Vectra AI Reviews

We wanted something to understand what's happening on the network of the company, and we wanted something to protect us against attacks and cyber activities. We wanted visibility into our network and all the threats that we're facing.

It has helped improve our mean time to identify, but I don't have the metrics on time savings because we didn't have anything for that previously.

It hasn't had any effect on the productivity of our organization’s SOC, but it has had a great effect on security.

In terms of the effect of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization to take intelligent action, we are looking at the right risks and nothing more. We save some time for sure, and we empower our security with it. Previously, we couldn't see anything, but now, we are seeing some of the things, and we have already stopped some attacks with it.

The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen. That's great.

It's simple to implement. It's simple to analyze. The dashboard is very smart and clean. It's very easy to check something. There are a lot of tools to analyze the detections. It's great.

We got two problems that couldn't be solved because of the philosophy of the product. We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution.

We did some penetration tests and tried to get some hashes or encrypted passwords from Active Directory. Those hashes didn't provide alerts into Vectra. Vectra doesn't survey them, which is quite problematic because it's a very common attack. They said that it's not the only aspect that would come with that kind of attack, but when somebody tries to get a lot of hashes, we would like that there is an alert because that seems like the start of an attack.

For the hashes issue, it could be very easy for them to make the improvement. They can just change a rule, and that's it, but for encrypted protocols, it could be trickier.

We have been using this solution for two to three years.

There is no problem with stability. Sometimes, alerts can come later. For example, for Office 365, we got the alert one day late, but the problem was coming from the Microsoft side.

We just have one, and that's enough for our needs. Its scalability is good for us because we just have one with multiple probes at the same cost, so that's fine for us.

Their support is very good. They have knowledgeable people with great knowledge of cyber security and cyber risks. I'd rate them a 10 out of 10.

Positive

We weren't using any solution before. We went for Vectra AI because we wanted something to have visibility. We were completely blind to what could happen on the network. With Vectra AI, we aren't so blind.

We stopped some attacks. An attack could cost a lot more than the cost of Vectra. For example, we got an attack before that cost us $100,000. So, Vectra's cost is not so high. The cost of an attack could be worse. If we got encrypted data, it could be worse because we would have to stop the factory, which would cost a lot.

Its cost is too much. It's an investment that we can afford. It's a lot, but it's worth it.

We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.

I'd rate Vectra AI a 10 out of 10.

Our primary use case for this solution is for security policy and to detect potential attacks on our networks.

This solution helped our mean time to identify as we can have more precise detection and documentation. At the moment, we're seeing daily detection of between 10 and 20 and if it's on the cloud, we can do 50 to 100 per day.

As we are just beginning to use Vectra AI, I find the simplicity of implementation to be quite valuable. The UI is easy to use and when we send detection to everybody, they easily understand what we are asking at the time. The sections are very precise. 

There is room for improvement in the documentation. We would like to have more details on how it detects what we see. 

I have been using Vectra AI for about four months.

This solution is stable.

This solution is quite scalable. In the beginning, we had one point of network capturing the traffic. After that, we added two points on top of it and it worked perfectly. At first, we had five gigabits per second and now we have 30 so I'll say it's a good service.

I would rate their support a ten, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that they were with us every step of the way to help and guide us through the process seamlessly.

Positive

Prior to Vectra AI, we used Gatewatcher and Microprobes and also the IPS/IDS firewall. Vectra AI is an additional layer of security.

My opinion – and a strong point for Vectra AI – is that the deployment is not complex and is quite straightforward. It was an easy deployment and someone from the company helped us on each point and guided us through important milestones. If I recall correctly, it lasted for about two weeks.

It's a bit expensive, as you can have a lot of different solutions for free. So, in the beginning, it's more expensive, but as time passes it gets better.

The issue Vectra AI helps us solve is threat prevention.

Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that we are still in a tuning phase and it's too early to say anything about detection, but I would put ten for support.

We use Vectra AI to detect incidents because we have offices in 50 countries and 30 to 40 sensors around the world.

We want to be able to have a sensor or a foothold in as many offices as possible, and Vectra AI helps us achieve that goal.

Vectra AI helps us to have more visibility in terms of what happens in our network and the network at large. It increased our understanding and our ability to respond and clean up.

