Vectra AI Reviews

Our company is in the retail arena, and we have stores, warehouses, and a data center. Right now, we're using Vectra AI in our offices and the data center. The major issue we had was that we were completely blind inside our data center in terms of seeing what traffic we had. Our main focus with Vectra AI was to see what's happening inside the data center through virtual sensors.

We're going to expand it to include our stores because the franchisees requested that we monitor the networks in all of the stores. Every shop in our company is a franchise, and they can do whatever they want to in their shops. We won't have any idea as to what's on the network in the shops. By using Vectra AI, we will have visibility into the network.

We have started the proof of concept for our warehouses as well.

We discovered a lot of things in our network and are correcting several misconfigurations. We are learning how some apps work together and how some things shouldn't happen. It's also easier for us to identify the source of a brute force, whereas before, we didn't even know we had a brute force.

The platform is well-designed around the quadrant. We know quickly how to investigate, and the detections are clear. I like Vectra AI's integration with Active Directory and the fact that it's easy to take in hand.

We have had a few issues with the integration of Vectra AI with EDR. Some filters have not been working. We've also had issues with the brain not being powerful enough.

In the next release, I would like to see more triage choices. From my point of view, Vectra is missing a lot of choices. This is an area that they could focus on.

Vectra is also moving to a full cloud model, and I am not sure if going full cloud and leaving the on-premises environment is the way to go. We are not sure whether we'll move to the cloud with Vectra because it's hosted by AWS, which is one of our competitors. We don't like to work with anything that works on AWS.

We did a proof of concept two years ago and then deployed it in March, 2022.

We've had issues with stability. Vectra said that they underestimated the power we needed on our brain as it's very slow. We have delays that can be up to 40 seconds. We also had a hard drive that died. In one year, we've experienced three major issues.

We have different types of deployment that impact scalability a lot. The good part is that if we want to see everything that gets into the data center, we only need a single sensor in the data center. However, if we want to go in-depth in every store, then it will be a long process because we'll have to deploy thousands of sensors.

Right now, our license is for 10,000 IPs, and we hope to increase it to 110,000. If we deploy Vectra AI in the warehouse as well, we will need 25,000 extra. When we upgrade the brain server, Vectra AI should be able to scale accordingly.

When I contacted technical support, they usually take control of my laptop for an hour or more, and I can't do anything during that time. They do not explain anything and mute themselves for an hour or more. I don't know what they're doing or if they're even working on the issue.

However, they have been proactive because they know we have issues with our brain. If I have a bug, I've noticed that they usually respond quickly.

Thus, on a scale from one to ten, I would rate technical support at six.

Neutral

I've done four deployments in total, and Vectra AI is easy to deploy. On the admin interface, it's also easy to set up the integration with EDR.

It is an expensive solution, but it's not the most expensive we've seen. We also know how much we're going to pay, unlike with some other providers where all of a sudden our license explodes.

We will probably need to deploy over a thousand physical sensors. This means that the cost will automatically go up to millions. They do not sell the smallest sensors that they had in the past, which we would be glad to have right now.

We looked at ExtraHop, a VMware NDR solution, Carbon Black, and a solution from a French organization.

Carbon Black is oriented around VMware products. As such, it would have been okay for the data center, but we would have had to upgrade the entire physical infrastructure inside the data center. It would have been very expensive, and thus, we eliminated Carbon Black. The French competitor was eliminated because the solution was a few years behind.

We then talked with Vectra AI and were happy with what they offered us. We spoke with other companies that use it and found out that they were happy with it. Thus, Vectra AI got the opportunity to do the proof of concept.

Overall, I would rate Vectra AI an eight out of ten.

The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.

With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.

It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.

And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.

For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.

That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.

The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?

We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.

The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well. We've had numerous red team and penetration exercises and, at the initial stage, when the recon is happening and credentials are used and lateral movement is attempted, our existing tools don't pick it up because it has not yet been "transformed" into something malicious. But Vectra, at that stage, picks it up 80 to 90 percent of the time. That has been one of the biggest benefits because it picks up what other things don't see, and it picks them up at the beginning when attackers are trying to do something rather than when the damage is already done.

