

May 27, 2025
GigaOm Radar for Network Observability v5
Andrew Green
1. Executive Summary
Network observability is a category of solutions that go beyond device-centric network monitoring to provide truly relevant end-to-end visibility and intelligence for all the traffic in your network, whether on-premises, in the cloud, or anywhere else. Representing a step beyond network performance monitoring, network observability guarantees visibility and distinguishes itself with actionable insights. These insights shift many low-level activities—such as troubleshooting or traffic analysis—from engineers to the network observability tool.
Observability solutions are less about specialization and more about consolidating a comprehensive experience in a single tool. This convergence of functionality brings numerous advantages, including a better user experience, lower costs than those incurred when deploying multiple tools, adaptability for complex IT environments, future-proofing, and cohesiveness across IT departments. Network observability is a key ingredient for ensuring that a modern, critical infrastructure achieves the required uptime and availability.
While businesses of all sizes can benefit from the end-to-end visibility offered by network observability solutions, those with large, complex networks are likely to see the most improvement. These can be companies with proprietary networks, for which IT plays a supporting role—such as retail or manufacturing—or businesses that sell network services, such as communication service providers. We explore these categories in more depth in the following section.
This is our fifth year evaluating the network observability space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 19 of the top network observability solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading network observability offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.
GIGAOM KEY CRITERIA AND RADAR REPORTS
The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well network observability solutions are designed to serve specific target markets (Table 1).
For this report, we recognize the following market segments:
Cloud service provider (CSP): These are infrastructure-as-a-service (IaaS) providers that operate a global network of data centers and serve customers worldwide. These providers often have private networks connecting their data centers and work with communication service providers.
Edge/content delivery network (CDN): Edge service providers operate a highly distributed global network, often containing hundreds of points of presence (PoPs) across all continents. Their main proposition is to lower latencies for end users, which means they depend heavily on observability solutions for performance assurance.
Communication service providers/telcos: These are carriers, internet service providers (ISPs), and network service providers (NSPs) that offer network services and often have a very complex national and international physical infrastructure serving both enterprise and consumer customers.
Regulated industries: These types of networks have comprehensive security requirements and can encompass local authorities (local councils, emergency services), utilities, national public institutions (government, national defense agencies), and international entities (such as the European Council).
Small-to-medium business (SMB): Solutions in this category are those that meet the needs of small and midsize businesses, which operate a network (physical or virtual) that supports their workforce. These solutions also can serve individual departments or lines of business within a large enterprise.
Large enterprise: Usually adopted for large or business-critical projects, solutions in this category have a strong focus on flexibility, performance, data services, and features that improve security and data protection. Scalability is another big differentiator, as is the ability to use the same service in different environments.
Table 1. Vendor Positioning: Target Market
In addition, we recognize five solution deployment models and four network probe deployment models. We indicate those in Table 2.
Network observability tools can be delivered via the following deployment models:
Physical appliance: The tool requires one or more specialized hardware units to be installed on the customer’s network. This approach typically offers the least deployment flexibility (you must physically attach the appliance to your infrastructure) but the highest degree of control and security.
Virtual appliance: This software tool can be deployed in public clouds, private clouds, or other on-premises infrastructure. It offers greater control while still allowing solid deployment flexibility. The tool’s performance, however, depends on whatever infrastructure the software is running on, as well as the quality of connectivity to the rest of the network.
Public cloud image: The observability tool is available in public cloud marketplaces and can run within the cloud environment.
SaaS: The tool can be accessed directly through a web portal with no additional installation. The tool is hosted and managed by the vendor and delivers the benefits of the solution as a service. This is often the simplest and easiest way to leverage network observability. The downside is that it may not meet the security requirements or complex customization needs of some customers.
Software: This model refers to the solution being available as a software-only solution that can be installed and run on a customer’s own general-purpose servers.
Additionally, observability tools can leverage network probes or agents to collect data. These can be deployed as one of the following:
Physical appliance: Some solutions require dedicated physical appliances to be installed to tap network data. Typically, this offers packet-level visibility into the network traffic, but it is hard to deploy and manage.
Virtual appliance: Some network probes can be installed on generic all-purpose hardware or virtual machines rather than on dedicated physical appliances. These can be more easily deployed and decommissioned compared to their physical appliance counterparts.
Agent-based: An agent-based solution means that a piece of software is installed on relevant appliances or endpoints, such as end-user devices, to collect network data. These can take the form of an extended Berkeley Packet Filter (eBPF) host agent, synthetic private agents, or domain name system (DNS) probes.
Agentless: An agentless model uses network flow data such as NetFlow, sFlow, IPFIX, J-Flow, Cflow, or protocols like Simple Network Management Protocol (SNMP) and an API to collect network data.
The components in Tables 1 and 2 are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Multiple data sources
Vendor-agnostic orientation
Contextual visibility
Network discovery
Real-time data
Tables 3, 4, and 5 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a network observability solution.
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months.
Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.
These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Network Observability Solutions.”
Key Features
Dynamic discovery and mapping: This criterion looks at whether and how well the platform can automatically discover and map new network functions and connections. These can be networking devices, new application integrations, third-party SaaS tools, edge locations, data center overlays and underlays, security functions, cloud-native constructs such as VPCs and VNets, software-defined wide area network (SD-WAN) overlays and controllers, and network as a service (NaaS) and secure access service edge (SASE) deployments.
Visualization: Observability goes beyond simple visibility and presents data in a way that is easy to navigate and understand. A major aspect of this criterion is the depth and granularity of visualization a solution provides.
Validation: This is the process of confirming whether a network configuration or design is fulfilling its intended purpose. Validation should be performed proactively before deploying a network change to determine whether the proposed change violates any predefined (“golden configuration”) policy. Failed checks should automatically abort the deployment process.
Traffic analysis: This metric evaluates the insights a network observability platform can extract by looking at historical network behavior. Though this information may consist of something as simple as trend lines based on existing data, leading solutions leverage ML algorithms to learn about usage patterns.
Troubleshooting and optimization: This metric looks at how well a solution is able to resolve issues by tracing and correcting flaws in a system, and by optimizing the system to prevent further issues. Just as with validation and traffic analysis, troubleshooting has multiple facets. Its main scope is to reduce mean time to respond (MTTR) and network administrators’ workloads.
Security observability: Network observability tools are well-positioned to provide observability over security infrastructure as well as network behaviors. For security network infrastructure monitoring, observability tools should include appliances such as Layer 4 firewalls, proxies, Layer 7 firewalls, and VPNs.
Application and Layer 7 monitoring: With the network as a supporting function for the application, observability tools also need to provide visibility into application performance and how the network affects it.
Microservices network monitoring: Network observability tools can expand their realm of expertise to include monitoring of both microservices and containers. Distributed applications built using serverless computing and container-based microservices will become increasingly important with modern application architectures, and leading solutions will bring observability to these new environments.
Table 3. Key Features Comparison
Emerging Features
Network modeling and planning: Network observability tools can use their knowledge of a customer’s infrastructure to create a simulated environment where the solution can generate synthetic traffic to emulate how the network will behave in different scenarios or how it would behave following configuration or architectural changes.
Automated network operations: Compared to the troubleshooting and optimization key feature, this emerging feature evaluates solutions’ capabilities to autonomously identify and resolve issues.
Extended Berkeley Packet Filter (eBPF): This technology originated in the Linux kernel and can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring any change to kernel source code or loading of kernel modules.
Large language model (LLM) integrations: Solutions can leverage LLMs to offer administrators a natural language interface for navigating the product. Using an LLM, a solution can write queries to surface relevant information about the network by using everyday language.
End-user experience monitoring: Network observability tools can go beyond the enterprise network perimeter and measure the performance of applications and services from the end-users’ devices. Using either real-user traffic or synthetic traffic, the solution can gain visibility into client device metrics like bandwidth, latency, jitter, and packet loss.
Business intelligence: This feature goes beyond network monitoring from a purely technical point of view and factors in business metrics, which include translating network performance into financials, industry-specific metrics, and customer experience.
Table 4. Emerging Features Comparison
Business Criteria
Scalability: Network observability is typically required in complex IT systems found in large national or multinational companies or public sector agencies that rely on legacy equipment and multiple vendors, which lowers their visibility and results in operational silos. This metric assesses how well a solution is able to grow to meet the increasing needs of large and dynamic enterprises.
Flexibility: For network observability, flexibility is determined based on factors such as customization options, interoperability via APIs, and level of vendor support.
Ease of use: We can assess this metric from the perspective of Day 1 (ease of deployment), navigation (ease of data retrieval), insights (is only data reported on, or does the solution offer actionable insights?), and remediation (does it offer steps for resolution?). Other factors contributing to ease of use include the availability of technical documents and training programs.
Ecosystem: With the purchase of a large-scale solution like this, customers are essentially joining a family. To determine the network observability solution provider’s viability, it’s important to assess its supply chains and contractual agreements.
Cost: As with all technical solutions, the up-front subscription cost for a network observability tool might not reflect all expenses required for full operation. For example, open-source software is free, but support staff and ancillary products may be required.
Table 5. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for Network Observability
As you can see in Figure 1, most vendors are positioned in the Platform Play half, which is to be expected considering most solutions aim for as much coverage as possible. The report is largely consistent with previous years, featuring the same selection of vendors and relatively similar distribution.
The vendors in the Feature Play half of the Radar have some distinguishing features, such as focusing on network modeling, pure infrastructure monitoring, or specific market segments.
The distribution across the Innovation and Maturity quadrants in the Platform Play half is weighted toward the Maturity vendors, whose solutions demonstrate consistent year-over-year development in their core strengths. The Maturity/Platform Play quadrant has a selection of Leaders and a high concentration of Challengers.
In the Innovation/Platform quadrant, there is a smaller selection of vendors, all of which are positioned in the Leaders circle. These vendors score well on the report’s emerging features, which are novel technologies that are expected to become part of the standard feature set of network operations teams in the years to come.
In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Auvik: Network Management Software
Solution Overview
Auvik’s Network Management solution has well-developed capabilities for monitoring SMB infrastructure that spans from on-premises equipment to outsourced infrastructure in the cloud and at the edge. The solution also includes automation features that continually scan for network changes and update network documentation, backup device configurations, and alert on network activities.
Delivered in a SaaS model, Auvik supports functions such as network topology mapping, network traffic visualization, network performance monitoring, network configuration backups, syslog management, end-user experience monitoring, and NetFlow traffic analysis to provide Layer 7 monitoring.
Catering specifically to the mid-market, Auvik’s solution is easy to use and deploy, and it addresses the most important use cases for organizations managing on-premises networks.
Auvik is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the Network Observability Radar chart.
