I'm a SOC analyst, and I use Vectra AI to detect and respond to security incidents. My team manages the critical detections, and another team takes the low-priority detections. They also use Vectra to hunt for the system root.
Security Analyst at a computer software company with 1,001-5,000 employees
Is intuitive, stable, and shows misconfigurations related to compliance
Pros and Cons
- "Some valuable features of Vectra AI are that it is very intuitive and that there are only a small number of false positives. Therefore, it's an effective solution."
- "We have a lot of system solutions and integrations with system solutions. Vectra is a type of black box. It implements AI-informed detection mechanisms, but we cannot create system detections. I understand that the product is designed this way, but it would be great if we could create our own detections as well."
What is our primary use case?
What is most valuable?
We use the Threat Detection and Response platform, and it's quite good at detecting and responding to threats and attacks in real-time. I really like the UI experience because it's simple to use, and we get quite a lot of information very quickly.
Some valuable features of Vectra AI are that it is very intuitive and that there are only a small number of false positives. Therefore, it's an effective solution.
Another benefit that is unrelated to security is that it allows us to see misconfigurations or things that should not be happening in terms of compliance.
As SOCs, we concentrate on the OS side, and with Vectra AI, we can now see the network from an endpoint point of view. It gives us new alerts and does bring some work because we now have more visibility. However, it's opening up a wide range of things for us.
What needs improvement?
We have a lot of system solutions and integrations with system solutions. Vectra is a type of black box. It implements AI-informed detection mechanisms, but we cannot create system detections. I understand that the product is designed this way, but it would be great if we could create our own detections as well.
For how long have I used the solution?
I've been using this solution for six months.
Buyer's Guide
Vectra AI
February 2026
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,371 professionals have used our research since 2012.
What do I think about the stability of the solution?
From my point of view, Vectra AI's stability has been quite good. We have never had any issues.
What other advice do I have?
On a scale from one to ten, I would give Vectra AI an overall rating of eight.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at a comms service provider with 501-1,000 employees
Clean UI with great performance and has fewer false positives than some competitors
Pros and Cons
- "Vectra AI helped our team be more productive and save time. We have less work thanks to it."
- "One of the things I am not so happy about when it comes to Vectra is the scoring board."
What is our primary use case?
Our primary use cases for this solution are detection and then investigation afterward.
How has it helped my organization?
Vectra AI helped our team be more productive and save time. We have less work thanks to it.
We have not had any real threats so far.
Vectra AI helped improve our mean time to identify.
What needs improvement?
One of the things I am not so happy about when it comes to Vectra is the scoring board.
In Darktrace, you can point or click on any client and see any connections that have been made directly in the dashboard. You don't have to go to Recall. This is likely why Darktrace isn't as fast as Vectra, but it would still be nice to see this feature in Vectra. In addition, Darktrace has an advanced mode, but you are also able to see it directly in the main dashboard. This would be great to see in Vectra as well.
For how long have I used the solution?
We started implementing the tool around November. It is a step-by-step process for us because we have several locations and my team was not implementing it independently. We have another team that has to drive to the location. We finished the last location in mid-January.
What do I think about the stability of the solution?
Vectra AI is a stable solution. It works.
What do I think about the scalability of the solution?
Vectra AI's scalability is fine. We have a brain, we have a lot of centers, and the solution is easy to implement. Everything works.
How are customer service and support?
The tech support is great. Whenever we had a problem, we got an answer immediately. This helps with having a general feeling that everything works in a solution.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used a different tool, Darktrace. We used it for four years. The management told us to look for other tools. This was after we switched our main network hardware. We contacted Vectra and took the next step. We were just comparing different tools when we decided to go with Vectra. There were many different tools that were similar but we ultimately chose Vectra. Compared to Darktrace, Vectra's UI is much cleaner, there is less noise, and the performance is way better in the graphical interface. We get much fewer false positives. We also have to put less work into this tool, which is great for companies with small teams.
How was the initial setup?
I was involved in the deployment from start to finish. It was fairly straightforward. The support we received was very good. When we had questions, they were answered immediately by the support engineer assigned to us.
What was our ROI?
I can't speak to whether or not we have seen a return on investment with this solution because we have not had any real threats so far.
What's my experience with pricing, setup cost, and licensing?
As far as pricing goes, my only reference point is Darktrace. Their pricing is pretty even, which is a fair price.
What other advice do I have?
We have not yet tested the whole tool in a penetration test. However, I would nonetheless give it at least an eight out of ten, with one being the worst and ten being the best.
Right now, we have a good understanding of the UI and I know that there have been improvements to the visualization. The scoring redirects your focus to things that you should be looking at. The tool we used before Vectra was Darktrace. It was similar to where Vectra is heading now. With the scoring system, Vectra is a better solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Administrator at The National Commercial Bank
Gives alerts on suspicious activities; stable and scalable, with excellent technical support
Pros and Cons
- "What I like best about Vectra AI is that it alerts you about suspicious activities."