The ability to roll up numerous alerts to create a single incident or campaign for investigation takes a bit of effort in the beginning because you'll always have misconfigurations, such as wrong passwords, that could trigger brute force and SMB-types of alerts. And you'll have genuine behaviors in your environment that tend to be suspicious, such as vulnerability assessment and scanning tools, that are not noise, per se. Even if they're non-malicious, it always tends to point to events like misconfigurations and security tools. It's been very useful in that sense, in that, once we do the initial triaging, indicating that this is a security tool, or that is a misconfiguration we need to correct, it reduces the noise quite significantly. We don't get more than 10 to 20 events, maximum, generated per day.

Vectra shows what it does in terms of noise reduction, and we can see that it is down to only 1 percent, and sometimes even less than 1 percent, of what actually requires a person to act on.

It becomes quite easy for a SOC analyst to handle things without being overburdened. And, obviously, it's at the initial stage because it picks things up before the damage happens. It's not the kind of prevention tool that has signatures and that only tells you something bad has already happened. It tells you that something is not right or is suspicious. It says there is a behavior that we have not seen before, and it has always been effective in the red team exercises that we periodically conduct.

Also, we have privileged account management, but we don't have a separate analytics tool. Still, Vectra also picks that up. This is also something that has come up during red team exercises. If there's an account that is executing an escalated privilege or running a service that it normally doesn't run, it gets flagged. It tells us about lateral movements and privilege escalations; things that constitute non-standard usage. It's quite effective at catching these. I have yet to see a red team exercise that doesn't generate any alerts in Vectra. We see a jump, and it's very easy to identify the account and the system that is the source.

It also triages threats and correlates them with the compromised host devices, because it maps both ways. It maps the host, the account, and the detection, and vice versa. You can also go to the detection and see how many affected hosts there are. In addition, if there's a particular detection, is there an existing campaign? How many hosts are also doing the same thing? These are the kinds of visibility the tool provides.

The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful. They are very generic and broad. That's one main area that I keep telling Vectra they need to improve. 

Also, whenever there's a software upgrade and new detections are introduced and the intelligence improves, there is a short period at the beginning where there's a lot of noise. Suddenly, you will get a burst of detections because it's a new detection. It's a new type of intelligence they've introduced and it takes some time to learn. We get worried and we always check whether an upgrade has happened. Then we say, "Okay, that must be the reason." I would like to see an improvement wherein, whenever they do an upgrade, that transition is a bit smoother. It doesn't happen all the time, but sometimes an upgrade triggers noise for some time until it settles down.

We've been using the Vectra AI for over three years.

In the beginning, there is a struggle to fine-tune it because it will generate noise for the reasons I mentioned. But once that learning phase is complete, it's quite reliable. We have been using the hardware for more than three years and there have been no failures or RMAs

Upgrades happen automatically. We have never gone into the appliance to do an upgrade, even though it's on-prem. It all happens automatically and seamlessly in the background. 

Initially, we had some problems with the Recall connection to the cloud, to establish the storage connectivity. But again, these kinds of things are at the beginning. After that, it is quite stable. We've not had any problems.

Scalability for the cloud solution is straightforward. For the on-prem solution, you need to take care of the capacity and the function itself, because the capacity of the same hardware varies, depending on what you use it for. From a capacity point of view, there is some effort required in the design.

Looking forward to the future, the tool integrates with more and more solutions outside of its existing intelligence. It's not something that we have yet embarked on, but that's an interesting area in which we would like to invest some time.

The cloud solution is something that has limited visibility because PaaS and SaaS in the cloud are always a challenge in terms of cyber security. And in the future, even though we have taken the Vectra SaaS for O365, they're also coming up with a PaaS visibility tool. It is currently under testing, and we are one of the users that have been chosen to participate in the beta testing of that. That's another thing in the future that would add a lot of value in terms of visibility.

Currently, we have about 8,000 users.

The support is directly from the device or we get a response via email. The response is okay. Because the product is stable, we have not been in a situation where we urgently needed something and we wanted support right now. We have never tested that kind of fast response. They take some time to respond, but whenever we have requested something, it has not been urgent. 

We do get a response and issues always get resolved. We haven't had any lingering issues. They have all been closed.

Positive

We did not have any tools in the same league. We had security tools, but not with anomaly detection as part of the feature set.

Cognito Detect is on-prem and Cognito Recall is in the cloud, as is the O365 and Azure AD protection.

The cloud setup is extremely simple. The on-prem takes some effort. There is the sizing, depending on what model. The throughput varies. Those kinds of on-prem design considerations create a bit of complexity in the beginning, but the cloud is straightforward. All it needs is the requisite access to the tenant. Once it gets that, it starts its work. 

