Critical Capabilities for Network Detection and Response

18 May 2026 - ID G00844556 - 29 min read
By Charanpal Bhogal, Thomas Lintemuth,  and 1 more
NDR platforms continuously monitor traffic for anomalies, suspicious patterns and threat indicators. Demands for AI-driven SOC automation as well as hybrid infrastructure and multicloud coverage drive NDR innovation. Use these insights to identify the products best aligned to your needs.

Overview

Key Findings

  • All reviewed vendors offer foundational capabilities for network detection and response (NDR) that continuously monitor traffic for anomalies, suspicious patterns and threat indicators. Some are evolving to provide support for hybrid environments and AI capabilities for triage and response. Pay special attention to cyber-physical systems (CPSs) capabilities, postquantum computing (PQC) algorithm identification and false positives when performing your POC.
  • Integrations with adjacent security platforms vary across vendors with a growing need to correlate high-fidelity network signals with endpoint detection and response (EDR), SASE/SSE, identity and cloud security platforms to deliver an effective cross-domain response.
  • A subset of the vendors offers comprehensive AI use cases across observability, threat hunting and augmented response to reduce security operations center (SOC) fatigue from detections and enable AI-driven triage and AI SOC assistants.

Recommendations

As a cybersecurity leader responsible for infrastructure security and deploying NDR for comprehensive threat detection and response, you should:
  • Require unified visibility across all cloud and hybrid environments with cloud-native telemetry and identity tracking as standard features. Avoid platforms that charge extra for visibility across clouds or for comprehensive hybrid visibility, which should be included at no additional cost to support modern hybrid infrastructures.
  • Focus buying decisions on NDR products leveraging AI capabilities, including AI assistants and human-in-loop autonomous agentic response capabilities that can isolate threats or execute mitigation actions with less human intervention, ensuring real-time defense against AI-driven attacks.
  • When evaluating NDR products, focus on adjacent platform integration for high-fidelity enrichment (EDR.SIEM, IAM) and with infrastructure platforms (Hybrid Mesh Firewalls, SASE) to support the shift from manual approval to conditional autonomy.
  • Evaluate vendors that can deliver capabilities consistent with upcoming projects such as PQC migration and CPS coverage.

What You Need to Know

This Critical Capabilities research provides buyers of NDR products with scores for four common use cases based on relevant evaluation criteria. Buyers can view vendor scores for each use case.

Analysis

Critical Capabilities Use-Case Graphics

Figure 1: Vendor Product Scores for the Hybrid Monitoring Use Case
12 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Hybrid Monitoring in Network Detection and Response, as of 1 April 2026. This allows comparison across a set of critical differentiators.
Figure 2: Vendor Product Scores for the Augmented Response Use Case
12 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Augmented Response in Network Detection and Response, as of 1 April 2026. This allows comparison across a set of critical differentiators.
Figure 3: Vendor Product Scores for the CPS Security Use Case
12 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of CPS Security in Network Detection and Response, as of 1 April 2026. This allows comparison across a set of critical differentiators.
Figure 4: Vendor Product Scores for the Threat Hunting Use Case
12 providers are ranked on a 1 to 5 scale according to how well their offerings meet the needs of Threat Hunting in Network Detection and Response, as of 1 April 2026. This allows comparison across a set of critical differentiators.

