypted traffic analysis, and metadata-based threat detection from data captured using a mix of physical and virtual appliances or sensors, third-party network flow, and sub-flow data.
Innovation/Feature Play: The vendor’s solution provides metadata threat detection captured exclusively using third-party network flow or sub-flow data without the use of physical or virtual appliances or sensors but does not provide DPI or encrypted traffic analysis.
Maturity/Feature Play: The vendor’s solution provides DPI for encrypted traffic analysis and metadata-based threat detection captured exclusively using physical appliances or sensors.
The color of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input and in comparison to improvements made across the industry in general).
Gatewatcher is a new addition to the list of vendors. IronNet filed for bankruptcy and has been removed from this year’s report.
In reviewing solutions, it’s essential to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Arista: Arista NDR*
Solution Overview
Founded in 2004, Arista is an industry leader in data-driven, client-to-cloud networking solutions, specializing in multilayer network switches for large data center/AI, campus, and routing environments. In October 2020, Arista acquired Awake Security and launched Arista NDR, a network detection and response platform that combines AI with human expertise to autonomously hunt and respond to insider and external threats.
Arista NDR's architecture comprises five key components: Analyst Portal, AVA (Autonomous Virtual Assist), Console/UI, Nucleus, and Sensors. Sensors—available as hardware, virtual, cloud-based, and software extensions on Arista Campus switches—perform full packet capture, store forensic packet logs, parse and extract data from over 3,000 network protocols from Layer 2 through Layer 7, summarize activities, and forward them to the Nucleus. The platform conducts deep packet inspection, including encrypted traffic analysis without decryption, and uses AVA to handle large amounts of traffic, make associations, find patterns, and identify situations requiring attention.
Arista takes a focused approach to NDR, innovating with AI-driven detection capabilities while continuously enhancing its platform with incremental improvements and emerging features like unified visibility across hybrid networks and specialized security workflows.
Arista is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Arista NDR scored well on several decision criteria, including:
Deep packet inspection: Arista NDR parses data deeper than many competitors do, analyzing full network packets through Layer 7 rather than just headers or NetFlow. The platform inspects over 3,000 protocols and can analyze encrypted traffic without decryption. This capability is enhanced when deployed on Arista campus switches, allowing the detection of lateral movement and credential abuse closer to the source, making it more effective at identifying east-west threats than perimeter-based security devices.
Integrated flow data: Arista NDR processes both full packet data and flow information, extracting richer signals like user information from Kerberos packets that wouldn't appear in basic protocol headers or NetFlow. This comprehensive approach improves detection fidelity, enables better entity tracking, and helps the solution scale to large, complex networks while maintaining high accuracy and a signal-to-noise ratio of 95%—almost fifteen times better than competitors.
Historical forensics: The platform stores "activity records" of actual transactions between network entities rather than just protocol metadata. This forensic data allows investigators to retrospectively detect behaviors that weren't initially recognized as malicious, providing crucial context for investigations while maintaining a smaller storage footprint than full packet captures.
Opportunities
Arista NDR has room for improvement in a few decision criteria, including:
Core network integration: While Arista NDR can deploy on campus switches, it may not fully integrate with all core network infrastructure components beyond Arista's own ecosystem. The platform requires specific deployment on leaf switches to be effective, potentially creating gaps in visibility when deployed in heterogeneous network environments with non-Arista equipment. This limits its ability to provide seamless data sharing and highly coordinated threat detection across all integrated systems.
Encrypted traffic analysis: Arista NDR analyzes encrypted protocols without decryption, which inherently limits the depth of inspection possible compared to solutions that can decrypt and fully inspect encrypted traffic. This approach relies on inferential analysis and metadata examination rather than direct content inspection, potentially missing sophisticated threats that hide within encrypted payloads.
Contextualized visibility: The platform focuses on autonomously discovering and profiling entities but may not fully correlate encrypted communication patterns with broader network activities and user behaviors across all scenarios. It lacks real-time, bidirectional data flow among all integrated systems across the entire network ecosystem, limiting its ability to provide comprehensive context for every detected anomaly in complex environments.
Purchase Considerations
Arista NDR employs a subscription-based pricing model, offering annual licenses with no extra fees for standard features. The subscription model allows flexible scaling based on customer needs, with multiyear agreements offering potential discounts. Customers can choose from various deployment options, including physical hardware sensors, virtual sensors, cloud-based sensors, and software extensions integrated into Arista Campus switches. The platform is designed to minimize migration complexity by enabling rapid deployment without lengthy machine learning training periods or operational overhead. Proof of concept (PoC) capabilities are available to demonstrate the platform’s ability to autonomously detect threats across traditional, IoT, and cloud networks.
Key purchase considerations include the ease of integration with existing security tools such as security information and event management (SIEM), endpoint detection systems, and orchestration platforms via API support. While the platform integrates seamlessly within Arista's ecosystem, compatibility with non-Arista infrastructure may require additional configuration. Additionally, Arista NDR’s autonomous triage and response capabilities significantly reduce analyst workloads, ensuring faster detection and response times while maintaining high signal-to-noise ratios. Customers should consider the platform's ability to analyze encrypted traffic without decryption and its focus on providing "answers, not alerts" when evaluating its fit for their security operations. Arista also offers a managed NDR service through Awake Labs, providing 24/7 monitoring and threat hunting for organizations with limited security resources.
Use Cases
Arista NDR addresses a broad range of use cases, including digital forensics, incident response, insider threat protection, non-malware threat detection, situational awareness, and threat hunting across various network environments. The platform targets organizations requiring high-performance network-based detection, particularly those already using the Arista ecosystem. It serves multiple sectors, including cloud networks, consumer finance, and enterprises with complex environments spanning perimeter, core, IoT, and cloud networks. Arista NDR is especially valuable for security teams needing visibility into encrypted traffic, IP-based communications, and dynamic workloads, helping reduce operational burdens while enabling effective threat detection and response.
Broadcom: Symantec Security Analytics
Solution Overview
Founded in 1991, Broadcom is a global technology leader that designs, develops, and supplies a wide range of semiconductor and infrastructure software solutions. Broadcom completed its acquisition of VMware (which owned Carbon Black) in November 2023 and, in March 2024, merged Carbon Black and Symantec (acquired in 2019) into a new Enterprise Security Group business unit tasked with combining network and data telemetry with endpoint detection and response (EDR) technologies.
Symantec Security Analytics employs a multitiered architecture with hardware and virtual sensors that perform lossless full packet capture at up to 10 Gbps. The solution features next-generation deep packet inspection across Layers 2-7, classifying over 2,800 protocols and applications while extracting thousands of metadata attributes. Key components include Security Analytics Appliances, a Central Manager providing aggregated views from over 200 sensors, and an Indicators and Rules engine that enables real-time threat detection through advanced DPI.
Broadcom takes a focused approach to NDR, incrementally improving existing features while adding AI capabilities, enhanced hardware, and network connectivity improvements to its comprehensive packet capture and analysis solution.
Broadcom is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Symantec Security Analytics scored well on several decision criteria, including:
Deep packet inspection: Symantec Security Analytics employs advanced DPI across layers 2-7, classifying over 3,100 applications and thousands of metadata attributes. Unlike basic packet filtering that only examines headers, Symantec's solution performs comprehensive payload analysis to detect sophisticated threats, including APTs, polymorphic malware, and zero-day exploits. The system can differentiate between legitimate and malicious traffic even when using non-standard ports, providing granular visibility into encrypted communications when deployed with SSL Visibility.
Historical forensics: The platform delivers comprehensive retrospective analysis capabilities by storing captured network traffic in an optimized file system for rapid analysis and instant retrieval. It scales to multiple petabytes of historical data, allowing security teams to reconstruct full sessions from packet data and conduct thorough forensic investigations weeks or months after an incident. This detailed record enables organizations to resolve breaches in a fraction of the time compared to conventional processes.
Regulatory compliance: Symantec Security Analytics supports compliance requirements through its ability to monitor sensitive information in transit, establish policies to selectively decrypt SSL traffic, and provide detailed audit trails. The solution offers customizable security assessments to support internal security standards and align with IT operations' SLAs and performance objectives, enabling sustainable compliance programs across multiple regulatory frameworks.
Opportunities
Symantec Security Analytics has room for improvement in a few decision criteria, including:
Core network integrations: Symantec Security Analytics lacks deep integration capabilities with core network infrastructure components, offering limited automated data collection from various sources. While it can connect with some security tools, it doesn't demonstrate seamless integration with a wide range of network devices. The solution shows gaps in coordination and response automation across the security ecosystem and lacks bidirectional data flow between integrated systems, preventing it from forming a cohesive security fabric.
Integrated flow data: Symantec Security Analytics demonstrates limited support for external flow protocols like NetFlow, sFlow, and IPFIX, focusing primarily on its own packet capture capabilities rather than aggregating flow data from multiple sources. The solution lacks advanced machine learning algorithms specifically designed for flow data analysis that would identify subtle patterns indicative of advanced threats or novel attack techniques and doesn't show evidence of continuous learning to improve flow-based anomaly detection over time.
Automated response: Symantec Security Analytics relies heavily on predefined rules and manual intervention for threat mitigation, lacking advanced AI-driven decision-making capabilities for automated responses. The system doesn't demonstrate adaptive response capabilities based on specific threat context, asset criticality, and user roles. While it offers some rule-based actions through its Indicators and Rules engine, it falls short in the autonomous execution of complex mitigation actions and lacks sophisticated playbook orchestration across multiple security tools.
Purchase Considerations
Symantec Security Analytics has transitioned to an enterprise licensing model that separates hardware and software purchases, basing costs on usage rather than per-instance licensing. This usage-based approach measures the average volume of network traffic analyzed daily, eliminating the need to pay for idle licenses or purchase unused capacity in advance. The model includes an Intelligence Services subscription for real-time threat intelligence (previously sold separately) and offers potential tax benefits by separating CapEx (hardware) from OpEx (software subscription).
Key purchase considerations include multiple deployment options (on-premises, cloud, and virtual appliance) with the ability to transition between environments using the same license. The solution supports public cloud deployments on Oracle, AWS, Azure, and Google Cloud. When planning deployments, customers should consider their network traffic volume, required retention periods, and disaster recovery needs. The platform offers half the rack space of previous generations while maintaining performance, making it easier to scale across the organization without changing licenses. Proof of concept options are available through time-limited evaluation licenses.
Use Cases
Symantec Security Analytics addresses a broad range of use cases, including compliance management across regulatory and assurance frameworks (HIPAA, ISO 27001, PCI DSS, SOC 2), identity analytics for cloud environments, and predictive analytics with user and entity behavior analytics (UEBA). It provides comprehensive network forensics for security operations centers, enabling rapid incident response through full packet capture and classification across layers 2-7, with machine learning-based anomaly detection that establishes baselines of normal network behavior against which suspicious activity is identified.
Cisco: Cisco Secure Network Analytics
Solution Overview
Founded in 1984, Cisco provides networking hardware, telecommunications equipment, and IT services, specializing in routers, switches, wireless systems, security solutions, data center products, and collaboration tools. Cisco acquired Splunk, a cybersecurity and observability vendor, in March 2024, and Isovalent, a leader in open-source cloud-native networking and security, in April 2024.
Cisco Secure Network Analytics provides enterprise-wide network visibility using a distributed architecture: a Manager, Flow Collectors (which gather telemetry), optional Flow Sensors, and Data Store nodes (which aggregate and store the data). It ingests network flow data (NetFlow, IPFIX, sFlow, Zeek logs, firewall connection logs, and public cloud logs) and endpoint telemetry through hardware appliances or virtual editions. The solution primarily analyzes flow-based metadata rather than performing deep packet inspection, employing dynamic entity modeling to classify network devices based on behavior and detect anomalies. The recently added Zeek and firewall log ingestion brings in payload-derived metadata from Zeek's protocol analyzers, giving the product some payload-level visibility without raw packet capture.
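To make concrete what a behavioral analytic over flow and Zeek metadata looks like, the following Python script is an added example written for this report; it is not Cisco's dynamic entity modeling nor code from any vendor covered here. It assumes Zeek's JSON conn.log format (LogAscii::use_json=T) with the standard field names ts, id.orig_h, id.resp_h and id.resp_p, and the log records it analyzes are constructed for the example, not taken from a capture. The detection flags source/destination pairs whose connections recur at nearly constant intervals, the classic signature of a C2 beacon, using the coefficient of variation of the inter-connection gaps.

```python
"""Beacon-candidate detection over Zeek conn.log records in JSON format.

Added example of a flow-metadata behavioural analytic; it is not Cisco's
dynamic entity modeling nor any vendor's code. Assumes Zeek's JSON conn.log
(LogAscii::use_json=T) with the standard fields ts, id.orig_h, id.resp_h,
id.resp_p and orig_bytes. The log lines below are constructed, not captured.
"""
import json
import statistics
from collections import defaultdict


def build_sample_conn_log() -> str:
    """Constructed conn.log: host 10.0.0.23 contacts 203.0.113.7:443 every
    ~60 s with little jitter (beacon-like); host 10.0.0.42 browses
    198.51.100.9:443 at irregular intervals. IPs are documentation ranges."""
    def records(orig, resp, port, gaps, size):
        ts, rows = 1_700_000_000.0, []
        for i, gap in enumerate([0] + gaps):
            ts += gap
            rows.append({"ts": ts, "uid": f"C{orig[-2:]}{i:03d}",
                         "id.orig_h": orig, "id.orig_p": 50000 + i,
                         "id.resp_h": resp, "id.resp_p": port,
                         "proto": "tcp", "service": "ssl", "duration": 0.2,
                         "orig_bytes": size, "resp_bytes": size,
                         "conn_state": "SF"})
        return rows

    beacon = records("10.0.0.23", "203.0.113.7", 443,
                     [60, 61, 59, 60, 62, 58, 60, 61, 59], 312)
    web = records("10.0.0.42", "198.51.100.9", 443,
                  [3, 120, 7, 900, 2, 45, 300, 1, 60], 4800)
    rows = sorted(beacon + web, key=lambda r: r["ts"])
    return "\n".join(json.dumps(r) for r in rows)


def pair_stats(conn_log: str) -> dict:
    """Per (orig_h, resp_h, resp_p): connection count, mean gap between
    connections and the coefficient of variation (CV) of those gaps."""
    stamps = defaultdict(list)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        stamps[key].append(float(rec["ts"]))
    stats = {}
    for key, ts in stamps.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            continue  # CV is meaningless for a single interval
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        stats[key] = {"count": len(ts), "mean_gap": mean, "cv": cv}
    return stats


def beacon_candidates(conn_log: str, min_conns: int = 8,
                      max_cv: float = 0.1) -> dict:
    """Flag pairs with many connections whose spacing is nearly constant.
    Low CV = regular timer; the thresholds are tuning knobs, not a standard."""
    return {key: s for key, s in pair_stats(conn_log).items()
            if s["count"] >= min_conns and s["cv"] <= max_cv}


if __name__ == "__main__":
    for key, s in beacon_candidates(build_sample_conn_log()).items():
        print(f"beacon candidate {key}: {s['count']} conns, "
              f"period ~{s['mean_gap']:.0f}s, cv={s['cv']:.3f}")
```

On the constructed data the 60-second caller is flagged (CV about 0.02) and the irregular browser is not (CV above 1). In practice a timing-only test is easy to evade with jitter, so production analytics also score the constancy of orig_bytes, the destination's prevalence across hosts, and longer observation windows, and they tolerate gaps caused by the endpoint being offline.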
Cisco takes a focused approach to NDR, incrementally improving existing features while integrating capabilities like attack sequencing, firewall log detection, and IPv6 support to strengthen its network detection and response platform.
Cisco is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Cisco Secure Network Analytics scored well on several decision criteria, including:
Encrypted traffic analysis: Cisco Secure Network Analytics uses Encrypted Traffic Analytics (ETA) to analyze encrypted traffic without decryption, combining enhanced telemetry from Cisco network devices with behavioral modeling, machine learning, and global threat intelligence. ETA depends on two enhanced NetFlow fields, the initial data packet (IDP) and the sequence of packet lengths and times (SPLT), which only ETA-capable Cisco switches and routers export, so its coverage tracks the Cisco footprint in the network. Detection draws on Cisco Talos threat intelligence, a cloud-based service that classifies traffic as malicious or benign using machine learning at global scale, improving detection fidelity within encrypted sessions.
Integrated flow data: Cisco Secure Network Analytics features a comprehensive Data Store architecture that provides a central repository to store network telemetry collected by Flow Collectors. The solution supports multitelemetry ingestion from diverse sources, including on-premises networks, remote workers (via Cisco Secure Client/AnyConnect Network Visibility Module), Cisco firewall log data, and public clouds (AWS and Azure). A single Flow Collector can ingest multiple telemetry types, and the Data Store architecture enables independent scaling of flow collection and storage functions.
Automated response: The solution integrates with existing security controls to enable automated threat response without business disruption. It prioritizes alarms by threat severity, providing actionable intelligence enriched with context such as user, device, location, timestamp, and application information. When integrated with Cisco Identity Services Engine (ISE), it can trigger Adaptive Network Control policies to automatically mitigate threats by modifying network access. Integration with Cisco XDR and Splunk's SOAR platform provides automated and configurable response actions.
Opportunities
Cisco Secure Network Analytics has room for improvement in a few decision criteria, including:
Core network integrations: Cisco Secure Network Analytics faces challenges with hybrid configurations, particularly when mixing Data Store and non-Data Store domains. The solution also experiences integration problems when there are mismatches in rollup patches, making it challenging to add Data Stores/Nodes to environments with different patch levels or custom certificates.
Deep packet inspection: Cisco Secure Network Analytics primarily relies on flow-based analysis rather than deep packet inspection. The solution focuses on analyzing metadata and telemetry from network flows instead of examining the full contents of packets. This approach limits its ability to perform comprehensive content inspection, which is essential for detecting sophisticated threats hidden within packet payloads. While the addition of support for firewall telemetry and Zeek logs has mitigated this limitation to some extent with packet inspection-based detections, it is still not a substitute for full packet inspection.
Zero-network footprint: Cisco Secure Network Analytics requires significant on-premises infrastructure, including Flow Collectors, Data Store nodes, and Manager components. The traditional distributed architecture poses design challenges when deployments scale across many Flow Collectors or when flow rates reach more than three to five million flows per second, necessitating substantial hardware resources. A minimal deployment requires at least one physical or virtual appliance with local storage.
Purchase Considerations
Cisco Secure Network Analytics employs a subscription-based pricing model with licenses typically spanning one to three years. The pricing structure is based on flow rate capacity and deployment size, with separate licensing for core components (Manager, Flow Collector) and optional add-ons like Threat Intelligence. Customers can choose among hardware appliances, virtual machines (for VMware, Nutanix AHV, or KVM environments), or Cisco XDR (the SaaS version includes native network-based detection capabilities). The solution scales from small businesses to large enterprises, with pricing tiers corresponding to network complexity and monitoring requirements.
Key purchase considerations include deployment flexibility (on-premises, cloud, or hybrid), integration capabilities with existing Cisco security tools (particularly Cisco XDR and Splunk’s core and Enterprise Security platforms), and migration complexity when upgrading from legacy Stealthwatch implementations. Customers should evaluate their telemetry sources (NetFlow, IPFIX, sFlow) and consider future growth requirements, as scaling may require additional licenses or hardware. The solution offers agentless monitoring, which reduces deployment complexity but may impact visibility in specific environments. Before purchasing, organizations should request a PoC to validate the solution's effectiveness in their network environment and ensure it delivers the expected visibility and threat detection capabilities.
Use Cases
Cisco Secure Network Analytics addresses a broad range of use cases, including compliance monitoring, corporate governance enforcement, data exfiltration detection, encrypted malware detection, insider threat detection, network segmentation, policy violation monitoring, real-time threat detection, remote worker monitoring, and threat response automation. The solution is designed for organizations across various industries requiring enterprise-wide network visibility, particularly those with complex environments spanning on-premises, cloud, and hybrid infrastructures.
Comcast Technology Solutions: BluVector*
Solution Overview
A division of Comcast Corporation, Comcast Technology Solutions was created in 1994 to provide a wide range of media and entertainment technology solutions, including content aggregation, distribution, and security. In March 2019, Comcast acquired BluVector, an AI-driven network security technology company.
BluVector is an AI-driven network security platform that uses hardware and virtual sensors to perform deep packet inspection on network traffic. Its patented machine-learning classification engine, Hector, analyzes files extracted from full packet captures of FTP, HTTP, and SMTP sessions. It processes millions of packets per second, inspecting files entering or leaving the network over those protocols in real time at speeds up to 10 Gbps, and provides content-layer logging through its Zeek integration for broader network visibility.
Comcast Technology Solutions is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
BluVector scored well on several decision criteria, including:
Core network integrations: BluVector offers strong integration capabilities with existing security infrastructure through its open API, allowing connection with SIEM tools like Splunk and QRadar, endpoint solutions like Carbon Black and CrowdStrike, threat intelligence platforms like ThreatConnect, and most next-generation firewalls. It can operate inline for real-time remediation or out of band as a retrospective tool, supporting both IPv4 and IPv6 environments, including IoT- and SCADA-rich networks.
Deep packet inspection: BluVector performs comprehensive DPI by analyzing millions of packets and thousands of objects per second, examining files from HTTP, SMTP, and FTP protocols in milliseconds using its patented Hector machine-learning classification engine. It extracts features from each file to calculate malicious probability, providing analysts with findings and associated network metadata for response decisions.
Encrypted traffic analysis: BluVector employs machine learning and AI-powered detection to identify sophisticated threats, including in traffic that arrives encrypted. Its patented Speculative Code Execution engine analyzes content used by fileless malware techniques to determine malignancy, while its machine-learning content classifiers are resilient against zero-day and polymorphic malware, enabling detection without prior knowledge. These are content-based engines, so for TLS sessions they act on whatever is decrypted before it reaches the sensor or on the unencrypted portions of the exchange; they do not infer maliciousness from ciphertext alone.
Opportunities
BluVector has room for improvement in a few decision criteria, including:
Integrated flow data: BluVector lacks explicit support for standard flow protocols like NetFlow, sFlow, and IPFIX. While it provides Zeek logs for network visibility, the solution doesn't demonstrate advanced capabilities for correlating multiple flow data sources or leveraging machine learning specifically for flow-based anomaly detection. Its architecture focuses primarily on deep packet inspection rather than comprehensive flow data analysis across diverse infrastructure components.
Contextualized visibility: BluVector provides basic application-layer visibility and user/device correlation through Zeek logs but lacks advanced entity relationship mapping that would automatically identify connections between users, devices, and applications across the network. The solution doesn't offer AI-driven pattern recognition for subtle multifactor anomalies or advanced visualization tools for mapping attack vectors and understanding the full scope of security incidents.
Zero-network footprint: BluVector maintains a significant on-premises footprint, requiring dedicated hardware appliances or virtual machines for deployment. It lacks a fully cloud-native architecture with minimal local components, instead relying on hardware-based network appliances or VMs that process traffic locally. The solution doesn't implement agentless data collection techniques that would leverage existing infrastructure without additional hardware requirements.
Comcast Technology Solutions is classified as a Forward Mover because it has not announced any significant new features, capabilities, or innovations for BluVector. There is also no public information about its current product roadmap or release cadence to indicate it's keeping pace with or outperforming the rapidly evolving NDR market.
Purchase Considerations
BluVector offers a flexible pricing model based on network size, traffic volume, and management preferences. Customers can choose between self-managed deployments or a hosted solution whereby BluVector experts help train users, optimize detection engines, and remediate threats. For MSPs, BluVector-as-a-Service provides a turnkey option with pricing based on processed traffic volume rather than the number of virtual machines under management. The solution can be deployed as a hardware-based network appliance or virtual machine, with options for grid deployment across networks.
Key purchase considerations include deployment flexibility (on-premises hardware appliances or virtual machines), air-gapped operation capabilities for high-security environments, and integration with existing security infrastructure. BluVector operates without connection to the public internet, ensuring customer data remains private. The solution offers rapid implementation, with BluVector-as-a-Service activating almost immediately after contract signing compared to the previous one-month to one-year timeline. When evaluating the solution, customers should consider their network defense needs, including visibility requirements, advanced malware detection capabilities, and threat-hunting resources. BluVector's AI-powered technology is particularly valuable for organizations that must comply with requirements such as NIST, PCI, and HIPAA.
Use Cases
BluVector is an AI-driven network security platform designed for mid-sized to large organizations. It addresses a broad range of use cases, including advanced threat detection, compliance monitoring, fileless malware detection, network visibility, and zero-day attack prevention. The solution detects sophisticated threats before execution and impact, enabling security teams to respond within minutes rather than months. BluVector's air-gapped intrusion detection system is particularly applicable to organizations requiring protection against nation-state and polymorphic malware threats without a connection to the public internet.
Corelight: Open NDR Platform
Solution Overview
Founded in 2013, Corelight specializes in providing cybersecurity solutions. In June 2020, Corelight launched the Open NDR Platform, which integrates two influential open-source projects, Suricata and Zeek, into a seamless solution that enables rapid pivoting from Suricata alerts into rich network metadata.
Open NDR Platform combines dynamic network detections, AI, IDS, network security monitoring (NSM), static file analysis, and PCAP in a single architecture powered by Zeek and Suricata. It employs standalone hardware and virtual sensors to transform raw network traffic into structured evidence through deep packet inspection. The platform performs full packet analysis with selective Smart PCAP technology, analyzes encrypted traffic without decryption using JA3/JA3S fingerprinting, and leverages machine learning models for threat detection across more than 80 MITRE ATT&CK TTPs.
Corelight takes a focused approach to Open NDR, innovating rapidly with an aggressive roadmap reflecting emerging features like generative AI integration, containerized sensors, and YARA file analysis while adding NetFlow/VPC Flow support to fill feature gaps.
Corelight is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Open NDR Platform scored well on several decision criteria, including:
Deep packet inspection: Open NDR Platform leverages Zeek and Suricata to transform raw packet data into structured, high-fidelity network evidence that exposes subtle indicators of compromise, like encrypted command-and-control channels and data exfiltration attempts. The platform's single-sensor architecture consolidates NSM, IDS, and PCAP functionality while providing full transparency into the inspection process through direct access to underlying data.
Encrypted traffic analysis: The platform uses JA3 and JA3S fingerprinting of TLS client and server handshakes to identify and track encrypted sessions without decryption, complemented by behavioral inference on SSH, RDP, and VPN traffic (it recognizes over 300 VPN types) to detect encrypted threats. For organizations needing deeper inspection, it integrates with Mira Security's Encrypted Traffic Orchestrator for selective decryption while maintaining privacy for sensitive traffic through category-based bypass rules.
Historical forensics: Corelight's Smart PCAP technology extends packet-based forensic windows to weeks or months by selectively capturing only investigation-relevant packets, enabling cost-effective long-term retention while preserving critical evidence. The platform supports up to seven years of historical data storage for federal customers, and its integration with CrowdStrike LogScale (with roughly 15x data compression) makes it one of the fastest query platforms for searching that data.
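The JA3 fingerprinting described above is a public, simple technique, and it is worth seeing what the sensor actually computes. The following Python script is an added example written for this report, not Corelight's or Zeek's implementation: it parses a TLS ClientHello and builds the JA3 string (SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats, MD5-hashed) per the published specification, dropping GREASE values as the specification requires. The ClientHello bytes are constructed in the script for the example, not taken from a capture.

```python
"""JA3 client fingerprint computed from a raw TLS ClientHello record.

Added example, not Corelight's or Zeek's code. Implements the public JA3
format: decimal fields joined by '-', groups joined by ',', then MD5.
GREASE values (RFC 8701) are excluded, as the JA3 specification requires.
The sample ClientHello is constructed below, not captured from a client.
"""
import hashlib
import struct

# GREASE values: both bytes equal with low nibble 0xA. Browsers insert them at
# random, so leaving them in would give one client many different hashes.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def parse_client_hello(record: bytes) -> dict:
    """Extract the fields JA3 needs from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    pos = 9  # 5-byte record header + 4-byte handshake header
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32  # client_version + random
    pos += 1 + record[pos]  # session_id length + session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = list(struct.unpack_from(f"!{cs_len // 2}H", record, pos))
    pos += cs_len
    pos += 1 + record[pos]  # compression_methods length + methods
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    extensions, curves, point_formats = [], [], []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        body = record[pos:pos + ext_len]
        pos += ext_len
        extensions.append(ext_type)
        if ext_type == 0x000A:  # supported_groups (elliptic curves)
            n = struct.unpack_from("!H", body, 0)[0]
            curves = list(struct.unpack_from(f"!{n // 2}H", body, 2))
        elif ext_type == 0x000B:  # ec_point_formats
            point_formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3(record: bytes) -> tuple:
    """Return (ja3_string, ja3_md5) for a ClientHello record."""
    f = parse_client_hello(record)

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    s = ",".join([str(f["version"]), join(f["ciphers"]), join(f["extensions"]),
                  join(f["curves"]), join(f["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.2 ClientHello: a GREASE cipher and a GREASE
    extension, SNI, supported_groups, ec_point_formats, signature_algorithms."""
    def ext(etype, body):
        return struct.pack("!HH", etype, len(body)) + body

    name = b"example.test"
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = struct.pack("!H", 6) + struct.pack("!3H", 0x001D, 0x0017, 0x0018)
    point_fmts = b"\x01\x00"  # one format: uncompressed
    sig_algs = struct.pack("!H", 4) + struct.pack("!2H", 0x0403, 0x0804)
    extensions = (ext(0x1A1A, b"") + ext(0x0000, sni) + ext(0x000A, groups)
                  + ext(0x000B, point_fmts) + ext(0x000D, sig_algs))
    ciphers = struct.pack("!4H", 0x0A0A, 0x1301, 0xC02B, 0xC02F)
    body = (struct.pack("!H", 0x0303) + bytes(32)   # client_version + random
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    s, h = ja3(build_sample_client_hello())
    print(s)  # 771,4865-49195-49199,0-10-11-13,29-23-24,0
    print(h)
```

The GREASE cipher (0x0A0A) and GREASE extension (0x1A1A) present in the raw bytes disappear from the string, which is why the same browser yields a stable hash. One caveat for anyone relying on JA3 today: Chrome began randomizing ClientHello extension order in 2023, which changes the JA3 hash from connection to connection; the JA4 format sorts extensions to stay stable under that randomization.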
Corelight is classified as an Outperformer due to its industry-first LLM integration for SOC assistance, pioneering Smart PCAP technology that extends forensic capabilities, and an ambitious roadmap that includes unified flow visibility, an evasive threat detection engine specifically targeting EDR-evasive attacks, and an AI-driven analyst sidekick.
Opportunities
Open NDR Platform has room for improvement in a few decision criteria, including:
Integrated flow data: Open NDR Platform lacks native ingestion of NetFlow, sFlow, or IPFIX records, relying instead on deep packet inspection and network traffic analysis using Zeek. While NetFlow and VPC Flow integration are planned for 2025, the absence of flow data ingestion limits its ability to provide comprehensive insights into communication patterns and anomalies across diverse environments.
Automated response: The platform does not offer native automated response playbooks but relies on integrations with SOAR platforms for automated workflows. Current capabilities include basic actions like host isolation through integrations with CrowdStrike and Microsoft EDR, as well as firewall blocking via Palo Alto Networks, but it lacks sophisticated context-aware or multistep automated response capabilities.
Zero-network footprint: Open NDR Platform requires network TAPs or traffic mirroring for deployment, making operating in environments without such capabilities challenging. Although NetFlow and VPC Flow support are on the roadmap for 2025 to enable TAP-less deployments, reliance on sensor appliances prevents the platform from achieving a zero-network footprint.
Purchase Considerations
Corelight's Open NDR Platform uses a flexible, usage-based licensing model primarily metered on the throughput of network traffic analyzed after filtering out unnecessary flows like video or bulk backups. This ensures customers pay only for the data they need to analyze, with costs aggregated across their entire environment (on-premises and cloud, all locations worldwide). The pricing structure includes software subscription, optional one-time costs for hardware appliances (if purchased), hardware maintenance, and any training or professional services. Corelight employs a five-minute average to flatten traffic peaks, reducing utilization compared to strict maximum measurements and helping customers avoid unexpected costs from normal fluctuations.
Key purchase considerations include deployment flexibility (stand-alone hardware sensors, virtual sensors, or cloud-based deployments), integration capabilities with existing security tools, and professional services requirements. The platform can be deployed quickly (typically within hours) with a technical account manager service (included in subscriptions) to help ensure proper solution alignment with security initiatives. When evaluating the solution, organizations should consider their network visibility requirements, existing security infrastructure, and traffic volumes. SIEM ingestion costs can be significant depending on data volume, although Corelight's 99:1 data reduction capabilities help mitigate this concern.
Use Cases
Open NDR Platform targets large enterprises, government agencies, cloud service providers, and managed service providers across multiple sectors. The solution addresses a broad range of use cases, including cloud migration security, compliance management, supplementing EDR visibility for detecting evasive threats, threat detection and response, threat hunting and forensics, and zero trust validation. Corelight's platform identifies sophisticated attacks that evade endpoint detection, provides comprehensive visibility from cloud to edge environments, and enables deep forensic investigations with its ability to store network evidence for up to seven years while maintaining query performance.
Cryptomage: Cryptomage Cyber Eye
Solution Overview
Founded in 2016, Cryptomage provides network anomaly detection and cybersecurity solutions, specializing in real-time network-based anomaly detection and prediction through its flagship product, Cryptomage Cyber Eye. Cryptomage is being acquired in phases by Atende SA.
Cryptomage Cyber Eye is a dedicated hardware probe built on Intel FPGA technology, featuring proprietary AI and ML circuitry. The 1U physical appliance performs full packet capture to 4TB of SATA storage and generates proprietary flow metadata, combining deep packet inspection with metadata analysis. It combines protocol behavior, packet inspection, and host communication analysis to detect threats such as botnet C2 communication, malware activity, and zero-day attacks while providing GDPR compliance features.
Cryptomage takes a focused approach to NDR, innovating with specialized capabilities like network steganography detection, protocol behavior analysis, and proprietary AI/ML algorithms for low-level network traffic analysis.
Cryptomage is positioned as a Challenger and Forward Mover in the Maturity/Feature Play quadrant of the NDR Radar.
Strengths
Cryptomage Cyber Eye scored well on several decision criteria, including:
Deep packet inspection: Cryptomage Cyber Eye performs deep inspection of every single network packet, including transported data, using machine learning algorithms and network protocol discovery for proactive risk scoring. It specializes in detecting hidden or modified protocols and unusual low-level network behaviors, providing comprehensive insights beyond traditional user and host behavior monitoring.
Integrated flow data: The solution generates proprietary flow metadata formats that surpass traditional NetFlow analysis, enabling advanced protocol behavior statistics and anomaly detection. Its passive mode ensures operations do not interfere with network traffic, allowing seamless integration with SIEM, security orchestration, automation and response (SOAR), and next-generation firewall (NGFW) systems for enhanced threat detection.
Contextualized visibility: Cryptomage Cyber Eye offers unique visibility into network traffic by combining protocol behavior analysis, packet analysis, and host communication behavior analysis. Its groundbreaking network steganography expertise detects hidden communications and modified TCP/IP protocols, providing enriched context for security events through integration with Recorded Future’s threat intelligence platform.
Opportunities
Cryptomage Cyber Eye has room for improvement in a few decision criteria, including:
Core network integrations: Cryptomage Cyber Eye offers limited integration with core network infrastructure, focusing primarily on SIEM, SOAR, and NGFW connections rather than deep integration with network devices themselves. While it can be deployed alongside other security systems, it operates more as a complementary tool than a deeply integrated network component, with no evidence of bidirectional data flow among all integrated systems.
Encrypted traffic analysis: Cryptomage Cyber Eye lacks advanced encrypted traffic analysis capabilities, with no specific mention of TLS/SSL inspection or decryption features. While it can detect anomalies through metadata and behavioral analysis, its deep packet inspection capabilities are limited when dealing with encrypted communications, focusing instead on protocol behavior and network steganography.
Historical forensics: Cryptomage Cyber Eye provides basic forensic capabilities limited to extracting high-risk network traffic and storing processed traffic metadata in an extended format. The solution offers 4TB SATA storage for PCAP data but lacks advanced forensic toolsets with comprehensive packet capture retention, AI-driven forensic analysis, and sophisticated visualization capabilities for mapping attack vectors.
Cryptomage is classified as a Forward Mover because while it offers innovative capabilities like network steganography detection and AI/ML-based analysis, there is no evidence of recent feature releases or a published product roadmap since Atende acquired a 20% stake in April 2023, indicating a slower pace of innovation compared to the broader NDR market.
Purchase Considerations
Cryptomage Cyber Eye offers flexible pricing models, including monthly or annual subscriptions, perpetual licensing, and custom pricing options. The pricing structure is based on several parameters: license period (12, 24, or 36 months), bandwidth capacity (up to 20 Gbps), and number of hosts monitored (1,000-50,000). There is also an option for a one-time payment, providing customers with multiple ways to align the solution with their budgetary preferences. The solution is available through direct sales and system integrators, with Atende specifically mentioned as a partner.
Key purchase considerations include the hardware-based nature of the solution: Cryptomage Cyber Eye is custom network equipment based on Intel FPGA technology, although the vendor also lists two software deployment options, on-premises Linux environments and virtual machines. The probe can be implemented in either active mode with configurable automation or passive mode, which analyzes a copy of network traffic without interfering with connections. Both modes work out of the box without requiring additional configuration to become fully operational, suggesting straightforward deployment.
The solution is designed to complement existing security infrastructure, working alongside IDS, unified threat management (UTM), and NGFW systems rather than replacing them. Prospective customers should consider requirements for integration with their SIEM, SOAR, and NGFW platforms and their specific needs for network traffic analysis, threat detection, and compliance reporting capabilities.
Use Cases
Cryptomage Cyber Eye addresses a broad range of use cases, including botnet C2 communication detection, DDoS attack prevention, hidden network traffic (network steganography) identification, malware activity monitoring, suspicious network traffic analysis, unauthorized device connection detection, and zero-day attack protection. The solution is designed for organizations managing large, complex networks requiring protection against non-signature and advanced threats like APT attacks. Target industries include financial services (banking, insurance), government, healthcare, manufacturing, military, pharmaceutical, telecommunications (operators, providers), and utilities (including critical infrastructure). Cryptomage Cyber Eye is particularly applicable for organizations needing real-time anomaly detection with automated threat response capabilities.
Cynamics: Cynamics NDR
Solution Overview
Founded in 2019, Cynamics specializes in AI-driven threat prediction and network visibility using standard sampling protocols, patented algorithms, and machine learning. Launched in 2020 as a SaaS offering hosted on AWS, Cynamics NDR analyzes samples amounting to less than 1% of network traffic to provide complete network visibility and threat prediction.
Cynamics NDR is a cloud-based solution that analyzes network metadata without requiring hardware or software sensors, agents, or appliances. Instead, it collects samples of less than 1% of network traffic using the standard sampling and flow export protocols built into existing network gateways (IPFIX, NetFlow, sFlow, Azure NSG flow logs, and AWS VPC Flow Logs). Rather than using DPI, Cynamics analyzes only IP header metadata fields through hidden pattern recognition, employing patented AI technology to infer complete network visibility and predict attacks and threats before they hit.
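Because the sampling model is unusual among NDR vendors, it helps to see what 1-in-N packet sampling can and cannot show. The following Python script is an added example written for this report; it is not Cynamics' patented inference, which is proprietary, but only the standard sFlow arithmetic in which every sampled packet stands for `rate` packets of its flow. The traffic is constructed for the example, not captured, and the sampler is a fixed stride so the results are reproducible (real exporters choose packets randomly, with the same expected scale-up). It shows that a bulk transfer is estimated to within a percent while a 24-packet beacon is never sampled at all.

```python
"""What 1-in-N packet sampling (sFlow style) can and cannot show.

Added example, not Cynamics' patented inference, which is proprietary. It
shows only the standard sFlow arithmetic: every sampled packet stands for
`rate` packets of the same flow. The traffic is constructed, not captured,
and sampling is simulated as a fixed stride so the results are reproducible;
real exporters sample randomly with the same expected scale-up.
"""
from collections import defaultdict


def constructed_traffic() -> list:
    """Packets as (src, dst, dport, bytes): a 28 MB bulk upload, ordinary
    web browsing, and a 24-packet beacon (one small packet per connection)."""
    pkts = []
    pkts += [("10.0.0.5", "203.0.113.10", 443, 1400)] * 20000  # bulk upload
    pkts += [("10.0.0.7", "198.51.100.20", 443, 600)] * 3000   # browsing
    pkts += [("10.0.0.9", "192.0.2.66", 8443, 120)] * 24       # beacon
    return pkts


def sample_packets(packets: list, rate: int, offset: int = 0) -> list:
    """Keep one packet in every `rate`, starting at `offset` (deterministic
    stand-in for the exporter's random 1-in-N choice)."""
    return packets[offset::rate]


def flow_totals(packets: list, scale: int = 1) -> dict:
    """Sum packets and bytes per flow key, multiplying by `scale`
    (1 for ground truth, the sampling rate for sampled data)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, dport, size in packets:
        t = totals[(src, dst, dport)]
        t["packets"] += scale
        t["bytes"] += size * scale
    return dict(totals)


def compare(rate: int = 128, offset: int = 7) -> dict:
    """Per flow: true vs. estimated packet counts and whether sampling saw it."""
    truth = flow_totals(constructed_traffic())
    sampled = sample_packets(constructed_traffic(), rate, offset)
    est = flow_totals(sampled, rate)
    return {key: {"true_packets": t["packets"],
                  "est_packets": est.get(key, {"packets": 0})["packets"],
                  "seen": key in est}
            for key, t in truth.items()}


def miss_probability(packets_in_flow: int, rate: int) -> float:
    """Chance that a random 1-in-rate sampler sees none of a flow's packets."""
    return (1 - 1 / rate) ** packets_in_flow


if __name__ == "__main__":
    for key, r in compare().items():
        print(key, r)
    print("P(24-packet beacon invisible at 1:128) =",
          round(miss_probability(24, 128), 3))
```

At 1:128 the 20,000-packet upload is estimated at 20,096 packets and the browsing at 2,944 of 3,000, but the beacon is absent from the sampled data, and even with random sampling a 24-packet flow has an 83% chance of leaving no sample at all. That asymmetry is the practical meaning of the encrypted traffic analysis and historical forensics limitations noted for this vendor: volumetric events such as exfiltration, scanning and DDoS survive sampling well, while low-and-slow activity must be inferred from what the heavy flows reveal.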
Cynamics takes a focused approach to NDR, innovating to add emerging features like AI-driven analysis, CynLLM for threat investigation, mitigation, and reporting, and flow-based metadata analysis without agents or sensors.
Cynamics is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the NDR Radar.
Strengths
Cynamics NDR scored well on several decision criteria, including:
Integrated flow data: Cynamics NDR collects and analyzes flow data using industry-standard protocols and exports such as IPFIX, NetFlow, sFlow, Azure NSG flow logs, and AWS VPC Flow Logs across diverse network environments. Its patented AI-driven technology creates a "network blueprint" that infers complete network visibility from samples of less than 1% of traffic, providing detailed root-cause analysis and contextual insights into anomalous behaviors without requiring full packet inspection.
Contextualized visibility: Cynamics’ Device Center connects firewalls, switches, and cloud infrastructure in a unified view, automatically identifying and classifying critical network assets. The solution works across on-premises, VPC, and hybrid environments, providing end-to-end coverage of the entire network while detecting suspicious communications and potential threats through AI-driven pattern analysis.
Zero-network footprint: Cynamics operates entirely as a cloud-native solution without requiring any appliances, agents, sensors, probes, span ports, or TAPs to be deployed in the client environment. Analyzing metadata from existing network gateways via sampling protocols ensures minimal resource demand with no impact or overhead on network performance while maintaining comprehensive threat detection across legacy, hybrid, and cloud-native environments.
Opportunities
Cynamics NDR has room for improvement in a few decision criteria, including:
Encrypted traffic analysis: Cynamics NDR employs a basic flow-based approach that examines only IP header metadata rather than analyzing packet payloads and encrypted protocol behaviors. The solution cannot detect protocol-specific anomalies like SSL stripping attacks, abnormal certificate usage, or suspicious TLS negotiations. While its sampling technique is agnostic to encrypted traffic and does not require decryption, the approach is primarily limited to statistical anomaly detection without deep protocol-level insights or context-aware correlation across broader network activities.
Historical forensics: Despite claiming "potentially unlimited data retention" due to its sampling approach, Cynamics NDR lacks advanced search, filtering, and timeline visualization tools for comprehensive forensic investigations. While it provides basic root-cause analysis, it does not include full packet capture capabilities, sophisticated attack vector mapping, or AI-driven pattern recognition designed specifically for historical data analysis, limiting security teams' ability to conduct thorough post-incident investigations.
Automated response: Cynamics NDR depends heavily on third-party integrations for mitigation actions rather than providing robust built-in response capabilities. The solution lacks context-aware automation that would consider factors like asset criticality or user roles when determining appropriate response actions. While it employs AI for detection, it currently does not leverage machine learning algorithms to analyze threat patterns, predict potential impacts, or recommend optimal response strategies. An update addressing this is expected to be announced soon.
Purchase Considerations
Cynamics NDR offers a transparent, subscription-based pricing model in which cost is determined by the number of primary edge network devices (firewalls and switches) sending network samples to its SaaS platform. This approach aligns with its zero-footprint architecture, which requires no appliances, agents, or sensors. The solution is designed to be cost-effective compared to traditional NDR solutions, providing full network visibility and threat detection while analyzing only a small percentage of network traffic. This sampling-based approach significantly reduces computational and storage requirements, lowering operational costs while maintaining comprehensive coverage.
Key purchase considerations include Cynamics' self-service deployment model, allowing customers to onboard without vendor assistance in less than one hour. The solution integrates with any network size or type across legacy, cloud-native, and hybrid environments through standard sampling protocols built into existing network gateways. Migration complexity is minimal since no hardware installation or network reconfiguration is required beyond enabling flow data collection. Proof of concept is straightforward with a "risk-free deployment" approach that creates no additional attack surface. Customers should consider that while Cynamics offers third-party integrations for auto-mitigation, the solution focuses primarily on detection rather than providing comprehensive built-in response capabilities.
Use Cases
Cynamics NDR addresses a broad range of use cases, including asset discovery, compliance management, incident response and forensics, intelligent anomaly detection, metadata-based threat detection, and network visibility. The solution detects threats in real time using AI-driven analysis of flow metadata, providing detailed root-cause analysis and predictive insights to mitigate risks before they escalate. It is particularly effective for identifying unusual patterns and monitoring north-south and east-west communications. Designed for organizations of all sizes, its zero-footprint architecture and ease of deployment make it ideal for complex networks seeking scalable cybersecurity solutions without the overhead of hardware sensors or appliances.
Darktrace: Darktrace / NETWORK
Solution Overview
Founded in 2013, Darktrace provides cybersecurity AI solutions specializing in threat detection and response using artificial intelligence. In January 2025, Darktrace announced the acquisition of Cado Security, a UK-based incident investigation and response firm specializing in cloud investigation capabilities across multicloud, container, serverless, SaaS, and on-premises environments.
Darktrace / NETWORK employs a distributed architecture that leverages both full packet capture and flow data analysis. It uses hardware sensors for core network monitoring and software-based sensors for extended visibility. The solution performs deep packet inspection on raw network traffic to produce metadata for analysis while also supporting on-demand packet captures for detailed investigation. It can analyze both encrypted and decrypted traffic, including protocols inside encrypted connections such as HTTP/2, and ingests NetFlow v9 records for enhanced visibility.
Darktrace takes a focused approach to NDR, innovating to add emerging features like Attack Path Finder, Custom Routes for Autonomous Response, and Expanded Protocol Analysis for WebSocket to enhance detection, scalability, and SOC efficiency in modern enterprises.
Darktrace is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Darktrace / NETWORK scored well on several decision criteria, including:
Core network integrations: Darktrace / NETWORK features an open architecture that makes it easy to "bring AI to your data" and extend autonomous response capabilities. It accepts virtually every data format and typically works with core internal network traffic collected through port spanning of existing equipment, in-line network taps, or accessing existing repositories of network data. The solution can also deploy C-Sensor agents for devices that can't be captured by network traffic from a core switch, ensuring comprehensive coverage.
Contextualized visibility: Darktrace / NETWORK provides complete network traffic analysis capabilities with extensive analysis of components like application use/type, fingerprinting, and source/destination communication. Its Self-Learning AI understands what is normal across each network entity by examining behaviors rather than applying static rules, enabling it to surface novel threats that cannot be anticipated while providing a straightforward interface with advanced filtering and analytical tools for security analysts.
Automated response: Darktrace / NETWORK delivers autonomous response capabilities that can directly isolate compromised devices, halt malicious traffic, or restrict abnormal network activity without interrupting normal working practices. The AI makes precise decisions by analyzing device behavior, threat type, and unusual patterns, enabling faster response times that are critical to preventing breaches before they cause more damage.
Darktrace is classified as an Outperformer because it consistently delivers significant innovations to its NDR platform, including recent advances in automating detection engineering, scalability for large and distributed networks, increasing SOC efficiency with AI-led triage and investigation of alerts, and autonomous containment of network threats, while maintaining approximately one-fifth of the global NDR market share.
Opportunities
Darktrace / NETWORK has room for improvement in a few decision criteria, including:
Integrated flow data: Darktrace / NETWORK supports NetFlow v9 integration to enhance visibility over areas of networks that might otherwise go unmonitored, but it has limited support for other flow protocols like sFlow or IPFIX. The solution focuses more on its Self-Learning AI capabilities for anomaly detection rather than providing comprehensive support for diverse flow protocols or advanced machine learning algorithms optimized explicitly for flow data correlation across multiple sources. Its ability to detect sophisticated threats through flow analysis is constrained by its primary focus on full packet analysis rather than comprehensive multiprotocol flow analysis.
Historical forensics: Darktrace / NETWORK retains DPI metadata and general device activity data for approximately 30 days in most deployments, falling short of the 6+ months retention period offered by more comprehensive forensic solutions. While the platform provides an advanced search interface and packet capture generation capabilities, it currently relies on third-party technology from Endace or the recently acquired Cado Security for deeper forensic investigation capabilities rather than offering fully integrated native forensic tools. The system lacks advanced AI-driven pattern recognition specifically for historical data analysis.
Regulatory compliance: While Darktrace / NETWORK offers dedicated compliance model stacks that detect compliance issues in real time, it lacks advanced, built-in AI-driven predictive compliance risk assessment capabilities and real-time compliance scoring with trend analysis. However, this functionality is available via an additional module, Darktrace / Proactive Exposure Management (PEM). While the solution supports multiple regulatory frameworks, including GDPR, HIPAA, and PCI DSS, it doesn't provide automated recommendations of specific remediation actions for compliance gaps beyond basic alerting and reporting.
Purchase Considerations
Darktrace / NETWORK uses a subscription-based pricing model based on the number of monitored IPs. Customers can choose from various contract durations, with pricing typically structured as an annual subscription. The solution offers a 30-day free Proof of Value (PoV) before purchase commitment. Key purchase considerations include evaluating the total cost of ownership against hiring dedicated security talent, as Darktrace positions itself as a way for security teams to make better use of their existing resources and avoid the costs associated with hiring additional staff, particularly with its Cyber AI Analyst.
The solution requires ongoing tuning to reduce false positives, with several customers noting a significant learning curve. However, Cyber AI Analyst can automate the triage and investigation process, reducing false positives and only raising genuine threats to the attention of security teams. While Darktrace provides comprehensive visibility, it complements rather than replaces existing security tools like SIEM, EDR, and network monitoring. Organizations should also assess the required internal resources for investigation and response, as the platform generates detailed alerts requiring analysis.
Use Cases
Darktrace / NETWORK addresses a broad range of use cases, including credential stuffing detection, crypto-mining prevention, insider threat detection, IoT device security, mergers and acquisitions security, phishing attack response, ransomware prevention, and zero-day attack detection. Its Self-Learning AI continuously monitors network traffic and user behavior to identify both known threats via signatures and threat intelligence, along with novel and unknown threats through anomaly detection.
Exeon: ExeonTrace
Solution Overview
Founded in 2016, Exeon Analytics protects IT infrastructures through AI-driven security analytics. The company's flagship product, ExeonTrace, is based on over ten years of academic research at ETH Zürich and offers network monitoring capabilities that detect cyber threats without requiring agents or sensors.
ExeonTrace is a software-only NDR solution that analyzes metadata from existing network infrastructure (firewalls, switches, routers, and secure web gateways) without requiring sensors or agents. It processes NetFlow, IPFIX, sFlow, proxy logs, DNS logs, and cloud flow logs through its platform components: Correlation Engine, Graph-based SecurityDB, Alerting System, Incident Handling, Incident Assessment, Dashboard & Reporting, and Visualizations. ExeonTrace deliberately avoids deep packet inspection, focusing on behavioral analysis to detect threats even in encrypted traffic.
Exeon takes a focused, innovative approach to NDR, deliberately avoiding DPI and hardware sensors while developing AI-driven metadata analysis capabilities that address encrypted traffic challenges with quarterly feature enhancements.
Exeon is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the NDR Radar.
Strengths
ExeonTrace scored well on several decision criteria, including:
Integrated flow data: ExeonTrace ingests and analyzes multiple flow protocols (NetFlow, IPFIX, sFlow) without requiring hardware sensors, using AI-driven behavioral analytics to detect anomalies across distributed environments. Its graph database approach reduces data volume by up to 50x compared to raw logs, enabling efficient processing and storage while maintaining comprehensive visibility across on-premises, cloud, and OT networks.
Historical forensics: ExeonTrace stores historical network metadata in specialized graph databases that reduce storage requirements by up to 100 times while preserving analytical capabilities. This efficient storage approach enables extended retention periods and comprehensive forensic investigations with AI-driven analysis tools that help security teams trace attack vectors, understand attack propagation, and identify previously undetected threats across hybrid environments.
Regulatory compliance: ExeonTrace supports multiple regulatory frameworks (GDPR, HIPAA, NIST, DORA, NIS2, ISO 27001) through detailed network visibility, robust logging, and comprehensive reporting. Its metadata-based approach provides granular insights without compromising privacy, while flexible deployment options support data sovereignty requirements. The solution combines real-time monitoring, historical data retention, and automated policy enforcement to maintain continuous compliance.
Opportunities
ExeonTrace has room for improvement in a few decision criteria, including:
Deep packet inspection: ExeonTrace deliberately avoids DPI as a core architectural decision, relying exclusively on metadata analysis instead of inspecting packet contents. Exeon positions this as a feature rather than a limitation, highlighting that its "algorithms are unaffected by encrypted payloads since they are built to detect attack patterns based on metadata and not deep packet inspection." However, this approach eliminates the ability to perform protocol-aware inspection, content analysis, or payload examination available in DPI-based solutions.
Encrypted traffic analysis: ExeonTrace analyzes metadata and flow characteristics without examining encrypted content, limiting its ability to detect sophisticated threats hidden within encrypted communications. While it can identify anomalies based on traffic patterns, timing, and frequency, it cannot perform protocol behavior analysis or decode encrypted protocols like TLS/SSL to detect protocol abuse, abnormal certificate usage, or suspicious protocol negotiations that more advanced encrypted traffic analysis solutions offer.
Automated response: ExeonTrace offers limited automated response capabilities with basic predefined policies and actions like blocking malicious IPs or isolating compromised devices. The documentation acknowledges "enhancing automated response capabilities" as an area for improvement on its roadmap, indicating current limitations. The solution lacks sophisticated context-aware automation that would consider factors like asset criticality and user roles when determining responses and doesn't demonstrate advanced AI-driven decision-making for optimizing response strategies.
Exeon is classified as a Forward Mover because it demonstrates steady quarterly updates with incremental improvements rather than revolutionary changes, focusing on enhancing its core metadata-based approach rather than on market-leading innovation that would significantly accelerate its competitive position.
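Several entries in this report (Cynamics, Exeon) describe detection that works purely from flow metadata: sampled header fields from existing gateways, a host-pair communication graph, and anomalies inferred from traffic patterns, timing, and frequency rather than from packet payloads. The example below is an added illustration of that approach and is not code from Exeon, Cynamics, or any other vendor covered here. The flow records, the 10.0.0.0/8 internal range, the 1-in-100 sampling ratio, and the beacon thresholds are all constructed for the example.

```python
"""Flow-metadata anomaly detection over constructed NetFlow-style records.

Added illustration for this report; not code from any vendor discussed.
Records, address ranges, sampling ratio and thresholds are assumptions of
the example, not product defaults.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src, dst, dst_port, sampled_bytes).
# A real collector would decode NetFlow v9/IPFIX/sFlow; these are the
# header-level fields those protocols export, so no payload is ever needed.
SAMPLING_RATE = 100  # assumed 1-in-100 packet sampling at the exporter

BASELINE_FLOWS = [
    (t, "10.0.1.10", "10.0.2.20", 443, 1500) for t in range(0, 3600, 300)
] + [
    (t, "10.0.1.11", "10.0.2.20", 443, 1500) for t in range(0, 3600, 450)
] + [
    (t, "10.0.1.10", "203.0.113.5", 443, 3000) for t in (100, 700, 1900, 2500, 3400)
]

DETECTION_FLOWS = [
    # Normal: same host-to-host pair already present in the baseline.
    (3700, "10.0.1.10", "10.0.2.20", 443, 1500),
    # New east-west edge: a workstation reaching a server it never touched before.
    (3800, "10.0.1.11", "10.0.3.30", 445, 800),
    # Beacon-like: fixed 60 s interval to one external IP with near-constant size.
] + [(4000 + 60 * i, "10.0.1.12", "198.51.100.77", 443, 400 + (i % 2)) for i in range(10)]

INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address space


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def scale_sampled_bytes(sampled_bytes: int, rate: int = SAMPLING_RATE) -> int:
    """Estimate true volume from a sampled counter (sFlow-style extrapolation)."""
    return sampled_bytes * rate


def build_edge_set(flows):
    """Host-pair communication graph: the (src, dst, port) tuples observed."""
    return {(src, dst, port) for _, src, dst, port, _ in flows}


def new_east_west_edges(baseline, detection):
    """Internal-to-internal tuples that appear only in the detection window."""
    seen = build_edge_set(baseline)
    return sorted(
        {(src, dst, port) for _, src, dst, port, _ in detection
         if (src, dst, port) not in seen and is_internal(src) and is_internal(dst)}
    )


def beacon_candidates(flows, min_flows=6, max_cv=0.1):
    """Flag (src, external dst) pairs whose inter-arrival times are unusually regular.

    cv = stdev/mean of the gaps; a cv near zero means machine-timed traffic,
    which human-driven browsing does not produce.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        if not is_internal(dst):
            by_pair[(src, dst)].append(ts)
    out = []
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            out.append((pair, round(avg, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    print("new east-west edges:", new_east_west_edges(BASELINE_FLOWS, DETECTION_FLOWS))
    print("beacon candidates:", beacon_candidates(DETECTION_FLOWS))
    print("estimated bytes for a 1500-byte sample:", scale_sampled_bytes(1500))
```

The two detectors show what flow metadata can and cannot deliver: a first-seen internal edge and a periodic external contact are both visible from headers alone, whereas the report's encrypted-traffic caveats (certificate misuse, abnormal TLS negotiation) need fields that flow records do not carry. In production the baseline would be learned over days and the beacon threshold tuned against legitimate polling traffic such as update checks.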
Purchase Considerations
ExeonTrace uses a subscription-based pricing model determined by the size of the monitored network rather than by the number of users or devices. The solution is sold as a unified product with a single user interface, though specific pricing details are available only upon request. While Exeon claims transparent pricing with no hidden fees, potential customers should be aware that costs may vary based on network coverage scale, deployment complexity, and integration requirements. Additional costs apply for premium analytics, extended data retention, or enhanced support options.
Key purchase considerations include ExeonTrace's flexible deployment options (cloud, on-premises, or hybrid) and agentless approach that leverages existing infrastructure without requiring hardware sensors or traffic mirroring. This significantly reduces migration complexity with rapid deployment measured in hours rather than days. The solution supports PoC implementations and integrates with existing security tools, including SIEM platforms like Splunk and Elasticsearch. Customers should note that ExeonTrace deliberately avoids deep packet inspection, focusing instead on metadata analysis, which may impact certain use cases.
Use Cases
ExeonTrace addresses a broad range of use cases, including advanced threat detection, compliance monitoring for regulations like DORA and NIS2, lateral movement detection, network security visibility, ransomware attack mitigation, and zero-trust network security. ExeonTrace is particularly applicable for organizations requiring comprehensive visibility and monitoring of highly virtualized and distributed networks, with specific strength in analyzing encrypted traffic through its metadata-based approach rather than deep packet inspection.
ExtraHop: RevealX
Solution Overview
Founded in 2007, ExtraHop provides AI-based network intelligence to stop advanced threats across cloud, hybrid, and distributed environments. In 2018, ExtraHop released RevealX (originally called Reveal(x)), followed by the launch of SaaS-based Reveal(x) 360 in 2020.
RevealX NDR is a cloud-native network detection and response platform with a distributed architecture comprising multiple sensor types: Flow sensors for VPC flow logs, IDS sensors for signature-based detection, packet sensors for full packet capture, Packetstores for continuous packet capture, and Recordstores for transaction storage. The platform performs deep packet inspection through real-time stream processing that transforms unstructured packets into structured wire data, with full-stream reassembly, flow grouping, transaction identification, and device classification capabilities.
ExtraHop takes a focused approach to NDR, innovating with emerging features like AI search assistant, cloud-based record storage, and natural language processing capabilities while incrementally improving its core network visibility and threat detection capabilities.
ExtraHop is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
RevealX scored well on several decision criteria, including:
Deep packet inspection: RevealX captures complete packets across OSI Layers 2-7 at line rate speed, providing richer context than competing solutions that only analyze partial packets, NetFlow, or inspect traffic in Layers 3 and 4. The platform decodes more than 90 application, database, network, and internet protocols in real time, including critical Microsoft protocols like Kerberos, MSRPC, LDAP, WINRM, SMBv3, and NTLM, enabling the detection of sophisticated attacks targeting Active Directory and authentication systems.
Encrypted traffic analysis: RevealX combines encrypted traffic analysis (ETA) with industry-leading decryption capabilities for both TLS 1.3 and proprietary Microsoft protocols. It performs "real-time, out-of-band decryption" without adding latency or security risk, allowing security teams to inspect encrypted traffic that other NDR solutions cannot access. This capability is particularly valuable for detecting threats hiding in encrypted traffic that follows normal behavior patterns, when ETA alone would be insufficient.
Automated response: RevealX offers "push-button response by automating investigation with full context and guided workflows" that enable "3-click investigation from detection to root cause." The platform enriches every detection with attack timelines, risk scores, and drill-down capabilities while providing turnkey integrations with over 230 security tools, including CrowdStrike, Splunk, and Palo Alto Networks, to automate remediation actions.
ExtraHop is classified as an Outperformer due to its rapid innovation cadence with quarterly releases that have introduced significant capabilities, including AI Search Assistant for natural language queries, Automated Retrospective Detection for historical threat hunting, and planned enhancements like network file carving & detection and expanded integrations with market leaders like CrowdStrike and Netskope.
Opportunities
RevealX has room for improvement in a few decision criteria, including:
Integrated flow data: RevealX primarily ingests and analyzes VPC flow logs from Amazon Web Services environments, with limited support for other flow data types like NetFlow, sFlow, or IPFIX. ExtraHop acknowledges that flow data "can provide limited investigation support, suffer from gaps in visibility due to sampling rates, and limited support when customers need full forensics," indicating a preference for packet analysis over comprehensive flow data integration.
Historical forensics: While RevealX offers up to 365 days of cloud-stored records, this falls short of the 18 or more months that would qualify it as comprehensive historical forensics. The solution's Automated Retrospective Detection can search through historical network data only as far back as 30 days for indicators of emerging threats, limiting the ability to investigate long-term advanced persistent threats that may have remained dormant for extended periods.
Zero-network footprint: Although RevealX is described as cloud-native, it still requires physical sensors for many deployments, limiting its true zero-network footprint capabilities. ExtraHop acknowledges that "some deployments will require physical sensors," indicating that it cannot operate solely through cloud-based or agentless collection methods in all environments. This hardware dependency increases deployment complexity and reduces flexibility compared to fully cloud-native alternatives.
Purchase Considerations
RevealX NDR offers a subscription-based pricing model with options for both SaaS (RevealX 360) and on-premises (RevealX Enterprise) deployments. The SaaS pricing is based on three key factors: number of discovered devices, daily record ingest capacity, and record lookback period (30, 90, or 180 days). For on-premises deployments, pricing is primarily based on the number of discovered devices without including record capacity. The solution supports various throughput configurations with enterprise appliances scaling from 1 Gbps to 100 Gbps throughput, virtual sensors for cloud environments, and SaaS-based solutions.
Key purchase considerations include deployment flexibility across physical sensors, virtual sensors for cloud environments, and hybrid options that combine the two approaches. Customers should evaluate their environment complexity, as RevealX offers different sensor types (Flow, IDS, Packet) for various monitoring needs, including network traffic mirroring configuration for comprehensive visibility. Organizations should evaluate their hybrid environment requirements, as the solution supports both on-premises and cloud deployments with nearly identical capabilities. When planning a PoC, organizations should consider which critical assets and network segments to monitor and which integrations with existing security tools (SIEM, SOAR, EDR) would deliver the most value.
Use Cases
RevealX NDR targets large enterprises, managed service providers, and cloud service providers, with a secondary focus on network service providers and SMBs. The solution addresses a broad range of use cases, including audits and compliance, cybersecurity for remote workforces, intrusion detection, network performance monitoring, packet forensics, and threat detection and response. RevealX is particularly valuable for organizations that require comprehensive visibility across hybrid environments to detect threats that evade traditional security controls like EDR and SIEM solutions.
Fidelis Security: Fidelis Network
Solution Overview
Founded in 2002 and acquired by Partner One in August 2023, Fidelis Security (previously Fidelis Cybersecurity) specializes in proactive cyber defense with detection, deception, response, cloud security, and compliance capabilities. In January 2017, Fidelis Security launched Fidelis Network, which was later enhanced with cloud delivery through Fidelis Cloud.
Fidelis Network leverages patented Deep Session Inspection (DSI) technology, which reassembles network sessions rather than examining individual packets, enabling comprehensive content analysis across all ports and protocols. The platform includes direct, internal, mail, web, and cloud sensors (available as hardware or virtual appliances) that can analyze traffic at up to 20 Gbps per sensor. It collects over 300 metadata attributes, enabling real-time and retrospective analysis with protocol and application decoding capabilities.
Fidelis Security takes a focused approach to NDR, incrementally improving existing features with enhanced machine learning algorithms, OT security capabilities, and session-based inspection rather than traditional packet analysis.
Fidelis Security is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Fidelis Network scored well on several decision criteria, including:
Core network integrations: Fidelis Network provides seamless integration with NGFWs and SIEMs through out-of-the-box connectors and a REST API for custom integration, enabling coordinated actions across networks, cloud services, and devices. The solution works with Fidelis Elevate XDR to create unified workflows, automates responses via integration with endpoint solutions, and supports both on-premises and multicloud environments, including AWS, Azure, and Google Cloud.
Deep packet inspection: Fidelis Network goes beyond traditional DPI with its patented DSI technology that reassembles entire network sessions rather than examining individual packets. This approach enables comprehensive protocol and application decoding, deep content analysis across all ports and protocols, and the ability to detect threats hidden within complex, multilevel archive files that traditional DPI systems would miss.
Encrypted traffic analysis: Fidelis Network can analyze encrypted traffic patterns without decryption by examining metadata and behavioral characteristics while also offering decryption capabilities when needed for deeper inspection. The solution collects over 300 metadata attributes from network sessions, applies machine learning to detect anomalies in encrypted communications, and can identify suspicious encrypted transfers while maintaining privacy compliance.
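The ExtraHop and Fidelis entries above separate two things: decrypting traffic out of band, and analysing the handshake metadata that remains in cleartext regardless of decryption. The following added example, which is not code from Fidelis, ExtraHop or any vendor in this report, parses a TLS ClientHello and raises the kind of findings a metadata-only engine can produce (legacy protocol versions, weak cipher suites, missing SNI). The two handshakes are constructed inline with a small builder; the weak-suite list and the findings' names are choices of the example, not any product's policy.

```python
"""Metadata-only inspection of a TLS ClientHello (no decryption involved).

Added illustration for this report, not vendor code. The sample handshakes
are constructed inline; WEAK_SUITES and the finding labels are example
choices, not a product's policy.
"""
import struct

# Cipher suite identifiers as listed in the IANA TLS parameters registry.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}
TLS12, TLS13 = 0x0303, 0x0304
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43


def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]


def build_client_hello(legacy_version, suites, sni=None, supported=None):
    """Assemble a minimal ClientHello record; used only to create sample input."""
    exts = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name type
        body = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SNI, len(body)) + body
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        body = bytes([len(vers)]) + vers
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(body)) + body
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"  # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"            # suites, null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract negotiation metadata that is on the wire before any encryption starts."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                  # record header (5) + handshake header (4)
    legacy_version = _u16(record, p)
    p += 2 + 32                            # version + client random
    p += 1 + record[p]                     # session id
    cs_len = _u16(record, p)
    p += 2
    suites = [_u16(record, p + i) for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                     # compression methods
    meta = {"legacy_version": legacy_version, "suites": suites,
            "sni": None, "supported_versions": []}
    if p >= len(record):
        return meta
    end = p + 2 + _u16(record, p)
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        data = record[p:p + elen]
        p += elen
        if etype == EXT_SNI:               # list_len(2) type(1) name_len(2) name
            meta["sni"] = data[5:5 + _u16(data, 3)].decode()
        elif etype == EXT_SUPPORTED_VERSIONS:
            meta["supported_versions"] = [_u16(data, 1 + i) for i in range(0, data[0], 2)]
    return meta


def assess(meta):
    """Findings an ETA engine can raise from handshake metadata alone."""
    findings = []
    offered = meta["supported_versions"] or [meta["legacy_version"]]
    if max(offered) < TLS12:
        findings.append("legacy_tls_only")
    weak = [WEAK_SUITES[s] for s in meta["suites"] if s in WEAK_SUITES]
    if weak:
        findings.append("weak_cipher_suite:" + ",".join(weak))
    if meta["sni"] is None:
        findings.append("missing_sni")
    return findings


# Constructed samples: a modern, browser-like hello and a suspicious one.
GOOD_HELLO = build_client_hello(TLS12, [0x1301, 0x1302, 0xC02F], "example.com", [TLS13, TLS12])
BAD_HELLO = build_client_hello(0x0301, [0x0005, 0x0002], None, None)

if __name__ == "__main__":
    for label, rec in (("good", GOOD_HELLO), ("bad", BAD_HELLO)):
        print(label, assess(parse_client_hello(rec)))
```

Everything the parser reads sits before the key exchange completes, which is why such checks add no latency and need no private keys; what they cannot see is the payload, so content-level threats (the malware-in-archive cases the Fidelis entry describes) still require decryption or session reassembly.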
Opportunities
Fidelis Network has room for improvement in a few decision criteria, including:
Integrated flow data: Fidelis Network focuses primarily on its own DSI technology rather than integrating with third-party flow data sources like IPFIX or NetFlow. While it collects over 300 metadata attributes from its own sensors, it lacks robust capabilities to ingest, correlate, and analyze flow data from existing network infrastructure, requiring organizations to deploy Fidelis sensors instead of leveraging their current flow collection systems for comprehensive visibility.
Contextualized visibility: Despite analyzing network behavior across five contexts (external, internal, application protocols, data movement, and events), Fidelis Network provides limited user-centric visibility and device interaction context. The solution emphasizes traffic and content analysis rather than comprehensive asset classification, detailed network topology visualization, or cross-domain correlation capabilities that would provide a richer contextual understanding of user activities and device relationships.
Zero-network footprint: Fidelis Network requires dedicated hardware or virtual sensors processing up to 20 Gbps of traffic, creating a substantial network footprint. The deployment model relies on physical or virtual appliances rather than agentless data collection from existing infrastructure, necessitating additional hardware investment and potential network reconfiguration for traffic mirroring and collection.
Fidelis Security is classified as a Forward Mover because, while it continues to make incremental improvements to Fidelis Network, the company has undergone significant organizational changes following its acquisition by Partner One that appear to have slowed its pace of innovation compared to the broader NDR market.
Purchase Considerations
Fidelis Network offers a tiered pricing structure based on network bandwidth and deployment model, with options for both cloud-based and on-premises implementations. The solution is delivered as a SaaS package for cloud deployments, including maintenance, processing power, and storage space. On-premises deployments incur additional costs for annual support and threat feeds, typically calculated as a percentage of the annual license fee.
Key purchase considerations include evaluating bandwidth requirements as pricing tiers scale with network size. Customers should assess deployment preferences (cloud vs. on-premises) and factor in the additional costs for on-premises support. While the solution offers comprehensive capabilities, including deep packet inspection and advanced threat detection, organizations should consider conducting a PoC to validate detection rates compared to existing solutions, with customers citing improved detection through side-by-side testing. The dashboard provides abundant high-level data with intuitive policy and rule building, making implementation more straightforward, though migration complexity will vary based on existing security infrastructure.
Use Cases
Fidelis Network addresses a broad range of use cases, including conducting real-time risk analysis of networked assets, detecting and preventing network-based attacks, identifying threats and data leakage in real time, improving threat intelligence across networks, endpoints, and cloud, neutralizing network-based attacks, profiling TLS-encrypted traffic, securing email at the network level, and unpacking deeply embedded files to detect data exfiltration attempts. The solution leverages DSI technology to provide contextual metadata across file formats and content, enabling organizations to reduce response time from hours to seconds while maintaining visibility across both north-south and east-west traffic.
Fortinet: FortiNDR (on-premises)
Solution Overview
Founded in 2000, Fortinet provides cybersecurity solutions, specializing in network security products, including firewalls, endpoint protection, and network detection and response tools. Fortinet has two NDR offerings: FortiNDR, developed in-house and deployed on-premises, and FortiNDR Cloud, a SaaS solution built on Gigamon ThreatINSIGHT, a cloud-native NDR solution acquired by Fortinet in January 2023.
FortiNDR (on-premises) is an AI-powered network detection and response solution with a distributed architecture comprising standalone, center, and sensor modes supporting up to 20 sensors. Available as physical appliances (FortiNDR-1000F, FortiNDR-3500F) or virtual machines (VM08/16/32), it captures raw network traffic via SPAN ports, ingests NetFlow, IPFIX, and sFlow data, and accepts file submissions. It performs deep packet inspection using GPU-accelerated artificial neural networks (ANN) for malware analysis and employs One-Class SVM machine learning for traffic profiling.
Fortinet takes a focused approach to NDR, incrementally improving existing features while innovating to add emerging capabilities, as evidenced by its ANN-based malware scanning, centralized management capabilities, OT protocol support, and traffic profiling with machine learning.
Fortinet is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the NDR Radar.
Strengths
FortiNDR (on-premises) scored well on several decision criteria, including:
Deep packet inspection: FortiNDR employs patented artificial neural networks (ANN) to extract and scan files from raw network traffic in real time, classifying malware into more than 20 attack scenarios rather than relying on hash analysis alone. This DPI capability enables the solution to detect zero-day threats through file extraction and analysis while keeping all data on-premises, making it particularly suitable for OT, government, and air-gapped environments.
Integrated flow data: FortiNDR ingests NetFlow, IPFIX, and sFlow data from routers, switches, and firewalls, combining flow-based anomaly detection with machine learning traffic profiling without requiring data to leave the customer network. This dual-analysis approach allows FortiNDR to detect threats from both packet-level inspection and flow metadata, with machine learning capabilities for NetFlow data planned for future releases to enhance anomaly detection.
Framework support: FortiNDR provides extensive MITRE ATT&CK framework mapping for enterprise threats and is developing support for the MITRE ICS matrix specifically for OT environments. The solution integrates natively with the Fortinet Security Fabric for automated response actions. It supports third-party integrations via REST API, SYSLOG, and ICAP protocols, enabling comprehensive security orchestration across diverse environments.
Opportunities
FortiNDR (on-premises) has room for improvement in a few decision criteria, including:
Core network integrations: FortiNDR's integration capabilities are primarily limited to Fortinet Security Fabric products (FortiGate, FortiNAC, FortiSwitch, FortiAnalyzer, and FortiSIEM). A few third-party integrations are available only through REST API, SYSLOG, and ICAP protocols. The solution lacks native integrations with many common network devices and security tools outside the Fortinet ecosystem, requiring custom development for comprehensive coverage. CEF (Common Event Format) support is still on the roadmap rather than currently available.
Regulatory compliance: While FortiNDR keeps all data on-premises, it lacks built-in compliance reporting templates for major regulations like GDPR, PCI-DSS, or HIPAA. The solution doesn't provide automated compliance assessment capabilities or pre-configured policies aligned with specific regulatory frameworks, requiring security teams to manually map detections to compliance requirements and create custom reports for audits and assessments.
Zero-network footprint: FortiNDR requires dedicated hardware appliances (FortiNDR-1000F) or virtual machines with substantial resource requirements (VM16/VM32), creating deployment complexity in resource-constrained environments. The solution's reliance on tap/span ports for traffic capture limits deployment flexibility in networks without appropriate mirroring capabilities, and its high-performance requirements for real-time ANN-based malware scanning necessitate significant computing resources.
Purchase Considerations
FortiNDR (on-premises) employs a subscription-based pricing model with licenses available for one-, three-, or five-year terms based on deployment components rather than user count or bandwidth. Pricing factors include the number and type of sensors (hardware appliances or virtual machines with 8/16/32 CPU options), an optional central management appliance or VM (available for managing up to 10 sensors or unlimited sensors), and add-on licenses for NetFlow analysis and OT/SCADA security services. The hardware sensors are sized according to network traffic throughput requirements, while VM options support various public cloud deployments (AWS, Azure, GCP, Alibaba).
Key purchase considerations include determining the appropriate sensor deployment strategy based on network architecture and traffic volume. The solution supports both standalone and centrally managed configurations, with the latter providing centralized configuration, logging, and reporting capabilities. FortiNDR integrates natively with the Fortinet Security Fabric, enabling automated response actions with FortiGate, FortiNAC, and FortiSwitch. For organizations with data sovereignty requirements, FortiNDR on-premises keeps all data within the customer network and supports offline updates for air-gapped environments. The solution's unlimited device/user licensing model simplifies capacity planning compared to competitors' per-device pricing approaches.
Use Cases
FortiNDR (on-premises) addresses a broad range of use cases, including air-gapped environments, critical infrastructure protection, data sovereignty compliance, east-west traffic monitoring in data centers, government/military deployments, malware detection and classification using artificial neural networks, network anomaly detection through machine learning, OT/SCADA security with industrial IPS capabilities, and threat hunting without data leaving customer networks. The solution supports environments requiring complete data privacy, featuring patented ANN-based real-time file extraction and malware classification into over 20 attack scenarios, JA3 fingerprinting for encrypted traffic analysis, and comprehensive integration with the Fortinet Security Fabric for automated response actions.
Fortinet: FortiNDR Cloud
Solution Overview
Founded in 2000, Fortinet provides cybersecurity solutions, specializing in network security products, including firewalls, endpoint protection, and network detection and response tools. In October 2023, Fortinet acquired Gigamon's ThreatInsight business and launched FortiNDR Cloud, a SaaS network security monitoring platform facilitating rapid detection, investigations, and threat hunting in customer environments.
FortiNDR Cloud is a SaaS-based network detection and response solution that ingests north-south and east-west network traffic via sensors deployed throughout customer environments. These sensors, available as hardware appliances or virtual machines (supporting ESXi and KVM), capture full packet streams from TAPs/SPANs and use Zeek, Suricata, and proprietary technology for stream reassembly and metadata extraction. The solution performs Layers 2-7 metadata analysis, enriching network data with entity and event context while supporting encrypted traffic analysis through JA3 hash extraction.
Fortinet takes a general approach to NDR, incrementally improving existing features while innovating to add emerging features like GenAI, expanded OT detection capabilities, and FortiSOAR playbooks as a service based on its monthly SaaS and quarterly sensor software release cadence.
Fortinet is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
FortiNDR Cloud scored well on several decision criteria, including:
Core network integrations: FortiNDR Cloud integrates with existing network infrastructure by ingesting north-south and east-west traffic via TAPs/SPANs using open-source (Zeek, Suricata) and proprietary technologies for stream reassembly and metadata extraction. The solution supports multiple deployment options, including hardware appliances, virtual machines (ESXi, KVM), and cloud workloads (AWS, Azure, GCP), with free virtual sensors to ensure comprehensive coverage across hybrid environments.
Contextualized visibility: FortiNDR Cloud performs Layers 2-7 metadata analysis, enriching network data with entity context (user, hostname, MAC) and event context (WhoIs, file hash, VirusTotal). The solution maps detections directly to the MITRE ATT&CK framework (covering over 90% of techniques), provides explicit detection logic with query-based evidence, and leverages JA3 hash extraction for encrypted traffic analysis without decryption.
Historical forensics: FortiNDR Cloud offers 365-day metadata retention, enabling comprehensive retroactive investigations when new threats are discovered. The solution includes built-in playbooks, guided next steps, and parallel investigation capabilities to streamline the investigatory process, allowing security teams to trace attacker behavior across extended timeframes without the hidden costs of traditional NDR solutions.
Opportunities
FortiNDR Cloud has room for improvement in a few decision criteria, including:
Deep packet inspection: FortiNDR Cloud does not perform true deep packet inspection but instead relies on metadata extraction using Zeek, Suricata, and proprietary technology for stream reassembly. The solution analyzes Layers 2-7 metadata rather than inspecting the full packet payload, limiting its ability to detect threats embedded within packet contents. While FortiGate NGFWs can perform DPI by decrypting and re-encrypting traffic, FortiNDR Cloud lacks this capability, instead focusing on network metadata analysis.
Encrypted traffic analysis: FortiNDR Cloud's approach to encrypted traffic analysis is limited to JA3 hash extraction without decryption capabilities built into the platform. The solution requires integration with FortiGate NGFWs or third-party packet brokers like Gigamon to perform "man in the middle" inspection for decrypting SSL/TLS traffic. This dependency on external components creates potential gaps in visibility when analyzing encrypted traffic, especially with certificate pinning increasingly being implemented by major services.
Automated response: FortiNDR Cloud offers limited native automated response capabilities, primarily relying on integrations with third-party tools like CrowdStrike EDR and Cisco SecureX for actual response actions. While it provides "Guided Next Steps" and pre-built playbooks to assist analysts, it lacks comprehensive automated response mechanisms within the platform, requiring customers to implement additional solutions for full automated remediation capabilities.
Purchase Considerations
FortiNDR Cloud employs a dual-component pricing model based on the number of sensors deployed throughout the customer environment and the total aggregate throughput being analyzed. Hardware sensors are available in two sizes (FNRC-500F, small, and FNRC-900F, large) with corresponding annual subscriptions, while virtual sensors for ESXi, KVM, and public cloud deployments (AWS, Azure, GCP) are provided free of charge to ensure comprehensive coverage. The SaaS platform is licensed in Gbps throughput increments with subscription terms of one, three, or five years. It includes the "Guided SaaS" approach with dedicated technical success managers who assist with onboarding, training, and day-to-day operations.
Key purchase considerations include deployment flexibility across on-premises, cloud, and hybrid environments with no device limits. Customers should evaluate migration complexity, especially if transitioning from another NDR solution, and consider starting with a focused proof of concept to validate the solution's effectiveness in their environment. The platform's 365-day metadata retention capability enables comprehensive historical forensics without additional storage costs. Potential customers should note that while FortiNDR Cloud provides extensive integration with the Fortinet Security Fabric, its automated response capabilities primarily rely on third-party integrations for actual remediation actions.
Use Cases
FortiNDR Cloud addresses a broad range of use cases, including advanced persistent threat detection, breach prevention, east-west traffic monitoring, encrypted traffic analysis, historical forensics with 365-day metadata retention, insider threat detection, lateral movement detection, malware detection, network anomaly identification, north-south traffic monitoring, and zero-day threat detection. The SaaS-based solution ingests full packet streams from TAPs/SPANs throughout customer environments, using open-source technologies (Zeek, Suricata) and proprietary technology for stream reassembly and metadata extraction.
Gatewatcher: AIonIQ
Solution Overview
Founded in 2015, Gatewatcher provides advanced cybersecurity solutions, specializing in advanced intrusion and threat detection using artificial intelligence. In 2019, the company launched AIonIQ, which identifies malicious actions and suspicious behaviors based on the mapping of assets present on information systems, offering a 360° modeling of cyber risk associated with connections between IT and OT assets and users.
AIonIQ's architecture consists of a GCenter management server and GCap probes for network monitoring. The GCap probes capture full packet data via SPAN ports or TAPs, reconstructing, sorting, and transmitting files, codes, and events to the GCenter for analysis. AIonIQ employs multiple detection engines, including static, heuristic, and machine learning models that analyze both packet metadata and behavioral patterns, enabling threat detection even in encrypted traffic.
Gatewatcher takes a focused approach to NDR, incrementally improving existing features while innovating with AI capabilities, such as its Generative AI Assistant and Large Threat Behaviour Model, for conversational threat detection.
Gatewatcher is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
AIonIQ scored well on several decision criteria, including:
Integrated flow data: AIonIQ optimizes threat detection and incident response based on internal and public network flows, combining multiple automated engines that apply behavioral analytics. Its supervised machine learning engines are oriented explicitly toward threat use case detection, enabling the identification of zero-day suspicious activities, post-breach investigation, insider threat hunting, and detection of lateral movements even in encrypted traffic.
Historical forensics: AIonIQ enables SOC experts to intuitively pivot between handling security incidents and proactively searching for intrusions, providing comprehensive access to all data and metadata resulting from network analysis. The platform's ability to conduct post-breach research, such as ransomware investigation, demonstrates its forensic capabilities, while its internal threat intelligence capacities enrich engines and metadata to support both active and retrospective threat hunting.
Automated response: AIonIQ facilitates seamless integration with existing security ecosystems through API connectivity, allowing organizations to automate and accelerate security incident management. The platform enables pushing alert notifications with enrichment data to SOC teams, collecting additional information to enhance events, and automatically engaging mitigation actions based on AIonIQ outcomes, significantly streamlining response workflows.
Opportunities
AIonIQ has room for improvement in a few decision criteria, including:
Deep packet inspection: AIonIQ relies primarily on metadata analysis rather than full DPI capabilities (available via Gatewatcher's network traffic monitoring solution, Deep Visibility), which restricts its ability to inspect and analyze the data section of packets thoroughly. This approach is particularly limiting for encrypted traffic analysis, as modern encryption protocols like TLS 1.3, DNS over HTTPS, ESNI, and ESH require advanced DPI techniques combining machine learning, deep learning algorithms, and high-dimensional data analytics that AIonIQ doesn't fully implement.
Contextualized visibility: AIonIQ lacks advanced entity relationship mapping that automatically identifies and visualizes connections between users, devices, and applications across the network. The platform doesn't offer AI-driven pattern recognition capabilities that can identify subtle, multifactor anomalies and present them in intuitive visual formats, limiting its ability to provide the contextual intelligence needed for rapid, informed decisions in complex threat scenarios.
Regulatory compliance: AIonIQ doesn't implement automated compliance monitoring and assessment capabilities that continuously evaluate network activities against regulatory requirements. The platform lacks AI-powered compliance tools that can generate accurate real-time reports on regulatory adherence, forecast future compliance needs through predictive analytics, or dynamically adapt to regulatory changes through machine learning.
Gatewatcher is classified as a Forward Mover because it shows steady but incremental innovation through its AI-driven NDR platform without breakthrough features or significant M&A-driven capabilities that would position it ahead of industry trends.
Purchase Considerations
AIonIQ by Gatewatcher uses a simple subscription model based on active assets deployed on the customer network to provide predictable costs. The solution does not offer a freemium version, using a try-and-buy model with no setup fee. The pricing structure likely varies based on deployment scale, network size, and specific feature requirements. Potential customers should request detailed pricing information directly from Gatewatcher’s authorized partners to receive a customized quote for their organization's unique security needs.
Key purchase considerations include AIonIQ's API-based integration capabilities with existing security ecosystems (EDR, XDR, SIEM, SOAR, and NextGen Firewall), which may impact implementation complexity. The solution's machine learning-based detection engines support various use cases, including zero-day threat detection, post-breach investigation, and lateral movement identification, even in encrypted environments. Prospective buyers should inquire about PoC opportunities, migration paths from existing solutions, and integration requirements with their current SOC ecosystem. Organizations should also consider AIonIQ's modular architecture, which is designed to adapt to unique organizational characteristics and constraints when evaluating the total cost of ownership.
Use Cases
AIonIQ addresses a broad range of use cases, including the detection of zero-day suspicious activities on the network, hunting insider threats, identification and characterization of threats for global remediation actions, investigation of post-breach scenarios such as ransomware, mapping of user assets and behaviors, minimizing business disruption from cyberattacks, and spotting shadow IT. AIonIQ detects possible lateral movements even when raw network packets are encrypted, providing behavioral visibility of cyber threats and simplifying investigations through MITRE ATT&CK framework integration. The platform enables SOC experts to pivot intuitively between handling security incidents and proactively searching for intrusions.
GREYCORTEX: Mendel*
Solution Overview
Founded in 2016, GREYCORTEX specializes in cybersecurity solutions focusing on NDR technology that uses advanced artificial intelligence, machine learning, and data mining methods to help organizations secure their IT and OT networks.
GREYCORTEX Mendel employs a distributed architecture with sensors and collectors that analyze network traffic via mirrored ports (SPAN or TAP). It both captures flow-based data (NetFlow v5/9 and IPFIX for IPv4/IPv6) and performs deep packet inspection (DPI) on network traffic. The solution's Advanced Security Network Metrics (ASNM) protocol tracks over 70 flow attributes—providing richer analysis than standard NetFlow—with bi-directional flow recording and application protocol metadata for numerous protocols. Analysis capabilities include intrusion detection, network behavior analysis using AI, and encrypted traffic analysis.
GREYCORTEX takes a general approach to NDR, innovating to add emerging features like AI-based network behavior analysis, deep packet inspection, and OT network monitoring while incrementally improving its Mendel platform.
GREYCORTEX is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Mendel scored well on several decision criteria, including:
Encrypted traffic analysis: Mendel employs a multifaceted approach combining behavioral modeling with machine learning, statistical methods, fingerprinting, threat intelligence, and deep packet inspection for encrypted data. It can detect anomalous patterns and repetitive communications indicative of C2 traffic, analyze SSL/TLS protocols and certificates to identify blacklisted connections, implement JA3 fingerprinting for client identification, and optionally decrypt traffic with private RSA keys or integrate with external decryption tools for deeper inspection.
Integrated flow data: Mendel leverages both flow-based and content-based monitoring, collecting network flow data at near real-time intervals (one minute) while extending this with comprehensive contextual metadata, including user identity and application protocols. Its Advanced Security Network Metric protocol captures over 70 attributes of each flow, providing significantly richer analysis than standard NetFlow while maintaining low storage requirements.
Historical forensics: Mendel generates and stores extensive network traffic metadata with full contextual awareness (source, destination, user identity, application protocol) while requiring minimal storage capacity compared to full packet capture solutions. This approach enables long-term retention of detailed network history, allowing security teams to investigate incidents across extended timeframes with complete visibility into historical network behavior.
Opportunities
Mendel has room for improvement in a few decision criteria, including:
Deep packet inspection: Mendel's DPI capabilities are limited to extracting metadata for only about 30 application protocols, even in tunneled traffic, which is significantly fewer than leading solutions. While it does employ DPI as part of its detection technology stack, the solution relies more heavily on its NBA (network behavior analysis) and ASNM protocol for threat detection rather than comprehensive packet content analysis, suggesting DPI is not its primary strength.
Contextualized visibility: Mendel provides basic contextual information, including source, destination, user identity and application protocol, but lacks advanced entity relationship mapping that automatically identifies connections between users, devices, and applications across the network. Its visualization capabilities are primarily focused on individual device communications rather than providing a comprehensive view of the entire network ecosystem with cross-domain correlation.
Automated response: Mendel's response capabilities primarily focus on integrating with other security tools rather than providing native automated response actions. The system allows for incident management and can export events to SIEM systems but requires manual intervention for most threat mitigation efforts, with limited evidence of sophisticated response workflows or context-aware automation that can adapt responses based on threat severity.
Purchase Considerations
GREYCORTEX Mendel offers two primary pricing models: perpetual licensing based on sensor throughput and flows per second or subscription licensing using the same metrics but with support included. The solution doesn't provide a free trial or freemium version and requires no setup fee. Deployment considerations should include hardware specifications, as Mendel can be implemented on dedicated hardware. Organizations should budget for both the software license and ongoing maintenance, with the possibility of adding proactive security monitoring services as an optional component.
When evaluating Mendel, customers should consider their network monitoring requirements (throughput, flows per second, monitoring ports, and storage needs), as these directly impact pricing. The solution offers integration capabilities with other security tools via API extensions, which is valuable for organizations with existing security ecosystems. Migration complexity appears manageable, with Mendel's new network inventory module providing immediate visibility. While specific PoC information isn't available, the solution's ability to customize log processing rules allows for tailoring to specific environments. Organizations should also consider whether they need the industrial OT monitoring capabilities Mendel offers for specialized environments.
Use Cases
GREYCORTEX Mendel addresses a broad range of use cases, including advanced threat detection, application and performance monitoring, asset inventory management, automated incident response, compliance verification (GDPR, ISO27000, PCI DSS), industrial network security, network visibility and traffic analysis, OT network monitoring, policy breach identification, and threat hunting. The solution detects sophisticated threats like APTs, botnets, command-and-control attacks, data leaks, malware, and ransomware through its combination of deep packet inspection, behavioral analysis, and artificial intelligence. Mendel provides comprehensive visibility across both IT and OT environments, enabling organizations to visualize all network communications while identifying anomalous behavior that might indicate security incidents or operational issues.
Lumu Technologies: Lumu Defender
Solution Overview
Founded in 2019, Lumu Technologies provides cybersecurity software designed to measure compromise in real time, specializing in continuous compromise assessment technology that helps organizations illuminate threats and attacks. In July 2021, Lumu Technologies launched Lumu Defender, a cloud-based solution that collects and standardizes metadata from across the network, then applies artificial intelligence to correlate threat intelligence and isolate confirmed points of compromise.
Lumu Defender is a cloud-native NDR solution that employs virtual appliances, hardware sensors, and endpoint agents to collect network metadata from DNS queries, NetFlows, proxy logs, firewall logs, and email intelligence. Rather than relying on full packet capture, it primarily analyzes metadata through its patent-pending Illumination Process, combining known IoC correlation, AI-driven anomaly detection, and deep correlation analysis with selective DPI capabilities through Gigamon integration.
Lumu Technologies takes a focused, innovative approach to NDR, rapidly developing emerging features like advanced deployments, analytics view, and autopilot while incrementally improving core metadata analysis capabilities and filling gaps.
Lumu Technologies is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Lumu Defender scored well on several decision criteria, including:
Integrated flow data: Lumu Defender excels in flow data analysis by ingesting NetFlow v5, v9, and v10/IPFIX protocols through multiple collection methods, including virtual appliances and direct cloud integrations. It applies machine learning models that continuously update as data is ingested, establishing network baselines to detect issues when assets deviate from normal communication patterns. This approach enables the detection of lateral movement and adversary activity while correlating flow data with other metadata sources like DNS queries and proxy logs for comprehensive threat visibility.
Contextualized visibility: Lumu provides rich contextual intelligence through its compromise context feature, which delivers actionable insights about detected threats, including affected devices, contact patterns, attacker information, and MITRE ATT&CK mapping. The analytics view visualizes network behavior patterns across geography, data types, and time periods, while the compromise radar shows how assets communicate with adversarial infrastructure, enabling security teams to understand both the scope and impact of threats.
Automated response: Lumu Defender offers over 40 pre-configured integrations with security tools, enabling API-driven actions rather than outdated TCP resets. Autopilot automatically analyzes incidents using network signals, security stack data, and threat intelligence, then monitors, mutes, closes, or escalates threats based on real-time assessment. Customers can customize response actions based on threat type, severity, and context.
Lumu Technologies is classified as an Outperformer due to its rapid innovation pace, recent introduction of significant features, ambitious roadmap, and weekly release cadence for its SaaS platform while delivering product updates monthly and quarterly.
Opportunities
Lumu Defender has room for improvement in a few decision criteria, including:
Deep packet inspection: Lumu Defender employs a metadata-focused approach rather than comprehensive DPI, using selective DPI only where needed through integrations with Gigamon. The solution deliberately avoids full packet capture and inspection due to the challenges of modern encryption protocols like TLS 1.3, which limit DPI effectiveness. Lumu analyzes network metadata, including DNS queries, NetFlows, and proxy logs, supplemented by JA3/JA3S fingerprinting, SNI analysis, and Cipher Suite evaluation for encrypted traffic.
Encrypted traffic analysis: Lumu's current deployment does not encourage encrypted traffic analysis, but it provides the option if requested. The solution acknowledges the limitations of decryption in modern environments where end-to-end encryption is prevalent, instead focusing on behavioral analysis of encrypted communications through metadata patterns. While Lumu offers partnerships with Mira Security and Gigamon for organizations requiring deeper inspection, its core approach prioritizes metadata over packet-level analysis.
Historical forensics: Lumu's capabilities focus on metadata retention rather than full packet capture, limiting the depth of available forensic information. While the solution differentiates itself by storing network metadata for up to two years through its playback feature, it lacks advanced AI-driven forensic analysis that would automatically identify patterns in historical data and provide predictive insights. The query capabilities are limited to endpoint-focused and destination-focused investigations rather than comprehensive packet-level forensics.
Purchase Considerations
Lumu Defender employs a straightforward asset-based monthly or annual subscription model by which customers pay per device connected to their network, with the per-asset cost decreasing as the number of assets increases. Lumu offers three tiers: Lumu Free (limited capabilities with no cost), Insights (enhanced visibility), and Defender (full capabilities including automated response). The Defender tier includes unlimited virtual appliances, two years of incident retention, and telephone support.
Key purchase considerations include Lumu's flexible deployment options through virtual appliances, hardware sensors, endpoint agents for remote workers, and third-party infrastructure integrations—eliminating the need for extensive hardware investments. The solution offers rapid time-to-value, with many customers implementing within minutes or hours, making PoC testing straightforward. Migration complexity is minimal due to Lumu's cloud-native architecture and extensive integration ecosystem. Customers should consider that while the base pricing is transparent, some advanced features may require additional configuration.
Use Cases
Lumu Defender addresses a broad range of use cases, including automated threat response, counter-evasion of security controls, network threat visibility for on-premises, hybrid, and cloud environments, retrospective threat hunting, security operations, and threat detection. Lumu Defender's metadata-focused approach is designed to detect threats that bypass traditional endpoint security, making it applicable for organizations seeking to close security gaps and automate incident management without requiring heavy integration or expensive add-ons.
NETSCOUT: Omnis Network Security
Solution Overview
Founded in 1984, NETSCOUT specializes in visibility technology that unites performance, security, and availability on a common data foundation. In August 2023, NETSCOUT launched Omnis Network Security, a DPI-based NDR solution that provides real-time, multidimensional threat detection and investigation with full packet-based visibility.
Omnis Network Security comprises multiple integrated components: CyberStream network sensors (available as hardware or virtual appliances), Omnis Cyber Intelligence (central management console), Omnis AI Streamer (data export engine), and nGenius Decryption Appliance. The solution captures full packets at speeds up to 100 Gbps, converting raw packets into Layer 2-7 metadata using NETSCOUT's patented Adaptive Service Intelligence (ASI) technology rather than relying on traditional flow data like NetFlow or IPFIX.
NETSCOUT takes a focused approach to NDR, incrementally improving existing features through annual major releases with minor updates that enhance detection algorithms, MITRE ATT&CK integration, and investigation workflows.
NETSCOUT is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Omnis Network Security scored well on several decision criteria, including:
Deep packet inspection: Omnis Network Security leverages patented Adaptive Service Intelligence (ASI) technology to transform raw packets into comprehensive Layer 2-7 metadata at speeds up to 100 Gbps. Independently of detections, it provides continuous packet capture before, during, and after attacks, with local storage of hundreds of terabytes on CyberStream sensors, enabling both real-time threat detection and historical forensic investigation without performance degradation.
Encrypted traffic analysis: The solution combines multiple complementary approaches, including the nGenius Decryption Appliance (nDA) for TLS/SSL and SSH traffic decryption, encryption strength analysis during handshakes, certificate validation (detecting self-signed, expired, and revoked certificates), fingerprinting techniques like JA3, and behavioral analysis that can identify anomalous patterns even in encrypted communications without compromising compliance.
Contextualized visibility: Omnis Network Security provides comprehensive north-south and east-west visibility across physical and hybrid-cloud infrastructure through its "visibility without borders" approach. It delivers packet-level visibility into all seven OSI layers while mapping detected threats to the MITRE ATT&CK framework, enables host investigations that show critical and questionable interactions, and supports both guided contextual and ad hoc unguided investigations to determine breach extent.
Opportunities
Omnis Network Security has room for improvement in a few decision criteria, including:
Core network integrations: Omnis Network Security relies primarily on network TAPs, switch mirror/SPAN ports, public cloud virtual mirroring or taps, and packet brokers for data collection, with limited native integration capabilities for network infrastructure devices beyond basic connectivity. Its bi-directional integration capabilities focus mainly on security tools (SIEM/SOAR/XDR) rather than deep integration with network management systems, SDN controllers, or comprehensive API frameworks that would enable more sophisticated orchestration with diverse network components.
Integrated flow data: The solution does not ingest or analyze traditional flow data such as NetFlow, sFlow, or IPFIX. Instead, it generates metadata exclusively from deep packet inspection, which prevents integration with existing flow collection infrastructure and limits visibility in environments where packet capture isn't feasible.
Automated response: Omnis Network Security lacks native automated response capabilities, relying instead on integrations with third-party tools like firewalls and EDR systems for blocking or quarantining threats. While it provides pre-built playbooks and supports SIEM/SOAR/XDR workflows, it does not offer AI-driven or fully automated remediation mechanisms, requiring manual intervention for complex responses.
NETSCOUT is classified as a Forward Mover because it maintains a steady pace through annual major releases and minor updates, focusing on enhancements to existing features rather than rapidly introducing cutting-edge technologies or acquiring new capabilities such as advanced predictive analytics.
Purchase Considerations
Omnis Network Security offers both perpetual and subscription purchase options, with pricing based on the number of CyberStream network sensors managed rather than the number of IP addresses monitored. CyberStream sensors are available as hardware appliances with various monitoring speeds (1G to 100 Gbps) and storage capacities (32TB to 384TB) or as software-only options for certified Dell hardware platforms or virtual machines. Omnis Cyber Intelligence is priced according to the number of sensors it manages, with an annual maintenance and support subscription fee calculated as a percentage of the list purchase price.
Key purchase considerations include deployment flexibility across on-premises, colocation, and public cloud environments (AWS, Azure, Google Cloud), with both hardware and virtual options available. The solution scales linearly since analysis is performed within the probe rather than at an offline collection point, allowing unlimited scaling based on analyzed throughput. Customers should consider that a single CyberStream sensor and Omnis Cyber Intelligence console can provide full line-rate packet capture, local storage, multidimensional threat detection, and historical investigation capabilities that might require multiple components from competitors, potentially reducing overall deployment complexity and costs.
Use Cases
Omnis Network Security addresses a broad range of use cases, including compliance and auditing with regulations such as GDPR and HIPAA, continuous network monitoring with north-south and east-west packet-level visibility, critical infrastructure protection for utilities, healthcare, and financial institutions, enterprise security for protecting sensitive data and intellectual property, historical investigation and hunting using locally stored packets and metadata, real-time threat detection using multiple methods (behavioral analysis, custom policies, Suricata rules, threat intelligence), service provider network security, and third-party integration to enhance existing security stacks by feeding network data into and conducting investigation or hunting from SIEM, SOAR, and XDR platforms.
NetWitness: NetWitness Network*
Solution Overview
Conceived in 1997 as a US intelligence agency research project and spun out in 2006, NetWitness delivers comprehensive and highly scalable threat detection and response capabilities based on a unified data architecture. After several years of transition between RSA, EMC, and Dell, NetWitness became an independent business unit of RSA Security in 2023.
NetWitness Network is built on a distributed architecture comprising Decoders (packet/log collectors), Concentrators (aggregators), Brokers (data bridge points), and a central NetWitness Server. It supports hardware and virtual sensors for full packet capture, metadata extraction, and NetFlow (v5, v9, and IPFIX) collection. The platform performs deep packet inspection across hundreds of protocols, employs patented parsing technology for real-time metadata enrichment, and provides protocol-aware analysis, including SSL/TLS fingerprinting for encrypted traffic.
NetWitness takes a focused approach to NDR, incrementally improving its core capabilities while innovating with SASE integration, JA3/JA4 fingerprinting updates, and threat intelligence to address evolving security challenges in hybrid environments.
NetWitness is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
NetWitness Network scored well on several decision criteria, including:
Deep packet inspection: NetWitness Network provides deep inspection of hundreds of network protocols combined with a powerful forensic toolkit, employing signature- and behavior-based DPI to maximize threat detection. It offers native decoding support, integrates with third parties for decryption, and allows analysts to create custom DPI rules tailored to their organization while providing optimization tools to balance security with performance.
Contextualized visibility: The solution dynamically parses and enriches network data with business context, identity information, threat intelligence, and MITRE ATT&CK mapping in real time at the point of packet capture. This enrichment creates human-readable and navigable metadata that accelerates analysis across on-premises, cloud, and virtual environments, while the platform's interactive nodal diagrams visually represent relationships between network elements with hover functionality to reveal additional context.
Historical forensics: NetWitness Network captures and retains original network traffic for session and payload reassembly based on flexible, multitier retention policies configurable by traffic type or geographic location. The platform can reconstruct entire network sessions, including spearphishing emails and fake websites, while preserving comprehensive forensic evidence that can be tracked independently during threat hunting or packaged as incidents.
Opportunities
NetWitness Network has room for improvement in a few decision criteria, including:
Encrypted traffic analysis: NetWitness Network relies primarily on basic SSL/TLS fingerprinting, certificate hashing, and entropy validation techniques to analyze encrypted traffic without decryption. While it offers native decoding support and third-party integration for decryption, it lacks advanced machine learning algorithms designed explicitly for encrypted traffic analysis. The platform plans to upgrade from JA3 to JA4 fingerprinting, but it currently lacks sophisticated correlation between encrypted traffic patterns and the broader network context.
Integrated flow data: The solution supports basic NetFlow v5, v9, and IPFIX collection but lacks advanced machine learning-enhanced flow analysis capabilities. The platform stores flow data as sessions for historical purposes and baselining, enabling statistical comparison between normal and anomalous flows. However, it doesn't leverage AI to identify subtle patterns in flow communications or demonstrate continuous learning capabilities that improve flow-based anomaly detection over time.
Automated response: NetWitness Network requires integration with NetWitness Orchestrator rather than providing native functionality for automated response capabilities. While it offers preconfigured playbooks and over 150 security integrations, it lacks AI-driven decision-making for autonomous response actions and doesn't demonstrate adaptive learning capabilities that optimize response strategies based on historical effectiveness.
NetWitness is classified as a Forward Mover because its semi-annual platform updates focus on incrementally improving core features rather than introducing groundbreaking capabilities or rapidly incorporating emerging technologies like generative AI.
Purchase Considerations
NetWitness Network uses a tiered throughput-based pricing model based on the volume of network traffic collected by its sensors. Customers can choose between full packet capture or metadata-only licensing to optimize costs for specific use cases, such as east-west traffic monitoring. Additional licensing models include UEBA and optional support tiers, ranging from basic maintenance to 24/7 enhanced support. Deployment costs vary depending on whether customers opt for NetWitness-provided hardware, BYOD configurations, or cloud-based virtual sensors.
Key purchase considerations include the complexity of migration and deployment, as NetWitness is tailored for enterprise-level organizations with experienced security teams. PoC capabilities are available to demonstrate detection and forensic features across hybrid environments. Customers should evaluate the platform's modular architecture, which allows incremental adoption of additional components like SIEM, eEDR, and SOAR for extended visibility and response capabilities. While NetWitness excels in scalability and integration with third-party tools, potential buyers should consider the upfront investment required for hardware or cloud infrastructure and the operational expertise needed to manage its advanced features effectively.
Use Cases
NetWitness Network addresses a broad range of use cases, including advanced persistent threat detection, compliance monitoring (SOX, PCI, HIPAA, NERC), forensic investigations, incident response, insider threat detection, malware identification, network behavior monitoring, network forensics, network visibility across hybrid environments, ransomware detection, SASE-enabled traffic monitoring, threat hunting, and zero-day exploit detection. Its real-time enrichment with business context, identity information, and threat intelligence enables security teams to quickly detect, investigate, and respond to known and unknown threats traversing the network.
NextRay: NextRay NDR*
Solution Overview
Founded in 2021, NextRay specializes in network security. In 2022, NextRay launched its only product, NextRay NDR, an agentless solution deployed out of band. It connects to the network through Garland Technology’s Network TAPs, which are installed between network devices to copy full-duplex traffic and forward it to NextRay NDR, enabling threat detection without interfering with the original network traffic.
NextRay NDR is an agentless solution that captures and analyzes both north-south and east-west traffic. It employs deep packet inspection to analyze the full content of network communications in real time, revealing application and session details. The solution sees network traffic across various segments—including hard-to-see devices like IoT, OT, legacy devices, and sensitive endpoints that may not support traditional endpoint agents—analyzing both packet content and flow data (NetFlow and IPFIX).
NextRay takes a general approach to NDR, innovating to add emerging features like AI-driven behavioral analysis, four-angle anomaly detection, and agentless visibility across both north-south and east-west traffic.
NextRay is positioned as an Entrant and Forward Mover in the Maturity/Feature Play quadrant of the NDR Radar.
Strengths
NextRay NDR scored well on several decision criteria, including:
Core network integrations: NextRay NDR offers deep integration with third-party security platforms, allowing it to work seamlessly with SIEM and SOAR tools, firewalls, and other security tools through APIs. This creates a unified security response system while providing comprehensive visibility across north-south and east-west traffic. It integrates seamlessly into existing infrastructure without requiring agents, giving access to hard-to-see IoT, OT, legacy devices, and sensitive endpoints.
Deep packet inspection: NextRay NDR leverages live packet data and deep packet inspection to analyze the full content of network communications in real time. By digging deeper than basic traffic analysis, NextRay can detect deviations from normal patterns across a wide range of traffic, enabling it to identify previously unseen threats without signatures and to detect sophisticated attack patterns, such as lateral movement, that traditional tools might miss.
Automated response: NextRay streamlines incident response through automation capabilities, including endpoint lockdown, SOAR-enabled workflow automation, and AI-driven user profile refinement. The solution continuously adapts to evolving threat patterns, allowing organizations to respond before damage occurs and significantly reducing incident response times across the telecommunications, aviation, and financial sectors.
Opportunities
NextRay NDR has room for improvement in a few decision criteria, including:
Encrypted traffic analysis: NextRay NDR encounters difficulties detecting threats within encrypted network traffic, particularly with the widespread use of TLS. As encryption becomes more prevalent across networks, the solution's effectiveness diminishes without advanced decryption capabilities, potentially missing crucial indicators of attacks hidden in encrypted communications that comprise an increasing percentage of modern network traffic.
Historical forensics: NextRay NDR prioritizes real-time detection over comprehensive historical data retention, limiting its ability to provide detailed forensic analysis of past security incidents. The solution lacks sophisticated timeline views and event sequencing capabilities needed for thorough post-breach investigations, forcing security teams to rely on complementary solutions for root cause analysis and threat hunting through historical data.
Regulatory compliance: NextRay NDR provides minimal automated compliance reporting features tailored to specific regulatory frameworks, requiring significant manual effort to generate compliance documentation. The solution lacks comprehensive audit trails and compliance-specific dashboards that would streamline regulatory verification processes across financial and healthcare sectors and other highly regulated industries.
NextRay is classified as a Forward Mover because it focuses on incrementally improving existing features, such as anomaly detection and agentless visibility, rather than introducing disruptive innovations or acquiring transformative capabilities.
Purchase Considerations
NextRay NDR offers a subscription-based pricing model based on network coverage requirements rather than by data volume, allowing for predictable budgeting without surprise costs as traffic increases. However, prices can vary widely based on the scale of deployment. Prospective customers should contact NextRay for specific pricing details.
The subscription includes regular updates, technical support, and access to NextRay's advanced threat detection capabilities.
Key purchase considerations include NextRay's agentless deployment model, simplifying implementation and providing comprehensive visibility into north-south and east-west traffic without endpoint agents. The solution integrates seamlessly with existing security infrastructure, including SIEM, SOAR, and EDR, minimizing migration complexity. Customers maintain control over where their data is stored and processed, addressing data residency concerns. Before purchasing, organizations should evaluate NextRay's AI capabilities, real-time alerting functionality, and compatibility with their network environment, particularly for visibility into IoT, OT, and legacy devices. NextRay offers deployment assistance and integration support to ease the onboarding process, though specific PoC capabilities aren't explicitly detailed in the available information.
Use Cases
NextRay NDR addresses a broad range of use cases, including advanced threat detection beyond signature-based approaches, anomaly detection for identifying unusual network behaviors, compliance enforcement particularly for GDPR requirements, critical infrastructure protection for national security, east-west traffic monitoring to catch lateral movement, insider threat identification, IoT and OT device monitoring where agents cannot be installed, legacy device visibility, network traffic analysis through deep packet inspection, and real-time incident response. The solution supports the financial and telecommunications sectors, providing comprehensive visibility across network segments without requiring agents, enabling security teams to detect previously unseen threats, command and control communications, and data exfiltration attempts.
OpenText: OpenText Network Detection & Response*
Solution Overview
Founded in 1991, OpenText is an enterprise information management company providing software products and services for managing information assets. In November 2021, OpenText acquired Bricata, rebranding its NDR offering as OpenText Network Detection & Response. In May 2024, OpenText acquired Pillr, a managed detection and response (MDR) platform from Novacoast, strengthening OpenText's cybersecurity portfolio with enhanced threat hunting, monitoring, and response capabilities.
OpenText NDR leverages a hardware-agnostic architecture with physical and virtual sensors, enabling full packet capture and metadata generation for comprehensive network visibility. It provides 360-degree protection by fusing signature inspection, stateful anomaly detection, and machine learning-powered analysis, applying heuristic methods and behavioral analytics to both encrypted and unencrypted traffic to defend against known and hidden threats.
OpenText takes a focused approach to NDR, incrementally improving existing behavioral analytics capabilities while filling feature gaps in cloud integration, flow analysis, and generative AI based on its quarterly release cadence.
OpenText is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
OpenText NDR scored well on several decision criteria, including:
Deep packet inspection: OpenText NDR captures and analyzes network packets in real time, enabling thorough inspection of traffic for malicious activity through a multifaceted suite combining signature inspection, stateful anomaly detection, and machine learning-powered malware conviction. The solution fuses detection methods to defend against known threats and illuminate those otherwise unseen while providing heuristic analysis of encrypted flows without requiring decryption.
Historical forensics: The solution maintains a full packet capture buffer of all traffic, collects SmartPCAP data during any alert, and provides configurable and deeply expandable metadata storage for all network sessions. This multilayered approach enables security teams to conduct retrospective network traffic analysis and historical data testing to determine if threats infiltrated the network before known indicators became available, with all data stored in an easily scalable repository.
Managed NDR: OpenText delivers NDR through multiple service models, including traditional on-premises managed software and fully outsourced managed services bundled with expert security operations support. Seamless integration with OpenText MxDR enables better correlation and analysis of network security events with other security data, providing comprehensive cyber resilience and improved security posture.
Opportunities
OpenText NDR has room for improvement in a few decision criteria, including:
Core network integrations: OpenText NDR offers integration into network devices with automated capture methods across physical ports and tunneled traffic, but it lacks the deeper automation capabilities required for comprehensive network infrastructure integration. The solution provides basic optimization of inbound data with configurable filters. However, advanced software-defined networking (SDN) integration and automation features are still in development, with deeper automation capabilities on the roadmap for CY2025 rather than currently available.
Encrypted traffic analysis: OpenText NDR currently employs heuristic analysis of encrypted flows in both signature and behavioral analytics but lacks more sophisticated capabilities for analyzing encrypted communications. The solution does not yet offer endpoint-assisted selective decryption capabilities, which limits its ability to thoroughly inspect encrypted traffic for potential threats. These enhanced detection methods for encrypted traffic are still in development and scheduled for implementation in future releases.
Integrated flow data: OpenText NDR explicitly acknowledges its limited ingestion capabilities for network flow data. The solution focuses primarily on packet capture and metadata generation rather than comprehensive flow analysis. Full flow data capabilities, essential for monitoring high-speed network segments and providing visibility where packet capture is impractical, are still being developed and on the roadmap for staged implementation over future releases.
OpenText is classified as a Forward Mover because, while it maintains a quarterly release cadence, several critical NDR capabilities, including full flow data integration, generative AI, and endpoint sensors, are still in development and currently unavailable.
Purchase Considerations
OpenText NDR offers a consumption-based pricing model with yearly or multiyear subscriptions structured either by total inspection throughput or on a per-user basis for service providers. The solution includes all features in the base subscription without hidden fees or optional feature charges, making it transparent and predictable for budgeting. Customers can deploy the software on their existing hardware infrastructure, significantly reducing TCO compared to competitors that require proprietary appliances.
Key purchase considerations include flexible deployment options (virtual machines, physical devices, or cloud appliances), integration capabilities with existing security tools, and the ability to scale based on organizational needs. The solution can be bundled with various service levels, including full-time on-site support in certain regions. Customers should consider their network visibility requirements, as OpenText NDR currently has limited flow data ingestion capabilities (planned for enhancement in upcoming releases). When evaluating, organizations should assess their existing hardware infrastructure compatibility, integration requirements with SIEM/SOAR tools, and decide whether they need managed services options, which range from traditional on-premises software to fully outsourced security operations.
Use Cases
OpenText NDR addresses a broad range of use cases, including advanced threat detection across encrypted and unencrypted traffic, behavioral anomaly identification, comprehensive network visibility across both north-south and east-west traffic, forensic investigation of security incidents, historical threat hunting through stored metadata and SmartPCAP data, lateral movement detection, malware conviction through machine learning, real-time alert correlation with existing security tools, retrospective network traffic analysis to find threats that infiltrated before known indicators were available, and seamless integration with SIEM/SOAR workflows.
Plixer: Plixer One Enterprise
Solution Overview
Founded in 1999, Plixer specializes in technology that leverages NetFlow/IPFIX data for traffic analysis and security monitoring. In February 2025, Plixer launched Plixer One Enterprise, an AI-powered network observability and defense platform that evolved from the Scrutinizer product, extending the capabilities of Plixer One Security.
Plixer One Enterprise leverages a distributed architecture with a central reporting server and unlimited collectors. It ingests and analyzes flow data (NetFlow, IPFIX, sFlow, jFlow) and cloud flow logs from existing network infrastructure without requiring additional hardware sensors. The platform performs deep packet inspection through its FlowPro component, which offers selective packet capture and application-layer traffic analysis. Plixer One Enterprise uses AI-driven anomaly detection, machine learning models, and behavioral analytics to identify threats and performance issues.
Plixer takes a focused approach to NDR, innovating to add emerging features such as AI-driven anomaly detection, encrypted traffic analysis, and MITRE ATT&CK framework mapping while maintaining a flow-based architecture leveraging existing infrastructure.
Plixer is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the NDR Radar.
Strengths
Plixer One Enterprise scored well on several decision criteria, including:
Integrated flow data: Plixer One Enterprise processes over one million flows per second and analyzes more than 9,000 unique information elements, normalizing multiple flow types (NetFlow, IPFIX, sFlow, jFlow, AWS, Azure) into a consistent format. The platform employs advanced ML with seasonality modeling that differentiates between weekday, evening, and weekend traffic patterns to reduce false positives. It also correlates flow telemetry with threat intelligence feeds to identify command-and-control activity and data exfiltration attempts.
Contextualized visibility: The solution delivers rich contextual insights by integrating user identity from Active Directory and RADIUS with device telemetry and network flow data, enabling security teams to track access patterns and detect insider threats. Plixer Endpoint Analytics enhances this visibility by identifying and monitoring all connected devices, including IoT and unmanaged endpoints. It assigns risk scores based on the correlation of user behavior, device activity, and network traffic to accurately prioritize threats.
Zero-network footprint: Plixer achieves a zero-network footprint by leveraging existing network infrastructure data (NetFlow, IPFIX, SNMP) without requiring additional hardware probes or sensors. This agentless, probe-free approach eliminates the need to install, maintain, or scale hardware sensors while providing comprehensive visibility across on-premises, cloud, and hybrid environments without introducing performance bottlenecks.
Opportunities
Plixer One Enterprise has room for improvement in a few decision criteria, including:
Deep packet inspection: Plixer One Enterprise relies on selective packet capture through its FlowPro component rather than comprehensive DPI, focusing on triggered packet analysis around security events instead of continuous deep inspection. The platform explicitly balances DPI with flow-based analytics, acknowledging that full DPI is less practical in large-scale environments and primarily uses Suricata for signature-based detection rather than implementing sophisticated protocol-aware content inspection capabilities.
Encrypted traffic analysis: Plixer's approach to encrypted traffic analysis focuses on metadata examination without decryption capabilities, primarily using JA3/JA3S fingerprinting, DNS query pattern analysis, and FQDN tracking rather than more sophisticated techniques. While the platform can identify anomalies in encrypted traffic patterns, it lacks advanced protocol-specific behavior analysis for encrypted communications and depends heavily on flow characteristics rather than deeper inspection of encrypted protocols, limiting its effectiveness against sophisticated threats using encryption.
Automated response: Plixer One Enterprise offers limited native response capabilities, explicitly stating it does not provide prebuilt playbooks and instead relies on customers to use third-party SOAR products for orchestrated response. The platform's automation primarily focuses on integration with external tools like Microsoft Defender and ServiceNow rather than providing sophisticated built-in response workflows with context-aware decision-making or AI-assisted response orchestration.
Purchase Considerations
Plixer One Enterprise employs a subscription-based licensing model structured around the number of flow-exporting devices and/or cloud VPCs, allowing for scalability as organizations expand their network visibility. The license includes multiple components: Scrutinizer for advanced flow analytics, Replicator for flow data distribution, FlowPro for threat detection and application monitoring, Endpoint Analytics for asset identification, and AI Engine for anomaly detection. Plixer offers volume-based discounts as customers add more exporting devices, reducing per-device costs as deployments grow. The platform can be deployed on hardware provided by Plixer, as virtual machines (VMware, Hyper-V, and KVM), or in public clouds (AWS, Azure, GCP, and OCI).
Key purchase considerations include evaluating the number of flow exporters needed, which directly impacts licensing costs. Customers should assess flow volume requirements, as collectors can handle up to 100,000 flows per second, with the platform scaling to process over one million flows per second. Existing Scrutinizer customers can migrate to Plixer One Core at no additional cost as a first step toward Enterprise adoption. Plixer offers 30-day PoC deployments, allowing organizations to test the solution before purchasing. Customers should also consider infrastructure requirements for storage and compute resources, representing additional costs beyond licensing.
Use Cases
Plixer One Enterprise addresses a broad range of use cases, including abnormal activity detection across IT environments, application dependency mapping, asset discovery and profiling, cloud visibility and threat detection, compliance validation, digital experience monitoring, encrypted traffic analytics, endpoint analytics for device monitoring, internal and external threat detection, MITRE ATT&CK framework mapping, network performance monitoring and diagnostics, risk assessment and device hardening, threat intelligence feed correlations, threat investigation and forensics, traffic forecasting, and zero trust network access validation. The platform combines network performance monitoring with security analytics in a single vendor-agnostic solution, providing visibility across on-premises, hybrid, and multicloud environments while leveraging existing network infrastructure to detect and respond to security incidents with speed and scale.
Progress: Flowmon
Solution Overview
Founded in 1981, Progress provides enterprise software products specializing in application development, data integration, and data analysis solutions. Kemp Technologies acquired Flowmon Networks in November 2020, with Kemp (including Flowmon) subsequently acquired by Progress in September 2021.
Flowmon is an AI-powered solution that analyzes network traffic for security threats and performance issues. Its architecture consists of Collectors (management, analytical, and storage units) and optional Probes (sources of enriched network data). Flowmon primarily uses metadata-based analysis rather than full DPI, extending traditional flow data with L7 parameters. It supports all major flow formats (NetFlow, IPFIX, sFlow, jFlow, cflowd, and NetStream) and cloud-native FlowLogs, with on-demand packet capture capabilities through Flowmon Packet Investigator.
Progress takes a focused approach to NDR, incrementally improving existing features with AI-assisted analysis, MITRE ATT&CK integration, and enhanced event visualization while maintaining a semi-annual release cadence.
Progress is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Flowmon scored well on several decision criteria, including:
Core network integrations: Flowmon integrates seamlessly through a fully documented REST API, supports multiple integration methods, including Syslog, SNMP, email, and custom scripts, and can ingest data from diverse sources, including cloud environments (AWS, Azure, GCP), firewalls, routers, switches, and load balancers, making it fully interoperable with existing technology stacks while providing out-of-the-box scripts for Check Point and Fortinet firewalls.
Encrypted traffic analysis: Flowmon analyzes encrypted traffic without decryption by extracting and analyzing metadata such as TLS versions, cipher suites, certificate details, and JA3/JA3S fingerprints to identify anomalies and malicious traffic, detects protocol misuse and tunneling techniques such as DNS-over-HTTPS (DoH) abuse and SSH tunneling, and employs machine learning models to analyze encrypted session patterns, providing a privacy-preserving approach that is 100-500 times more scalable than packet analysis while maintaining compliance monitoring for expired certificates and encryption strength.
Integrated flow data: Flowmon ingests all major flow formats (NetFlow, IPFIX, sFlow, jFlow, cflowd, and NetStream) and cloud-native FlowLogs, normalizes and stores this data in a unified database regardless of the source, extends traditional flow data with Layer 7 parameters for deeper insights, and provides unsampled forensic-level visibility with the ability to store detailed network traffic data for months or years without aggregation or loss of detail.
Opportunities
Flowmon has room for improvement in a few decision criteria, including:
Deep packet inspection: Flowmon primarily focuses on metadata-based analysis rather than full deep packet inspection. While it extends traditional flow data with additional Layer 7 parameters for protocols like DNS and HTTP(S), it lacks comprehensive payload analysis across all traffic. Packet-level visibility is available only through on-demand capture via Flowmon Packet Investigator rather than continuous full packet inspection, limiting its ability to detect sophisticated threats hidden within packet payloads and perform real-time content reconstruction.
Historical forensics: Flowmon lacks AI-driven forensic analysis capabilities that would automatically identify patterns in historical data, doesn't provide predictive insights based on historical attack patterns, and doesn't demonstrate capabilities for hypothesis-driven investigations to uncover previously unknown security incidents. While Flowmon stores unsampled flow data for extended periods and offers on-demand packet capture with pre-event buffering, it doesn't employ advanced AI techniques for proactive threat hunting that adapt to emerging threats through continuous analysis of historical data.
Automated response: Flowmon doesn't provide built-in automated response playbooks but relies on third-party tools and custom scripts for response actions. Progress states it does not currently provide built-in automated response playbooks based on the lack of “sufficient customer appetite.” The solution lacks context-aware automation that considers factors like asset criticality and user roles, doesn't leverage AI for response decision-making, and focuses more on detection than sophisticated automated response workflows.
Purchase Considerations
Flowmon offers flexible pricing models, including perpetual licenses for hardware appliances and perpetual and subscription options for virtual and cloud deployments. Pricing is based on performance (flows per second) and storage capacity, with separate licensing for core components like Collectors, Probes, and extension modules such as anomaly detection system (ADS) and Packet Investigator. Tiered support services are available: standard support (included with subscriptions) with software updates and next-business-day (NBD) hardware support, and extended support with 24/7 phone support and four-hour hardware repair. Pricing typically scales with organization size, with different packages available for network and security operations use cases.
Key purchase considerations include deployment flexibility (hardware, virtual, or cloud), with options to leverage existing infrastructure for flow data collection rather than deploying proprietary sensors. Flowmon offers rapid deployment with minimal configuration required, using a wizard-based setup process that configures detection methods based on basic network information. The solution supports PoC deployments and offers optional professional services for onboarding and education. Customers should consider their hybrid environment requirements, as Flowmon provides unified visibility across on-premises, private cloud, and public cloud infrastructures, with multitenancy capabilities for MSPs serving multiple customers from a single appliance.
Use Cases
Flowmon addresses a broad range of use cases, including anomaly detection, encrypted traffic analysis, insider threat detection, network behavior analysis, ransomware detection, threat hunting and forensic analysis, and unknown threat detection. Flowmon categorizes detected security events according to the MITRE ATT&CK framework, giving users clear insight into attack severity, scope, and potential development. It employs over 40 detection methods and more than 200 algorithms, including behavior analysis, machine learning, reputation databases, and threat intelligence.
Stamus Networks: Clear NDR
Solution Overview
Founded in 2014, Stamus Networks provides Suricata-based network security solutions. In December 2024, Stamus Networks launched Clear NDR as the successor to its flagship Stamus Security Platform (SSP) and open-source SELKS offerings, unifying the code bases into a streamlined open-core architecture to enable accelerated innovation.
Clear NDR is an open-core solution with a unified architecture comprising Clear NDR Central Server and Clear NDR Probes (available as hardware appliances or virtual sensors). It performs deep packet inspection on raw network traffic to generate extensive flow data and protocol transaction logs rather than ingesting third-party flow data. The solution captures full packets around security events, extracts files associated with events, and employs advanced encrypted traffic analysis using JA3/JA4 fingerprinting and machine learning.
Stamus Networks takes a focused approach to NDR, innovating with features like Declarations of Policy Violation, dynamic code updates, and transparent detection algorithms while maintaining its open-source foundation and Suricata expertise.
Stamus Networks is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Clear NDR scored well on several decision criteria, including:
Deep packet inspection: Clear NDR employs a single unified DPI engine for parsing network traffic, matching against signatures and IoCs, and generating session logs and flow records, operating nearly twice as efficiently as competing systems that use separate engines for different functions. The solution can simultaneously evaluate 50 million IoCs and over 100,000 signatures at line rate, even on high-speed 40 Gbps and 100 Gbps probes, while maintaining records on tens of millions of hosts in a 1RU form factor.
Historical forensics: The solution captures extensive forensic evidence, including protocol transaction logs, detailed attack timelines showing threat progression through the cyber kill chain, host insights with dozens of attributes for each network entity, packet captures (PCAPs) before/during/after security events, and extracted files associated with events. The attack timeline, built-in threat-hunting interface, and host insights features are unique to Stamus Networks and unavailable from competitors.
Automated response: Clear NDR generates ultra-high-confidence Declarations of Compromise (DoCs) and Declarations of Policy Violation (DoPVs), providing the confidence needed to automate response actions through webhook integrations with security tools. These high-fidelity events can trigger actions ranging from Slack notifications to EDR quarantine commands with rich contextual information in the webhook payload.
Opportunities
Clear NDR has room for improvement in a few decision criteria, including:
Integrated flow data: Clear NDR explicitly does not ingest third-party flow data (NetFlow, sFlow, IPFIX), generating its own flow data and protocol transaction logs through deep packet inspection. This architectural choice prevents integration with existing flow collection infrastructure and limits visibility to only the network segments where Clear NDR probes are deployed. While the vendor argues this approach ensures accuracy and immediate correlation between flow logs and security events, it creates a significant limitation for organizations with established flow collection systems.
Regulatory compliance: The solution lacks built-in mappings between detected events and specific regulatory requirements, offering no automated compliance monitoring or assessment against predefined regulatory standards. The solution's Declarations of Policy Violation feature requires manual creation and tuning of policy violation templates rather than providing out-of-the-box compliance frameworks. While Clear NDR can be deployed in private environments to satisfy data sovereignty requirements, it requires manual effort to translate its findings into compliance-specific contexts.
Zero-network footprint: Clear NDR requires the deployment of dedicated hardware or virtual appliances at each monitoring point, necessitating physical or virtual probes connected to network TAPs, packet brokers, or SPAN/mirror ports, creating infrastructure overhead. Clear NDR deliberately rejects the flow-based approach necessary for true zero-network footprint operation in favor of deep packet inspection.
Purchase Considerations
Clear NDR employs a straightforward, flat-rate pricing model based on the number and speed of network links being monitored (100 Mbps, 1 Gbps, 10 Gbps, 40 Gbps, with 100 Gbps coming soon) rather than charging per device, IP address, or user. This approach provides unlimited hosts, IPs, and users, giving organizations predictable costs regardless of network growth. The annual license includes the Clear NDR Central Server, daily threat intelligence updates, enterprise customer support, software maintenance, and regular updates every two to four months. For high-performance deployments (40 Gbps or 100 Gbps), Stamus Networks requires network appliances to be bundled into the pricing in a hardware-as-a-service model with hardware replacement during the license period.
Key purchase considerations include deployment flexibility (private cloud, public cloud, dedicated hardware, or hybrid environments) and the option for turnkey appliances that come pre-configured and fully supported with next-business-day replacement. Customers should note that the current architecture requires systems to be scoped at deployment without dynamic scaling, though Kubernetes-based cloud-native deployment is planned for 2025. Organizations using the Community edition can upgrade to Enterprise without data loss, ensuring a smooth transition. While Clear NDR offers extensive customization options and API access, it doesn't ingest third-party flow data, which may impact integration with existing flow collection infrastructure.
Use Cases
Clear NDR addresses a broad range of use cases, including automated compliance management, incident response and forensics, network-based threat detection, policy violation monitoring, proactive threat hunting, and standalone threat detection and response. The solution particularly excels at providing rich network security telemetry to feed third-party SIEM or XDR platforms, serving as the foundation for AI-driven autonomous security operations centers, and supporting post-breach incident response teams by quickly amassing vast amounts of network activity evidence to identify patient zero and determine attack blast radius. Clear NDR's transparent detection approach delivers high-confidence alerts that enable automated response actions.
Stellar Cyber: Stellar Cyber NDR
Solution Overview
Founded in 1993, Stellar Cyber provides a unified security operations platform. It specializes in Open XDR, NG-SIEM, and NDR solutions that deliver comprehensive cybersecurity without complexity for midmarket organizations and MSSPs.
Stellar Cyber NDR combines physical and virtual sensors with a centralized data processor to monitor network traffic. It includes Security Sensors with DPI capabilities supporting over 4,000 applications, integrated IDS with tens of thousands of signatures updated daily, File Anti-Virus for reconstructing files over the wire, and Malware Sandbox for detonating suspicious files. It extracts Layer 2-7 metadata from network packets using Interflow technology, analyzes NetFlow, sFlow, and IPFIX data, and employs multi-layer AI (supervised ML, unsupervised ML, Graph ML) for threat detection.
Stellar Cyber takes a general approach to NDR, innovating with emerging features like AI Investigator, GenAI chatbot capabilities, and multilayer AI while incrementally enhancing its integrated platform through regular six-to-eight-week release cycles.
Stellar Cyber is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Stellar Cyber NDR scored well on several decision criteria, including:
Core network integrations: Stellar Cyber NDR leverages an API framework that enables nearly 500 existing integrations with bi-directional capabilities for tools like CrowdStrike, Microsoft, and SentinelOne. The platform can ingest data from dedicated sensors, firewalls, IPS/IDS, and other network sources while normalizing and enriching all data through its Interflow technology. A dedicated parser and connector API team can build new integrations in less than two weeks, ensuring comprehensive coverage across on-premises, cloud, and hybrid environments.
Integrated flow data: Stellar Cyber NDR supports multiple flow protocols through its proprietary Interflow data model. The platform analyzes network traffic metadata, NGFW and IDS logs, Sysmon data, and flow records to provide comprehensive visibility. Its multi-layer AI (supervised ML, unsupervised ML, and Graph ML) automatically correlates this flow data with other security telemetry to identify threats while reducing alert fatigue.
Contextualized visibility: Stellar Cyber NDR delivers enhanced context by combining network data with log, endpoint, vulnerability, and threat intelligence information. The platform automatically correlates related alerts into cases rather than presenting isolated alerts, providing immediate investigation context. Its case mapping screen combines data from any tool or location, enabling efficient threat analysis across the entire attack surface.
Opportunities
Stellar Cyber NDR has room for improvement in a few decision criteria, including:
Deep packet inspection: Stellar Cyber NDR includes DPI capabilities through its Security Sensors, which can analyze over 4,000 applications and extract Layer 2-7 metadata. However, its DPI implementation relies on OEM integration for IDS functionality, limiting differentiation and advanced payload analysis compared to competitors offering proprietary DPI engines. The platform focuses more on metadata extraction than comprehensive content inspection, reducing its ability to perform sophisticated protocol decoding and advanced content reconstruction.
Encrypted traffic analysis: The solution analyzes encrypted traffic patterns using JA3 fingerprinting and TLS/SSL handshake metadata but does not decrypt traffic. It relies on partnerships with third-party tools like Gigamon for decryption, which restricts its ability to analyze encrypted payloads independently. While it can extract metadata such as server certificates, IP addresses, domain names, and session duration, the solution lacks advanced machine learning models specifically optimized for encrypted traffic analysis and cannot identify sophisticated threats hidden within encrypted communications.
Historical forensics: Stellar Cyber NDR provides configurable retention periods for hot and cold data and different retention policies for various data types. However, the platform focuses on metadata rather than full packet capture, potentially limiting the depth of forensic investigations. It lacks specific retention period details and prioritizes data reduction over comprehensive storage. While it offers visualization tools like timeline views, it doesn't demonstrate sophisticated pattern recognition capabilities based on historical data analysis.
Purchase Considerations
Stellar Cyber NDR employs a flexible pricing model with a single license and multiple security capabilities (NG-SIEM, NDR, and Open XDR) under one price point. Customers can choose between asset-based pricing or ingestion-based pricing, with the option to model both approaches before deciding. The solution targets midmarket organizations with 500-10,000 PCs, with an average annual recurring revenue significantly lower than enterprise-focused competitors. This simplified pricing approach eliminates hidden fees and complex licensing structures, making it particularly attractive for lean security teams with limited budgets.
Key purchase considerations include deployment flexibility (on-premises, cloud, or hybrid) with physical sensors for on-premises environments and virtual sensors for cloud deployments. Migration complexity is minimized through rapid deployment capabilities (under 10 minutes for virtual environments) and over 500 pre-built integrations that preserve investments in existing security tools. The platform offers immediate value through out-of-the-box detections and automated response playbooks, making it ideal for PoC evaluations. Prospective customers should consider that while Stellar Cyber doesn't directly offer managed NDR services, it partners with MSSPs, who can provide these capabilities if needed.
Use Cases
Stellar Cyber NDR addresses a broad range of use cases, including account takeover detection, anomalous traffic flow identification, corrupted credentials discovery, OT/IT convergence monitoring, phishing exploit detection, ransomware detection, legacy SIEM replacement, and serving as a comprehensive SOC platform complementing existing SIEM deployments and supporting zero-trust implementation. The solution offers early threat detection by analyzing network traffic patterns that logs alone might miss. Its integration capabilities with over 500 security tools and multi-layer AI approach make it especially valuable for lean security teams in midmarket organizations and MSSPs seeking comprehensive visibility across their entire attack surface without deploying multiple point solutions.
Trellix: Trellix Network Detection and Response
Solution Overview
Launched in January 2022, Trellix provides extended detection and response solutions, specializing in threat detection and response supported by machine learning and automation technology. It emerged from the merger of McAfee Enterprise and FireEye, which created a comprehensive cybersecurity solution provider with a strong focus on EDR, NDR, and XDR.
Trellix NDR delivers extended visibility and multi-layered threat detection across complex networks through a flexible architecture comprising a management console, Network Investigator (NI) for SOC workflow optimization, hardware, virtual, or cloud detection and collection network sensors, with Trellix NX scaling to 40 Gbps and Trellix IPS scaling to 240 Gbps, and an optional forensic packet capture add-on, Trellix PX. The solution offers full packet data (PCAP), performs deep packet inspection across over 2,000 protocols with TLS decryption capabilities, Layer 7 metadata, and flow data, and employs ML-powered detection for beaconing and data exfiltration.
Trellix takes a focused approach to NDR, incrementally improving existing features by enhancing AI-powered detection capabilities, expanding MITRE ATT&CK framework alignment, and strengthening integration with its broader XDR platform.
Trellix is positioned as a Leader and Forward Mover in the Maturity/Platform Play quadrant of the NDR Radar.
Strengths
Trellix NDR scored well on several decision criteria, including:
Core network integrations: Trellix NDR integrates seamlessly with multiple network components through its flexible architecture that accommodates on-premises, cloud, and hybrid environments. It connects with third-party network nodes, including firewalls and web gateways, to provide incremental detections while integrating with Skyhigh SWG (secure web gateway) and OT sensors. The solution is a key component of Trellix's broader XDR platform, consuming alerts, NetFlow records, and Layer 7 metadata from high-throughput sensors (NX, IPS, and PX) to provide a unified investigation interface.
Deep packet inspection: Trellix NDR performs deep packet inspection across over 2,000 applications and protocols, enabling comprehensive visibility into network traffic. Its multi-layered detection approach combines signatures, signature-less detection, machine learning, and behavioral analysis techniques to produce high-fidelity detections across the cyber kill chain. The solution captures and analyzes full PCAP data, Layer 7 metadata, and flow data, providing detailed forensic evidence for investigations.
Encrypted traffic analysis: Trellix NDR includes robust encrypted traffic analysis capabilities with TLS Onboard functionality in its sensors. It detects encrypted command and control traffic using multiple techniques, including JA3 fingerprinting, domain reputation with Global Threat Intelligence, and IOC matching from extracted server name indication (SNI) information. The platform's IPS "NDR Ready" sensors are scheduled to receive TLS Onboard capabilities in Q2 2025.
Opportunities
Trellix NDR has room for improvement in a few decision criteria, including:
Integrated flow data: Trellix NDR relies primarily on Layer 7 metadata and network flow records for basic asset discovery and identification of critical nodes but lacks advanced flow-based analytics capabilities. While it collects flow records from sensors, the solution emphasizes full packet capture and deep packet inspection over sophisticated flow data analysis. The platform's approach to flow data appears more focused on supplementing other detection methods rather than leveraging flow data as a primary analysis vector.
Contextualized visibility: The solution provides basic correlation of multiple data sources but offers limited context-aware analysis capabilities. It struggles to deliver comprehensive user-centric visibility that associates network activities with specific user identities across the environment. While it can map threats to the MITRE ATT&CK framework, it lacks advanced entity relationship mapping and sophisticated visualization tools that would provide a deeper contextual understanding of network behaviors and security events.
Zero-network footprint: Trellix NDR requires dedicated hardware or virtual appliances for deployment, including Network Security (NX) sensors, IPS "NDR Ready" sensors, and Network Forensics (PX) components. The solution's architecture demands significant infrastructure with sensors that must be deployed as hardware, virtual, or cloud appliances, creating a substantial network footprint compared to more lightweight, agentless approaches that leverage existing infrastructure.
Trellix is classified as a Forward Mover because while it continues to enhance its NDR solution with AI-driven detection capabilities, it offers gradual improvements rather than frequent feature releases or an aggressive product roadmap.
Purchase Considerations
Trellix NDR follows a tiered pricing model (Essential, Core, and Enterprise) based on throughput, allowing customers to choose the NDR feature and sensor bundle that is right for them, together with the corresponding level of throughput. Some advanced features, like forensics and third-party add-ons, are priced individually. The solution is available through direct purchase, AWS Marketplace, and channel partners like CDW, with annual subscription contracts being the standard offering.
Key purchase considerations include evaluating which components are necessary for your specific environment, as Trellix NDR comprises multiple integrated products (Network Security, Network Forensics, and Intrusion Prevention System). Customers should contact Trellix sales representatives before purchasing to receive the correct product mix and applicable discounts through mechanisms like AWS Private Offers. Free trials are available for select products. Potential buyers should consider the deployment complexity across data centers, hybrid cloud environments, branch offices, and corporate campuses, as well as integration requirements with the broader Trellix ecosystem.
Use Cases
Trellix NDR addresses a broad range of use cases, including adding value to existing EDR deployments by providing enhanced network visibility for unmanaged devices and network-level threat activities, detecting and disrupting ransomware attacks across the cyber kill chain through multi-layered detection aligned with the MITRE ATT&CK framework, identifying both known and emerging threats, investigating and hunting threats through streamlined SOC workflows and automated alert enrichment, and protecting against sophisticated lateral movement within enterprise networks.
Trend Micro: Trend Vision One - Network Security*
Solution Overview
Founded in 1988, Trend Micro is a cybersecurity service provider that develops and markets internet and computer content security and threat management solutions. In June 2024, Trend Micro launched Trend Vision One - Network Security as part of its unified cybersecurity platform, offering inline technology as a part of Trend Vision One.
Trend Vision One - Network Security is a component of Trend Micro's cybersecurity platform that delivers network security capabilities through virtual network sensors that feed network activity data to the central platform. The solution performs deep packet inspection across Layers 3-7, analyzing headers and payloads to detect anomalies in network traffic. It enriches other sensor data with network context to provide insights beyond endpoint detection limitations.
Trend Micro takes a focused approach to NDR, innovating to add emerging features, such as Inline NDR for decryption, while filling feature gaps with capabilities like asset visibility and automated response.
Trend Micro is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Trend Vision One - Network Security scored well on several decision criteria, including:
Core network integrations: Trend Vision One - Network Security delivers comprehensive integration with network infrastructure through its extensive third-party integration ecosystem that connects to cloud services, firewalls, and network protection technologies. The platform's native sensor coverage spans endpoint, identity, email, network, and cloud workloads while offering built-in automation and integration with AWS services, including CloudTrail, System Manager, and Security Hub. This multi-layered approach enables security teams to bridge comprehensive threat prevention across diverse hybrid IT environments from a single console.
Contextualized visibility: The solution provides enhanced contextual understanding by correlating data across multiple security layers with full context rather than detection data alone. This native-first, hybrid approach to XDR delivers richer activity telemetry across security layers, enabling earlier and more precise risk and threat detection with more efficient investigation. The platform's ability to contextualize risk helps continuously and proactively reduce false positives and noise within the environment.
Automated response: Trend Vision One orchestrates and automates risk mitigation, threat response, and zero trust access control from a single console, accelerating detection and response time. The platform's integrated automation capabilities enable teams to respond using containment actions for email, endpoints, cloud/server workloads, and networks from one location, significantly reducing dwell time and minimizing attack repropagation.
Opportunities
Trend Vision One - Network Security has room for improvement in a few decision criteria, including:
Deep packet inspection: Trend Vision One's DPI capabilities lack advanced pattern and signature matching capabilities for comprehensive threat detection. While the platform can analyze network traffic, it doesn't provide the sophisticated content inspection required to identify complex threats hidden within packet payloads. The solution's approach to making "smart decisions on what data should be sent" indicates selective rather than comprehensive packet analysis, limiting its ability to detect sophisticated threats that require full packet content examination.
Encrypted traffic analysis: The platform offers limited capabilities for analyzing encrypted traffic without decryption. While Trend Vision One can identify some anomalies in encrypted communications, it lacks advanced protocol-specific behavior analysis for encrypted protocols like TLS/SSL. The solution doesn't implement machine learning algorithms optimized explicitly for encrypted traffic analysis or provide context-aware analysis that correlates encrypted traffic patterns with broader network activities.
Integrated flow data: Trend Vision One lacks advanced flow data integration, particularly with third-party infrastructure supporting protocols like IPFIX or NetFlow. The platform must make selective decisions about what network data to process rather than analyzing all available flow data, suggesting limitations in handling the entire volume of network telemetry. The solution lacks evidence of machine learning algorithms specifically designed for flow data analysis at scale.
Purchase Considerations
Trend Vision One - Network Security employs a credit-based pricing model, whereby customers purchase credits to access features and services. Credits are consumed differently depending on the type of sensor or application, such as endpoint protection or sandbox analysis. While this model offers flexibility, customers must calculate credit requirements carefully as costs vary based on usage. Contracts are available for 12 months, with options for upfront or installment payments, and a free 30-day trial is provided to evaluate the platform. Pricing transparency is a noted challenge, as detailed cost breakdowns are not readily available on Trend Micro's website.
Key purchase considerations include deployment complexity and flexibility, as the solution supports virtual sensors and integrates with existing infrastructure via APIs and third-party tools. Its centralized console and guided setup process reduce migration complexity, but the sprawling feature set may require time to master. PoC capabilities are robust, with a free trial offering 28 credits to test features like XDR and automated response workflows. Customers should also consider the platform's modular nature, which allows for feature expansion through additional apps but requires careful planning to manage credit usage effectively.
Use Cases
Trend Vision One - Network Security addresses a broad range of use cases, including asset discovery, attack surface risk management, cloud security integration, cross-layer threat correlation, detection of unknown cyber assets, endpoint isolation and restoration, network fabric protection, OT/ICS environment security, protection of unmanaged entities, risk-based access control, secure access service edge (SASE) implementation, and threat detection and response across hybrid environments. The solution offers powerful network security capabilities that enable security teams to take a holistic view across both IT and OT zones while providing real-time risk assessment of connections between users, devices, and applications. The platform bridges comprehensive threat prevention with attack surface risk management through an integrated approach that accelerates and simplifies security operations.
Vectra AI: Vectra NDR
Solution Overview
Founded in 2011, Vectra AI provides AI-driven cybersecurity solutions, specializing in hybrid attack detection, investigation, and response for network, cloud, and identity security. In December 2024, Vectra AI partnered with Lumifi to expand its managed security service offerings, enhancing customer visibility and attacker behavior insights.
Vectra NDR employs a distributed architecture with Brain appliances that process metadata from sensors that capture network traffic. It supports physical X-series appliances, virtual sensors (vSensors), and cloud sensors for AWS, Azure, and GCP. Sensors extract 275 metadata attributes from network packets rather than performing traditional DPI, enabling threat detection without compromising privacy. The Brain appliance processes this metadata locally to create detections, leveraging both AI-driven behavioral analysis and the Suricata Engine for signature-based detection.
Vectra AI takes a focused approach to NDR, innovating rapidly with monthly releases that introduce emerging features like advanced C2 detection, CloudTap integration, and SASE/SSE integrations while strengthening AI-driven detection capabilities.
Vectra AI is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
Vectra NDR scored well on several decision criteria, including:
Core network integrations: Vectra NDR integrates with over 40 leading security technologies across multiple categories (cloud services, SIEM/SOAR platforms, EDR solutions, network infrastructure, SASE providers, and ITSM platforms) through comprehensive API support and standardized protocols. This enables bidirectional data flow between systems, allowing for coordinated threat detection and response across the entire security ecosystem while maintaining a single pane of glass interface for all management functions.
Contextualized visibility: Vectra's entity-centric approach provides comprehensive visibility by automatically identifying and tracking hosts and accounts through Host-ID (supporting over 20 information sources), extracting 275 metadata attributes from network traffic, and correlating threats across different attack vectors. The AI Prioritization engine combines attack profiles with entity importance to create urgency scores, enabling analysts to focus on the most critical threats.
Regulatory compliance: Vectra supports multiple regulatory frameworks, including PCI DSS 4.0, DORA, SOC2, GDPR, CCPA, and NIS2 through continuous 24/7 monitoring of network traffic, automated compliance reporting, and detailed audit trails that map security controls to specific compliance mandates. The platform's ability to detect unauthorized access, data exfiltration attempts, and credential compromise without decryption helps organizations maintain compliance while preserving privacy.
Vectra AI is classified as an Outperformer due to its aggressive monthly feature release cadence (twice monthly for cloud components), continuous AI innovation with over a decade of experience in AI-driven threat detection, and forward-looking roadmap.
Opportunities
Vectra NDR has room for improvement in a few decision criteria, including:
Deep packet inspection: Vectra NDR prioritizes metadata extraction over full packet analysis, with its DPI implementation split between Suricata (for regex pattern matching) and its own engine (for metadata extraction). This approach limits deep content inspection capabilities, especially for encrypted traffic, where Vectra focuses on analyzing traffic patterns rather than payload content, and requires significant computing resources that can impact performance in high-bandwidth environments.
Integrated flow data: Vectra states that "relying on flow data alone does not have enough detail to detect modern hybrid cloud attacks" and, therefore, does not consider it a requirement for its solution. While Vectra uses "sub-flow data" to power its AI detections, it does not natively support standard flow protocols like NetFlow, sFlow, or IPFIX, with VPC Flow Data support planned only for future releases rather than currently implemented.
Zero-network footprint: Despite claiming cloud-only deployment capability, Vectra NDR's architecture requires Brain appliances for processing metadata locally and Sensor appliances for capturing network traffic. The solution's deployment documentation heavily emphasizes physical and virtual appliances installed within customer environments, indicating that the primary architecture relies significantly on on-premises components rather than a true zero-footprint cloud-native approach.
Purchase Considerations
Vectra NDR follows a subscription-based pricing model determined primarily by the number of concurrent IP addresses monitored in the customer's environment. Additional cost factors include extended metadata retention (up to 90 days), hardware requirements (though virtual appliances are available at no additional cost), and optional modules like Cloud Detection and Response for AWS/Azure, Identity Detection and Response for Microsoft 365/Azure AD, and Vectra Match for signature-based detection. The solution can be deployed in various environments, including air-gapped networks, and Vectra offers both standard support (included) and premium support (at additional cost).
Key purchase considerations include deployment flexibility (physical appliances, virtual sensors for VMware/Hyper-V/KVM/Nutanix, or cloud sensors for AWS/Azure/GCP), minimal configuration requirements (only internal network ranges needed), and out-of-the-box functionality with over 150 AI detection models enabled by default. When evaluating total costs, customers should consider their specific needs for metadata retention, cloud/identity monitoring, and managed services. The solution's AI-driven approach reduces alert noise by up to 80%, potentially offsetting higher initial investment through operational efficiency gains.
Use Cases
Vectra NDR addresses a broad range of use cases, including advanced C2 attack detection, air-gapped environment protection, compliance and penetration testing, incident response maturation, IT security workflow automation, lateral movement detection across attack surfaces, SOC transformation with reduced SIEM reliance, and threat hunting/forensic investigation. It is designed for both large enterprises and SMBs, and it is particularly strong in environments requiring visibility across hybrid network infrastructures spanning on-premises, cloud, identity, and OT/IoT environments.
VMware (Broadcom): VMware vDefend Network Detection and Response
Solution Overview
Founded in 1998 and acquired by Broadcom in November 2023, VMware provides cloud computing and virtualization technology, specializing in x86 architecture virtualization. VMware vDefend Network Detection and Response (NDR) was released as an integral part of the broader VMware vDefend Advanced Threat Prevention (ATP) portfolio.
VMware vDefend NDR is a virtualized security solution that integrates with VMware Cloud Foundation (VCF). It combines multiple detection technologies with correlation engines, including Distributed IDS/IPS, Distributed Network Traffic Analysis (NTA), and VM-aware Malware Prevention. The architecture leverages virtual sensors at the hypervisor level to capture both full packet captures (PCAPs) for intrusion detection system (IDS) events and flow metadata, enabling deep packet inspection and flow-based analysis across north-south and east-west traffic.
VMware takes a focused approach to NDR, incrementally improving existing features while innovating with GenAI-powered Intelligent Assist, custom IDS/IPS signatures, and on-premises deployment options for regulated environments.
VMware (Broadcom) is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the NDR Radar.
Strengths
VMware vDefend Network Detection and Response scored well on several decision criteria, including:
Deep packet inspection: VMware vDefend NDR implements robust DPI through its Intrusion Detection/Prevention System (IDS/IPS) component, which inspects all traffic entering or leaving the network to detect known threats. The solution examines packet content using specific rules, identifies where packets originate from, and can determine which applications launched potential threats. This capability allows vDefend to detect specific types of attacks that standard firewalls might miss, particularly in east-west traffic.
Integrated flow data: VMware vDefend combines Network Traffic Analysis (NTA) with aggregation, correlation, and context engines to provide comprehensive flow data analysis. Depending on sensor type, the solution processes 1-4 Gbps of network traffic, handles up to 100,000 objects per day, and scales to protect up to 200,000 endpoints per manager. This integration enables vDefend to provide a complete view of abnormal behavior across north-south and east-west traffic.
Contextualized visibility: VMware vDefend NDR consolidates alerts into curated threat campaigns enriched with contextual information and mapped to MITRE ATT&CK techniques. Correlation engines combine multiple related alerts into "intrusion campaigns," while context engines collect data from various sources to add helpful context for security analysts, enabling rapid triage and threat remediation.
Opportunities
VMware vDefend Network Detection and Response has room for improvement in a few decision criteria, including:
Core network integrations: VMware vDefend NDR's tight integration with VMware's ecosystem limits its ability to integrate seamlessly with diverse network infrastructures. The solution primarily focuses on VMware Cloud Foundation environments, lacking robust integration capabilities for non-VMware network components. This limitation restricts vDefend's ability to provide comprehensive visibility and threat detection across heterogeneous network environments, particularly in organizations with multivendor infrastructures.
Encrypted traffic analysis: While vDefend NDR offers some capabilities for analyzing encrypted traffic, its approach is primarily based on metadata analysis and behavioral anomaly detection rather than advanced decryption or protocol-specific analysis techniques. The solution lacks sophisticated features such as TLS fingerprinting, which is crucial for identifying threats in encrypted traffic without decryption. This limitation reduces vDefend's effectiveness in detecting and preventing advanced threats that leverage encryption to evade detection.
Historical forensics: VMware vDefend NDR's historical forensics capabilities are constrained by limited data retention periods and basic search functionalities. The solution lacks advanced features such as long-term data storage, sophisticated query languages for complex investigations, and AI-driven anomaly detection in historical data. These limitations hinder security teams' ability to conduct in-depth, long-term threat hunting and forensic analysis, particularly for detecting slow-moving or dormant threats that may have been present in the network for extended periods.
Purchase Considerations
VMware vDefend NDR is available through a subscription-based per-core pricing model. It offers two bundles: VMware vDefend Firewall with Advanced Threat Prevention (comprehensive bundle) and VMware vDefend Advanced Threat Prevention as an add-on bundle for existing customers. This core-based licensing approach aligns with VMware's broader licensing strategy for its infrastructure products, requiring a minimum core count similar to other VMware offerings. Customers can choose between one-year or multiyear subscriptions, with potential discounts based on term length and deployment size.
Key purchase considerations include VMware vDefend's tight integration with VMware Cloud Foundation, making it ideal for organizations already invested in the VMware ecosystem but potentially challenging for heterogeneous environments. Deployment complexity varies based on existing infrastructure, with seamless implementation for VMware Cloud Foundation customers but more complex migration for organizations using other security solutions. PoC capabilities are available but require testing in a VMware environment.
Use Cases
VMware vDefend NDR addresses a broad range of use cases, including automated incident response, enhanced network visibility, proactive threat management, and regulatory compliance. The solution is designed for enterprises seeking to protect network assets and maintain resilience against sophisticated cyber threats during digital transformation. vDefend NDR leverages machine learning, behavioral analysis, and real-time threat intelligence to identify, block, and remediate threats across data center environments. It integrates seamlessly with VMware's virtualization infrastructure, making it particularly valuable for organizations heavily invested in VMware technology that require advanced network security capabilities.
WatchGuard: ThreatSync+ NDR
Solution Overview
Founded in 1996, WatchGuard specializes in network security solutions for safeguarding networks from external threats, such as malware and ransomware. In June 2024, the company launched ThreatSync+ NDR, automating and simplifying continuous monitoring, detection, and remediation of threats using an advanced AI detection engine. In January 2025, WatchGuard acquired ActZero, which offers managed detection and response (MDR) security defense services.
ThreatSync+ NDR is a 100% cloud-native network detection and response solution that combines physical Firebox appliances, virtual/cloud sensors, and third-party flow data, as the customer prefers, to deliver encrypted traffic analysis and metadata-based threat detection, with DPI provided by integrated Firebox appliances. It uses virtual sensors to collect NetFlow, sFlow, and IPFIX data from existing network infrastructure, including firewalls, routers, and switches. The NDR service itself analyzes flow-based metadata rather than performing deep packet inspection, using AI-driven analysis to detect threats in both north-south and east-west traffic.
WatchGuard takes a focused approach to NDR, integrating features from acquired technologies while innovating with AI-driven threat detection capabilities for mid-market organizations with limited IT resources.
WatchGuard is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the NDR Radar.
Strengths
ThreatSync+ NDR scored well on several decision criteria, including:
Core network integrations: ThreatSync+ NDR seamlessly integrates with existing network infrastructure, including WatchGuard Fireboxes, third-party firewalls, switches, and routers, without requiring additional hardware. It leverages these integrations to collect comprehensive network telemetry, enabling coordinated threat detection across the entire environment while supporting automated remediation actions through ThreatSync XDR.
Integrated flow data: The solution analyzes multiple flow data types (NetFlow, sFlow, IPFIX) from various sources to build baseline models for node-to-node traffic, application traffic, and incoming/outgoing node traffic. This approach allows ThreatSync+ NDR to detect anomalies and correlate them with threat intelligence and device/user metadata, providing comprehensive visibility across both north-south and east-west traffic without requiring packet capture.
Zero-network footprint: ThreatSync+ NDR is a 100% cloud-native solution that requires no physical sensors or on-premises hardware. It leverages existing infrastructure by configuring devices to send flow data directly to the cloud through secure IPSec tunnels, minimizing network performance impact while maintaining comprehensive visibility across distributed environments.
Opportunities
ThreatSync+ NDR has room for improvement in a few decision criteria, including:
Deep packet inspection: ThreatSync+ NDR relies primarily on flow-based analysis rather than directly performing deep packet inspection. While it can integrate with WatchGuard Fireboxes that support DPI capabilities, the core NDR solution analyzes NetFlow, sFlow, and IPFIX metadata without examining packet contents. This approach limits its ability to detect threats hidden within packet payloads, particularly for traffic that doesn't pass through a WatchGuard Firebox.
Encrypted traffic analysis: ThreatSync+ NDR uses basic flow-based analysis for encrypted traffic, examining characteristics like packet sizes and timing rather than employing advanced statistical techniques or protocol behavior analysis. While it can detect some anomalies in encrypted traffic patterns, it lacks sophisticated capabilities to identify protocol-specific anomalies or leverage machine learning algorithms designed explicitly for encrypted traffic analysis.
Historical forensics: ThreatSync+ NDR provides basic historical data retention for logs, baselines, alerts, and trend data but lacks advanced forensic tools for detailed historical analysis. The solution does not retain full packet captures or offer sophisticated search and filtering capabilities for historical network activity records. Its forensic capabilities are primarily limited to browsing alerts and supporting data rather than providing comprehensive tools for complex forensic investigations.
Purchase Considerations
ThreatSync+ NDR uses a transparent, user-based subscription pricing model with tiered discounts based on volume. Licenses are sold per user (defined as employees, staff, or contractors using the organization's network), with multi-year purchases offering additional savings. The solution is sold exclusively through WatchGuard's channel partners (VARs, MSPs, and MSSPs), who provide implementation and consulting services. There are no hidden fees, as virtual sensors can be deployed anywhere at no additional cost, and maintenance services are included in the license fee.
Key purchase considerations include ThreatSync+ NDR's cloud-native architecture, which eliminates hardware requirements and simplifies deployment across distributed environments. The solution can be deployed in hours rather than weeks, integrating with existing infrastructure, including WatchGuard Fireboxes and third-party firewalls, switches, and routers. Migration complexity is minimal as the system leverages existing network infrastructure for data collection. PoC capabilities are straightforward due to the solution's cloud-based nature and virtual sensors. Customers should consider that while ThreatSync+ NDR offers comprehensive flow-based analysis, it does not perform deep packet inspection directly, relying on integration with WatchGuard Fireboxes for this capability.
Use Cases
ThreatSync+ NDR addresses a broad range of use cases, including attack surface management, continuous compliance monitoring, network threat detection and response, ransomware detection, risk visibility, and supply chain defense. The solution detects threats bypassing perimeter defenses by monitoring north-south and east-west traffic across on-premises, cloud, and VPN environments. Its AI-driven approach identifies command and control communications, lateral movement, data exfiltration, and other attack stages while providing visibility into network blind spots, rogue devices, and misconfigured systems. The solution also supports compliance reporting for frameworks like Cyber Essentials, FFIEC, ISO 27001, and NIST standards.
6. Analyst’s Outlook
NDR solutions are experiencing increased adoption as organizations look for new ways to enhance their cybersecurity posture and address the limitations of traditional security tools like firewalls, IDS/IPS, and SIEM solutions. While still emerging, the NDR market will mature and consolidate as vendors strive to offer comprehensive cybersecurity solutions, with an evolving threat landscape—including sophisticated attacks and the rise of remote/hybrid work environments—driving the need for innovative NDR capabilities.
Organizations can ensure that an NDR solution is a good fit for their needs by considering the following factors:
Visibility and coverage: Evaluate the NDR solution's ability to provide comprehensive visibility across the entire network infrastructure, including cloud environments, remote workers, and IoT devices. Ensure it can monitor all network traffic, protocols, and ports relevant to your organization.
Detection capabilities: Assess the NDR tool's detection capabilities, such as its ability to identify anomalous behavior, unauthorized devices, lateral movement, and advanced persistent threats. Look for solutions that leverage ML and behavioral analytics for accurate threat detection with low false positives.
Data inspection approach: Organizations can choose between DPI and flow/metadata analysis based on network architecture, performance requirements, and the level of visibility needed.
DPI: Some NDR solutions perform DPI, analyzing the entire packet payload to detect threats and anomalies. This approach provides granular visibility but can be resource-intensive and may impact network performance for high-traffic environments depending on the architecture.
Network flow data/metadata analysis: Other NDR solutions analyze network flow data or metadata (such as IPFIX, NetFlow, and sFlow) rather than full packet payloads. This approach is less resource-intensive and can scale better for high-traffic networks but may lack visibility into encrypted traffic or provide less granular insights.
Integration and automation: Consider the NDR solution's integration capabilities with existing security tools like SIEM, EDR, and firewalls. Seamless integration can streamline security operations and provide a unified view of threats. Automation features can help reduce manual effort and accelerate incident response.
Scalability and performance: Evaluate the NDR solution's scalability to handle your organization's current and future network traffic volumes and complexity. Ensure it can perform real-time analysis without impacting network performance or introducing latency.
Deployment and management: Assess the ease of deployment and management of the NDR solution. Consider factors like the complexity of installation, configuration requirements, and the availability of professional services or managed services options.
Vendor reputation and support: Research the vendor's reputation, experience, and expertise in the NDR market. Evaluate the quality of its customer support, training resources, and ongoing product development and updates.
By considering these factors, including the data inspection approach (DPI versus flow/metadata analysis), organizations can ensure that the chosen NDR solution aligns with their specific network architecture, security requirements, and operational needs, ultimately enhancing their overall cybersecurity posture.
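To make the DPI versus flow/metadata trade-off described above concrete, here is an added example written for this page (not code from the report or from any vendor's product). It runs a payload-signature check and a flow-metadata check over the same constructed traffic; the signatures, addresses and flow records are all made up, and the flow detector's baseline and beacon heuristics are illustrative assumptions rather than any product's algorithm.

```python
"""Flow/metadata analysis versus deep packet inspection on constructed samples.

Two detectors run over the same traffic:
  * dpi_matches()   - inspects packet payloads against byte signatures (DPI)
  * flow_findings() - sees only flow metadata (endpoints, port, bytes, times)
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional
import re


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as an IPFIX/NetFlow exporter would emit it.
    `payload` is what a DPI sensor would additionally see; None models traffic
    whose content is unavailable (TLS) or simply not captured."""
    src: str
    dst: str
    dport: int
    octets: int
    start: float                    # seconds since an arbitrary epoch
    payload: Optional[bytes] = None


# Constructed byte signatures; real rule sets (e.g. Suricata) are far larger.
DPI_SIGNATURES = {
    "constructed-test-marker": re.compile(rb"CONSTRUCTED-TEST-MARKER"),
    "cleartext-basic-auth": re.compile(rb"Authorization: Basic [A-Za-z0-9+/=]+"),
}


def dpi_matches(flows):
    """DPI view: a hit requires the payload, so encrypted flows yield nothing."""
    hits = []
    for f in flows:
        if f.payload is None:
            continue
        for name, rx in DPI_SIGNATURES.items():
            if rx.search(f.payload):
                hits.append((f.src, f.dst, f.dport, name))
    return hits


def baseline_pairs(flows):
    """Learn the set of (src, dst, dport) conversations seen in a clean window."""
    return {(f.src, f.dst, f.dport) for f in flows}


def _cv(values):
    """Coefficient of variation; infinite when the mean is zero (no signal)."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def flow_findings(flows, baseline, min_count=5, max_cv=0.10):
    """Flow view: never-seen conversations and beacon-like periodic traffic.
    A beacon is >= min_count flows to one (src, dst, dport) whose inter-arrival
    gaps and sizes both vary by less than max_cv (assumed heuristic)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f)
    findings = []
    for key, group in by_pair.items():
        if key not in baseline:
            findings.append(key + ("new-conversation",))
        if len(group) < min_count:
            continue
        starts = sorted(f.start for f in group)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        sizes = [f.octets for f in group]
        if _cv(gaps) < max_cv and _cv(sizes) < max_cv:
            findings.append(key + ("periodic-beacon",))
    return findings


def sample_traffic():
    """Constructed traffic: a clean baseline window, then an observed window."""
    baseline = [Flow("10.0.0.5", "10.0.0.10", 443, n, t)
                for n, t in [(1820, 0), (9310, 41), (2200, 97), (15020, 130)]]
    baseline.append(Flow("10.0.0.8", "198.51.100.4", 80, 3400, 12))
    observed = [Flow("10.0.0.5", "10.0.0.10", 443, n, t)
                for n, t in [(2100, 1000), (760, 1063), (12890, 1120)]]
    # Cleartext HTTP to an already-known server carrying a signature hit:
    # invisible to flow analysis (known pair, ordinary size), visible to DPI.
    observed.append(Flow("10.0.0.8", "198.51.100.4", 80, 5120, 1005, payload=(
        b"POST /upload HTTP/1.1\r\nHost: 198.51.100.4\r\n\r\nCONSTRUCTED-TEST-MARKER")))
    # TLS to a never-seen host every 60 s with near-constant size: no payload
    # for DPI, but the metadata pattern is visible to flow analysis.
    observed += [Flow("10.0.0.7", "203.0.113.9", 443, 512 + (i % 3), 1000 + 60 * i)
                 for i in range(6)]
    return baseline, observed


if __name__ == "__main__":
    base, obs = sample_traffic()
    print("DPI hits:     ", dpi_matches(obs))
    print("Flow findings:", flow_findings(obs, baseline_pairs(base)))
```

Each detector catches exactly the case the other misses, which is the visibility gap a buyer is weighing when choosing between the two approaches.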
To learn about related topics in this space, check out the following GigaOm Radar reports:
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Ivan McPhee
Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.
An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2025 "GigaOm Radar for Network Detection and Response (NDR) Solutions" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.