In the beginning, there is some effort in fine-tuning things, but that comes as part of the package with the solution. They have a success manager and tech analyst assigned to support you in the beginning. Once that is done, the product is very stable.

For us, there were an initial four to eight weeks of triaging and clearing the noise, in terms of misconfiguration issues or known security tools. After that time, we started seeing value.

We only used the people from Vectra.

Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly. They are above average when it comes to price. They're not very economical but it's for a good reason. As long as we get quality, we are okay with paying the extra amount.

We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.

The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.

My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.

We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.

In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.

We have one SOC but it's based overseas. It's an offsite managed service and it covers the gambit of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.

Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.

We use it as an intrusion detection system to monitor traffic that's going on within our network.

There was an event that happened before I started here, a ransomware event, and Vectra AI was able to quickly detect and alert on the activity. That greatly reduced the time it took for the company to respond to the incident.

Cognito provides visibility into behaviors across the full life cycle of an attack in the network, beyond just the internet gateway. By detecting everything before the internet gateway, it's able to get a fuller picture of what was going on before the target left the network. It greatly increases our ability to investigate events that occur.

The Vectra product also triages threats and correlates them with compromised host devices. As a result, it helps to reduce the time to respond to incidents.

In addition, it does a really good job of bringing the higher-level alerts to our attention while not bombarding us with alerts on lower-level activities that, I find, we don't usually need to investigate. When I first started using it I was investigating everything and I quickly learned the low-level threats, as shown by their scores, were low for a reason and they really didn't need to be looked at too closely.

I would estimate it has reduced our security analyst workload by around 30 to 40 percent. It has increased our security efficiency and has also reduced the time it takes us to respond to attacks by about 50 percent.

One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.

It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.

It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability.

I would also like to see more documentation or user guides about using the product.

I've been using Vectra AI for a little over one year, but it was in place at our location before I started working here.

We haven't had any issues other than one power supply failure, but there was a backup power supply and they sent the replacement quickly. Other than that, I haven't seen any issues with stability of the product.

I haven't had any experience in scaling it out beyond what was set up before I started here.

We have about 1,600 employees on site, but I'm not sure how many devices that equates to. Each person has one or more devices. We're scaled out about as far as we can go.

I'm the only person using it directly in our company, as an IT security engineer II.

They have very good tech support.

Our company definitely saw return on investment when it had the ransomware attack. They were able to stop it quickly. That was definitely a huge savings. Otherise, the company was going to have to shut down production.

I don't really have anything to compare it to, but I would assume the pricing is fair.

I believe they are licensing current devices or hosts. When I was last talking to a rep, we were having to go through a true-up process, but that hasn't started yet.

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

We started with it as a replacement for the functionality we had in our SIEM solution. We mainly wanted a detection metric and something that was smart enough to detect some of the more complex attacks because we can have flow data and do nothing with it. We wanted to have some strong alerting capabilities on that. We were looking to get a detailed attack and AI perspective on it. We didn't want something that only sees something as malicious and can alert on it but also detect things that are a little bit out of the ordinary, which was something we could get with this.

It has definitely improved our mean time to identify. In some specific cases, it's making it a lot easier because the enrichment features do help in getting a more detailed view of what's going on. For example, if we see a certain connection or something that's potentially a command and control channel, we can look at who logged in last and what other processes are there. We also have a connection to our SIEM solution, so we can check what's going on there as well. So, it really helps, but it's hard to measure the time savings because we previously didn't have a solution that had the same capabilities as Vectra AI.

It has definitely had an impact on our productivity. Previously, we did have some issues with getting a more detailed view of the network because we could only do it through event-based logs from the network devices, such as firewalls and switches that were providing us with additional information. Now, because it's more detailed and also across the branch offices—which was a big point for us—we do have a more efficient structure. We don't need to do that much additional effort to get to the root cause of problems, which was an issue before.

One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things. For example, there were about 200 SSH connections within a night. They had seen the traffic, but they couldn't relate it to anything specifically, whereas because we saw it, we knew that it was one of our main Unix machines. We knew it was doing some kind of backup at that time. We then went to talk to the system engineer, and he could confirm that he was using a badly written script that was doing 200 connections instead of just one and sending all 200 files across it.