Vendors

Arista Networks
Arista Networks, based in California, U.S., offers NDR focused on encrypted traffic analysis and eliminating network blind spots across managed and unmanaged assets without agents. Its strategy integrates NDR with network switches for unified infrastructure and security. Deployment options for stand-alone appliances are available but less common and rarely seen in Gartner interactions.
Arista NDR leverages its AI SOC assistant for automated triage, entity tracking and attack graph visualization, providing comprehensive incident analysis beyond isolated alerts. Its adversarial modeling detects nonmalware threats and insider risks. Arista NDR integration is strongest with Arista network hardware, and the advanced hunting features may present a learning curve for less mature SOC teams.
A summary of the vendor’s key capabilities:
  • Observability: Arista NDR uses a knowledge-graph approach to identify and track assets, automatically correlating traffic patterns to a single entity and providing a continuous forensic timeline.
  • Threat detection: Arista NDR performs deep packet inspection and provides comprehensive protocol support across IT/CPS. It lacks native sandboxing and relies on integration with third parties for deep-dive analysis. Native integration with switches based on Arista Extensible Operating System (EOS) as sensors allows the detection of lateral movement at the leaf-switch level.
  • AI: Arista’s Autonomous Virtual Assist AI sensors can baseline and identify threats at speed without requiring heavy manual tuning or agent installation.
Use-case score summary: Arista achieved low scores for all use cases. Its NDR is most frequently seen bundled with the vendor’s core network switches for a unified infrastructure and security approach, appealing primarily to existing Arista customers.
Arista Networks declined requests for supplemental information or to review the draft contents of this document. Gartner’s analysis is therefore based on other credible sources.
Corelight
Corelight Open NDR product is based on the open-source product Zeek, with proprietary extensions to add value. The vendor is headquartered in San Francisco, CA, U.S., its operations are mostly focused in North America, and its clients tend to be in the public and finance sectors. Corelight NDR’s strengths lie in threat hunting and forensic investigation by providing definitive evidence, rather than just basic alerts. The integration with the Corelight Investigator SaaS platform or existing SIEMs (like Splunk and Snowflake) allows analysts to pivot instantly from a high-level alert to the specific underlying packets to improve detection rates.
While its flexibility is a primary strength, Corelight’s coverage can be limited for organizations that prefer a fully turnkey experience due to it being highly extensible. Custom scripting and advanced threat hunting is available for advanced users, but the platform provides core NDR capabilities for organizations across the maturity spectrum. Corelight offers good integrations for response using EDR/SOAR playbooks, but its enforcement relies on external integrations for active blocking or host containment.
A summary of the vendor’s key capabilities:
  • Observability: Corelight delivers high-fidelity, vendor-neutral metadata (Zeek) that provides visibility of network activity, focusing on eliminating blind spots across cloud and on-premises environments.
  • Threat detection: Comprehensive threat detection combines metadata with Suricata-based signatures and machine learning to identify threats, focusing on advanced machine learning and GenAI use for triage.
  • AI: Corelight focuses on investigating alerts leveraging machine learning and AI with the AI assistant for triage. Some visibility into AI activity is observed.
Use-case score summary: Corelight’s highest use-case score was in the Augmented Response use case, and its scores in the other use cases were comparable. It is best suited to organizations that need customization and a deep threat hunting capability; require flexibility of deployment; and have mature SOC teams.
Darktrace
Darktrace, headquartered in Cambridge, U.K., focuses largely on North America and EMEA with its core NDR product, Darktrace / NETWORK. ​Darktrace uses a multilayered AI architecture for autonomous, real-time threat detection, requiring minimal manual tuning. Deployment is through physical or virtual appliances that provide visibility across on-premises, cloud and hybrid environments.
Darktrace is strong at detecting lateral movement, malicious behavior and insider threats, automatically investigating and correlating all relevant anomalies and events into actionable incident narratives with its Cyber AI Analyst. While it integrates with Darktrace’s email and cloud solutions, its anomaly-based approach offers less manual customization than some competitors. In some cases, a deeper architectural discussion is required for high-volume data retention.
A summary of the vendor’s key capabilities:
  • Observability: Darktrace’s Self-Learning AI focuses on observability; however, it is limited in the attributes it provides for discovered IT assets and details regarding cryptographic algorithms, except for CPS asset discovery.
  • Threat detection: Darktrace has a strong threat hunting capability, with mapping back to IOCs from response actions and a strong focus on integration with EDR and SIEM/SOAR platforms.
  • AI: Darktrace AI is comprehensive across the platform, with strengths in addressing alerts and triage as well as exposing unsanctioned AI use.