In terms of valuable features, I like the ability to record the traffic and the metadata in the traffic. I also like the ability to rewind the past and be able to understand what happened. Some of my colleagues like the ability to investigate incidents.

Vectra AI has had a positive effect on the productivity of our company's top teams. They use it a lot to understand what's going on. However, we still need to teach people how to use it to its full potential because it's quite a complicated product.

The Sidekick MDR service is quite important to our organization’s security monitoring and management. The Sidekick team is able to give us the ins and outs of what's going on with some incidents. They are able to triage and help us to focus on a particular part of detection. They also gave us advice on how to configure some parts of the product. The two people I worked with from the MDR service are really good at what they do, and it's quite nice to work with them.

The UI/UX and detection could be improved. More detections of specific security events could be useful. We've had a few incidents that were not detected by Vectra. The teams are working on it right now, but more detection is always better.

Vectra AI is quite good at threat detection, however, it cannot respond to threats and attacks in real time by itself. It has to have plugins with other components, such as EDR or other software, to be able to respond properly. By itself, Vectra AI cannot do much, but it's powerful enough to pilot other software.

I've been using Vectra for nine months now.

Vectra AI's stability is quite good.

Scalability-wise, we have many sensors, and Vectra AI seems to handle them all very well.

We have 30,000 devices across 50 countries with close to 2,000 offices. It's an enterprise-scale environment, and Vectra AI has not had any issues.

The engineer who deploys Vectra at my company seeks perfection, and he wasn't happy with everything. However, Vectra's technical support staff handled all of his requests quite well. I would rate them an eight out of ten.

Positive

The product is quite good, and we have a good relationship with the customer success managers and other teams as well.

Overall, I would rate Vector AI an eight on a scale from one to ten with ten being the best.

The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.

With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.

It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.

And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.

For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.

That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.

The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?

We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.

The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well. We've had numerous red team and penetration exercises and, at the initial stage, when the recon is happening and credentials are used and lateral movement is attempted, our existing tools don't pick it up because it has not yet been "transformed" into something malicious. But Vectra, at that stage, picks it up 80 to 90 percent of the time. That has been one of the biggest benefits because it picks up what other things don't see, and it picks them up at the beginning when attackers are trying to do something rather than when the damage is already done.

The ability to roll up numerous alerts to create a single incident or campaign for investigation takes a bit of effort in the beginning because you'll always have misconfigurations, such as wrong passwords, that could trigger brute force and SMB-types of alerts. And you'll have genuine behaviors in your environment that tend to be suspicious, such as vulnerability assessment and scanning tools, that are not noise, per se. Even if they're non-malicious, it always tends to point to events like misconfigurations and security tools. It's been very useful in that sense, in that, once we do the initial triaging, indicating that this is a security tool, or that is a misconfiguration we need to correct, it reduces the noise quite significantly. We don't get more than 10 to 20 events, maximum, generated per day.

Vectra shows what it does in terms of noise reduction, and we can see that it is down to only 1 percent, and sometimes even less than 1 percent, of what actually requires a person to act on.

It becomes quite easy for a SOC analyst to handle things without being overburdened. And, obviously, it's at the initial stage because it picks things up before the damage happens. It's not the kind of prevention tool that has signatures and that only tells you something bad has already happened. It tells you that something is not right or is suspicious. It says there is a behavior that we have not seen before, and it has always been effective in the red team exercises that we periodically conduct.

Also, we have privileged account management, but we don't have a separate analytics tool. Still, Vectra also picks that up. This is also something that has come up during red team exercises. If there's an account that is executing an escalated privilege or running a service that it normally doesn't run, it gets flagged. It tells us about lateral movements and privilege escalations; things that constitute non-standard usage. It's quite effective at catching these. I have yet to see a red team exercise that doesn't generate any alerts in Vectra. We see a jump, and it's very easy to identify the account and the system that is the source.

It also triages threats and correlates them with the compromised host devices, because it maps both ways. It maps the host, the account, and the detection, and vice versa. You can also go to the detection and see how many affected hosts there are. In addition, if there's a particular detection, is there an existing campaign? How many hosts are also doing the same thing? These are the kinds of visibility the tool provides.