It's well-built, so it does its thing as a Threat Detection and Response platform for detecting and responding to threats and attacks in real-time. We use the detections that come out of Vectra, and we send them over to our SIEM solution. Especially when it comes to high alerts or alerts with high certainty and high impact, we look at them immediately, and then someone also goes through it every day to clean up. If there are certain things that we need to check, we will check them anyway. Anything that's lower on the priority list is taken care of later in the day.

One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not. I understand that not everything can be implemented in the product, but if everyone presses the plus one button, then you know that there's a need for it. 

There is the concept of groups within Vectra. You have IP groups, host groups, and domain groups. Wild cards would be very handy there, or side ranges would be a good one to start with. One of the big things that some of our operational people complain about is that if it's an IP and it has reverse look-ups, why do they need to make two groups—an IP group and a hostname group—just to get the same feature set?

It has been almost three years, so it has been a while.

We haven't had any issues. It's very stable, so no problem.

Their support is pretty good. They follow up fast. It's not like most other support centers we've seen in the past. They are really focused on getting us faster input.

I'd rate them a nine out of ten because there is always a little bit of room for improvement, but normally, they follow up really nicely. As opposed to others, where you mostly hear good product, bad support, in this case, it's good product, good support. That's something to keep in mind.

Positive

We had a SIEM solution that was mainly focused on event-based logging, not necessarily on the network part. We were looking at more of a network IDS solution, and that's where Vectra came in. We wanted something that was easy to use as we didn't want too much platform maintenance. We wanted something to plug into the box and make it work. At first, we didn't believe that we would be able to find something like that after we had seen Darktrace, their biggest competitor, but in the end, Vectra was a perfect fit for us because it made it very easy to insert it into our branch offices as well.

We started from scratch. Three years ago, it was harder to start with than nowadays because back then, it was still in the beginning. The Belgian team that helped us with it also didn't have the experience at that time, whereas now, it's definitely not hard to set up. It's just a matter of knowing the right things, but the support portal really helps. There's good documentation on the setup as well.

From a security perspective, it's always hard to find a return on investment. If you look from the risk mitigation perspective and what's the worst that can happen, if we can stop attacks sooner, it would result in lesser costs on remediation afterward because we were fast on the initial attack.

From a licensing perspective, the Vectra detect platform is pretty doable. Also, the hardware prices are nothing that we're not used to. The stream part is a little overpriced compared to the detect part. The reason is that you need to stream data to detect events anyway, so the data is in there. The only thing that's not available is the UI to be able to look at the stream data, which is also on the appliances but is just not activated. That's mainly the thing that we want to improve on.

We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.

At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.

I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.

Our primary use case for this solution is network traffic analysis. 

When we initially launched the solution, it gave us more detection compared to what we had before, but we needed more details in the field. However, once we added the Cognito feature, Vectra AI became an important solution in our environment. We now use it as a complete cybersecurity platform for detection, analysis, and referring security alerts. Vectra AI is the best. It is a major product in our cybersecurity.

The Vectra AI feature I find the most valuable is Cognito. It just gives us so much detail about the malware putting our environment in danger. 

The solution needs to become more proactive. When Vectra AI is the primary solution in an environment - like it is in our case - we must work on response time. We have a small team so response time at the endpoint level is vital. At the network level, response time actually works with Vectra AI.

We have been using Vectra for three years. This is the third year that it has been in our environment and we really want to continue with the solution.

Vectra AI's tech support is very good. Like I said, we had a rough start with the solution because we did not have the necessary experience in year one. However, whenever we needed it, Vectra's tech support came through to help us out. They gave us the details we needed and always responded to our questions. We also received online training from them. We had an excellent experience with them. 

Positive

I was not involved in the initial deployment. I'm on the team in charge of monitoring our environment. 

We deployed the solution in our environment through a partner firm called IT Security. 

We have seen a return on investment. 

I think the pricing structure is good compared to other products. The price is not too high and it's not too low. It is perfect. 

When we initially deployed Vectra, I was not working on it very much because I did not have very much experience with it. At that time, I was not happy with Vectra and was mainly using other solutions, like Splunk. However, as we learned more about how to use Vectra more effectively, we added additional features and made greater use of the dashboard. In year two, we started seeing Vectra as a tool for analyzing our network traffic. Right now, I think it is a good solution. 

We use Cognito.