Use-case score summary: Darktrace received high scores for all use cases. Organizations that see the value of the self-learning AI and are looking to unify across other Darktrace offerings will gain maximum value from the Darktrace NDR product.
ExtraHop
ExtraHop, based in Seattle WA, U.S., primarily serves North American clients but is expanding in EMEA and Asia. Its Reveal(x) NDR platform provides near real-time, protocol-level visibility into encrypted network traffic with strong performance, making it well suited for organizations operating large, high-throughput networks across hybrid and multicloud environments. Reveal(x) is deployed via passive sensors as physical, virtual or cloud-native appliances that ingest raw network traffic.
The platform performs well in incident response and threat hunting by unifying NDR, Network Performance (NPM), Forensics and Intrusion Detection Systems (IDS) within a single interface, effectively detecting lateral movement, ransomware and supply chain attacks. However, its response capabilities are mostly passive, relying on third-party integrations for automation. Maximizing its forensic insights also demands a mature SOC team to manage and utilize its extensive data.
A summary of the vendor’s key capabilities:
  • Observability: The platform offers strong asset discovery and grouping on device type and protocols. ExtraHop NDR can present detailed information on observed detections and automatically maps to the MITRE framework.
  • Threat detection: The platform differentiates between native detections and third-party alerts, with strong integration with adjacent platforms like EDR/SIEM. Limited customization capability is available for the risk scoring of detections.
    AI: ExtraHop AI assistant enables querying for detections, devices and records, but it currently offers limited AI assistant capabilities for deep analysis or response actions and for initial setup.
Use-case score summary: Extrahop achieved high scores for all use cases. Its NDR is best suited for organizations requiring strong asset discovery, real-time decryption, deep packet inspection and protocol analysis.
Fortinet
Based in Sunnyvale, CA, U.S., Fortinet markets its product as FortiNDR, which is adopted primarily within the Fortinet customer base. FortiNDR integrates natively with the Fortinet Security Fabric and supports automated incident response, playbooks and integration with over 100 third-party products. It is available as an on-premises appliance for high-compliance environments or as FortiNDR Cloud for rapid SaaS-based deployment and extended data retention.
FortiNDR excels in malware analysis and rapid threat classification. It leverages AI to correlate anomalies and trigger native automated containment actions within the Fortinet ecosystem. However, its response features are largely limited to organizations already invested in Fortinet products, and the on-premises version requires substantial hardware resources for advanced traffic inspection, making it less ideal for highly heterogeneous or cloud-native environments.
A summary of the vendor’s key capabilities:
  • Observability: Fortinet NDR has limited observability capabilities beyond standard asset discovery and baselining of the network. The asset inventory provides basic asset information and limited reporting. Observability for cloud and cloud workloads is limited.
  • Threat detection: Fortinet threat detection capability is focused on anomaly detection and reliance on machine learning that is most effective across Fortinet deployments.
  • AI: FortiNDR delivers good GenAI for dashboards and reporting. Its core detection AI remains secondary to basic natural language processing and has less advanced behavioral analysis.
Use-case score summary: Fortinet achieved low scores across all of the use cases. Its NDR benefits from integration with the vendor’s core network switches for a unified infrastructure and security approach.
Gatewatcher
Gatewatcher is headquartered in Paris, France, with operations mostly focused in EMEA and APAC. Gatewatcher’s NDR offering focuses on detections, threat intelligence and strong focus on its AI. Gatewatcher NDR is suited to organizations seeking a platform that prioritizes efficiency and advanced malware analysis. The platform is commonly seen in the critical infrastructure and highly regulated sectors due to its ability to operate in fully air-gapped and on-premises environments without requiring cloud-tethered analysis or external data sharing.
Gatewatcher’s NDR has robust detection capabilities, with good integrations with SIEM/SOAR vendors. The platform offers rich metadata for forensic hunting, yet the behavioral detection rules are still maturing compared with the market leaders. The platform’s interface can appear fragmented, requiring security teams to navigate separate modules for hunting and dashboarding.
A summary of the vendor’s key capabilities:
  • Observability: Gatewatcher is strong at identifying critical assets of the organization on initial discovery and using its AI engine to contextualize the assets discovered.
  • Threat detection: The platform enables detailed forensics and detection of alerts with good MITRE ATT&CK mapping.
  • AI: Gatewatcher AI uses natural language in incident qualification and triage, which aids SOC teams and focuses on response actions.
Use-case score summary: Gatewatcher’s use-case scores reflect strengths in forensics and Threat Hunting, CPS use cases and broad AI capability. The product is a good fit for mature teams in highly regulated industries or critical infrastructures.
Jizô AI
