Competitive Landscape: Network Detection and Response

ARCHIVED
6 March 2024 - ID G00793684 - 29 min read
By Christian Canales, Thomas Lintemuth
NDR adoption continues to rise amid stiff vendor competition, with growing emphasis on capabilities leveraging AI engines. Technology and service providers should assess which growing or emerging use cases provide the most opportunity and the differentiation needed to remain competitive.

Overview


Key Findings

  • Network detection and response (NDR) solutions delivered as SaaS are becoming more popular. Public cloud traction is driving NDR deployments for advanced security in infrastructure as a service (IaaS) environments, even though the majority of NDR investments remain for protection of corporate networks.
  • While extended detection and response (XDR) has emerged as a competing technology to NDR, large enterprises will broadly continue to deploy stand-alone NDR solutions for full network visibility. And we are seeing a shift in interest among SMBs from XDR to managed detection and response (MDR) services.
  • Growing demand from organizations to outsource security and an aim to consolidate security vendors are driving adoption of MDR services. MDR adoption provides opportunities to NDR providers, which can either offer MDR services themselves or engage in third-party partnering.
  • Even though operational technology (OT)/Internet of Things (IoT) protection remains a limited opportunity for NDR, cost optimization and the benefits of using more-sophisticated IT security solutions for OT/IoT use cases provide opportunities to broaden the scope of NDR.

Recommendations

  • Have a well-defined strategy for NDR to be cloud-agnostic. Reducing false positives in the cloud is as important as in corporate networks, and providing context to speed up forensics is critical.
  • Continue to prioritize third-party integrations with endpoint detection and response (EDR) and XDR vendors, which for end users enhance the value being received from their NDR solution (e.g., through broader aggregation of telemetry sources and augmented cyberattack chaining encompassing endpoint).
  • Target providers of MDR services as a channel option to resell your NDR solution.
  • Incorporate an assessment of industrial protocol support into your OT/IoT strategy, since these are complex networks and many of their protocols are proprietary. Otherwise, you will be largely limited to third-party integration for log and telemetry visibility.

Strategic Planning Assumptions


By 2029, more than 50% of incidents discovered by NDR technology will come from cloud network activity, up from less than 10% today.
By 2027, implementation of automated responses to network anomaly detection will remain below 40% of the anomalies detected.

Analysis


Market Definition

Network detection and response (NDR) detects abnormal system behaviors, notably by applying behavioral analytics to network traffic data. NDR solutions include detection, hunting, forensics and response capabilities. NDR is often delivered as a combination of virtual appliances and cloud-based services, although hardware appliances are also available. In particular, organizations with high security needs (like government and finance) tend to use NDR.
Gartner has forecast worldwide NDR end-user spending in constant currency (both on-premises and cloud-based) to grow to $2.63 billion by 2027, virtually doubling compared to 2022 ($1.38 billion) and exhibiting average yearly growth of 14% from 2022 to 2027 (see Forecast: Enterprise Network Equipment by Market Segment, Worldwide, 2021-2027, 4Q23 Update).
Based on our vendor market share statistics (see Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 3Q23), global market revenue amounted to $1.03 billion for the period 1Q23 through 3Q23, equivalent to an increase of 18.7% year over year.

Key Trends Impacting End-User Adoption and Shaping Market Growth

Adoption Drivers/Opportunities

  • Growing interest in NDR. Many large organizations with mature security processes continue to invest in NDR, across all verticals. Government and finance continue to have the strongest interest in NDR, and the energy and utilities industry has also accelerated its interest, though its spend has traditionally been comparatively smaller. Beyond these “traditional” NDR target markets, a growing number of enterprises with a mature EDR program are considering network visibility as an important complementary use case.
  • NDR for advanced security in IaaS and SaaS environments. Gartner sees more enterprises interested in monitoring network behavior in IaaS deployments or benefiting from behavioral analytics for SaaS connections. This monitoring use case stretches the NDR definition as it relies on API integration and not on traffic interception.
  • Emerging OT/IoT use cases. Organizations with a sizable deployment of OT/IoT devices often embark on a process of IT/OT convergence. Gartner sees more organizations considering NDR providers for both segments, driven by the appeal of having a single monitoring dashboard for network activities for OT/IoT and IT.
  • NDR providers exploiting the XDR “value proposition” through third-party integration with EDR providers. Emerging NDR providers are generally doing better in this compared to the incumbents. By natively ingesting signals from multiple EDR providers into NDR, XDR can deliver improved detection, visibility and incident response (IR) workflows for endpoint and network components.

Adoption Inhibitors

  • Organizations struggling to get value from NDR due to costs and complexity. Most NDR solutions, especially by the incumbent vendors, are often viewed as expensive and complex to deploy and maintain, including dealing with a large number of false positives.
  • Remote and hybrid working potentially reducing the network attack surface for organizations. The growth in work-from-anywhere initiatives is creating shifts in network traffic monitoring from east-west (to monitor lateral movements) to north-south (to inspect traffic crossing the perimeter). While hybrid working (on the basis of workers going to the office at least some of the time) does not eliminate the attack surface, it reduces on-premises network traffic and as such the value proposition of investing in NDR.
  • Market confusion surrounding XDR. We see a number of providers moving to position XDR as a technology that can compete and displace NDR. At the same time, XDR is not well-placed to perform behavioral analysis as dedicated NDR does, since XDR technology is not natively based on network sensors.

Competitive Situation and Trends

NDR Product Differentiation That Will Create Market Opportunities

Figure 1 summarizes the key market opportunities based on NDR product differentiation and use cases.
Figure 1: NDR Market Opportunity
Network detection and response (NDR) market opportunities highlight emerging areas like GenAI use and NDR for OT/IoT with high differentiation. Mature areas include automated IR capabilities and multifunction sensors. The focus is on enhancing visibility and cloud identity integration.
Note: Managed detection and response (MDR) services were not included in this figure because product differentiation is dependent on the NDR vendor/solution deployed to deliver that service, and as such the high/low product differentiation axis does not apply.

IaaS and SaaS NDR Opportunities

NDR for IaaS Environments

Gartner is seeing growing client interest in deploying NDR for advanced security use cases in IaaS environments (e.g., Amazon Web Services [AWS], Google Cloud and Microsoft Azure), with virtual NDR sensors deployed to protect workloads and applications in the public cloud. This interest goes beyond blocking and containment, as NDR can provide incident response, too. A strategy must be in place for NDR providers to be IaaS-agnostic, as more and more organizations use multiple cloud providers.
NDR adds a layer of security to IaaS firewalls for cloud protection. Cloud-native IaaS firewalls can have limitations in their ability to perform decryption, and payload inspection can be a visibility gap. As the threat vectors shift with, for instance, cyberattacks targeting software development environments, signature-based detection becomes less relevant.
A number of technical requirements will help NDR providers to capitalize on this opportunity:
  • They must have the scalability/capacity to deal with cloud “bursts,” aka spikes in computing demand.
  • Regulatory/compliance standards must be met when storing workload network telemetry in the cloud, including data sovereignty, anonymity and security standards.
  • AI/machine learning (ML)-driven detections (supervised ML and/or unsupervised ML) are a top NDR requirement. Anomalous behavior detection becomes more important in the cloud when cyberattacks are not based on malware or things that would be identified by payload inspection.

NDR for SaaS and Cloud Identity Applications

NDR enables customers to monitor user activity and detect threats in cloud identity and SaaS applications, including Microsoft 365 and Microsoft Entra ID. Cloud identity can be exploited as the path for cyberattacks to SaaS applications, and NDR analytics can look into complex identity and SaaS configurations.
Several key trends are shaping NDR demand:
  • Increased attack surface of SaaS applications. The growing use of cloud-based applications such as Microsoft 365, partly driven by hybrid and remote working, is a target area for malicious actors. These aim to exploit vulnerabilities of legitimate SaaS services that are often unable to detect camouflaged or sophisticated malicious activity, aimed at delivering malware to users or at gaining access to internal systems. An example is the use of Microsoft Teams to send a phishing message with a link, which downloads malware that exploits the use of legitimate files, opening the door for data exfiltration.
  • Identity-based cyberattacks. Any Microsoft cloud business application (e.g., OneDrive, SharePoint, Teams), as well as Microsoft Entra ID, is based on account authentication and therefore a growing target for sophisticated cyberattacks that evade endpoint and network security monitoring. NDR can increase security in these environments by detecting threats such as attackers performing admin-level operations in Microsoft Entra ID, redundant access creation and abnormal Microsoft 365 operations and download activity.
  • Growing awareness of the shared responsibility implications of the public cloud service model. Shared responsibility implies that, while the cloud provider is responsible for network controls and applications, data stored in the cloud is owned by the customer. Hence, the customer is responsible for securing that data and for identity management, to prevent leakage and insider threats.
Sample NDR vendors in this category: Arista Networks, Cisco, Corelight, Darktrace, ExtraHop, Gatewatcher, Plixer, Stamus Networks, Tencent, Trellix, Trend Micro, Vectra AI, VMware

NDR/XDR Opportunity

Gartner inquiry data shows growing interest from end users in a consolidated “platform” with multiple security products, driven by risk posture improvements and reduced operational complexity. Extended detection and response (XDR; see Emerging Tech: Security — Adoption Growth Insights for Extended Detection and Response) is emerging as an expansion of EDR and as a competing technology to NDR. Dominated by endpoint technology, XDR delivers unified security incident detection and automated response capabilities. XDR and NDR can complement each other, and both have advantages and limitations. Market push/interest is from NDR to XDR, with NDR technology potentially becoming a component of XDR solutions in the future.
As defined by Gartner, XDR products must offer a minimum of two native security sensors: one must be an endpoint sensor (mandatory), and the others can be NDR, firewalls, identity, email security, mobile threat detection and cloud workload protection. This can assist in driving consolidation of multiple security components, integrating, correlating and contextualizing data and alerts. However, XDR does not provide full network visibility as NDR does, nor do XDR vendors seem interested in developing native NDR capabilities. Rather, most often we find XDR vendors partnering with NDR vendors.
NDR can contribute to XDR by detecting network-based anomalies. Gartner sees this NDR/XDR demand unfolding as follows:
  • The majority of NDR evaluations are for stand-alone deployments today, but this could change as XDR platforms make progress, especially for midmarket buyers.
  • Larger enterprises have broadly resisted adopting XDR products. They will broadly continue to deploy NDR as a stand-alone monitoring solution, further limiting XDR from becoming the natural evolution of NDR in the future.
A key behind the interest in XDR is that it can provide an immediate response to the endpoint (as EDR does). NDR can deliver advanced network visibility and protection, but relies on XDR/EDR integration to trickle down a response to the endpoint. This, combined with the expectation that XDR can deliver richer telemetry from multiple types of sensors, has contributed to the shift in buyer interest. However, we are also starting to see signs of XDR appeal fading away, from large enterprises sticking to stand-alone NDR solutions to SMBs reverting to MDR services.
Conversely, NDR vendors are adding third-party integrations to expand their visibility. Some NDR vendors boast hundreds of integrations with third-party vendors allowing the NDR vendor to natively ingest and correlate signals from many different sources of alerts. Such integrations allow the customer to enhance the value being received from the current products without the expense and complexity of ripping and replacing.
The topic of consolidation of multiple security components/technologies is exploited as a value proposition of XDR. Many incumbents have also made their centralized (overarching) cybersecurity management platform a requirement to use NDR, with higher costs for customers often failing to see improved security benefits.
Another discussion among Gartner clients concerns the overlap between NDR and security information and event management (SIEM). While most SIEM vendors claim to do detection, SIEM detection is largely poor, so buyers demand NDR or XDR. As such, SIEM and NDR do not really compete, and most NDR buyers already deploy SIEM. By enriching alerts to provide better context and applying ML to semiautomate the incident response process, NDR vendors encourage large security operations center (SOC) teams to rely more on the NDR console, rather than forwarding alerts directly to SIEM.
Sample NDR vendors in this category: Cisco, Fidelis Security, Stamus Networks, Trellix, Trend Micro, Vehere

Managed Detection and Response (MDR) Services

MDR services (see Emerging Tech: Security — Adoption Growth Insights for Managed Detection and Response) provide customers with SOC functions. Also driven by consolidation of security solutions and processes, MDR uses a technology stack that commonly covers endpoint, network, logs and cloud. Key implications for NDR providers:
Opportunities:
  • Growing demand from organizations to outsource security. Gartner projects that by 2025, 60% of organizations will be actively using remote threat disruption and containment capabilities delivered directly by MDR providers, up from 30% today. This encompasses organizations of all sizes, from SMBs with lack of personnel resources to large enterprises looking to outsource threat detection, investigation and response operational delivery. NDR vendors can offer MDR services themselves or partner with detection and response service providers. As clients with larger size and increased security maturity consider the adoption of MDR, Gartner sees more MDR providers willing to support wider compatibility with existing technology investments.
  • Vertical-market synergies. Interest in MDR services stands out in government, finance and healthcare, which are also key verticals for NDR. This means that similar types of organizations are attracted by the outsource or “shared responsibility” model of MDR.
  • Tapping into the OT opportunity. This industry has a business requirement to protect critical business processes in the “detect and respond” aspect of operational technology (OT), in many cases under heavy regulatory compliance requirements. OT environments require specialization of security talent and technologies themselves. Thus, Gartner sees MDR’s differentiation in this area as a key to OT sales and service line targeting (see Emerging Tech: Security — Leverage Emerging MDR Trends to Grow Your Security Service Revenue).
Challenges:
  • Growing competition. Gartner estimates that there are more than 600 providers claiming to offer MDR services.
  • Value proposition. While many MDR providers will openly advertise the NDR technology that they use (e.g., from Corelight, Darktrace, ExtraHop), others competitively position their MDR offering against specific NDR solutions. However, there is a fundamental difference in the delivery of technology capability and the functional extent of a human-driven service. In addition to advertising a broader package and feature differentiation, a key value proposition from these MDR providers is 24/7 monitoring/threat hunting and expert analysis (in essence the benefits of outsourcing).
Sample NDR vendors used to deliver MDR services: Cisco, Corelight, Darktrace, ExtraHop, Fortinet, Vectra AI

NDR for OT/IoT

Some NDR providers are looking at OT/IoT security as an adjacent area to potentially expand to. The opportunity is limited today, as we rarely see OT/IoT protection as a requirement in NDR shortlists. However, the ongoing convergence of OT and IT systems and the specific security needs of industrial networks has potential to broaden the scope of NDR.
Opportunities:
  • Time-sensitive networking (TSN) capabilities creating opportunities to move away from industrial protocols. The emergence of TSN in wired switching and in wireless as part of the upcoming 802.11be standard (aka Wi-Fi 7, expected to be ratified in 2024) is creating opportunities for organizations to move away from proprietary industrial protocols, with cost optimization being a driver.
  • IT security tapping into the OT/IoT space. The convergence creates a need to move away from specific OT security solutions to the broader tools used in IT systems. These include the same monitoring tools, network access control (NAC)-based authentication including 802.1X, Lightweight Directory Access Protocol (LDAP), the use of VXLAN tunneling to address the Layer 2 limitations of microsegmentation, and so on.
Challenges:
  • Complexity. OT/IoT networks are generally complex environments, as there are over 100 proprietary protocols used in industrial networks. NDR greatly lags compared to cyber-physical systems (CPS) protection platforms, which can offer vast support of industrial communication protocols — up to several hundred — including proprietary OT protocols (e.g., Emerson ROC, Siemens S7 Communication, Schneider Electric TriStation).
  • Limitations of standard Ethernet networks. We still see many industrial networks designed based on Token Ring, a LAN topology from the 1980s, due to the limitations of traditional “best-effort” 802.3 Ethernet to assure adequate network latency and low jitter for critical industrial applications.
We believe NDR vendors looking at this opportunity must first address the vast protocol support requirement of OT/IoT, at least for the key protocols, including proprietary ones. Otherwise, this limitation largely forces NDR to rely on third-party integration, depending on partnerships for OT-specific log and telemetry visibility.
Sample NDR vendors in this category: Arista Networks, Cisco, Darktrace, Exeon Analytics, Fortinet, Ordr, Stamus Networks, Vectra AI

Use of GenAI in NDR

As an evolution from “traditional AI,” further leveraging predictive and classification ML, GenAI has potential in the NDR space, though it remains embryonic today, amid growing marketing hype.
Opportunities:
  • Enhanced threat hunting capabilities. We see GenAI first developing to assist in incident response use cases. This could encompass large language models (LLMs) contextualizing and accelerating investigation workflows (validation and triage), automation of IR processes, support of more-advanced natural language queries, enhancements in content processing, and so on.
  • Improved defense optimization. Detection based on GenAI techniques can develop to better simulate diverse attack scenarios and suggest optimal defensive strategies, strengthening network security posture.
Challenges:
  • Explainability and transparency. Understanding how GenAI models arrive at certain conclusions can be difficult, creating potential issues with trust and decision making.
  • Biased datasets. Classification ML needs to be highly accurate and reliable for GenAI to deliver value. Biased training data can lead to biased algorithms that misinterpret network activity or overlook certain threats. Careful data curation and monitoring are crucial.
  • Overreliance and trust issues. Potential overdependence on GenAI can lead to neglecting other security measures and potential human error in interpreting its outputs.
Sample NDR vendors in this category: At the time of this research, initiatives and positioning are nascent and do not allow for the creation of a sample list.

Competitive Profiles

This section is not intended to provide an exhaustive list of technology providers in the market. The vendors highlighted in this section are examples of key players in the NDR market (the list is in alphabetical order).

Arista Networks

Product or Portfolio Overview
Arista Networks’ NDR product (Arista NDR) primarily collects data from sensors, which can be stand-alone or embedded in Arista switches. Autonomous Virtual Assist (AVA) Nucleus is the analyst portal and analytics engine, delivering threat detection, network traffic profiling (EntityIQ) and threat hunting and incident triage through AVA. Sensors can also be deployed for IaaS, data center and OT/IoT NDR monitoring.
How Arista Networks Competes
Arista Networks provides differentiation through an NDR offering tightly integrated with its network fabric. Arista NDR can contain threats via the network management plane (CloudVision), by blocking Arista switch ports or through dynamic segmentation. Integration with third-party providers (firewalls, EDR, proxies, etc.) also provides containment. NDR detection does not rely on NetFlow but instead performs deep packet inspection (DPI) to deliver capabilities such as broad visibility that identifies, profiles, and tracks all devices, including OT/IoT. The introduction of CloudVision Arista Guardian for Network Identity (CV AGNI) in 2Q23, a NAC product, complements NDR’s network monitoring with enhanced risk and behavior assessment of endpoints, allowing more dynamic access policy enforcement.
Arista NDR can characterize entity relationships and cluster similar entities via behavioral fingerprints through unsupervised ML. This can enhance outlier detection and reduce false positives by comparing entity behaviors to the peer group (determined by EntityIQ) and the rest of the organization. Arista NDR includes a threat-hunting search engine, based on proprietary language (Adversarial Modeling Language [AML]). The “Situations” feature allows for NDR incident and response use cases, automatically triggering “next steps,” including the ability to customize response playbooks.
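The peer-group comparison described above, as an added illustration that is not Arista's code or part of this report: it clusters constructed host fingerprints into peer groups with a minimal k-means (standing in for the unsupervised ML the text refers to) and then scores each host with leave-one-out z-scores against its peers and against the whole organization. The host names, features and thresholds are assumptions of this example.

```python
"""Peer-group-relative outlier scoring over constructed host fingerprints.

Added illustration (not Arista's or the report's own code) of the idea in the
text: cluster entities into behavioral peer groups with unsupervised ML, then
judge each entity against its peers rather than only against the whole org.
"""
from collections import defaultdict
from math import dist
from statistics import mean, pstdev

# Constructed daily behavioral fingerprints, not real telemetry:
# host -> (gigabytes sent, distinct destination IPs contacted).
FINGERPRINTS = {
    "ws-01": (0.3, 28), "ws-02": (0.4, 31), "ws-03": (0.2, 25), "ws-04": (0.5, 34),
    "ws-05": (0.3, 29), "ws-06": (0.4, 27),
    "ws-07": (6.0, 33),                       # workstation sending far more than its peers
    "srv-01": (55.0, 180), "srv-02": (62.0, 210), "srv-03": (48.0, 170), "srv-04": (70.0, 220),
}
FEATURES = ("gb_sent", "distinct_dests")


def zscore(value, baseline):
    """Standard score of value against a baseline population (0 if it is too small or flat)."""
    if len(baseline) < 2:
        return 0.0
    sd = pstdev(baseline)
    return 0.0 if sd == 0 else (value - mean(baseline)) / sd


def standardize(fps):
    """Scale every feature to org-wide z-scores so byte counts do not dominate distances."""
    columns = list(zip(*fps.values()))
    return {h: tuple(zscore(v, columns[i]) for i, v in enumerate(fp)) for h, fp in fps.items()}


def kmeans(points, k=2, rounds=50):
    """Minimal k-means with deterministic farthest-point seeding; returns host -> cluster id."""
    hosts = sorted(points)
    seeds = [min(hosts, key=lambda h: points[h][0])]
    while len(seeds) < k:
        seeds.append(max(hosts, key=lambda h: min(dist(points[h], points[s]) for s in seeds)))
    centroids = [points[s] for s in seeds]
    assignment = {}
    for _ in range(rounds):
        new = {h: min(range(k), key=lambda c: dist(points[h], centroids[c])) for h in hosts}
        if new == assignment:
            break
        assignment = new
        for c in range(k):
            members = [points[h] for h in hosts if assignment[h] == c]
            if members:  # an empty cluster keeps its previous centroid
                centroids[c] = tuple(map(mean, zip(*members)))
    return assignment


def peer_groups(fps, k=2):
    """Group hosts whose fingerprints cluster together (the 'peer group' of each entity)."""
    groups = defaultdict(list)
    for host, cluster in kmeans(standardize(fps), k).items():
        groups[cluster].append(host)
    return [sorted(g) for g in groups.values()]


def score_hosts(fps, k=2, threshold=3.0):
    """Leave-one-out z-scores per feature against peers and against the whole org.

    A host is flagged only when some feature sits more than `threshold` standard
    deviations above its peer group, so high-volume servers are judged against
    servers and never inflate the baseline that workstations are judged against.
    """
    results = {}
    for group in peer_groups(fps, k):
        for host in group:
            peers = [fps[h] for h in group if h != host]
            others = [fps[h] for h in fps if h != host]
            peer_z = {f: zscore(fps[host][i], [p[i] for p in peers]) for i, f in enumerate(FEATURES)}
            org_z = {f: zscore(fps[host][i], [o[i] for o in others]) for i, f in enumerate(FEATURES)}
            results[host] = {
                "peers": [h for h in group if h != host],
                "peer_z": peer_z,
                "org_z": org_z,
                "flag": max(peer_z.values()) > threshold,
            }
    return results


if __name__ == "__main__":
    for host, r in score_hosts(FINGERPRINTS).items():
        print(f"{host:7} peer_z={r['peer_z']['gb_sent']:6.1f} "
              f"org_z={r['org_z']['gb_sent']:5.1f} {'FLAG' if r['flag'] else 'ok'}")
```

Against the whole organization the suspicious workstation looks below average (its org z-score for bytes sent is negative, because the servers dominate the variance), while against its workstation peers it is dozens of standard deviations out; the top server, in turn, is judged only against other servers and stays unflagged.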
Arista offers a managed NDR service, which represents the majority of NDR product opportunities. Enterprises lead with adoption, due to the company’s strategy primarily focused on leveraging its data center customer base, though SMBs are also targeted.

Cisco

Product or Portfolio Overview
Secure Network Analytics (SNA) and Secure Cloud Analytics (SCA) are Cisco’s NDR commercial products, formerly branded as Stealthwatch. SNA is primarily an on-premises tool, and SCA is SaaS-delivered NDR. SCA, rebranded as part of Cisco XDR, provides both private network and public cloud monitoring, the latter for AWS, Google Cloud and Microsoft Azure environments.
How Cisco Competes
Cisco’s portfolio breadth across network and security product lines and large partner ecosystem provides differentiation. This is both from an integration standpoint with NDR as well as a competitive advantage in capturing NDR opportunities at enterprise network refreshes or through licensing upselling. SNA is also sold as part of the Cisco Digital Network Architecture (Cisco DNA) licensing for switching and wireless, which helps trigger a security purchase. Heuristics is a key NDR detection method in Cisco’s product, based on statistical models and ML to identify abnormal behavior patterns, combined with predefined policy violation rules and threshold-based rules.
The rebranding of SCA as part of Cisco XDR (end of sale of SCA was announced in August 2023) embodies a strategic decision to combine its SaaS-delivered NDR with the XDR product offer. A key value proposition is that of Cisco XDR enhancing NDR outcomes, through broader aggregation of multiple telemetry sources, tighter endpoint integration, better cyberattack chaining, and so on. However, the end of sale of SCA also forces NDR customers to migrate to the XDR licensing over time. Version 7.5.0 of SNA (released in January 2024) includes an initial XDR integration that allows users to post SNA alerts automatically in Cisco XDR, once the user has configured the rule associated with the type of detection. Cisco SNA consumes logs from its AnyConnect and firewall solutions, and Cisco XDR extends to other EDR integrations including CrowdStrike, Microsoft Defender and SentinelOne.

Corelight

Product or Portfolio Overview
The Corelight Open NDR Platform can be deployed on-premises and as SaaS. ML analysis is mostly performed by Corelight Investigator, a SaaS analytics and incident response platform, in the cloud. Fleet Manager provides sensor management as a virtual machine. Corelight combines open-source and proprietary technologies to deliver a solution that includes NDR, intrusion detection system (IDS), network security monitoring and Smart PCAP. Multicloud sensors extend NDR monitoring to IaaS environments.
How Corelight Competes
Corelight provides differentiation based on its rich and transparent analytics, drilling down in detail on root cause analysis for incident response and threat hunting use cases. AI, mostly based on supervised ML and LLM technology, is leveraged to detect threats, provide enriched alert context and automatic investigative recommendations, and perform behavioral analysis on encrypted traffic. Corelight deploys CrowdStrike’s Falcon LogScale, a log management platform, leveraging its speed for fast query and search, which adds differentiation to the threat hunting capabilities of the Open NDR Platform.
Corelight’s single sensor form factor (hardware- or software-based) can deliver NDR, IDS, Smart PCAP (for selective full packet capture), and file extraction capabilities. In addition to selling Investigator (as an optional SaaS NDR analyst interface) with sensors, Corelight also supports “sensor-only” NDR deployments. In the latter, customers can stream 100% or a filtered subset of Corelight analytics and evidence from its sensors to their preferred on-premises or SaaS-based SIEM/XDR/data lake environment. However, this approach limits the benefit of leveraging the Corelight ML models that reside in the cloud, with its scalability and on-demand advantages. Finally, as part of its strategy to target large enterprises, Corelight continues to focus R&D on scalability to minimize total sensor footprints at scale. This has led to various large-scale NDR deployments for customers in the 100- to 400-Gbps range of monitored traffic.

Darktrace

Product or Portfolio Overview
Darktrace’s NDR product includes Darktrace DETECT and Darktrace RESPOND. Darktrace DETECT provides real-time behavioral modeling to reveal deviations that may signal an evolving threat, and Darktrace RESPOND takes action, reacting to threats and enforcing restrictions. Darktrace PREVENT and Darktrace HEAL complement the NDR solution. PREVENT offers attack surface management, and HEAL simulates cyberattacks and provides recommendations for remediation. Darktrace provides NDR for network, Microsoft 365 and public cloud use cases.
How Darktrace Competes
Darktrace’s core strength lies in detection and response mechanisms predominantly based on unsupervised ML, which provide risk and behavioral modeling based on specific customer business data. Attack scenarios can be identified based on the company structure and how it normally operates: endpoints, workloads, systems, and so forth. A key value proposition is that NDR detection is not based on types of malware, threats or exploit techniques, but on behavior based on the customer’s type of data. The Darktrace RESPOND engine can contain threats based on behavior without having to exactly predefine the response action or create a playbook — eliminating validation and testing of response scenarios and programming. All the ML traffic (metadata) analysis either runs on-premises or is hosted in AWS as a private tenant. Darktrace does not train its ML models on cross-customer threat data, which resonates well from a privacy preserving perspective.
As an NDR solution, Darktrace places stronger focus on the automation of detection and response capabilities, and less on hunting and forensic capabilities, leaning toward not cluttering the user with too much information. The detection engine adjusts severity scores using unsupervised ML, eliminating human tuning. This has helped Darktrace in establishing a relatively strong position also in the midmarket. The company also has a good presence in OT/IoT environments, due to converged and integrated analysis in IT and OT networks.

ExtraHop

Product or Portfolio Overview
ExtraHop’s NDR offering, the Reveal(x) platform, is available as SaaS and as on-premises implementation with self-managed sensors. Both deployments offer cloud-delivered ML and threat detection capabilities for campus and data center networks, and virtual sensors are available for IaaS NDR use cases. ExtraHop Reveal(x) gathers data from its sensor appliances, from third-party infrastructure and from IaaS platform packet visibility APIs.
How ExtraHop Competes
ExtraHop’s NDR solution offers differentiation with its network performance monitoring capabilities, which provide IT asset discovery from passive network observability. Its ability to provide enterprise-grade full packet capture capabilities if needed is also a strength. Reveal(x) delivers detailed device inventory, including data on operating systems, applications in use and critical network assets. The recent introduction of a NetFlow traffic sensor further extends flow-based security and network performance monitoring. Full payload analysis is performed for asset classification, with native decryption and real-time threat detection from Layer 2 to Layer 7. Early in 2023, ExtraHop added IDS sensors to Reveal(x), subsequently positioning the solution to target the government vertical market.
Beyond detection, Reveal(x) ML capabilities also focus on visibility and investigation to deliver automated incident identification and prioritization of detections, along with attack descriptions and recommendations. In addition to the integration with third-party cybersecurity platforms from CrowdStrike, Splunk and Palo Alto Networks, ExtraHop has recently partnered with Netskope. This extends its NDR use case to remote branch offices and work-from-anywhere. By mirroring traffic from Netskope’s security service edge cloud service, ExtraHop can perform deep packet inspection on full network traffic, bringing its suite of performance and security analytics.

Sangfor Technologies

Product or Portfolio Overview
Sangfor Technologies’ NDR product is Cyber Command, collecting events from sensors and other Sangfor products. Response is available through third-party integrations as well. Cyber Command mixes several detection techniques, including supervised and unsupervised ML, more traditional signatures, and threat intelligence. Sangfor also provides managed services that rely on the Cyber Command product. Sangfor leverages real-time threat intelligence analytics from its Sangfor Neural-X platform.
How Sangfor Technologies Competes
Sangfor is one of the three non-U.S.-headquartered NDR providers included in this “Competitive Profiles” section, along with Darktrace and Trend Micro. While a strong NDR player in its home Chinese market, Sangfor has limited market presence outside Asia/Pacific.
Cyber Command integrates several threat detection technologies, including supervised and unsupervised ML and rule-based analytics. A set of tools and insights supports incident investigation, including root cause analysis, gathering indicators of compromise (IOCs) and behavior indicators of compromise (BIOCs), and assessing the full extent of the incident. For anomaly detection, Sangfor’s NDR analyzes user and traffic behavior to identify suspicious and abnormal behaviors that deviate from the established baseline, such as unauthorized access, access violations and account impersonation. However, it does not provide native Transport Layer Security (TLS) decryption, though it can spot anomalies by analyzing TLS metadata. The Golden Eye feature provides visibility and insight into security incidents, allowing the security team to discover the entry point of an attack, the chain of events, and the scope of impact in order to remediate the vulnerabilities.
Finally, Cyber Command comes equipped with a built-in security orchestration, automation and response (SOAR) module that enables automatic response to identified security threats. Security teams can use predefined or custom playbooks to address some of the common threats or organization-specific scenarios.

Trend Micro

Product or Portfolio Overview
Trend Vision One XDR for Networks is Trend Micro’s NDR solution. It uses Trend Vision One Deep Discovery Inspector and Trend Vision One TippingPoint as its network sensors. It can also ingest logs from firewalls and alerts from Trend Micro’s EDR solution to deliver correlation across many products. The majority of NDR sensors are deployed on-premises (either hardware or virtual), though a cloud sensor offering is also available, including for IaaS protection use cases.
How Trend Micro Competes
Trend Micro’s NDR solution offers differentiation by ingesting alerts and endpoint activity data through integration with Trend Micro’s existing security solution portfolio. As such, it can find anomalies from data correlated across multiple layers for further action and analysis. Trend Vision One (Trend Micro’s cloud-hosted overarching unified cybersecurity platform) is required to manage its NDR solution. Trend Vision One provides SaaS sandbox and Deep Discovery advanced threat protection.
Trend Micro’s NDR offering can be tightly integrated with its intrusion detection and prevention system (IDPS) and its Security Management System (SMS), combining the AI/ML behavioral analysis of NDR with IDPS inspection. Trend Micro’s high-throughput IDPS technology excels at addressing demanding use cases for data center and high-performance network perimeters. Its integration with NDR enhances incident discovery and orchestrated response actions across the entire network fabric. Threat intelligence and intrusion prevention system (IPS) signatures are favored for threat detection, with many signatures available from the TippingPoint IPS engine.
Trend Micro’s NDR product includes threat hunting by way of its search engine, based on a proprietary language and a turnkey approach to finding threats. Large language models are supported to assist in interpreting security findings for remediation of threats. Zero-day and n-day threats can be detected in encrypted traffic and on unmanaged devices. Third-party integrations allow findings from the sandbox to be propagated to other NDR, EDR, endpoint protection platform (EPP), firewall, SIEM and XDR solutions. Incident response stands out as the key use case of Trend Micro’s NDR offering.

Vectra AI

Product or Portfolio Overview
Vectra NDR is available as an appliance or as a SaaS platform, the latter converging network, SaaS (Microsoft 365) and public cloud NDR. The on-premises implementation provides the same functionality via network “plug-ins,” and hybrid customers can take advantage of converged cloud and network NDR from the SaaS platform UI. Vectra AI complements its NDR offering with MDR services (co-managed SOCs).
How Vectra AI Competes
Vectra AI provides differentiation by delivering a unified NDR solution spanning network, hybrid cloud and SaaS environments. Metadata is pulled from cloud log sources, network packet logs, SaaS APIs and other sources into a unified UI, formatted and available for query. Multiple methods are used for behavior-based detections, with a heavy emphasis on ML, heuristics and deep learning. Vectra Match adds IDS-based signatures to NDR detection.
Vectra AI’s scoring algorithm takes an entity-centric approach to score hosts and accounts exhibiting malicious activity, further providing context and endpoint lockdown/isolation. By correlating endpoint and network alerts, Vectra NDR can tune threat scoring and provide insight into the factors that led to an attack rating. Integration with EDR providers, predominantly CrowdStrike and Microsoft Defender, adds context to the NDR prioritization layer. Respond User Experience (Respond UX) is Vectra AI’s analyst user experience tool for investigation and IR use cases. It provides access to commonly asked questions, which can help to speed up problem resolution.
Vectra NDR supports forensic analysis across hybrid cloud domains, mapping lateral movement across cloud and data centers. It can also provide automated threat response mechanisms to lock down Microsoft Entra ID and AWS accounts.
As a key part of its Vectra AI Platform launch of 2023, Vectra AI has pivoted to an XDR-oriented marketing position, mirroring a customer base that is evolving to look beyond NDR.

References and Methodology

Primary and secondary resources were used to prepare this research. We used additional industry sources and publicly available information to verify the accuracy of the information. Sources of data used by Gartner include the following:
  • Technology provider questionnaires
  • Technology provider briefings and interviews
  • Data from Gartner interaction with end users and technology providers
  • Gartner end-user surveys
  • Articles in the general and trade media
  • Published company announcements and financial earnings reports
In addition, factual review of the technology provider information was conducted with the respective technology providers. Our conclusions about competitive positioning consider these inputs but, ultimately, reflect Gartner’s own judgment based on our overall perspective of the market.

Acronym Key and Glossary Terms

  • EDR: endpoint detection and response
  • IR: incident response
  • LDAP: lightweight directory access protocol
  • LLM: large language model
  • MDR: managed detection and response
  • NAC: network access control
  • NDR: network detection and response
  • SIEM: security information and event management
  • SOC: security operations center
  • TSN: time-sensitive networking
  • VXLAN: Virtual Extensible LAN
  • XDR: extended detection and response