The biggest challenge we face in protecting the organization against cyber attacks is mean time to detection, operating from a position of an assumed breach. Then being able to detect breaches or malicious traffic within the environment as quickly as possible to reduce dwell time.

We have a small environment with only 300 users. It's very technically focused given the market that we operate in. There are two data centers, four offices, a small IT and security team. Cognito allows us to make the best investment for the most return, given we don't have dedicated SOC analysts looking at a SIEM environment.

Cognito is highly successful in detecting red team engagements and giving clear broad-level assurance and confidence in the product.

It captures network metadata at scale and enriches it with security information. The add-on of Recall is an invaluable investigation tool. It's able to look back and triage incidents.

We have been enabled to do things now that we could not do before: 

• There is more detailed visibility into network behavior. 
• We have the ability to pull out anomalies. 
• The high-fidelity alerts allow our team to focus on what's important.

The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.

Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.

Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into your attack chain.

We use privileged account analytics for detecting issues with privileged accounts.

Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.

I have been using Vectra AI for three years. 

Their stability is bulletproof. 

We're using it across our entire estate, so we don't have plans to increase usage. It's been adopted 100%. 

Their support is excellent. They're very responsive. Exactly as you would hope for from a vendor, which is rare.

Vectra AI displaced an EOL North South solution.

The initial setup was very straightforward. 

We had appliances in each physical data center. It took three or four days to see results.

Deployment time is equivalent to other solutions we have tried. The learning curve and speed of efficiencies are higher coming from Vectra.

We deployed it with the assistance of Vectra. Our experience with them was exceptional. The engineers knew the product. Vectra is extremely responsive to assisting with technical issues. It was a very good experience.

It's hard to scientifically quantify ROI but I would say we have seen ROI, certainly from the risk and threat perspective.

After we deployed the solution it instantly began to add value to our security operations.

Pricing is comfortable. I have no issues with the pricing structure at the moment.

There are no additional costs that I'm aware of unless you layer on MSP, additional soft services, or professional services. But for the solution itself, I don't believe there are.

We looked at Darktrace. 

I think the solution would help the network, cybersecurity, and risk reduction efforts in the future if we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.

Two security senior analysts work on this solution.

My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.

I would rate Vectra AI Cognito a nine out of ten. 

The Detect platform that we have is on-prem. We have what's called "the brain", then we have sensors placed in different key/strategic areas in the organization. It is helping us do a lot of the monitoring. We also have some SaaS offerings from the Recall platform, which look at some of the metadata, etc. If we were doing things like incident response, it gives us a bit more granular type of information to query. However, the Cognito Detect platform is all on-prem.

We are using the latest version.

We had a gap where we didn't necessarily have a managed service, which we do today, but at the time we needed something that would help us detect malicious behavior and anomalies within the organization. We found that Vectra solved this. We were able to find issues within minutes or hours of them occurring, then we were able to action them rather quickly.

Some of the metrics that we try to show from an incident response perspective are the effectiveness of our controls, like mean time to detection and mean time to remediate. E.g., mean time to detection shows how quickly the organization detects it from when it first occurred, then determines the remediation aspect as well. We take those numbers and correlate them back to how effective our tools are in our organization. Vectra's really helped in the sense that our mean time to detect is within zero the majority of the time, meaning that from the time we detect it to the time it occurred is within zero days. This promotes how effective our controls are.

When we get an alert, we're not wasting hours or so trying to determine if, "I need to find more logs. I need to correlate the data." We're getting actionable data that we are able to action on right away. I have found value in that.

We can find things quickly that users shouldn't have been doing in the organization. Simple things, e.g., all of a sudden we have a user whose exfiltrating a lot of gigs of data. Why are they doing that? We found value there. My very small team does not have to waste cycles on investigating issues when we get a good sense of exactly what is occurring fairly quickly.

We have the solution’s Privileged Account Analytics. We have seen detection on certain cases, and it's been good. It actually is a good feature. We already have an organizational approach to privileged accounts, so we have seen a few detections on it but haven't necessarily seen abuse of privilege because of the way our organization handles privilege management. We are an organization where users don't run with privilege. Instead, everybody runs with their basic user account access. Only those that need it have privileges, like our IT administrators and a few others, and those people are very few and far between. 

If we are investigating something, we may be investigating user behavior. Using the metadata, we can find exactly, "What are all the sites he's going to? Is he exfiltrating any information? Internally, is he trying to pivot from asset to asset or within network elements?' Using that rich set of information, we can find pretty much anything we need now. 