Jizô AI, formerly Sesame, headquartered in Paris, France, is designed for organizations needing a EU-focused NDR platform. It offers real-time, passive monitoring for IT and OT networks without disrupting operations. The product combines signature-based detection with proprietary AI and features the Jizô Alert Advisor, a generative AI assistant that streamlines alert triage and visualizes attack paths for effective threat identification and asset mapping.
Jizô AI is well suited for environments requiring strict data sovereignty and compliance with French and European standards, but its regional focus may limit support and integrations for organizations outside these areas. Its on-premises approach enhances security but requires users to manage more infrastructure themselves, rather than relying on a fully managed SaaS model.
A summary of the vendor’s key capabilities:
  • Observability: The platform provides deep, high-performance visibility across both IT and CPS environments, using proprietary “Cyber AI” to correlate metadata and explain threats in natural language for faster root-cause analysis.
  • Threat detection: Jizô AI focuses on a preemptive defense strategy, using proprietary, unsupervised machine learning to identify near zero-day threats and lateral movement across both IT and CPS environments without relying on traditional signature databases. Its reliance on behavioral anomalies can require resource time in tuning to distinguish legitimate network shifts from actual malicious activity.
  • AI: Jizô AI differentiates itself with explainable AI (XAI) and the Jizô Alert Advisor, which leverages generative AI to translate complex network anomalies into plain-language investigations, potentially reducing SOC triage time. The platform’s architecture can make it less plug-and-play with non-European third-party AI ecosystems than more open, vendor-agnostic NDR platforms.
Use-case score summary: Jizô AI scores high for each of the use cases, with strength in observability across IT and CPS and advanced AI for detection and response. The product is a good fit for mature teams and highly regulated industries or critical infrastructures, particularly in EMEA.
LinkShadow
Headquartered in Athens, GA, U.S., with a large regional hub in Dubai, UAE and focused mainly on EMEA, LinkShadow offers NDR as a stand-alone product or as part of its CyberMeshX Platform, with deployment options for on-premises and cloud. LinkShadow NDR uses a hierarchical architecture with both virtual and physical sensors forwarding metadata to a central master appliance for analysis.
LinkShadow focuses on user entity behavior analytics (UEBA) and identity intelligence that correlates network anomalies with user behavior for effective detection of lateral movement and internal threats. However, it requires third-party integrations for functions like TLS decryption and sandboxing, and its event-based metadata capture can limit deep forensic analysis. Initial deployment may require significant manual tuning to align behavioral models with specific network environments.
A summary of the vendor’s key capabilities:
  • Observability: LinkShadow is effective in base asset discovery, though presorting is limited and information on observed algorithms is basic. Data ingestion is available from a variety of IaaS providers, with good integrations across adjacent platforms. Asset discovery and protocol support in CPS environments are limited.
  • Threat detection: Integration with third-party EDR and threat intelligence is good, but the product offers no native sandbox or support for Suricata/Zeek or IPS signatures.
  • AI: The platform enables AI interrogation of ingested data and AI chat to diagnose incidents but offers only a limited view of unsanctioned use.
Use-case score summary: LinkShadow earned high scores in three use cases, with its lowest score in CPS Security. The NDR product has strong Augmented Response actions, with good use of AI in triage. Buyers looking for strong on-premises options, including air gap use cases, or located in EMEA should consider LinkShadow.
NetWitness
Based in Boston, U.S., NetWitness NDR has robust forensic capabilities for threat hunting and investigation, with transparent detection logic features. NetWitness NDR is commonly deployed in large, complex enterprises seeking deep visibility and session reconstruction across hybrid infrastructures. Deployment is highly flexible, utilizing a combination of physical or virtual sensors for on-premises collection and lightweight cloud sensors for cloud deployments.
The product’s strengths lie in network forensics and hunting, allowing full network session replay. While its forensic depth is strong, NetWitness NDR’s coverage can be limited by the technical expertise and resources required for optimal tuning. The initial deployment and tuning of the sensors can be complex, often necessitating a mature SOC team or professional services to manage the hardware overhead and storage requirements for full-packet capture.
A summary of the vendor’s key capabilities:
  • Observability: The platform features strong parsing of network packets with a mature DPI engine, offers extensive reporting and provides robust CPS asset discovery.
  • Threat detection: The product has strong forensic capabilities for threat hunting and investigating. However, it offers no sandbox or malware analysis. Use of machine learning is limited, with detections being primarily rule based. Integration with third parties is minimal.
  • AI: Netwitness offers limited use of AI for initial configuration or detecting AI traffic beyond base assessment of alerts.
Use-case score summary: Netwitness has good scores across use cases, with strengths across observability and threat detection. NetWitness NDR is best suited for organizations with complex infrastructures and advanced SOC teams requiring deep forensic visibility.