Strengths
Auvik scored well on a number of decision criteria, including:
Dynamic discovery and mapping: Auvik can discover and map new network appliances and services automatically as they are added. Moreover, Auvik integrates asset management capabilities such as detecting and capturing full details for every device on the network, including make and model, serial number, IP address, and the physical switchport where the device is connected. Auvik pulls lifecycle data from supported devices to show whether they are on current or expired support contracts, whether there are more up-to-date software versions available, whether the devices are eligible to receive critical security updates, and whether the devices are still available for purchase.
Validation: Auvik scans network devices for configuration changes every hour, backing up the latest configurations automatically. The configuration backups are available for a side-by-side comparison review. Auvik can easily restore configurations using a restore button or, alternatively, allow export so the configuration can be applied to a new device. While this approach falls short of achieving true validation, Auvik provides the opportunity to correlate network performance changes with configuration changes.
Traffic analysis: Auvik extracts flow data and uses ML and traffic classification to highlight which applications or protocols are using the bulk of the network’s bandwidth, allowing users to investigate network traffic spikes retroactively or in real time. Customers can identify applications in use, application category, device names, and geolocation.
Opportunities
Auvik has room for improvement in a few decision criteria, including:
Application and Layer 7 monitoring: The application has limited capabilities to monitor application-to-application connectivity paths and traces, Layer 7 requests such as HTTP/S and gRPC, API calls, and requests to third-party services.
Microservices and containers monitoring: Currently, Auvik does not offer this feature.
Purchase Considerations
Auvik has a strong offering for mid-market customers with a good level of end-to-end network observability. Its developed traffic analysis capabilities and SaaS-based offering make it an attractive option in the network observability market. The lower overhead associated with deploying and managing the solution makes it a suitable choice for midsize organizations that need visibility of enterprise networks.
Use Cases
Auvik’s network observability solution is suitable for organizations that need to monitor data centers, LANs, and campus Wi-Fi and wireless networks. With high scores for ease of use and licensing methods, the solution is a suitable choice for midsize organizations that require a solution with low overhead and a short time-to-value.
BlueCat (LiveAction)
Solution Overview
In late 2024, LiveAction was acquired by BlueCat Networks, a provider of DNS, DHCP, and IP address management (DDI). The acquisition is meant to combine LiveAction’s network observability features with BlueCat’s DNS-level insights to provide comprehensive traffic flows and performance monitoring across all network protocols.
LiveAction Network Observability and Intelligence is made up of four key components. LiveNX provides network visibility using flow data, APIs, SNMP, OpenTelemetry, and cloud telemetry sources. LiveWire delivers enterprise-wide network forensics through high-density packet capture. LiveAssurance functions as a knowledge expert system that helps identify, troubleshoot, and remediate errors and misconfigurations in firewalls and load balancers. LiveNCA offers full-featured network configuration management, including change detection, policy violation alerts, configuration comparisons, rollback capabilities, and periodic validation.
Since the BlueCat acquisition of LiveAction, new BlueCat capabilities are delivered via LiveNX Assurance. These include proactive detection and prescriptive remediation steps for network and security infrastructure; identifying, troubleshooting, and remediating errors and misconfigurations in firewalls and load balancers before they disrupt the network; and the ability to proactively identify and resolve issues across firewalls and load balancers.
LiveNX offers visibility into the network, including SD-WAN, data centers, edge locations, and web-based applications. It supports a server node architecture, with each virtual or physical node supporting 1,000 devices and 500,000 flows per second. Customers can add multiple nodes to scale horizontally.
The LiveNCA module provides full-featured network configuration management, including change detection, policy violations, configuration differences, rollback, and periodic validation.
LiveWire provides local packet analysis for deep performance views. This real-time and detailed telemetry is seamlessly fused into LiveNX’s integrated view. LiveWire simultaneously provides the ability to drill down into deep-packet forensic analysis when necessary.
BlueCat is positioned as a Challenger and Outperformer in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
BlueCat scored well on a number of decision criteria, including:
Traffic analysis: The solution supports ML-based features such as application usage baselining, performance baselining, and anomaly prioritizations. It learns the usage patterns of the top network applications, baselines them on a per-device/per-direction basis, and detects anomalies when the usage and performance deviate from learned normal behavior. Top anomalies and insights can be quickly understood in context per app, per site, and per device. This allows contextually relevant drill-down to anomaly details. LiveAction’s alerting engine has an optional GPU-based ML engine for high-capacity data analytics for baselining, anomaly detection, forecasting, and correlation workflows.
Security observability: BlueCat scores high on security observability, with the solution detecting and correlating network-related threats using the ML capabilities available in the platform, and workflows being specifically developed for the network and security analyst to identify, investigate, and support root cause analysis of network-based threats. BlueCat can validate network design and intent by integrating with prominent SD-WAN vendors. It allows clients to view and analyze the results of dynamic changes to traffic patterns in the context of the full end-to-end network. LiveNX can also create, push, and validate QoS policies in near real-time.
Validation: The solution can verify configurations against gold standards to avoid system outages proactively and automatically verify the device state before and after maintenance, whether it’s a major upgrade, minor patch release, or configuration change. Comparing the device state pre- and post-maintenance provides the operations team with confidence in the success of the update. The LiveNCA module provides full-featured network configuration management including change detection, policy violations, configuration diff, rollback, and periodic validation.
BlueCat was classified as an Outperformer given the acquisition, integrations between the two portfolios, and comprehensive development pipelines.
Opportunities
BlueCat has room for improvement in a few decision criteria, including:
Troubleshooting and optimization: Following the BlueCat acquisition of LiveAction, the tool can conduct automatic root cause analysis and present network administrators with potential solutions, create tickets, and/or provide workflow-based or script-based automation capabilities with out-of-the-box content. However, the vendor can develop these capabilities further by identifying network optimization opportunities.
Microservices and containers monitoring: While the vendor can monitor API calls or IP-based entities that include containers, it does not have awareness of container and microservices concepts such as CNIs, API gateways, or ingress controllers to provide low-level visibility into how containers and microservices communicate.
Network modeling and planning: The solution does not currently offer network modeling or planning capabilities.
Purchase Considerations
Though BlueCat’s network observability solution is composed of three products, customers can choose to deploy only the modules they are interested in. For example, if a customer does not need validation and configuration management, they do not require the LiveNCA product. LiveAction is licensed on a per-device basis, while detailed packet forensic analysis is licensed on an appliance (physical/virtual/cloud) basis.
Use Cases
BlueCat’s network observability solution can support a variety of use cases, such as monitoring data center networks, LANs, campus networks, and WANs, and it can do end-user digital experience monitoring. The solution can also monitor virtualized and overlay networks, such as SD-WAN and public cloud networks. In addition to monitoring network performance, the solution is aware of applications, including cloud-hosted applications, SaaS, and web services. It can also support latency-sensitive use cases by monitoring quality of service for live voice and video.
Broadcom: Network Observability by Broadcom
Solution Overview
Combining AppNeta’s and DX NetOps’ capabilities, the Network Observability by Broadcom solution expands traditional operational visibility beyond the network edge and out to ISP, SaaS, and cloud provider networks. With these solutions, enterprises can leverage end-user experience metrics to track and optimize end-to-end network performance.
Network Observability by Broadcom provides comprehensive visibility across traditional and software-defined architectures, with strong capabilities for network fault detection, performance, flow, configuration management, log analysis, and AI insights. Network Observability by Broadcom is further enhanced by Broadcom’s AIOps solution, which leverages AI and ML for full-stack correlations, predictions, and algorithmic analysis of alarms, metrics, logs, and topologies.
Network Observability by Broadcom offers SaaS-based network and end-user experience monitoring that provides insights into network performance from the end-user perspective across infrastructures that customers do not own, such as the internet, middle mile, cloud, and SaaS environments. The solution’s proprietary TruPath technology provides granular insight into the network delivery paths through any network by using packet-train dispersion.
Network Observability by Broadcom is a very good candidate for carriers, system integrators, managed service providers (MSPs), and large enterprises. Broadcom also boasts an excellent partner ecosystem, leveraging industry-leading vendors for comprehensive visibility across all network segments.
Broadcom is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Broadcom scored well on a number of decision criteria, including:
Application and Layer 7 monitoring: Broadcom uses AppNeta’s near real-time, hop-by-hop, active testing of the entire network delivery experience to validate performance from controllers against the actual network delivery performance, validate overlay performance, identify patterns in performance over time, and identify problematic transports or service providers by looking at deviation from normal baselines and projections. This network delivery validation can be used for pre- and post-production deployments like SD-WAN and multicloud adoption.
End-user experience monitoring: Broadcom brings user experience metrics into the NOC for a better understanding of the managed and unmanaged network delivery performance impact on applications and users. By correlating network path metrics with network device performance, root cause and end-to-end network path health are surfaced, enabling the operations teams to get a better perspective of user experience impact. Broadcom’s Volatility analytics monitors instability in the network by assessing metric variability inflicted by external forces on the overall market performance. Monitoring Policies are an AppNeta feature that enables administrators to define what and how to monitor, with the solution applying the policies for new users or networking constructs.
Troubleshooting and optimization: The AIOps solution provides root cause analysis, significant alarm noise reduction, “situations to watch,” self-healing and predictions with machine-driven parameterization of automation, and integration with chat/collaboration tools. It determines usage domains across security, configuration, and release pipelines, including prediction of the future state, multivariate prediction, capacity prediction, business KPI and resource planning using AI/ML inference.
Broadcom was classified as an Outperformer given its consistent year-on-year feature releases and extensive development pipeline.
Opportunities
Broadcom has room for improvement in a few decision criteria, including:
Microservices and containers monitoring: Broadcom can further improve these capabilities by monitoring API requests across microservices, their payloads, and container-specific appliances such as CNIs, load balancers, service meshes, API gateways, and ingress controllers.
Validation: While the solution offers comprehensive validation capabilities, it can improve these capabilities by implementing digital twin and modeling features that can simulate how changes will affect performance before being deployed in production.
LLM integrations: Currently, Broadcom’s solution does not offer any out-of-the-box LLM integrations and requires customers to manually configure their own integrations via APIs.
Purchase Considerations
Following the VMware acquisition, Broadcom’s network observability solution could benefit from lower-level integrations with VMware’s SD-WAN, NSX, Tanzu, and VCF. Current observability capabilities for VMware environments include SD-WAN performance validation that covers the Application Performance Index (Apdex) and Mean Opinion Score (MOS) indicators, and NSX performance validation, which collects inventory data, alarms, and performance metrics from VMware NSX data centers, as well as underlay network metrics.