The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway. It augments what we are doing within the organization now. Being able to discover/find everything that is occurring within the kill chain helps us dive down to find the root of the problem. It's been beneficial to us because that's a gap we've always had in the past. While we may have gotten an alert in a certain area, trying to find exactly where it originated from or how it originated was difficult. Now, by utilizing the information that Vectra produces, we can find exactly what the root cause is, which helps with discovering exactly how it originated in the first place.

With a lot of the detections or things that are happening, I would not say they're necessarily malicious. Where I find it very valuable is that it gives us an opportunity to understand exactly how users are sometimes operating as well as how systems are operating. In a lot of cases, we have had to go back and reconfigure things because, "Oh, this was not done." We realized that maybe systems were not setup correctly. I really liked this aspect of the solution because we don't like false positives. We don't want Vectra to produce things that are just noise, which is something that it doesn't do. 

Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day.

It gives you a risk score of everything that you just found. The quadrant approach is useful because if there are things in the lower-left quadrant, then we don't necessarily need to look at them immediately. However, if there's something with a high impact and high risk score, then we will want to start looking at that right away. We found this very valuable as part of our investigative analysis approach.

The solution’s ability to reduce alerts by rolling up numerous alerts to create a single campaign for investigation is very good. Once it starts adding multiple detections, those are correlated to a campaign. Then, all of a sudden, this will increase the risk score. I've found that approach helps us with understanding exactly what we need to prioritize. I find it very useful.

The amount of metadata that the Recall solution produces is enormous. What we can find from that metadata is exceptional. Once you get to know how to use the tool, it's much simpler and more intuitive to use when finding information than using a traditional SIEM, where you have to build SQL type commands in order to retrieve data. So, I do find it very valuable.

I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable. 

I would like to see some improvements on the integration aspects of it. They are getting better in this. However, most organizations have a plethora of cybersecurity solutions that they run, and I think that there is a bit more that could be done on the integration side. 

About four years.

The stability is good. I don't think we've ever had an issue with it at all. I don't think I've ever seen it misbehave, crash, or anything like that.

It is continuously updated. Whenever they release a new patch or updates, they push it to the brain (the centralized management).

We have never seen an issue from a scaling perspective. It is not an issue for us.

We have a team of less than four people. We don't really have a Tier 1 or Tier 2. We just have people working in cyber.

There are areas where we would like to increase our capabilities. We have 100 percent visibility for anything leaving the organization. There are some areas within the organization where we would like to monitor some of the internal workings. One of the places where we are looking to expand is into our OT segment. We do have a path for where we would like to see this go.

They are very competent and good. They are always able to solve problems.

A few years ago when we were looking at this, we had a gap in the organization. We didn't have like a managed service offering. We had an on-prem SIEM, but we didn't have a large team so we didn't have resources fully dedicated to looking to see threats and correlating them with other event logs to see exactly what was occurring. The reason that we didn't have a managed server previously was cost. Therefore, we looked for alternative ways to solve the gap, lower the resource count, and be able to automate and integrate within our enterprise solutions.

It was pretty straightforward. You can plug the appliances in, whether it is into a switch, router, or some other demarc point from a SPAN port, then you let it learn. That is it. There's nothing really you have to do.

Our deployment took days at most. Once you configure it, you just let the system learn. Usually, within a week, it starts to detect things. For it to be effective, it needs to know what the known baseline is.

You plug it in, let it learn, and it's up and running.

We saw ROI within the first six month due to the reduced impact on our staff and we have been deploying it for years. 

Vectra has absolutely reduced security analyst workload in our organization. This was the real thing that we were trying to find: How can we do this? With a small team, it is very hard. We have a small team with a large stock of solutions. Therefore, we were looking for the best way to reduce the amount of manual effort that's required for an individual. We've found Vectra has significantly reduced the workload by probably 200 percent for our staff.

We looked at NextGen traffic analysis type of solutions, like Darktrace. Then, we looked at Vectra. I found Vectra was a bit more intuitive. I think both products had some really good offerings. What really helped us make a decision was we were trying to find things that help us produce actionable items. I liked Vectra because the one thing it was trying to do is it was show you exactly what is happening in the kill chain. The whole premise behind it was, "These are things that are actually occurring in your network, and they're following a specific pattern." I really liked it because in my view it was very actionable and automated.