Stellar Cyber
Stellar Cyber is headquartered in San Jose, CA, U.S., and its customer base is primarily in North America and Asia, with observed growth in EMEA and Latin America. Its product is typically deployed as a SaaS offering with some options for on-premises and IaaS environments. Its NDR offering is an NDR-specific licensing option for its unified SecOps platform.
The platform’s strengths are in correlating network anomalies with cross-stack telemetry to generate high-fidelity incidents, aided by its agentic AI for autonomous alert triage and natural language summaries. It offers strong protocol support for unified IT/OT threat tracking. For self-managed deployments, its unified data lake architecture may require significant compute resources and tuning, and administrators can face a learning curve with its investigative interface. This is less of a concern in the SaaS model.
A summary of the vendor’s key capabilities:
  • Observability: The product offers strong observability and visualization across hybrid infrastructures, including cloud and CPS environments, with broad third-party integrations.
  • Threat detection: Uses AI to correlate network anomalies with cross-stack telemetry into a single alert, reducing alert fatigue. Due to its broad security operations approach, there can be higher latency in complex queries and retrospective analysis.
  • AI: AI capability focuses on natural language processing and agentic reasoning to automatically correlate raw disparate signals into high-fidelity alerts with an AI assistant to aid in triage.
Use-case score summary: Stellar Cyber achieved good scores across all use cases. It is best suited for midsize organizations that prioritize operational efficiency and tool consolidation or MSSP/MSPs positioning security operations capabilities with strong integrations.
Trellix
Trellix, headquartered in Texas, U.S., primarily operates in North America and EMEA but is expanding its presence in Latin America and Asia. The company specializes in deploying physical or virtual sensors, with a unique focus on air-gapped and on-premises autonomy, maintaining full behavioral detection and AI capabilities locally.
The platform excels in convergence and accelerated incident triage, offering integration with CPS vendors for unified threat visibility across CPS and IT environments. While Trellix provides robust integration and response capabilities, it requires more initial setup tuning than some autonomous solutions and is most effective when used within the broader Trellix ecosystem. As a result, it may lag behind market leaders in stand-alone, vendor-agnostic customization.
A summary of the vendor’s key capabilities:
  • Observability: The platform’s reliance on deep behavioral baselining can result in a longer initial learning phase and a higher volume of benign alerts, requiring dedicated manual tuning. The full packet capture add-on enables visibility across the attack chain.
  • Threat detection: The product offers comprehensive threat detection by offering full packet capture (PCAP) alongside high-fidelity metadata. It has a native sandboxing capability and can create latency in query and response.
  • AI: Trellix has limited GenAI assistance for setup.
Use-case score summary: Trellix NDR scores low overall except in the CPS use case, where it is good. The platform is best suited for organizations seeking to integrate network visibility into a broader, unified XDR ecosystem, particularly those bridging the gap between IT and CPS.
Vectra AI
Vectra AI, headquartered in San Jose, CA, U.S., with a strong presence in EMEA and North America, offers agentless, flexible deployment for hybrid attack surface monitoring. It integrates seamlessly with platforms like Microsoft 365, Amazon Web Services, Microsoft Azure, Google Cloud and Entra ID, using patented AI to deliver high-fidelity detection of attacker behaviors and actionable threats.
Vectra AI focuses on reducing alert noise and SOC fatigue by correlating threats across on-premises, hybrid cloud and identity environments that leverage AI. Vectra AI offers robust automated response options via integrations with SASE/SSE, EDR and SOAR platforms. However, its metadata-driven approach may not suit organizations needing deep packet-level forensics or extensive AI customization.
A summary of the vendor’s key capabilities:
  • Observability: Vectra AI provides deep observability using AI-driven metadata extraction to monitor all traffic moving between users, nonuser devices and cloud workloads, exposing hidden lateral movement and replacing traditional deep packet inspection.
  • Threat detection: The platform utilizes AI-driven attack signal intelligence to surface high-fidelity threats and map cross-domain kill chains. It excels at prioritizing actionable alerts, but the tool can be deemed detection heavy, requiring third-party integrations to achieve a robust automated response.
  • AI: Vectra AI’s attack signal intelligence moves beyond simple anomaly detection to prioritize threats based on actual adversary TTPs, effectively reducing alert noise and surfacing critical lateral movement in real time. Its AI assistant provides full triage and response actions.
Use-case score summary: Vectra AI scores high across all use cases, with key strengths in observability, signal consolidation and flexible deployment models. It uses AI effectively to consolidate attack detections into high-fidelity signals and Augmented Response actions. The platform will appeal to most organizations looking for an NDR product.