The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful. They are very generic and broad. That's one main area that I keep telling Vectra they need to improve. 

Also, whenever there's a software upgrade and new detections are introduced and the intelligence improves, there is a short period at the beginning where there's a lot of noise. Suddenly, you will get a burst of detections because it's a new detection. It's a new type of intelligence they've introduced and it takes some time to learn. We get worried and we always check whether an upgrade has happened. Then we say, "Okay, that must be the reason." I would like to see an improvement wherein, whenever they do an upgrade, that transition is a bit smoother. It doesn't happen all the time, but sometimes an upgrade triggers noise for some time until it settles down.

We've been using the Vectra AI for over three years.

In the beginning, there is a struggle to fine-tune it because it will generate noise for the reasons I mentioned. But once that learning phase is complete, it's quite reliable. We have been using the hardware for more than three years and there have been no failures or RMAs

Upgrades happen automatically. We have never gone into the appliance to do an upgrade, even though it's on-prem. It all happens automatically and seamlessly in the background. 

Initially, we had some problems with the Recall connection to the cloud, to establish the storage connectivity. But again, these kinds of things are at the beginning. After that, it is quite stable. We've not had any problems.

Scalability for the cloud solution is straightforward. For the on-prem solution, you need to take care of the capacity and the function itself, because the capacity of the same hardware varies, depending on what you use it for. From a capacity point of view, there is some effort required in the design.

Looking forward to the future, the tool integrates with more and more solutions outside of its existing intelligence. It's not something that we have yet embarked on, but that's an interesting area in which we would like to invest some time.

The cloud solution is something that has limited visibility because PaaS and SaaS in the cloud are always a challenge in terms of cyber security. And in the future, even though we have taken the Vectra SaaS for O365, they're also coming up with a PaaS visibility tool. It is currently under testing, and we are one of the users that have been chosen to participate in the beta testing of that. That's another thing in the future that would add a lot of value in terms of visibility.

Currently, we have about 8,000 users.

The support is directly from the device or we get a response via email. The response is okay. Because the product is stable, we have not been in a situation where we urgently needed something and we wanted support right now. We have never tested that kind of fast response. They take some time to respond, but whenever we have requested something, it has not been urgent. 

We do get a response and issues always get resolved. We haven't had any lingering issues. They have all been closed.

Positive

We did not have any tools in the same league. We had security tools, but not with anomaly detection as part of the feature set.

Cognito Detect is on-prem and Cognito Recall is in the cloud, as is the O365 and Azure AD protection.

The cloud setup is extremely simple. The on-prem takes some effort. There is the sizing, depending on what model. The throughput varies. Those kinds of on-prem design considerations create a bit of complexity in the beginning, but the cloud is straightforward. All it needs is the requisite access to the tenant. Once it gets that, it starts its work. 

In the beginning, there is some effort in fine-tuning things, but that comes as part of the package with the solution. They have a success manager and tech analyst assigned to support you in the beginning. Once that is done, the product is very stable.

For us, there were an initial four to eight weeks of triaging and clearing the noise, in terms of misconfiguration issues or known security tools. After that time, we started seeing value.

We only used the people from Vectra.

Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly. They are above average when it comes to price. They're not very economical but it's for a good reason. As long as we get quality, we are okay with paying the extra amount.

We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.

The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.

My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.

We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.

In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.

We have one SOC but it's based overseas. It's an offsite managed service and it covers the gambit of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.

Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.

Our key challenges are:

1. People Management: It is always a struggle to coordinate the few people that we have with the necessary skills to put them on the most important topics or projects.
2. Cloud adoption complexity: You need to figure out which systems, applications, and interfaces are talking to which cloud component in terms of data flow. That is a rather complex topic and usually sold well by the external supplier in terms of marketing to a company. Practically speaking, it is very difficult to elaborate all the connection requirements, on-prem to cloud, cloud to cloud, e.g., what is running where, what should run, and what is not running as it should.

Cognito Platform: We are using the latest on-premises version and some of the cloud services too.

We are mainly operating out of Switzerland. The IT Departments are based in our headquarters.