I don't want to have to spend cycles on things on unnecessary things. One thing I found with Darktrace was it produces a lot of good things, but it's too much in certain cases. Whereas, I like the way Vectra tells you exactly the things that are happening right now in your network, then groups it based on exactly what the type is, providing you a risk score.

Also, it did seem like it was like a resource built into a box with AI capabilities. I found that the amount of effort we have to spend on analysis from it is a low cost to us. Vectra just fit in well with my team mandate.

I found Darktrace was a bit more noisier than Vectra. Sometimes, when you deal with products like this, the noise is time and effort that you may not necessarily have.

Once we started to do the PoCs, we ran Vectra in certain use cases with the sense of, "Okay, let us know exactly what's kind of going on within the network." What we found in a lot of cases is, and these weren't just cybersecurity incidents that were occurring, and Vectra gave us a good sense of how a lot of our solutions were operating. We ended up finding out, "This is exactly what this solution may be doing. Maybe there is a misconfiguration here or there."

There was no complexity with Vectra; it is very simplistic. However, for the tool to be effective, you want to make sure that you place your sensors in appropriate places. Other than that, you let the tool run and do its thing. There's really no overhead.

I would probably rate it as a nine or 10 (out of 10). We have been extremely happy with the solution. It's been one of the best solutions we have in our enterprise. I would put it at the top of the list.

Our primary focus lies in identifying weaknesses to address customer concerns regarding visibility into network operations. This is especially crucial due to the presence of various managed devices within the network. Detecting and managing these devices and enhancing visibility is done by Vectra AI. It also has the capability to detect potential threats and correlate diverse events that occur on the network. Hackers often target systems from different domains, requiring cross-domain correlation. Net NDR solutions, particularly Vectra, excel in fulfilling these needs using AI-driven algorithms. Over time, these algorithms learn from the data, aiding in automatic post-event analysis. 

Within Vectra, multiple models exist, including an AI model which is very important. Vectra is very compatible with various cloud providers, such as Amazon and Azure AD. This is helpful as customers often migrate their network infrastructure to the cloud. 

Additionally, Vectra provides managed detections and responses, enhancing a company's network detection capabilities. The platform also has attack signal intelligence to identify attackers based on their tactics and techniques, preventing them from compromising critical network devices. So it acts as a detection platform, essential for halting potential threats, including clouds like Amazon and Microsoft 365. 

We offer two solutions, Vectra and ExtraHop in the Qatar market. However, ExtraHop has better features that seem more advantageous when compared to Vectra. During demos, I encountered challenges with Vectra when demonstrating its capabilities, such as dealing with expired SSL certificates. Vectra AI is capable but ExtraHop is able to provide comprehensive insights and easier data querying. It excels in data query capabilities which is helpful for customers to access and manipulate their data effortlessly. This is where Vectra needs to enhance its capabilities. Customer support and handling high network traffic are additional areas that it needs to work on. There should be more flexible options to handle customers’ needs. Also, customers desire performance enhancements and integration capabilities with a single solution and cyber security. 

I have been using Vectra AI for two years. 

I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten.

We have a strong local presence and support in this market, and our company's origins in Turkey also contribute to robust local assistance. While comprehensive support is provided during major incidents and upgrades, we excel in offering immediate assistance for failover situations and downtime prevention. The team is highly specialized in cyber security and SOC technologies. We are quite strong and are able to help ourselves in the field of technical support.

Positive

The initial setup is straightforward. I would rate the setup an eight out of ten.

In the case of deployment, 70% of the public prefers the public cloud while the rest prefer private. These are the only two forms of deployment.

The initial deployment should ideally be completed within two weeks. However, due to the need for fine-tuning, false positive elimination, and deriving enhanced value, an extended period of around two months is necessary. This allows users to cover all the potential threats and risks, ensuring comprehensive coverage

The solution is low-cost and affordable. 

Vectra faces robust competition, but it substantiates its abilities. Depending on client needs, it can easily work with other IT solutions. Yet, for pure network detection and response, Vectra excels, particularly for enterprises demanding very good solutions. It offers superior detection coverage for heightened security. It has an encryption-based approach, enabling threat detection without decrypting any data. Moreover, Vectra stands out with its broad integration capabilities with third-party tools and I personally find it a successful feature.

Overall, I would rate Vectra AI an eight out of ten.