Network Observability by Broadcom licensing is based on the device count monitored on the corporate network, data centers, and cloud and SaaS applications with active network and web monitoring.
Use Cases
Broadcom’s network observability solution can be used for a wide range of use cases, including monitoring data center, LAN, and campus WAN and internet, virtualized networks for cloud and edge environments, Wi-Fi, wireless, and cellular and radio networks, and digital experience monitoring. With such a broad platform scope, Broadcom’s network observability solution is suitable for large enterprises with complex environments.
Cisco: Provider Connectivity Assurance
Solution Overview
In late 2023, Cisco completed the acquisition of network observability provider Accedian. The solution, Provider Connectivity Assurance, delivers high-performance network and user-experience monitoring across virtualized, cloud, software-defined, and physical network infrastructures, as well as service and application chains. Provider Connectivity Assurance provides end-to-end network and application performance visibility and control over user experience.
Accedian’s network observability is achieved with the following products:
Cisco Provider Connectivity Assurance (SaaS deployment) is the main tool for viewing and analyzing network performance data.
Assurance software and hardware sensors (physical and virtual deployment) are designed for capturing all network traffic between users and infrastructure (north-south) and between virtualized infrastructure resources (east-west). These can be deployed as software microservices on open compute platforms (x86, vCPE or uCPE, cloud servers) and public cloud platforms.
The Provider Connectivity Assurance platform is highly scalable, able to monitor multinational networks, and caters to the complex environments of CSPs or businesses with highly distributed networks.
Cisco is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Cisco scored well on a number of decision criteria, including:
Application and Layer 7 monitoring: The platform uses sensors to monitor real user experience and generate synthetic data orchestrated from a single solution. The platform’s sensors, available as software or containers, provide active test traffic from Layers 2 through 7. The sensors can generate performance data on Layer 2 Ethernet, Layer 3 IP, Layer 4, and Layer 7 protocols. The Assurance “capture sensor” provides lightweight passive analysis of network traffic from Layer 2 to Layer 7 on physical, virtualized, and cloud infrastructures. The capture sensor collects network traffic between users and infrastructure (north-south) and between virtualized infrastructure resources (east-west).
Traffic analysis: Provider Connectivity Assurance performance analytics leverage ML to conduct network traffic analysis. It provides predictive analysis to identify performance-related issues such as latency, jitter, congestion, and dropped packets.
Validation: Provider Connectivity Assurance has developed intent-based assurance features that support baseline performance to ensure the network fulfills business needs and outcomes. Baseline performance metrics can be used pre- and post-configuration change and validate that change management is done successfully. The solution couples baseline data and metadata, which allows Provider Connectivity Assurance to create a contextual relationship between service fulfillment and configuration.
Opportunities
Cisco has room for improvement in a few decision criteria, including:
Dynamic discovery and mapping: The solution can improve its discovery capabilities by asynchronously updating visualizations and dashboards as new network appliances are spun up.
Security observability: The solution has limited capabilities to monitor security appliances such as firewalls, detect suspicious traffic, highlight unpatched network appliances, or offer network detection and response (NDR) features.
Microservices and containers monitoring: Currently, the vendor can support basic container monitoring based on IP addresses.
Purchase Considerations
We expect the solution to become more tightly integrated with the rest of the Cisco portfolio over time. Some use cases might be integrations with Cisco ACI and Nexus Dashboard Fabric Controller (NDFC) for data center and cloud networking.
Use Cases
Cisco Provider Connectivity Assurance can deliver on a wide range of use cases, such as enterprise network monitoring, cloud network monitoring, WAN, and internet. It can also monitor cellular and radio networks, which is a capability offered by only a few vendors featured here. The solution is also able to monitor end-user experience.
Datadog: Network Performance Monitoring & Network Device Monitoring*
Solution Overview
Datadog offers a modern take on network observability through its two products, Network Performance Monitoring (NPM) and Network Device Monitoring (NDM).
NPM provides visibility into network environments, such as on-premises, cloud, and hybrid environments—including public cloud constructs like virtual private clouds (VPCs) and cloud services. NPM data collection is done using eBPF, meaning the solution requires monitored platforms to have Linux kernel versions of 4.4.0+ or have eBPF features backported. NPM also supports Windows.
Datadog NDM monitors and troubleshoots routers, firewalls, switches, load balancers, and other network devices by supporting SNMP, NetFlow, syslog, and other data formats.
In addition to its network monitoring, buyers should also consider Datadog’s application performance monitoring (APM) solution, which provides insight into issues at the application layer of containerized environments. With APM, if a container running on EC2 is experiencing high request latency, administrators can investigate the networking component to view all network connections related to that service and determine whether the problem stems from an upstream service.
Leveraging its background in data ingestion and analytics, Datadog offers a modern approach to network performance monitoring that’s based on eBPF, a capability that’s generally not available with other solutions in the market. Datadog NPM supports visibility for the large public cloud providers, AWS, Azure, and GCP. NPM automatically maps network calls to AWS services such as S3, RDS, Kinesis, ELB, and ElastiCache. It can also map API calls to AppEngine, Google DNS, Gmail, and other Google Cloud services. The solution can also monitor AWS load balancers, NAT gateways, VPC internet gateways, and VPC endpoints.
For business intelligence, the solution’s analytics capabilities can help investigations into cloud cost reduction, such as for cross-availability-zone (cross-AZ) traffic by discovering which services make up most of the cross-AZ traffic. This can also be applied to other use cases, such as cross-team, cross-cloud provider, or cross-region traffic.
The solution supports troubleshooting through Datadog’s query language. Administrators are able to easily start investigations using templated queries that surface relevant network information without the need to search for or group the traffic.
Datadog is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Datadog scored well on a number of decision criteria, including:
Microservices and containers monitoring: Datadog offers some of the most comprehensive and sophisticated monitoring of microservices and container networking. The solution has awareness and visibility over CNIs such as Cilium, service meshes such as Istio, proxy services such as Envoy, and managed Kubernetes services.
Visualization: Datadog NPM visualizes the architecture and performance of containerized and orchestrated environments, with support for Docker, Kubernetes, ECS, and other container technologies. Datadog’s container integrations enable organizations to aggregate traffic by entities, such as containers, tasks, pods, clusters, and deployments, with out-of-the-box tags. NPM can map network communication between containers, pods, and services over the Istio service mesh. It tags Envoy sidecars as containers, which means administrators can use the network map to visualize the underlying container traffic and determine whether it’s a service mesh issue.
Dynamic discovery and mapping: The network map provides a topology view of the network to help visualize network partitions, dependencies, and bottlenecks. In addition to providing an overview of the network’s physical connections, administrators can investigate individual devices to understand their connections, flows, and overall status. Hovering over a device displays its overall status and key metrics.
Opportunities
Datadog has room for improvement in a few decision criteria, including:
Validation: The solution can further improve its validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, implementing synthetic traffic to simulate how changes would behave in production, or offering digital twin features.
Security observability: The solution has limited capabilities to monitor security appliances such as firewalls, detect suspicious traffic, highlight unpatched network appliances, or offer NDR features. It is worth noting that Datadog has a comprehensive security monitoring portfolio, which is a separate set of products compared to network monitoring.
LLM integrations: Datadog does not currently integrate with large language models to allow network administrators to interact with the solution using natural language.
Purchase Considerations
Datadog is distinguished from the rest of the vendors featured in this report due to its wider data ingestion and analytics capabilities, which go beyond network data. Organizations that deploy Datadog NPM also have access to a wide range of its infrastructure and service monitoring, which is unavailable from other vendors featured here. NPM is perhaps best suited for organizations that already have a Datadog deployment and require a network observability product.
Use Cases
Datadog can deliver on a good range of use cases, but it has particularly good capabilities for monitoring containers, microservices, applications, and services. It can also monitor enterprise networks, data centers, and cloud networks. Currently, the solution can monitor Cisco SD-WAN only using Meraki or a Netnology integration, and it does not support radio networks.
Forward Networks: Forward Enterprise Platform
Solution Overview
Forward Networks’ Enterprise platform provides a novel take on network observability by generating a vendor-neutral software abstraction—a digital twin—that models the entire network infrastructure, including switches, routers, firewalls, load balancers, and SD-WAN solutions, both on-premises and in the public cloud.
By producing a digital twin of a network, the solution enables end-users to search network behavior, configuration, and state network-wide. The solution can discover any device on the network, including its connections and all forwarding behavior for end-to-end path analysis across the network for both on-premises and multicloud infrastructure.
The Forward Enterprise platform's digital twin serves as a powerful troubleshooting platform, offering a suite of applications such as search, inventory, verification, and network query engine (NQE). These applications unveil comprehensive configuration and connectivity insights, empowering operators to proactively pinpoint configuration errors, connectivity inefficiencies, or potential causes of a security breach. In the event of detecting such anomalies, the platform can be configured to dispatch notifications and alerts or generate or update ServiceNow tickets, expediting reporting and subsequent remediation efforts. This robust functionality streamlines network management processes and enhances overall operational efficiency.
Its digital twin approach distinguishes it from most other vendors. While this approach has specific advantages, the solution does not offer all the features supported by solutions on the Platform Play side, such as traffic analysis.
Forward Networks is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the Network Observability Radar report.
Strengths
Forward Networks scored well on a number of decision criteria, including:
Validation: The solution specializes in validation. It can verify that the network is configured and behaving as intended across on-premises, cloud, and virtual overlay networks by delivering automated pre- and post-deployment checks. The solution offers a full network digital twin that can simulate how infrastructure and configuration changes will behave before being deployed in production. The Forward Enterprise Behavior Diffs feature surfaces what has changed at different layers in the network stack by showing changes in the topology (devices, links, interfaces), the changes at Layer 2 (VLANs) and Layer 3 (routing), the changes around security (ACL, NAT), and what effects the changes have on the network intent policies defined by the network operators. It offers a side-by-side comparison in one quick view of configuration file and state changes for any device and between any two points in time, and it can identify what policy rules and behavior checks have changed between snapshots.
Security observability: Forward Enterprise is able to address security use cases such as attack surface management, which provides detailed information on all devices connected to a compromised host, in a single intuitive interface; vulnerability management; security posture management for validating that global network security posture complies with zero-trust design goals for multicloud and on-premises networks; and exposure analysis to identify which end hosts impacted by critical vulnerabilities can be accessed from any exposure point.
Visualization: The tool can display network layer 2–4 topology and all possible traffic paths within a single pane of glass, including on-premises, cloud, and virtualized environments. It can then drill down to specific devices and traffic flows, including configuration and state data, and view the global network in a single view or drill down to a single device.
Opportunities
Forward Networks has room for improvement in a few decision criteria, including:
Traffic analysis: The solution does not provide traffic analysis features, which rely on observing real-world traffic rather than using a simulated instance of the network.