We have a large network with a lot of points of sales and other geographical locations that are interconnected. We need visibility of all the client-initiated traffic to and from our main data centers and to the Internet. We have good network coverage. Vectra is deployed on different hotspots in our network.

We can detect systems that are not behaving right because they are not configured correctly. We detect access to malicious sites or domains that should not be there, which should have been picked up by our security services that we implement at different times at different types of levels in the network. This is kind of an add-on to all the existing prevention mechanisms and helps us with network hygiene.

Due to an optimal signal-to-noise ratio that Vectra delivers, it gives us confidence to have a realistic chance of catching and stopping real attacks on time.

One of its strongest parts is that the solution captures network metadata at scale and enriches it with security information. We forward events to our team, then we can correlate them even better.

We have almost our complete network covered. This solution is like the absolute base coverage for us. You don't get many alerts, and if you get one, you better look at it because it is a good quality alert. After verification, we respond accordingly. Vectra AI brings great visibility. Without it, we would be blind.

The solution has enabled us to do things now that we could not do before. With Streams enabled, we can easily find out who is using SMB v1, as an example. So, it is a kind of hunting in the network. If you have a detection and need proof, you have network capture. In terms of searching accounts or assets, it is a great platform that allows us to use the default search, i.e., searching for a hostname/IP or the advanced queries for complex searches. This allows you to search back in time, which is very convenient, i.e., if one specific host has had detections in the past.

Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis. 

The Office 365 detection is a great add-on. It will not only see the local traffic, i.e., the local user but also how the user is connecting to the cloud. If communication has been initiated within our network, we would capture anomalies with on-premises mechanisms. If it is a connection from the Internet to O365 SaaS services, we gain visibility through the Vectra add-on. It depends where the communication was started, but we do have a good, complete picture in a single view.

Vectra AI is really focusing on the most critical, severe detections. That is the key point of this platform for us. It gives you enough details and data, if you need it. However, for daily operations, we are just getting the priority 1 alerts that we need, and nothing more.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. This is important to our organization because you need to monitor and control privileged accounts.

The detection model and correlation of events, e.g., you are only having one priority event a day, go hand in hand. They have awesome detection models and very good algorithms. Out-of-the-box, you get a decent severity matrix and great consolidation. This is what has made this platform so usable to us over the last three to four years. We can rely on these detections and on its event generating mechanism that clearly focuses on the most important priority one cases.

If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company.

We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

We have been using it for four years.

Great! Currently, our Brain shows 190 days uptime (last reboot initiated by us). There have been no operational issues at all. I can't complain.

Scalability is another very good selling point. It is easy to deploy virtual sensors as well as other sensors, which is a big plus.

We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra AI Sidekick Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective. We have roughly 20 to 30 people who, from time to time, get details on detections or campaigns that they need to look at.

The technical support is fast, customer-oriented, and has a great skill set.

When we started with Vectra AI, we noticed certain things that could be done better from the UI experience and workflow. We had a lot of input. They built this into their software. Some of the features that customers use today are there because we said, "Well, guys do it like that because everybody can profit from that," and they said, "Well, that is a great idea. Let's do it."

Positive

We did not use another solution before Cognito.

The initial setup was straightforward. 

We already had an existing on-prem installation, so adding Office 365 detection was straightforward. It took about half an hour.

After we deployed this solution in our network, it took about two weeks for it to begin to add value to our security operations.

They brought in the requirements and said, "We need this amount of time, as well as this type of rack, space, power, and network configuration." We prepared that, then they were able to set things up in a very short manner. It took maybe a day, then we were set and traffic was flowing in. This was one of our smoothest installations in the last years. After two days, we saw all the needed network traffic. So, implementation and initial setup were very fast.

We are still a happy customer after four years.

In terms of detection, we have seen ROI from finding out stuff as well as preventing, hunting, and intelligence gathering.

Cost is a big factor, as always. However, I think we have a very good price–performance ratio.

We looked at least five different vendors, including Cisco and Darktrace, in PoCs.

Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

Vectra AI has a very short deployment time compared to other solutions that we tried.

Do a PoC. Only a PoC will show you if something works or not. I know it takes time but do a POC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

There is manual input i.e., Triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

I would rate this solution as 10 out of 10.