Context

NDR reviews all traffic, looking for anomalies. It understands the underlying threat behavior and explains the scope of the impact. Beyond ingesting network packets or traffic flow, NDR must ingest and correlate third-party telemetry. This ecosystem includes data from EDR, ITDR, IaaS flow logs and SASE network packets or flow logs. NDR products include automated responses such as host containment or traffic blocking, directly or through integration with other cybersecurity tools. NDR can be delivered as a combination of hardware and software appliances for sensors, some with infrastructure as a service (IaaS) support.
NDR buyers cover the gamut of user organizations, from small organizations with a nascent security program to very large organizations with an established security program. Most vendors have a preferred set of markets to which they cater.
The NDR market will continue to grow over the next decade, evolving from a niche security product to a critical one as user behaviors are increasingly obfuscated by encryption and attackers increasingly hide their activities in “living off the land” techniques. NDR is critical in identifying insider threats, threats from internally compromised hosts and zero-day threats.

Market Definition

Gartner defines network detection and response (NDR) as products that detect abnormal network behaviors by applying behavioral analytics to network traffic data. NDR products continuously analyze raw network packets or traffic metadata within internal networks (east-west) and between internal and external networks (north-south). They include automated responses, such as host containment or traffic blocking, implemented directly or through integration with other cybersecurity products. Vendors deliver NDR as hardware or software appliances for sensors, with some supporting IaaS environments. Management and orchestration consoles are available as software or SaaS.
Organizations rely on NDR to detect and contain postbreach activities such as ransomware, insider threats and lateral movements. NDR complements other technologies that primarily trigger alerts based on rules and signatures by building heuristic models of normal network behavior and detecting anomalies.

Security teams commonly use NDR as a complementary detection and response technology within a broader set of security operations center (SOC) tools. These include security orchestration, automation and response (SOAR), security information and event management (SIEM), endpoint detection and response (EDR), and other detection technologies.

Mandatory Features

NDR must:
  • Deliver physical or virtual sensors in form factors compatible with on-premises and cloud networks to analyze raw network packet traffic or traffic flows, and monitor both north-south (perimeter) and east-west (lateral) traffic.
  • Model normal network traffic and highlight unusual activity that falls outside established baselines.
  • Provide detection based on behavioral techniques (non-signature-based detection), including machine learning (ML) and advanced analytics, to detect network anomalies.
  • Aggregate individual alerts into structured incidents to facilitate threat investigation and enable automatic or manual response to malicious network activity.
  • Include traditional detection techniques, such as intrusion detection and prevention system (IDPS) signatures, rule-based heuristics, and threshold-based alerts.
  • Automate responses, such as host containment or traffic blocking, either directly or through integration with other cybersecurity products.
  • Detect threats using intelligence feeds from internal or external sources.