Application and Layer 7 monitoring: While the vendor can add Layer 7 filters on the path analysis feature, it does not currently offer application and Layer 7 monitoring.
Microservices and container networking: Currently, Forward Networks does not monitor microservices and containers.
Purchase Considerations
Forward Networks’ observability solution is inherently different from those of the rest of the vendors featured in this report. It allows enterprises to take a much more proactive approach to managing how the network performs, compared to the reactive approach that monitors real traffic to identify degradations after they take place. What the solution can’t provide in terms of traffic analysis, it compensates for with very comprehensive validation features and associated security posture monitoring.
Forward offers a yearly licensing model per physical or virtual network device used on-premises, while for cloud monitoring, the licensing is per compute instance.
Use Cases
Forward Networks’ comprehensive digital twin engine can model a wide range of overlay and underlay network types. The solution can model network devices such as switches, routers, firewalls, and load balancers, as well as SD-WAN and wireless solutions, data center networks, and virtualized cloud environments. It does not currently support radio networks. Modeling for containers and microservices will be supported in future releases.
Kentik: Network Observability Platform
Solution Overview
The Kentik network observability solution provides comprehensive observability of networks across infrastructures, including data centers, private and public clouds, WAN and SD-WAN edge, CDNs, ISPs, and the various service provider networks on the internet.
The Kentik offerings include a unified, intuitive map and topology view that shows intra- and inter-infrastructure traffic flows and provides real-time and historical traffic, performance, and health information for immediate assessment, issue identification, and troubleshooting. The solution is fully delivered as SaaS but can also be deployed physically within the customer’s control if needed to support compliance requirements. In this case, the solution is managed by Kentik and delivered in a similar SaaS fashion.
Kentik’s network observability solution supports monitoring for very large networks. It includes excellent security monitoring capabilities from its broad partner ecosystem as well as built-in threat-intelligence data that can correlate with customer-supplied data.
Kentik Kube uses a kernel-based eBPF agent to generate flow records and performance characteristics such as session latency and TCP retransmit statistics. The eBPF nature of the agent means it is lightweight and offers very high performance, generating flow records for 10Gb/s of traffic while consuming a single CPU core. Kentik is currently developing eBPF features to generate records identical to VPC Flow Logs from traffic generated in cloud provider environments, an approach typically taken to avoid flow log charges.
Kentik has developed a natural language interface, called Journeys AI, that leverages GPT-4 under the hood for network troubleshooting and investigation, while other LLMs can be substituted in the future. Users can ask questions about their network in natural language, using the full breadth of Kentik’s platform to deliver an answer.
Another differentiating feature in Kentik’s solution is the visibility of network spending. Customers can input their connectivity service provider’s pricing model into Kentik, and based on traffic attributes, Kentik can provide spending estimates. This information allows enterprises to forecast OpEx spending for network usage and scenario-based budget planning.
Kentik also caters to NetDevOps audiences, with integrations for infrastructure as code (IaC) tools, such as Terraform, and a full Python software development kit (SDK). The solution can write API calls from queries written in its interface. Kentik also manages several open source projects, including tooling that facilitates integration with third-party tools and eBPF-based Kubernetes observability.
Kentik is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Kentik scored well on a number of decision criteria, including:
Dynamic discovery and mapping: Kentik can identify and visualize cloud networking elements and their associated context, Kubernetes nodes, pods, and connections, along with CDN PoPs, internet applications, and upstream connectivity providers. While these capabilities are extensive, Kentik’s solution also lets customers add devices through the API, which the solution then automatically discovers.
Troubleshooting and optimization: Kentik provides advanced insights with autodetection of anomalies and emerging issues, using built-in diagnosis and potential root cause analysis (RCA) with a combination of semantically enriched algorithmic learning. The solution uses AI to generate and surface emerging network events for proactive diagnostics, helping to battle brewing performance issues, network attacks, and/or traffic anomalies. Kentik can also generate synthetic traffic that can help with digital experience monitoring and proactive troubleshooting, allowing network administrators to zoom into specific tests and learn details about the traffic’s path or application response times from anywhere in the global agent network.
Visualization: With intuitive and easy-to-navigate network representations, Kentik provides a granular level of detail across third-party infrastructures. Kentik enables the analysis of traffic paths throughout cloud virtual network constructs with trace-route and path views, including all nodes and test result metrics. This functionality lets administrators see nodes, links, and paths along a route and quickly find performance issues.
Opportunities
Kentik has room for improvement in a few decision criteria, including:
Validation: Kentik deliberately chose to limit its capabilities around network validation. This means the solution has limited awareness of device and network configuration and its impact on performance, and it does not use intent-based mechanisms for defining networking constructs. Kentik is partnering with third-party companies like Itential and has begun exploring the use of LLM capabilities to make configuration suggestions that can help mitigate misconfiguration-related risks and performance degradations.
Security observability: While Kentik can ingest flow data for security processing, the tool does not currently offer an inventory management or configuration management feature that identifies unpatched devices or NDR features that can identify suspicious behavior.
Application and Layer 7 monitoring: Kentik can further improve these features by offering monitoring for Layer 7 load balancers and web application firewalls (WAFs), and by providing visibility into protocols such as HTTP/S and gRPC.
Purchase Considerations
Kentik’s licensing model comes in three tiers that are publicly documented. Each tier includes an initial number of flows per second, which includes VPC Flows, synthetic testing credits, and metrics per second. Customers can purchase additional flow, VPC Flow, metrics, and synthetic credits using “Paks” and pay only for what they use.
Use Cases
Kentik’s network observability solution can be used for a wide range of use cases, including monitoring data center, LAN, campus, WAN, and internet. The solution supports both on-premises and cloud environments, distinguishing between overlays and underlays. The solution’s cloud network monitoring is well-developed and also provides good features for monitoring containers and microservices. Kentik also offers synthetic monitoring, which allows customers to monitor the digital experience of their environment.
LogicMonitor
Solution Overview
LogicMonitor’s SaaS-based observability platform offers extensive infrastructure monitoring and provides comprehensive visibility into dynamic IT environments from on-premises data centers to public clouds. Data correlation capabilities within the platform provide insights for intelligent troubleshooting and predicting bottlenecks. LogicMonitor’s agentless infrastructure monitoring delivers an extensible solution with over 3,000 integrations, customizable dashboards, and automated discovery.
LogicMonitor’s modular observability solution allows customers to select products to match their requirements. Products include LM Infrastructure Monitoring, LM Cloud, LM Container Monitoring, LM Logs, LM Application Performance Monitoring, and Edwin AI.
LogicMonitor is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the Network Observability Radar chart.
Strengths
LogicMonitor scored well on a number of decision criteria, including:
Automated operations: LogicMonitor’s AIOps capabilities can be used for dynamic thresholds, anomaly detection, forecasting, RCA, and unbalanced service detection. For a given alert condition, LM Intelligence can correlate data points among various metrics, traffic flows, configuration changes, logs, and topology. Future LM Intelligence developments will include metric-to-metric correlations and metric/log/tracing correlation for applications.
Dynamic discovery and mapping: The LogicMonitor solution features a well-developed network discovery function by which collectors use its NetScan feature to discover network devices. NetScans can be executed via the Internet Control Message Protocol (ICMP). Native algorithms provide automatic tech-stack discovery via tools such as WMI, Perfmon, SNMP/SSH, JDBC, HTTP/S, PowerShell, and Groovy APIs for virtual infrastructure.
Traffic analysis: The solution offers good traffic analysis capabilities, which achieve use cases such as extracting DNS info graphically based on traffic source, predictive analytics for fault pattern detection, capacity planning and forecasting, identifying and forecasting usage depending on seasons or events, and detecting link failures by identifying the increased number of connections on the backup link.
Opportunities
LogicMonitor has room for improvement in a few decision criteria, including:
Validation: While the platform can detect configuration changes and automatically identify the associated impact on network performance metrics, and generate synthetic traffic, the solution can further improve its validation capabilities by offering digital twin capabilities.
Microservices and containers monitoring: LogicMonitor can monitor ingress controllers, API gateways, and service meshes, but it can further improve this by monitoring container networking interfaces for pod-to-pod monitoring.
Network modeling and planning: The solution does not currently offer network modeling or planning capabilities.
Purchase Considerations
LogicMonitor's solution is sold through a variety of licensing models, including a tiered service approach with add-ons and premium services. Licensing is based on the number of devices or resources monitored per month and is organized by standard resource licenses, MSP licenses, cloud monitoring licenses, and MSP licenses for cloud monitoring.
Use Cases
LogicMonitor’s network observability solution can deliver on a wide range of use cases, which include Wi-Fi and wireless monitoring, digital experience monitoring for end users, and performance monitoring for both overlay and underlay networks in data centers, LAN, and campus networks. The solution can also monitor WAN and internet performance, along with virtualized cloud networks.
ManageEngine: OpManager Plus and Site24x7
Solution Overview
ManageEngine OpManager Plus is a comprehensive network observability solution that helps monitor and manage network devices and virtual infrastructure as well as network traffic, configuration changes, security appliances, and applications. OpManager Plus can be deployed in physical appliances, virtual appliances, or as a public cloud image. Site24x7, a wide-ranging monitoring solution for applications, websites, servers, cloud services, and networks, is available as a SaaS solution.
Besides the comprehensive OpManager Plus platform, ManageEngine also offers dedicated standalone solutions for network performance monitoring, network traffic management, network configuration, change management, and application performance management. A separate network performance monitoring solution is tailor-made for MSPs.
A distinguishing aspect of the ManageEngine solution is its visualization capabilities. The platform goes beyond topological and geographical maps to provide 3D server room and virtual device views.
ManageEngine is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
ManageEngine scored well on a number of decision criteria, including:
Visualization: A distinguishing aspect of the ManageEngine solution is its visualization capabilities. The platform provides topological and geographical maps and can also generate 3D server room representations that can be used by on-site engineers to diagnose and fix hardware-related issues.
Dynamic discovery and mapping: OpManager Plus dynamic discovery enables it to discover new locations, physical appliances, and virtual appliances and update network visualizations such as Layer 2 topology maps, inventory, and reports. For troubleshooting, ManageEngine offers workflows that help IT teams automate routine tasks based on predefined conditions. These workflow actions include stopping processes to bring down CPU usage and restarting devices. Workflows can be scheduled for routine maintenance or executed automatically based on user-defined conditions.