Our company is in the retail arena, and we have stores, warehouses, and a data center. Right now, we're using Vectra AI in our offices and the data center. The major issue we had was that we were completely blind inside our data center in terms of seeing what traffic we had. Our main focus with Vectra AI was to see what's happening inside the data center through virtual sensors.

We're going to expand it to include our stores because the franchisees requested that we monitor the networks in all of the stores. Every shop in our company is a franchise, and they can do whatever they want to in their shops. We won't have any idea as to what's on the network in the shops. By using Vectra AI, we will have visibility into the network.

We have started the proof of concept for our warehouses as well.

We discovered a lot of things in our network and are correcting several misconfigurations. We are learning how some apps work together and how some things shouldn't happen. It's also easier for us to identify the source of a brute force, whereas before, we didn't even know we had a brute force.

The platform is well-designed around the quadrant. We know quickly how to investigate, and the detections are clear. I like Vectra AI's integration with Active Directory and the fact that it's easy to take in hand.

We have had a few issues with the integration of Vectra AI with EDR. Some filters have not been working. We've also had issues with the brain not being powerful enough.

In the next release, I would like to see more triage choices. From my point of view, Vectra is missing a lot of choices. This is an area that they could focus on.

Vectra is also moving to a full cloud model, and I am not sure if going full cloud and leaving the on-premises environment is the way to go. We are not sure whether we'll move to the cloud with Vectra because it's hosted by AWS, which is one of our competitors. We don't like to work with anything that works on AWS.

We did a proof of concept two years ago and then deployed it in March, 2022.

We've had issues with stability. Vectra said that they underestimated the power we needed on our brain as it's very slow. We have delays that can be up to 40 seconds. We also had a hard drive that died. In one year, we've experienced three major issues.

We have different types of deployment that impact scalability a lot. The good part is that if we want to see everything that gets into the data center, we only need a single sensor in the data center. However, if we want to go in-depth in every store, then it will be a long process because we'll have to deploy thousands of sensors.

Right now, our license is for 10,000 IPs, and we hope to increase it to 110,000. If we deploy Vectra AI in the warehouse as well, we will need 25,000 extra. When we upgrade the brain server, Vectra AI should be able to scale accordingly.

When I contacted technical support, they usually take control of my laptop for an hour or more, and I can't do anything during that time. They do not explain anything and mute themselves for an hour or more. I don't know what they're doing or if they're even working on the issue.

However, they have been proactive because they know we have issues with our brain. If I have a bug, I've noticed that they usually respond quickly.

Thus, on a scale from one to ten, I would rate technical support at six.

Neutral

I've done four deployments in total, and Vectra AI is easy to deploy. On the admin interface, it's also easy to set up the integration with EDR.

It is an expensive solution, but it's not the most expensive we've seen. We also know how much we're going to pay, unlike with some other providers where all of a sudden our license explodes.

We will probably need to deploy over a thousand physical sensors. This means that the cost will automatically go up to millions. They do not sell the smallest sensors that they had in the past, which we would be glad to have right now.

We looked at ExtraHop, a VMware NDR solution, Carbon Black, and a solution from a French organization.

Carbon Black is oriented around VMware products. As such, it would have been okay for the data center, but we would have had to upgrade the entire physical infrastructure inside the data center. It would have been very expensive, and thus, we eliminated Carbon Black. The French competitor was eliminated because the solution was a few years behind.

We then talked with Vectra AI and were happy with what they offered us. We spoke with other companies that use it and found out that they were happy with it. Thus, Vectra AI got the opportunity to do the proof of concept.

Overall, I would rate Vectra AI an eight out of ten.

We started with it as a replacement for the functionality we had in our SIEM solution. We mainly wanted a detection metric and something that was smart enough to detect some of the more complex attacks because we can have flow data and do nothing with it. We wanted to have some strong alerting capabilities on that. We were looking to get a detailed attack and AI perspective on it. We didn't want something that only sees something as malicious and can alert on it but also detect things that are a little bit out of the ordinary, which was something we could get with this.