Optional Features

Optional capabilities for this market include:
  • Operating in-line and supporting use cases such as “virtual patching.”
  • Monitoring and analyzing traffic in IaaS environments.
  • Providing SaaS API connectors to analyze events and user activities.
  • Offering log ingestion, investigation and response capabilities that enable SOC analysts to use the NDR console as the primary facility for operational duties and threat hunting, replacing alternative platforms such as SIEM or extended detection and response (XDR).
  • Enriching metadata during collection or event analysis.
  • Performing retroactive and forensics analysis using network packet flow data and scalable full-packet capture (PCAP) with long-term data retention.
  • Utilizing AI-based search assistants to accelerate threat hunting and deliver actionable insights.
  • Integrating natively with EDR and SIEM platforms.
  • Maintaining a low false-positive rate after initial tuning to provide trustworthy insights and support automated response use cases.

Product/Service Trends

A key trend is the integration of products like EDR and identity with NDR to provide context driven by the rise of hybrid infrastructure. This has increased the need for unifying telemetry that normalizes signals across network, cloud, identity and endpoint sources into a single context-based view to eliminate visibility gaps. Additionally, as organizations adopt zero-trust security models, NDR platforms increasingly are used to provide deep visibility and detect lateral movement across infrastructures. The AI race is driving NDR vendors to add agentic AI detection and control capabilities to mitigate the AI threat through autonomous investigation as well as NDR focusing on postquantum cryptography (PQC) assessment in readiness for the PQC era.

Critical Capabilities Definition

Administration
Straightforward and intuitive UIs reduce operational overhead, simplify training and improve outcomes for the connectivity and security use cases.
Use of AI-based copilots, digital agents or chatbots help with initial configuration and operational activities, including documentation, policy creation and troubleshooting. The offering should be straightforward to implement initially, using default configurations for common use-case scenarios, not requiring a high degree of custom work or hundreds of hours of consulting. Recommendation engines optimize deployments and suggest policies based on best practices, observed user and application behaviors or anticipated changes.
Platform
The platform provides the ability to detect and mitigate basic, advanced and custom threats by analyzing raw network traffic and flow records through a combination of signature-based detection and advanced machine learning models.
By applying static and dynamic analysis, including deep packet inspection, integrated sandboxing for suspicious files and multilayered malware engine, the product continuously incorporates global threat intelligence to recognize malicious infrastructure and command-and-control patterns.
Threat Detection
The product provides the ability to detect and prevent basic, advanced and custom threats. It includes static and dynamic analysis combined with advanced threat protection features, such as sandboxes and layers of malware engines, assessing TI research and applying TI to the platform.
Detections must include the ability to utilize signature-based detection in addition to machine learning models. The product must be able to identify insider threats, external attacks and advanced persistent threats.
Asset Discovery
The offering must provide discovery and assemble an inventory of all the devices found. Advanced techniques to provide deep visibility into network devices and communication paths are expected. The system must be able to identify weak algorithms and protocols that are detected.
Special consideration should be available to address algorithms that are susceptible to being broken by quantum computers.
CPS Discovery
The product must provide discovery and inventory of all assets within CPS environments. It must employ advanced techniques to deliver deep visibility into CPS devices and their communication channels.
The system should be able to detect weak or outdated algorithms and protocols, with a focus on those that could be vulnerable to both known and emerging threats.
Incident Response
The product must provide a detailed investigation of incidents and event correlation. Risk scores must be assigned to detected threats to prioritize response efforts.
Automated responses must be available to mitigate the threat, such as isolating infected devices, blocking malicious traffic or shutting down compromised accounts. Visualizing network events and activities on a timeline is crucial for piecing together the sequence of events during an incident.