Validation: ManageEngine’s Network Configuration Manager provides excellent validation. It enables users to push configuration changes through “configlets” (configuration scripts), allowing deviations to be identified using compliance rules and corrective actions to be taken. ManageEngine’s solution provides visibility into end-user experience with real-time data on availability, performance, and packet loss, using application performance index scores that help measure customer satisfaction based on speed and application transactions. Synthetic transaction monitoring can simulate user experience on a website or web application from 130 global monitoring locations or from behind the firewall to ensure application availability and high performance.
Opportunities
ManageEngine has room for improvement in a few decision criteria, including:
Troubleshooting and optimization: ManageEngine can further improve its troubleshooting feature by identifying and proposing optimization techniques such as traffic engineering.
Traffic analysis: While the solution can analyze traffic, it could develop other features, such as detecting an incorrect application configuration revealed by an increase in the number of error codes within application connections.
Network modeling and planning: ManageEngine does not currently offer network modeling and planning capabilities.
Purchase Considerations
OpManager Plus and Site24x7 need to be purchased separately. ManageEngine offers various tiers for its products. The solutions can be purchased either as a perpetual license or via a subscription model based on the number of devices being managed, and there’s a dedicated plan for MSPs, with no additional costs for deploying probes.
Use Cases
OpManager Plus can monitor a wide range of network types, which include on-premises overlays and underlays for data centers, LAN, campus, and WAN networks as well as Wi-Fi and wireless monitoring. It can also monitor virtualized public cloud networks and microservices. The Site24x7 solution provides end-user experience monitoring using both real user traffic and synthetic traffic.
Motadata: Network Monitoring Software*
Solution Overview
Motadata consolidated its network observability features within its AIOps product, bringing ML-based insights and automation engines to an end-to-end infrastructure visibility platform.
Motadata is a unified observability platform for the network, infrastructure, and application stack that enables organizations to gather actionable insights at scale. The solution leverages ML algorithms for anomaly detection, forecasting, and capacity planning, and it is able to reduce MTTR by limiting noise from alerts and generating tickets with more context.
Motadata is positioned as an Entrant and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Motadata scored well on a number of decision criteria, including:
Security observability: Motadata monitors appliances such as Layer 4 firewalls, proxies, Layer 7 firewalls, and virtual private networks. It can also monitor and visualize network segmentation and microsegmentation, offering network analysts visibility over how the security architecture is laid out. It also offers inventory management or configuration management features that identify unpatched devices.
Visualization: Motadata can provide the virtual device mapping of all guest/host machines in virtualized and containerized environments. It also provides detailed representations of all the nodes, interconnected layers, and port-to-port connectivity of network devices.
Dynamic discovery and mapping: Motadata automatically discovers network devices whenever new network and security functions are created in the network environment. The reports and visualization dashboards are also updated based on the discovery of new locations and appliances. Motadata can conduct scans at regular intervals, such as daily or weekly. It discovers the assets asynchronously as new devices are provisioned and automatically updates topology maps, service maps, and reporting dashboards to reflect the changes. It also discovers applications and other services, including databases and SaaS applications.
Opportunities
Motadata has room for improvement in a few decision criteria, including:
Validation: The platform can automate network configuration management for configuration changes, backups, and restores. These are mature features that provide the capabilities of asset management software. However, the platform isn’t able to achieve validation, which entails correlating configuration with network performance impact and offering automated remediation.
Traffic analysis: While Motadata uses machine learning algorithms to analyze the traffic patterns for predictive analytics for fault pattern detection, the solution does not offer advanced capabilities such as detecting link failures by identifying the increased number of connections on the backup link, incorrect application configuration revealed by an increase in the number of error codes within application connections, and server overload when there’s a decrease in QoE.
Security observability: Despite being able to ingest security logs, the platform doesn’t provide security analysis or more advanced features such as NDR. The solution can be deployed only as a virtual appliance because the vendor doesn’t offer a SaaS or on-premises deployment model.
Purchase Considerations
Prospective customers should evaluate the vendor’s medium-term strategy, as it has a very strong opportunity to develop mature AIOps features by leveraging its existing automation engine—consisting of script and workflow builders—and its ML-based analytics engine that extracts actionable insights to create features such as intelligent self-healing and auto-remediation. Network observability tools are large and important deployments, so growing organizations may find that Motadata’s solution capabilities can grow at the same time, preventing any future tool displacement.
Use Cases
The solution is able to monitor a good range of networking use cases. For on-premises networks, it can monitor underlays and overlays for data centers, LAN, campus, and WAN networks. The solution also has awareness of public cloud networking constructs and can monitor these within the same product. Motadata can also monitor Wi-Fi and wireless networks.
NetBrain: Next-Gen
Solution Overview
NetBrain Next-Gen is a network automation platform that relies on a strong observability foundation to provide its no-code automation features. Its approach to observability, achieved by creating a live digital twin of the hybrid-cloud, multivendor network that is used to validate the network and preserve policies during key operation workflows, differentiates it from most other solutions featured here.
The solution can assess the network continuously using no-code automation for rules, policies, and vulnerabilities to identify deviations from the expected golden configuration or state. NetBrain’s Replication Wizard applies intents as automation to the entire multivendor hybrid cloud network to scale no-code automation. It identifies, replicates, and scales automation across the entire network. The solution can discover and visualize real-time traffic flow based on routing and forwarding tables, overlay and underlay network topology, and device and operating details. These form the baseline to create a live digital twin that is a representation of a customer’s network.
NetBrain is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the Network Observability Radar chart.
Strengths
NetBrain scored well on a number of decision criteria, including:
Visualization: The Flow Layer is used to create an edge-to-cloud control plane with live, historical, and baseline application paths. The Topology Layer provides real-time Layer 2, Layer 3, and VPN overlay and underlay detail for all devices and neighbors and supports end-to-end visibility for public cloud and software-defined networks (SDNs). Lastly, the Device Layer offers real-time inventory of device configuration, state, and interface details of multivendor networks.
Validation: NetBrain’s Triple-Defense network protection produces a shareable automation dashboard for each change. It evaluates the network in three phases: before, during, and after a change. Before a change, the solution assesses the desired change against all of the rules and policies to ensure no violations would occur. During the change, it assesses the impact of each requested change on the network. Finally, after the change, NetBrain confirms the network is delivering services properly, then adds this new configuration requirement to the automation library to verify a future change’s impact on current requirements. It also offers a built-in rollback mechanism that allows administrators to mitigate unexpected changes by quickly undoing them to prevent outages and downtime.
Automated network operations: NetBrain’s solution captures the knowledge of subject matter experts as automation without coding. This includes information about network state, condition, design, configuration, and policies. The Intent technology allows administrators to define how to measure the success of all network conditions and continuously assess them against those desired conditions, such as resiliency, application performance, capacity, latency, security rules, and controls.
Opportunities
NetBrain has room for improvement in a few decision criteria, including:
Security observability: While the solution can help define security boundaries, access control, and configuration detail, it does not monitor security appliances or traffic for security anomalies.
Application and Layer 7 monitoring: The solution’s Layer 7 capabilities include path-level assurance of conditions, which could be further improved by offering monitoring for Layer 7 load balancers and WAFs, and providing visibility into protocols such as HTTP/S and gRPC.
Microservices and containers monitoring: While the vendor can monitor IP-based entities that include containers, it does not have awareness of container and microservices concepts such as CNIs, API gateways, or ingress controllers to provide low-level visibility into how containers and microservices communicate.
Purchase Considerations
The subscription is annual, with a three-year term as the default. Licensing is per managed device, per concurrent user, and is also based on extended feature modules used. NetBrain includes its robust assessment library with hundreds of the most common assessments that network professionals need to maintain production. Its ready-to-use network assessment templates can be customized into rich drill-down dashboards.
Use Cases
NetBrain’s no-code automation and modeling engine can be deployed to observe a wide range of overlay and underlay networks. The solution can model networking hardware and security appliances such as switches, routers, firewalls, and load balancers, as well as SD-WAN solutions, data center networks, and virtualized cloud environments. It does not currently support containerized, microservice, Wi-Fi, wireless, or radio networks.
NETSCOUT: nGeniusONE
Solution Overview
NETSCOUT is a key player in the network observability space, with established solutions developed over 30 years of working with some of the largest network operators in the world. Its network observability suite, nGenius, is a mature and well-rounded solution that is tailored to customers based on varied industry requirements—such as carriers, public sector, finance, healthcare, or MSPs.
NETSCOUT’s flagship product, nGeniusONE, is highly scalable and supports a good selection of data sources, making it a versatile tool for CSPs and for large enterprises with complex networks. nGeniusONE is offered as an on-premises solution featuring the nGeniusONE server unit, or as a virtual appliance for both private clouds. It also provides network visibility as a managed service with its nGeniusVaaS (visibility as a service) offering.
A key aspect of NETSCOUT’s solutions is its patented Adaptive Session Intelligence (ASI) technology, which performs real-time data mining of user and application traffic at the network source. The ASI metadata includes key traffic and performance indicators and Layer 4 through 7 problem indicators for the discovered applications and servers, with no need to install device agents. NETSCOUT’s ASI technology supports over 1,000 applications out-of-the-box, providing monitoring for voice, video, web/URL-based, server-based, SaaS, unified communications as a service (UCaaS), and custom applications.
NETSCOUT is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
NETSCOUT scored well on a number of decision criteria, including:
Traffic analysis: NETSCOUT’s Omnis Analytics product uses ML to detect business impact by correlating KPIs with network performance and performing outlier detection. At the time of writing, Omnis Analytics is available for Wi-Fi, 5G, multiple-access edge computing (MEC), and voice networks. The product supports other types of networks, such as LAN, WAN, cloud, and edge.
Security observability: The vendor ranks high on traffic security, with its Omnis Cyber Intelligence solution supporting use cases such as verification of zero-trust policies, retrospective analysis using new threat intelligence against historical metadata and packets, threat hunting, and threat blocking via integrations with security service providers. NETSCOUT Arbor Sightline can gather and analyze multiple versions of NetFlow to identify baseline behavior and detect anomalies. It can also provide data associated with attacks, such as source address, target addresses, and protocols used, which can be used for automated attack mitigation.
Application and Layer 7 monitoring: NETSCOUT can monitor applications via the nGeniusPULSE product. nGeniusPULSE is an active synthetic testing solution that provides instrumentation at remote edges to monitor the performance of SaaS applications and remote users. It performs tests, including on business transactions, network SLAs, VoIP, Wi-Fi, and infrastructure performance management. nGeniusPULSE is integrated with ISNG/vSTREAM and nGeniusONE and can capture packets on synthetic transactions for smart data triage.