It has definitely improved our mean time to identify. In some specific cases, it's making it a lot easier because the enrichment features do help in getting a more detailed view of what's going on. For example, if we see a certain connection or something that's potentially a command and control channel, we can look at who logged in last and what other processes are there. We also have a connection to our SIEM solution, so we can check what's going on there as well. So, it really helps, but it's hard to measure the time savings because we previously didn't have a solution that had the same capabilities as Vectra AI.

It has definitely had an impact on our productivity. Previously, we did have some issues with getting a more detailed view of the network because we could only do it through event-based logs from the network devices, such as firewalls and switches that were providing us with additional information. Now, because it's more detailed and also across the branch offices—which was a big point for us—we do have a more efficient structure. We don't need to do that much additional effort to get to the root cause of problems, which was an issue before.

One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things. For example, there were about 200 SSH connections within a night. They had seen the traffic, but they couldn't relate it to anything specifically, whereas because we saw it, we knew that it was one of our main Unix machines. We knew it was doing some kind of backup at that time. We then went to talk to the system engineer, and he could confirm that he was using a badly written script that was doing 200 connections instead of just one and sending all 200 files across it.

It's well-built, so it does its thing as a Threat Detection and Response platform for detecting and responding to threats and attacks in real-time. We use the detections that come out of Vectra, and we send them over to our SIEM solution. Especially when it comes to high alerts or alerts with high certainty and high impact, we look at them immediately, and then someone also goes through it every day to clean up. If there are certain things that we need to check, we will check them anyway. Anything that's lower on the priority list is taken care of later in the day.

One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not. I understand that not everything can be implemented in the product, but if everyone presses the plus one button, then you know that there's a need for it. 

There is the concept of groups within Vectra. You have IP groups, host groups, and domain groups. Wild cards would be very handy there, or side ranges would be a good one to start with. One of the big things that some of our operational people complain about is that if it's an IP and it has reverse look-ups, why do they need to make two groups—an IP group and a hostname group—just to get the same feature set?

It has been almost three years, so it has been a while.

We haven't had any issues. It's very stable, so no problem.

Their support is pretty good. They follow up fast. It's not like most other support centers we've seen in the past. They are really focused on getting us faster input.

I'd rate them a nine out of ten because there is always a little bit of room for improvement, but normally, they follow up really nicely. As opposed to others, where you mostly hear good product, bad support, in this case, it's good product, good support. That's something to keep in mind.

Positive

We had a SIEM solution that was mainly focused on event-based logging, not necessarily on the network part. We were looking at more of a network IDS solution, and that's where Vectra came in. We wanted something that was easy to use as we didn't want too much platform maintenance. We wanted something to plug into the box and make it work. At first, we didn't believe that we would be able to find something like that after we had seen Darktrace, their biggest competitor, but in the end, Vectra was a perfect fit for us because it made it very easy to insert it into our branch offices as well.

We started from scratch. Three years ago, it was harder to start with than nowadays because back then, it was still in the beginning. The Belgian team that helped us with it also didn't have the experience at that time, whereas now, it's definitely not hard to set up. It's just a matter of knowing the right things, but the support portal really helps. There's good documentation on the setup as well.

From a security perspective, it's always hard to find a return on investment. If you look from the risk mitigation perspective and what's the worst that can happen, if we can stop attacks sooner, it would result in lesser costs on remediation afterward because we were fast on the initial attack.

From a licensing perspective, the Vectra detect platform is pretty doable. Also, the hardware prices are nothing that we're not used to. The stream part is a little overpriced compared to the detect part. The reason is that you need to stream data to detect events anyway, so the data is in there. The only thing that's not available is the UI to be able to look at the stream data, which is also on the appliances but is just not activated. That's mainly the thing that we want to improve on.

We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.

At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.

I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.

Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.

What I like best about Vectra AI is that it alerts you about suspicious activities.

An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.

Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.

I've been using Vectra AI for two years now.

Vectra AI is a stable tool.

Vectra AI is a scalable tool.

My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.

The technical support is excellent, so my rating is five out of five.

The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.

We implemented Vectra AI together with their technical support team.

My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.

I'm the admin of Vectra AI, a tool implemented in my company.

The tool was updated three or four months ago, but I'm unsure if I have the latest release.

My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.

I'd recommend Vectra AI to others looking for an NDR solution.

Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.