Wednesday, June 19 2024


What is Network Detection and Response?

Network Detection and Response (NDR) products are cybersecurity solutions that monitor and analyze network traffic to identify and address potential threats. NDR does not prevent cyberattacks from happening; instead, NDR products focus on catching attacks already in progress before they cause harm.


How does Network Detection and Response work?

NDR identifies new threats by examining raw data, such as proxy and access logs, from network or cloud systems. It compares observed activity against an established baseline of normal behavior to detect irregularities, even when the threats are new and have no known signature or pattern. NDR accomplishes this without requiring additional tools such as endpoint agents or sensors.

These baseline behaviors are developed through various methods, including NetFlow analysis, which monitors the flow of data across network devices like routers and switches. Whenever NDR detects anything diverging from the norm, such as unusual traffic patterns, unexpected connections or anomalous data transfers, it raises an alert as a potential security concern.

NDR can also prioritize alerts by level of risk, allowing security teams to focus on the most critical threats first. Not all NDR products can decrypt network traffic, but some NDR tools decode encrypted data to uncover threats hidden inside it.

NDR differs from Intrusion Detection Systems (IDS), which are designed only to monitor network traffic for predefined signatures of known threats. For example, while an IDS might spot malware it already knows about, like the CodeRed worm, it might miss new threats such as Advanced Persistent Threats (APTs) and zero-day attacks.
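To make the baseline-and-deviation idea concrete, here is an added Python example (not the article's or any NDR vendor's code) that builds a per-host baseline from constructed NetFlow-style records and then scores a second batch of flows for the three anomaly types named above (unusual volume, unexpected connections, anomalous data transfers), ranking the resulting alerts by a simple risk score. Every host address, port and byte count is made up for the example, and the risk weights and z-score threshold are arbitrary choices.

```python
"""Toy NetFlow-style baseline and anomaly scoring (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, bytes_out). A real NDR
# would build these from NetFlow/IPFIX exports off routers and switches;
# every host, port and byte count below is made up for the example.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 12_000),
    ("10.0.0.5", "10.0.0.20", 445, 15_000),
    ("10.0.0.5", "93.184.216.34", 443, 8_000),
    ("10.0.0.5", "93.184.216.34", 443, 9_500),
    ("10.0.0.5", "10.0.0.20", 445, 11_000),
]
NEW_FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, 9_000),   # matches the baseline
    ("10.0.0.5", "198.51.100.7", 22, 500),        # never-seen peer and port
    ("10.0.0.5", "10.0.0.20", 445, 2_000_000),   # known peer, huge transfer
]

def build_baseline(flows):
    """Per source host: the (dst, port) pairs seen plus byte-count stats."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        sizes[src].append(nbytes)
    return {src: {"peers": peers[src], "mean": mean(sizes[src]),
                  "std": pstdev(sizes[src])} for src in peers}

def score_flow(baseline, flow, z_threshold=3.0):
    """Return (risk, reasons); risk 0 means the flow fits the baseline."""
    src, dst, port, nbytes = flow
    prof = baseline.get(src)
    if prof is None:                      # host never seen during learning
        return 50, ["no baseline for host"]
    risk, reasons = 0, []
    if (dst, port) not in prof["peers"]:  # unexpected connection
        risk += 40
        reasons.append(f"new connection to {dst}:{port}")
    if prof["std"] > 0 and (nbytes - prof["mean"]) / prof["std"] > z_threshold:
        risk += 60                        # anomalous data transfer volume
        reasons.append(f"{nbytes} bytes vs baseline mean {prof['mean']:.0f}")
    return risk, reasons

def prioritized_alerts(baseline, flows):
    """Score every flow; keep only anomalous ones, highest risk first."""
    alerts = []
    for flow in flows:
        risk, reasons = score_flow(baseline, flow)
        if risk:
            alerts.append((risk, flow, reasons))
    return sorted(alerts, key=lambda a: a[0], reverse=True)
```

Calling `prioritized_alerts(build_baseline(BASELINE_FLOWS), NEW_FLOWS)` returns the 2 MB transfer first (risk 60) and the SSH connection to the unknown host second (risk 40), while the flow that fits the baseline produces no alert at all. A host with a single baseline flow has zero standard deviation, so only the unexpected-connection check applies to it.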


Why is Network Detection and Response useful?

NDR is effective because it relies on network-based detection, which threat actors cannot manipulate. Because network traffic is manipulation-resistant, network-based detection is a difficult space for attackers to hide their actions in, unlike endpoint or log data, which can be altered or evaded.

Additionally, attackers cannot determine if they are being monitored on a company’s network. As a result, NDR can identify any device communicating over the network without alerting cybercriminals.

Attackers may trick firewalls and traditional IDS by posing as legitimate users and services and bypassing signature-based detection, but they cannot evade NDR: to undermine a company’s digital infrastructure, attackers must perform certain critical activities on the network, and NDR can detect those activities. Consequently, even seemingly legitimate processes may trigger alerts if an NDR offering’s systems deem their behavior unusual.

The accessibility of cloud-based NDR offerings also brings practical advantages to businesses. Their scalability lets them adapt to fluctuations in network traffic, ensuring smooth operations without complex hardware adjustments. Their flexibility also enables remote deployment and management, which is vital in remote and hybrid work environments. Finally, their often subscription-based pricing eliminates upfront hardware payments, making them cost-effective and a viable choice for organizations of any size.


What companies provide NDR services? How do they differ from each other?

Companies offering NDR solutions stand out through their distinct approaches to threat detection. For instance, ExtraHop uses real-time wire data analysis to give a clear view of network traffic, while Darktrace relies on artificial intelligence (AI) and machine learning to spot and deal with threats automatically. Each vendor’s approach addresses different parts of threat detection and response, giving customers a range of choices to meet their cybersecurity requirements. The following lists are based on general customer sentiment across multiple review websites.


Vectra AI

Vectra AI Threat Detection and Response by Vectra AI is often praised for its robust threat detection capabilities, but some users express concerns about its price.


●  Good Sidekick Managed Detection and Response (MDR) support

●  Needs little human intervention to work well

●  User-friendly experience

●  AI threat detection with behavioral analysis

●  Fast insights report for investigations


●  Hard to get detailed data without buying more features or modules

●  Alerts can be noisy and need manual adjustments

●  Lack of customization

●  Limited focus on endpoints or cloud assets

●  Expensive



Darktrace

Darktrace Detect by Darktrace is liked for its advanced threat detection algorithms, yet some users find its interface complex and its deployment challenging.


●  Alerts are based on AI detection

●  Breach event logs use colors for quick spotting of issues

●  Supports “fuzzy searches” (fuzzy searching helps find similar results even if there are small mistakes in the search terms)

●  Visual graphs help understand assets and connections better

●  Has continuous self-learning capabilities for evolving threats


●  Unable to decrypt traffic

●  Overwhelming amount of information without clear guidance

●  Has only a cloud-based solution

●  Complex to set up

●  Pricing model is complicated, as all network devices, including VPNs and smartphones, need licenses


ExtraHop

ExtraHop Reveal(x) by ExtraHop provides extensive visibility into network activities, yet many users encounter challenges in refining alerts and customizing rules.


●  Analyzes past network data to solve problems after incidents

●  Finds all devices on the network

●  Gives live updates on network traffic and app performance

●  Provides simple-to-read dashboards, reports, alerts, and detections

●  Scalable for various network sizes


●  Complex user interface

●  Unclear documentation

●  Challenges with customer support

●  Limited integration with Cisco products

●  Requires extensive research and development to use automated actions



Fortinet

FortiNDR by Fortinet provides advanced threat detection and simplified network security management. Yet, as a young product, it is still evolving and requires further development before it offers a full and effective range of features.


●  Setup runs robustly for years without reboots

●  Delivers value immediately with minimal management overhead

●  Detection mechanisms are sophisticated and effective

●  Efficiently filters out unnecessary data and false alerts


●  Lacks implementation instructions

●  Consumes significant hardware resources

●  The user interface lacks Security Assertion Markup Language (SAML)-based authentication



Threatbook

Threatbook Threat Detection Platform by Threatbook offers robust threat detection capabilities and a user-friendly interface, but some users find the reporting features lacking in depth.


●  Low false positive rate

●  Easy to use and practical feature design

●  Top-notch security detection capability

●  Continuous product updates and dedicated support

●  Easy integration with third-party applications


●  Lacks flexibility and customization options

●  Expensive

●  Attack success assessment can be uncertain due to unclear criteria, leading to potential misjudgements

●  Does not support “fuzzy searching”

●  Does not integrate voice call support


The Future of NDR

The Network Detection and Response (NDR) market has experienced significant growth. It was valued at 2,422.8 million USD in 2023 and is projected to reach 6,957.9 million USD by 2030, according to the “NDR Market Size and Share Analysis: Growth Trends and Forecast (2023 – 2030)” report.

The increase in remote work, especially since COVID-19, has made NDR solutions more necessary than ever. With employees accessing company networks and sensitive information from many locations and devices, attackers have more opportunities to strike. Because of the shift to remote work, traditional security measures might no longer be enough to protect against these threats. As a result, there is a greater need for proactive measures, such as NDR solutions, that quickly detect and respond to cyber threats before they cause damage.

The integration of NDR with emerging security methods like zero-trust architectures and Secure Access Service Edge (SASE) technologies also fuels the increased demand for NDR as it enhances cybersecurity capabilities. Zero-trust architectures ensure strict verification of user and device identities while SASE provides a comprehensive cloud-based security framework. Each of these features is appealing for businesses in today’s distributed work environments.

With NDR, zero-trust frameworks and SASE combined, the future of NDR appears promising in ensuring robust cybersecurity on a global scale.