Opportunities
NETSCOUT has room for improvement in a few decision criteria, including:
Visualization: The solution can further improve its visualization capabilities by adding features such as outsourced infrastructure flows, which provide a view of traffic in areas such as cloud environments and middle mile, available in observability platforms as more and more of enterprise infrastructure is being hosted by third parties. It could also add traceroutes, which provide a hop-by-hop analysis as a request traverses the network from one endpoint to the other.
Validation: While the solution can detect misconfigurations such as QoS misalignment, it can improve on this by offering automatic configuration rollbacks upon performance degradation, or the ability to simulate how traffic patterns will be impacted before being deployed in production.
Microservices and containers monitoring: NETSCOUT supports the monitoring of containers and microservices-based applications using packet-level monitoring, but does not integrate with appliances such as CNIs, API gateways, and ingress controllers.
Purchase Considerations
Licensing can be either perpetual or a subscription. NETSCOUT subscription options combine NETSCOUT instrumentation with nGeniusONE performance management software. This subscription enables enterprise performance management customers to eliminate blind spots that have emerged with digital transformations by cost-effectively expanding instrumentation to new vantage points across their network. The subscription option can be used for both physical and software-based instrumentation or for virtual instrumentation.
Use Cases
NETSCOUT caters to a wide range of network monitoring use cases, which include both on-premises and cloud networks. The solution can differentiate between on-premises underlays and overlays, monitoring data center, LAN, campus, and WAN networks, and Wi-Fi and wireless networks. The solution can also monitor public cloud networking constructs. Moreover, NETSCOUT’s solution is one of the few that can monitor cellular and radio networks, differentiating the solution in this respect.
OpenText: Network Operations Management
Solution Overview
After acquiring Micro Focus in 2023, OpenText entered the network observability space with its Network Operations Management solution. This is a mature and well-featured tool that provides management for enterprise networks, integrating capabilities to monitor fault, performance, configuration, and compliance of physical, virtual, wireless, and SDN infrastructure.
The Network Operations Management Causal Engine dynamically assesses the root causes of network faults, leveraging analytics against polled data, SNMP traps, and real-time topology data from Spiral Discovery, reducing the volume and noise of incidents by up to 50%. Any time the state poller sends updated state values for an object, the Causal Engine reanalyzes status, conclusions, and incidents, and updates this information if needed. The Causal Engine defines root cause in terms of symptoms, using a set of rules to define relationships for fault and performance (thresholding) symptoms and root causes. Sources of symptom information include SNMP traps and the monitoring information from the state poller, including an object's state.
The Causal Engine actively solicits symptoms during analysis and reacts dynamically to topology changes. It uses three stages to help determine and display root cause incidents and their related conclusions:
Condition listener: Collects symptoms from Network Operations Management processes and services.
Hypothesis engine: Analyzes these symptoms to determine relationships until a root cause is reached.
Blackboard: Updates a device's status and posts any related incidents, based on the information sent by the hypothesis engine.
Network Operations Management provides real-time security and compliance monitoring to ensure adherence to standards, along with monthly updated vulnerability policy content to help users quickly identify vulnerability issues, secure the network, and prevent threats to it. If network failures or security threats are detected, automated configuration change, automated provisioning, and automated upgrade capabilities are available for administrators to use to recover or proactively manage the network infrastructure.
OpenText is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
OpenText scored well on a number of decision criteria, including:
Dynamic discovery and mapping: Network Operations Management’s dynamic Spiral Discovery technology continuously gathers information about network inventory, displays the relationships between devices, such as subnets, VLANs, and virtual resource pools, and offers near real-time updates of connectivity maps of devices. Network Operations Management shows operators how device configuration changes might be impacting network performance (which happens frequently) to enable faster MTTR for problems introduced by such changes. Automated configuration changes can then be deployed by Network Operations Management to remediate the problems found.
Validation: The solution can examine a configuration’s fitness for purpose before deployment by automatically assessing pre-change conditions to validate a change and determine whether it should proceed, deploy the configuration change, and then automatically assess post-change conditions to determine whether an automated rollback action should be triggered. Network Operations Management provides real-time compliance analysis of any changes to any network device configurations detected, any network device running state diagnostics, and network OS patch levels. It also includes automated remediation features regardless of whether those changes were automatically deployed by Network Operations Management or by third-party tools.
Troubleshooting and optimization: The Network Operations Management Causal Engine is a mature feature that can generate notifications about problems or issues, including sending conclusions, correlation, or suppression of incidents; closing incidents that are no longer valid; creating parent-child relationships among incidents that are all related to one problem; and creating parent-child relationships between any two incidents that are correlated using the custom correlation configuration.
Opportunities
OpenText has room for improvement in a few decision criteria, including:
Traffic analysis: OpenText uses machine learning algorithms to analyze the traffic patterns for predictive analytics for fault pattern detection. The solution does not offer advanced capabilities, such as detecting link failures by identifying the increased number of connections on the backup link, incorrect application configuration revealed by an increase in the number of error codes within application connections, and server overload when there’s a decrease in QoE.
Application and Layer 7 monitoring: OpenText can further improve these features by offering monitoring for Layer 7 load balancers and WAFs, and providing visibility into protocols such as HTTP/S and gRPC.
Microservices and containers monitoring: The solution doesn’t integrate with appliances such as CNIs, API gateways, and ingress controllers, and it doesn’t monitor traffic between microservices. This is a strategic decision made by OpenText.
Purchase Considerations
Network Operations Management supports multiple licensing models, including a perpetual license, subscription, and SaaS. The solution is available in three tiers and includes up to six non-production environments along with one production environment. Licenses are available in unit packs adjusted for managed nodes/services, with no additional charge for probes.
Use Cases
Network Operations Management can support a wide range of use cases. For on-premises networks, the solution can monitor both underlays and overlays for data center, LAN, campus, WAN, Wi-Fi, and wireless networks. The solution has awareness of and can monitor cloud-native networking constructs such as VPCs and networking services. Network Operations Management can also monitor end-user experience by deploying intelligent response agent probes on client devices for real user monitoring or deliver synthetic user monitoring via QA iSPI.
Paessler: PRTG
Solution Overview
Paessler’s PRTG (Router Traffic Grapher) is an all-in-one solution for infrastructure monitoring. PRTG is a network monitor that provides low-level visibility into all corners of the infrastructure, from network and applications to cloud, hardware, databases, and services. It has a consistent and comprehensive interface and can visualize data in several different modes, including its signature sunburst map. The solution ranks well on flexibility due to its highly customizable sensors, dashboards, licensing models, and available APIs.
Despite its lack of extended observability features, PRTG has carved out a specialty and is looking to provide its customers with automation and insights through several partnerships. Paessler has a very good partner ecosystem, collaborating with IP Fabric to provide validation and with ScriptRunner for automation workflows, for example.
In terms of deployment, PRTG has two components, a core server and probes. Probes can run locally, perform both active monitoring or collection and passive data collection, and run on any device, including lightweight devices such as Raspberry Pi. The core server can be run on any Windows installation, container, or SaaS. PRTG can scale out to multiple cores in a single cluster for large-scale deployments.
Paessler is positioned as an Entrant and Fast Mover in the Maturity/Feature Play quadrant of the Network Observability Radar report.
Strengths
Paessler scored well on a number of decision criteria, including:
Application and Layer 7 monitoring: PRTG can monitor a range of applications and cloud services, which include cloud-based applications from AWS and Azure, and a range of SaaS solutions such as Bing, Dropbox, and GitHub. It can also monitor web applications and services using HTTP loading time, response codes, web page rendering, HTTP transactions or activity, and performance stats of an Apache web server.
Security observability: PRTG can monitor network security appliances, including firewalls, antivirus software, and other security products. It can perform automated integrity checks of files, folders, and logs to uncover file modifications or unusual log data that might otherwise be overlooked. It notifies users in case of any changes to their data that deviate from the norm, alerting them via custom notifications so they can react as quickly as possible to mitigate the potential threat. PRTG can quickly identify potential network bottlenecks and unusual spikes in traffic, using SNMP, packet sniffing, and flow protocols like NetFlow to detect suspicious activities that can indicate a security breach.
Visualization: The solution offers some good visualization capabilities, which include PRTG-stable sunburst diagrams, customizable dashboards, network topology diagrams, and map views.
Opportunities
Paessler has room for improvement in a few decision criteria, including:
Validation: The solution can implement validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, implementing synthetic traffic to simulate how changes would behave in production, or offering digital twin features.
Traffic analysis: PRTG offers basic analysis, such as port usage, and can continuously analyze historical data to create baselines to detect changes in expected patterns. However, it does not perform more complex types of analysis, such as forecasting usage or identifying link failures by correlating an increase in the number of connections on the backup link.
Troubleshooting and optimization: PRTG provides information for network operators to perform root cause analysis, but does not identify network optimization opportunities, conduct automatic root cause analysis and present network administrators with potential solutions, create tickets, or provide workflow-based or script-based automation capabilities with out-of-the-box content.
Purchase Considerations
PRTG’s licensing model includes five tiers that are based on the size of the organization. Each tier increases the number of sensors available for customers to use, with a sensor representing one metric to be monitored on a device, such as the CPU load on a machine, a port of a switch, a specific URL, or the traffic of a network connection. The licensing options are based on the number of sensors and not the number of devices, with most deployments requiring approximately 10 sensors per device. This means that monitoring 100 devices using PRTG requires a license for approximately 1,000 sensors.
Use Cases
PRTG supports a good variety of use cases, as it is especially proficient in monitoring devices and hardware infrastructure. The solution can be used to monitor data center, LAN, and campus networks, as well as requests made to web services for organizations that use cloud-based or third-party solutions. PRTG can also monitor Wi-Fi and wireless networks.
Park Place Technologies: Entuity Software
Solution Overview
Park Place Technologies’ network observability platform, Entuity Software, is a comprehensive network performance and analytics software solution built on a distributed multiple-server architecture that acts as a single system to scale from tens to hundreds of thousands of devices, and it is highly configurable. Designed for today’s multivendor, multicloud environments, Entuity enables ITOps teams to more efficiently and effectively monitor, visualize, and manage their infrastructure. By combining its event and configuration management systems, Entuity achieves strong troubleshooting and validation capabilities. The solution also provides good traffic analysis.
The platform has strong troubleshooting capabilities provided by Entuity’s Event Management System (EMS). Automated actions can be defined based on conditions and specific workflows, configured either by network administrators or out of the box, which can process and correlate events to consolidate actionable incidents.
The Entuity Event Management System can both detect anomalous situations and initiate actions to remediate them. Built-in root cause analysis techniques help isolate a device or circuit outage that is preventing access to multiple other devices.