Use Cases

Hybrid Monitoring
This use case focuses on the offering being able to support the monitoring of traffic on-premises, in IaaS environments and in SaaS environments.
Integration with leading SSE and identity vendors is expected. The product must be able to clearly differentiate between on-premises users and remote workers.
Augmented Response
The product must provide a detailed investigation of incidents and event correlation. Risk scores must be assigned to detected threats to prioritize response efforts.
Automated responses must be available to mitigate the threat, such as isolating infected devices, blocking malicious traffic or shutting down compromised accounts. Visualizing network events and activities on a timeline is crucial for piecing together the sequence of events during an incident.
CPS Security
This use case focuses on looking for specifics geared toward securing the CPS environment.
The product should utilize discovery capabilities specific to the identification of CPS devices. This includes baselining normal activity and alerting on anomalous activity in a CPS environment. The depth of a CPS-specific protocol support is considered.
Threat Hunting
This use case focuses on the proactive side of NDR by shifting the security posture from reactive defense to active discovery of stealthy, nonmalware-based threats.
By analyzing long-term behavioral metadata and east-west traffic, it unmasks lateral movement and persistent backdoor attack vectors that remain invisible to perimeter-focused tools. This ultimately delivers reduced dwell time and a deeper understanding of the environment’s “ground truth,” ensuring that sophisticated attackers cannot remain undetected or maintain a foothold within the network.

Inclusion and Exclusion Criteria

Inclusion Criteria
To qualify for inclusion, the provider’s NDR product must:
  • Be generally available by 31 October 2025
  • Be primarily marketed as a vendor’s product or service, rather than delivered via a managed service provider
  • Have the ability to ingest data via network flows and packet capture (PCAP)
  • The NDR vendor must also demonstrate scale relevant to enterprise-class organizations. At least two of the following three criteria must be met:
    • Generated $20 million in revenue from the evaluated NDR product between 1 January 2025 and 31 December 2025
    • As of 31 December 2025, have at least 70 enterprise customers (each of over 5,000 seats)
    • Have at least 4 million devices under paid support as of 31 October 2025
An NDR vendor must also demonstrate relevance to global organizations by:
  • Gartner receiving strong evidence that no more than 85% of its revenue/sales is from a single region (North America, EMEA or APAC)

Weighting for Critical Capabilities in Use Cases

Critical CapabilitiesHybrid MonitoringAugmented ResponseCPS SecurityThreat Hunting
Administration
10%
10%
10%
10%
Platform
20%
15%
15%
20%
Threat Detection
15%
25%
35%
40%
Asset Discovery
23%
20%
5%
10%
CPS Discovery
15%
0%
35%
10%
Incident Response
17%
30%
0%
10%
As of 1 April 2026
Source: Gartner (May 2026)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.

Critical Capabilities Rating

Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Product/Service Rating on Critical Capabilities

Critical CapabilitiesArista NetworksCorelightDarktraceExtraHopFortinetGatewatcherJizô AILinkShadowNetWitnessStellar CyberTrellixVectra AI
Administration
3.4
3.5
3.6
3.5
3.8
2.8
3.3
3.6
3.8
4.0
3.2
4.4
Platform
2.3
2.4
3.1
2.8
2.4
3.1
2.1
3.0
2.3
3.0
1.8
3.7
Threat Detection
2.2
3.4
3.4
3.7
3.6
3.1
3.9
3.2
3.6
3.4
3.6
3.7
Asset Discovery
1.8
3.9
3.7
3.3
2.6
2.9
3.0
2.9
2.9
3.1
2.7
2.9
CPS Discovery
2.1
2.7
4.6
3.0
2.7
3.5
3.7
1.5
3.2
3.0
3.5
3.6
Incident Response
2.9
3.0
3.9
3.8
2.8
3.5
3.8
3.8
3.0
3.3
2.8
4.3
As of 1 April 2026
Source: Gartner (May 2026)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.

Product Score in Use Cases

Use CasesArista NetworksCorelightDarktraceExtraHopFortinetGatewatcherJizô AILinkShadowNetWitnessStellar CyberTrellixVectra AI
Hybrid Monitoring
2.35
3.15
3.69
3.32
2.88
3.15
3.23
2.98
3.04
3.23
2.84
3.67
Augmented Response
2.47
3.24
3.59
3.50
3.00
3.15
3.36
3.33
3.11
3.31
2.87
3.79
CPS Security
2.28
3.04
3.81
3.28
3.08
3.20
3.46
2.60
3.25
3.25
3.21
3.70
Threat Hunting
2.36
3.15
3.56
3.40
3.11
3.13
3.36
3.06
3.19
3.30
3.02
3.74
As of 1 April 2026
Source: Gartner (May 2026)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.

Critical Capabilities Methodology

This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.