Park Place Technologies is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Park Place Technologies scored well on a number of decision criteria, including:
Dynamic discovery and mapping: The solution can conduct autodiscovery scans either manually or on a scheduled basis. Newly discovered devices can either be taken under management automatically or added to a list for administrator assessment. The managed devices can be spread across multiple views—hierarchical containers whose contents are not mutually exclusive. Views can be auto-populated so newly managed devices appear in the appropriate view(s) without manual intervention. Dashboards and reports will adopt the latest view updates. Topology maps are automatically populated based on view contents and the links between devices are automatically discovered. Operating system services that underpin application services can be autodiscovered and monitored.
Traffic analysis: The solution uses machine learning to evaluate long-term drift in monitored metrics. This capability can be used both interactively and in the form of planning reports that warn when upward drift indicates the need for intervention before service degradation occurs. Metrics such as bandwidth, CPU, memory, and storage volume use are considered in conjunction with spare port capacity in the LAN switch fabric to report on both current and projected concerns for planning purposes. Hour-by-hour baselines can be auto-generated for circuits, and significant deviation from baseline values can generate alerts. Linear regression analysis of historic behavior can be used either interactively or in reports to provide traffic forecasting.
Troubleshooting and optimization: The Event Management System within Entuity allows actions to be performed when defined error conditions are detected. These actions can include, but are not limited to, automated CLI-initiated actions such as the shutting down of a port that has been determined to have been continuously flapping for more than a determined period of time. A root cause analytics mechanism correlates patterns of outage with the known routing topology of the network to isolate and identify when a node or port is responsible for multiple observed outages.
Opportunities
Park Place Technologies has room for improvement in a few decision criteria, including:
Validation: The solution can further improve its validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, and implementing synthetic traffic.
Microservices and containers monitoring: While the vendor can monitor IP-based entities that include containers, it does not have awareness of container and microservices concepts such as CNIs, API gateways, or ingress controllers to provide low-level visibility into how containers and microservices communicate.
Application and Layer 7 monitoring: The vendor can further improve these features by offering monitoring for Layer 7 load balancers and WAFs, and providing visibility into protocols such as HTTP/S and gRPC.
Purchase Considerations
Entuity’s licensing model is based on the number of devices under management, with the exception of NetFlow, which is an enterprise license. An important aspect of the licensing for network devices is that it is based on the number of devices, not the number of ports on those devices. When a full device license is allocated to a network device, all ports are automatically included for monitoring. Entuity SurePath is an agent-based technology for monitoring the network paths being taken by client-server connections. There is no licensing for the SurePath agents, only the individual paths being monitored.
Use Cases
The solution is particularly proficient in monitoring on-premises networks with low-level device information. It can be used to monitor data center, LAN, campus, WAN, Wi-Fi, and wireless networks. Using SurePath, the solution can also monitor the end-user experience of on-premises and cloud/SaaS-based applications, using an agent-based deployment.
Plixer: One Network and One Security
Solution Overview
Plixer’s Network Observability offering includes Plixer One Core and Plixer One Enterprise. It provides a unified network and security observability solution. Plixer Enterprise offers carrier-grade features such as high availability configurations and machine learning capabilities.
Plixer continuously ingests and analyzes a broad range of hybrid IT infrastructure data sources from multiple domains, including NetFlow, IPFIX, SNMP, SD-WANs, Active Directory, LDAP, RADIUS, and DHCP. This process provides comprehensive Layer 2 to Layer 7 visibility and context for RCA without the need to deploy and maintain packet processing technologies.
Plixer is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Plixer scored well on a number of decision criteria, including:
Traffic analysis: Plixer’s differentiating feature is its traffic analysis capabilities, which provide a “clear box” that offers detection transparency and visualization of ML models. Traffic analysis can support threshold-based analytic algorithms, both supervised and unsupervised ML, and deep learning. These features are combined with user-customizable detection sensitivity thresholds, baselined seasonality, customizable modeling dimensions, encrypted traffic analytics (ETA), and threat intelligence feed integration. This array of detection techniques also allows Plixer to identify potential “poisoning” attacks on ML learning.
Troubleshooting and optimization: Plixer provides prioritized alert monitoring and filtering, event correlation for incident noise suppression, alert visualization timelines to assist with RCA, and dashboard drilldowns. These are supported by various detection techniques. The dashboard UI is designed to highlight alerts by priority and focus the user workflow. Plixer provides out-of-the-box bidirectional integration for remediation with tools such as Microsoft Defender, ServiceNow, and Tenable, as well as a programmatic REST API interface.
Visualization: The solution provides end-to-end visibility into the path a flow takes through the extended network on a router hop-by-hop basis, as well as the ability to completely design a topology by arranging the flow-sending exporters and other types of network devices in a desired format. Adding custom background images, custom objects, and text boxes is also possible. These maps can reflect exactly how the network is laid out by including an image of the wiring closet as a background and then overlaying the flow exporting devices. Connections that represent utilization between the devices can be added. Hierarchies can also be established, which allows alerts to roll up to the top map. Integration with Google Maps is also available to provide a geographical representation of the network.
Opportunities
Plixer has room for improvement in a few decision criteria, including:
Validation: The solution can further improve its validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, and implementing synthetic traffic.
Microservices and containers monitoring: While the vendor can monitor IP-based entities, which include containers, it does not have awareness of container and microservices concepts such as CNIs, API gateways, or ingress controllers to provide low-level visibility into how containers and microservices communicate.
Network modeling and planning: The solution does not currently offer network modeling or planning capabilities.
Purchase Considerations
Plixer One Core is the foundation of the Plixer One Platform, which monitors networks in the data center, cloud, branch offices or across SD-WAN. Plixer One Enterprise is a premium package that includes AI and machine learning, network planning, and MITRE ATT&CK®-aligned network detection and response features. Plixer One runs in data centers, public/private clouds, VMs, containers, and on appliances.
Use Cases
Plixer’s network observability solution can be used to monitor enterprise networks across data centers, LAN, campus, and WAN networks, and it has awareness of and monitoring features for cloud networking constructs. However, the solution has limited features for monitoring containers and microservices, and while it can also monitor Wi-Fi and wireless networks, it does not support radio or cellular use cases.
Progress: WhatsUp Gold and Flowmon
Solution Overview
Progress’s observability solution consists of comprehensive infrastructure monitoring provided by Progress WhatsUp Gold and advanced network traffic analysis provided by Progress Flowmon. WhatsUp Gold monitors the infrastructure for visibility of network devices, while Flowmon analyzes network traffic data with deep drill-down capabilities for troubleshooting, RCA, application performance measurement, and network anomaly detection.
WhatsUp Gold and Flowmon features complement each other, and with deeper integration, they can provide full-stack, end-to-end observability over network infrastructure, security appliances, and applications.
WhatsUp Gold allows administrators to monitor devices, track bandwidth usage, and improve network, server, and application performance. It gives them a complete picture of the network by monitoring and categorizing wired, wireless, and virtual environments. This enables administrators to find and fix problems before users are impacted, ensure that bandwidth is optimized for critical applications and services, and automate configuration, log, and asset management.
Progress is actively developing AI-based functions, such as automated suggestions on tuning the detection engine, turning average users into Flowmon-proficient experts who can maximize detection accuracy without having to involve consultants.
Progress is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the Network Observability Radar chart.
Strengths
Progress scored well on a number of decision criteria, including:
Troubleshooting and optimization: WhatsUp Gold provides the ability to respond to alerts in several automated ways, including using application performance monitors to specify what actions can be taken when the application or monitored component changes state. Administrators can also quickly generate custom application profiles and modify existing profiles to meet specific monitoring needs with an intuitive profile development utility. In case of network failures or security threats, Flowmon provides automatic detection and data evidence of the threats for network admins to respond to and analyze. The solution can support automated troubleshooting via self-healing actions such as triggering a server reset and activating PowerShell scripts whenever alerts are triggered.
Application and Layer 7 monitoring: The platform measures user experience and extracts Layer 7 flow data such as domain name system (DNS), dynamic host configuration protocol (DHCP), and server message block (SMB). Flowmon monitors real user experience by decrypting and measuring web and database application transactions, correlating user-to-web and web-to-database requests, uncovering errors, and differentiating between network versus application response times, transport times, or delays. Session-level performance monitoring without decryption that includes round-trip time, server response time, jitter, delay, retransmissions, and out-of-order packets is available for any IP communication, including third-party and SaaS apps. Flowmon is deployed by another Progress portfolio product called LoadMaster to monitor the performance and effect of the load balancer on application experience. Flowmon also supports synthetic testing of application performance and functionality.
Security observability: Flowmon Anomaly Detection System (ADS) is a security solution within the Flowmon suite that uses ML to detect anomalies hidden in the network traffic. Its ML-powered detection engine, combining multiple detection mechanisms, identifies malicious behaviors, attacks against mission-critical applications, and data breaches at any point of the threat's lifecycle, allowing it to uncover unknown and insider threats even in encrypted traffic. It also leverages external threat intelligence feeds and community blacklists.
Opportunities
Progress has room for improvement in a few decision criteria, including:
Validation: The solution can further improve its validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, implementing synthetic traffic to simulate how changes would behave in production, or offering digital twin features.
Microservices and containers monitoring: While the vendor can monitor IP-based entities, which include containers, it does not have awareness of container and microservices concepts such as CNIs, API gateways, or ingress controllers to provide low-level visibility into how containers and microservices communicate.
Automated network operations: While the solution can automatically look for communication errors and protocol deviations to discover root causes in situations like unresponsive services, it can further expand this capability by performing self-healing actions or triggering pre-determined workflows upon detecting anomalies.
Purchase Considerations
Currently, both WhatsUp Gold and Flowmon can be deployed as virtual appliances. While Flowmon is also directly available from the large public cloud providers, neither solution has a SaaS option.
WhatsUp Gold’s subscription model provides a cost-effective means of software access that offers a lower entry barrier and ensures consistent version and security updates. The subscription package includes continuous maintenance and dedicated customer support, assuring users that any potential issues will be swiftly addressed.
Flowmon offers a subscription similar to WhatsUp Gold. Standard and extended support tiers are comprehensive services that offer different levels of technical support for perpetual licenses.
Use Cases
Progress’s network observability solution is suitable for a wide range of use cases, including data center, LAN, campus, and WAN monitoring, where these on-premises networks can be both overlays and underlays. The solution can also monitor Wi-Fi and wireless corporate networks, as well as cellular and radio networks for service providers, and virtualized cloud networking constructs such as VPCs and VNets. Lastly, the solution can monitor end-user experience using real and synthetic traffic.
Riverbed: Network Observability Suite
Solution Overview
The Riverbed Platform supports full-stack observability across infrastructure, network, cloud, applications, digital experience management, and application acceleration. It applies AI, correlation, and automation. Riverbed IQ integrates data from across observability tools and applies causal AI to identify the root cause of issues, predictive AI to forecast future problems, and generative AI to make smart recommendations.
Riverbed Network Observability Suite includes full packet capture and storage, network flow monitoring, and infrastructure monitoring. The Unified Agent is a single agent platform for deploying and managing Riverbed end-user experience and network modules.
Riverbed can be used to model current and future network configurations to plan for network changes and validate them post-deployment. It can also validate device configuration against desired policies of an organization. The solution uses AI-based analytics to correlate events across a variety of data sources to determine whether the configuration performs as intended.
The solution can analyze traffic patterns, correlate network behavior to seasonal events, and assess current performance against expected or typical levels to highlight unusual traffic loads.
Riverbed’s AI/ML engine can detect anomalies and incidents and populate them with leading indicators or probable root causes. The solution’s ML-based engine continuously watches for new alerts, metrics, and incidents. The output from this engine feeds an automation system that uses a low-code flow builder to codify institutional and expert knowledge in runbooks for issue remediation and resolution. Runbooks can integrate with third-party systems to improve incident lifecycle management.
Riverbed is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the Network Observability Radar report.
Strengths
Riverbed scored well on a number of decision criteria, including:
Dynamic discovery and mapping: Riverbed creates a topological view of autodiscovered networks that is continuously updated. Network traffic analyzers collect and examine flows from switches and routers, collecting information that helps to illustrate a view of the network’s topology under observation.
Application and Layer 7 monitoring: The solution can monitor web transactions in real time and autodiscover URLs and end-user activity. It can also monitor SQL databases to identify the impact of the database on end-to-end application performance and provide real-time and historical analysis of voice and video performance calls. For other application monitoring features, Riverbed offers a standalone application performance monitoring product.
Security observability: Riverbed offers comprehensive security observability features that provide analysis such as lateral movement tracking, suspicious behavior detection, traffic decryption and inspection, and DNS threat detection. The solution can also track compliance and integrate with security operations tools such as security information and events management (SIEM) and security orchestration, automation, and response (SOAR).
Riverbed was classified as an Outperformer given its consistent year-on-year feature releases and comprehensive development pipeline.
Opportunities
Riverbed has room for improvement in a few decision criteria, including:
Visualization: While the solution has good visualization capabilities, it can further improve by offering more advanced features such as flow and traceroute visualizations of traffic across appliances and services hosted in IaaS providers, including awareness of public cloud infrastructure constructs such as VPCs and TGWs in AWS.
Traffic analysis: While the solution has some basic traffic analysis capabilities, it could include more advanced features, such as detecting network anomalies by contextualizing traffic going through a backup link to detect link failures.
Microservices and containers monitoring: Riverbed can further improve these capabilities by monitoring API requests across microservices, their payloads, and container-specific appliances such as CNIs, load balancers, service meshes, API gateways, or ingress controllers.
Purchase Considerations
Riverbed offers perpetual and subscription-based licenses, tiered licensing based on volume, and a variety of support options with different levels of SLA. Pricing for the AIOps functionality is based on consumption of automation, which includes AI/ML analysis, while pricing for end-user digital experience is based on the number of endpoints monitored. Riverbed has a large professional services organization that can create bespoke solutions.
Use Cases
Riverbed’s solution can monitor a wide range of use cases, which include edge, data center, and cloud environments, as well as campus, LAN, and WAN deployments. The solution can also monitor SaaS applications and managed network solutions such as SASE. The company also offers a digital experience monitoring solution that monitors the end-user experience using real and synthetic traffic.
SolarWinds: SolarWinds Observability
Solution Overview
SolarWinds offers two network observability options: SolarWinds Observability Self-Hosted is optimized for on-premises or self-hosted cloud deployments, while SolarWinds Observability SaaS is a cloud-native as-a-service offering. Both options are powered by the SolarWinds Platform and provide full-stack observability focused on meeting the requirements of a complete IT estate.
SolarWinds Observability Self-Hosted is designed for on-premises and hybrid networks and infrastructure and commercial cloud apps. SolarWinds Observability SaaS also covers cloud, hybrid, and on-prem networks and infrastructure, and provides additional support for the needs of DevOps, application development teams, and site reliability engineers with code-level observability for in-house custom and cloud-native apps. Its AI/ML-powered health scores provide a holistic view that simplifies troubleshooting of complex modern applications across multiple clouds.
Both the self-hosted and SaaS-delivered solutions were developed following a “Secure by Design” model, working in collaboration with security experts such as the Krebs Stamos Group, CrowdStrike, and KPMG to devise a secure software development lifecycle and product architecture.
The solution integrates with solutions from Cisco, Palo Alto Networks, Fortinet, HP-Aruba, and others. Looking at Cisco ACI as an example, the solution surfaces health scores for APIC tenants, spines, and leaves. Cisco ACI information is gathered through a combination of SNMP and API calls.
SolarWinds Observability Self-Hosted can make bulk configuration changes to wired and wireless devices by designing change templates and creating standardized configurations and can compare configuration changes to adjust and push configurations if needed to remediate any issues. It can also help validate SD-WAN deployments by displaying the control plane and data plane deployments in a single map.
SolarWinds is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the Network Observability Radar report.
Strengths
SolarWinds scored well on a number of decision criteria, including:
Dynamic discovery and mapping: The solution can automatically discover and map both physical and virtual topologies across different types of infrastructures and services, including cloud environments. The topology maps also include a “time travel” feature, giving users the option to enable historical tracking of the map to determine what occurred prior to an event or to detect related patterns and behaviors.
Application and Layer 7 monitoring: SolarWinds Observability provides a visualization of the stack elements supporting an application, including transactions, databases, physical and virtual hosts, network attached storage (NAS) volumes, and APIs. SolarWinds Observability SaaS provides a dashboard of distributed services representing an application built on a microservices-based architecture. The platform also provides application dependency mapping, which polls dependencies and creates maps to monitor incoming network connections for a managed server or application.
Container and microservices monitoring: The solution allows users to track details about their container infrastructure, including hosts, host clusters, environment dependencies, and deployments. It also enables the review of metrics for containers, hosts, and other infrastructure elements to plan capacity, analyze container activity in the AppStack Environment, and organize containers on SolarWinds Observability Intelligent Maps. SolarWinds can monitor container networking interfaces, ingress controllers, API gateways, Kubernetes services, and clusters. The solution can also monitor distributed applications built using microservices and API requests made to web services.
Opportunities
SolarWinds has room for improvement in a few decision criteria, including:
Validation: The solution can further improve its validation capabilities by correlating performance degradations with configuration changes, enabling alerting or automatic rollbacks, implementing synthetic traffic to simulate how changes would behave in production, or offering digital twin features.
Traffic analysis: While the solution offers good traffic analysis capabilities, it can include more advanced features such as detecting network anomalies by contextualizing traffic going through a backup link to detect link failures.
LLM integrations: SolarWinds is one of the few major vendors featured in the report that does not currently offer out-of-the-box integrations with large language models, requiring customers to write their own integrations.
Purchase Considerations
The self-hosted observability option is licensed by the number of nodes, while the SaaS observability option offers customizable licenses based on a combination of applications, such as APM, DEM networking, logs, infrastructure, and database applications, each measured in its relevant units.
Both versions of the product are sold via monthly or annual subscription licenses. The license model is fixed rather than consumption-based, meaning that customers can easily predict costs based on their subscription tier.
Use Cases
SolarWinds’ solutions offer a comprehensive feature set that can deliver on use cases including data center, LAN, campus, and WAN deployments, and can distinguish between underlays and overlays. The solutions can also monitor public cloud networking constructs such as VPCs and VNets, and they are among the few solutions in this report with comprehensive container monitoring capabilities. They can also monitor end-user performance using both synthetic and real-user traffic and can monitor wireless and Wi-Fi networks, but not cellular and radio networks.
6. Analyst’s Outlook
Network observability is not revolutionary, but the technology is constantly moving forward. Features such as providing real-time data, discovering and mapping assets, and offering visibility across most types of network infrastructure are becoming the norm in this space. We expect this evolution to continue, with capabilities such as automation becoming the standard rather than a differentiating selling point. How such automation is achieved is another story because it can be static and defined by humans or contextual and actioned by AI.
ML and AI are the critical elements that will dictate whether vendors remain competitive in the market. We can categorize vendors into three groups depending on how they will implement AI and ML:
AI-centric: Vendors will develop AI/ML capabilities in-house or work with AI specialists to embed these features within the platform.
AI-compatible: Vendors will integrate their solutions with third-party AI tools, bearing the risk that these AI tools will not be purpose-built for network observability.
AI-reluctant: Vendors won’t leverage AI and ML but will continue to develop features around workflow automation.
The most consistent capability across all vendors is visualization. This makes sense as visualization has been a focus of traditional network performance monitoring, with all developments in this area carrying forward into network observability.
Interestingly, most vendors have gone beyond Layers 2 through 4 monitoring to provide Layer 7 and application observability as well. This illustrates a market-wide shift in priorities, by which network teams are no longer siloed but actively involved in supporting business applications. Business leaders acknowledge that application performance is heavily dependent on network performance, and observability tools provide the required insights to support applications via the network.
The widest variance in vendors’ capabilities occurs around validation and dynamic discovery and mapping. Validation is the result of multiple features such as configuration management, network performance, and automation. If a vendor offers all these capabilities only independently of one another, it will not be able to perform validation. However, if it can correlate performance changes to configuration while also being able to assess configurations created through automated deployment features, the vendor will be a leading contender for the validation use case.
Dynamic discovery and mapping has a low barrier to entry. With asset discovery as a table stake for observability, a vendor can achieve minimum dynamic discovery and mapping by scheduling discovery scans. The difference becomes apparent with more advanced features, such as discovering SaaS applications and other services, which is not something most vendors support.
SaaS deployments are not yet the industry standard, but this is one aspect recognized as a deal breaker for a growing number of network operators. It is thus unsurprising that most vendors are accelerating SaaS deployment models in their development pipelines.
While network observability is mainly a platform-based solution (that is, the more features supported, the better the offering), a vendor’s capabilities need to go only as far as your requirements and future needs dictate. For example, if you already own a security observability solution, employing a network observability solution with security capabilities may not add any value. This is why modular solutions can be beneficial, allowing you to pick and choose the features you need. Likewise, if you need to deploy the observability solution as a physical appliance on-premises, whether the solution offers a SaaS deployment model is irrelevant. When assessing vendors, we recommend drafting a high-level view of your requirements to help narrow down your network observability vendor selection to a manageable number of prospects.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Andrew Green
Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2025 "GigaOm Radar for Network Observability" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.