- "An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers. Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical."
What is our primary use case?
Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.
What is most valuable?
What I like best about Vectra AI is that it alerts you about suspicious activities.
What needs improvement?
An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.
Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.
For how long have I used the solution?
I've been using Vectra AI for two years now.
What do I think about the stability of the solution?
Vectra AI is a stable tool.
What do I think about the scalability of the solution?
Vectra AI is a scalable tool.
How are customer service and support?
My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.
The technical support is excellent, so my rating is five out of five.
How was the initial setup?
The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.
What about the implementation team?
We implemented Vectra AI together with their technical support team.
What's my experience with pricing, setup cost, and licensing?
My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.
What other advice do I have?
I'm the admin of Vectra AI, a tool implemented in my company.
The tool was updated three or four months ago, but I'm unsure if I have the latest release.
My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.
I'd recommend Vectra AI to others looking for an NDR solution.
Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Operational Security Manager at a financial services firm with 1,001-5,000 employees
Using Recall and Detect, we have been able to track down if users are trying to bypass proxies
Pros and Cons
- "The most valuable feature for Cognito Detect, the main solution, is that external IDSs create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away."
- "The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff."
- "Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM."
- "The main improvement I can see would be to integrate with more external solutions."
What is our primary use case?
Vectra was deployed to give us a view of what is happening on the user network. It helps us to check what is being done by users, if that is compliant with our policies, and if what they're doing is dangerous. It covers cyber security stuff, such as detecting bad proxies, malware infections, and using packet defense on strange behaviors, but it can also be used to help with the assessment of compliance and how my policies will apply.
We also use Vectra to administer servers and to access restricted networks.
There are on-prem modules, which are called Cognito Detect, the NDR/IDS solution, which captures traffic. We also have the SaaS data lake, and we also have the Cognito Detect for Office 365, which is a SaaS-type sensor within the O365 cloud.
How has it helped my organization?
If we didn't have Vectra and the Detect for Office 365, it would be very difficult to know if our Office 365 was compromised. We tried, in the past, to do it with a SIEM solution consuming Office 365 logs and it was really time-consuming. The Office 365 Detect solution has the exact same "mindset" as the Detect solution for networks. It's almost like we can deploy it in the fire-and-forget mode. You deploy the solution and everything is configured. You have all the relevant alerts out-of-the-box. If you want to, you could tweak, configure, contextualize, and rewrite the parser, because some things might be out of date, and customize the solution. For a big company with a large team it might be feasible, but for small companies, it's an absolute showstopper. The Detect for Office 365 gives us a lot of visibility and I'm very pleased with the tool.
We use three services from Vectra: Cognito Detect, Detect for Office 365, and Cognito Recall, and we are leveraging all these services within the SOC team to have proper assessments. We even use these tools to prepare the new use cases that we want to implement into our SIEM solution. Recall stores all the metadata that is brought up from Cognito Detect at a central point, data-lake style, with an Elastic stack and a Kibana interface available for everybody. Using this, we can try to see what the general steps are.
Without this, I would not have been able to have my SOC analyst do the job. Creating a data lake for cyber security would be too expensive and too time-consuming to develop, deploy, and maintain. But with this solution, I have a lot of insight into my network.
An additional thing that is very convenient with the Recall and Detect interfaces is that you can do use cases involving individuals in Recall and have them triggered in Detect. For example, we found ways to track down if users are trying to bypass proxies, which might be quite a mess in a network. We found a type of search within Recall and have it triggering alerts in Detect. As a result, things can be managed.
It's so efficient that I'm thinking about removing my SIEM solution from our organization. Ours is a small organization and having a SIEM solution is really time-consuming. It needs regular attention to properly maintain it, to keep it up and running, consume all the logs, etc. And the value that it's bringing is currently pretty low. If I have to reduce costs, I will cut costs on my SIEM solution, not on Vectra.
The solution also provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. It provides a lot of insight on how an attack might be coming. There are multiple phases of an attack that can be detected. And there is a new feature where it can even consume intelligence feeds from Vectra, and we can also push our own threat-intelligence feeds, although these have to be tested. The behavioral model of the Detect solution also covers major malware and CryptoLockers. I know it's working. We tested some cases and they showed properly in the tool. I'm quite reassured.
It triages threats and correlates them with compromised host devices. One of the convenient things about Detect is that it can be used by almost anybody. It's very clear. It's quite self-explanatory. It shows quadrants that state what is low-risk and what is high-risk. It is able to automatically pinpoint where to look. Every time we have had an internal pen test campaign, the old pen test workstation has popped up right away in the high-risk quadrant, in a matter of seconds. To filter out false positives it can also provide rules that state, "Okay, this is the standard behavior. This subnet or this workstation can do this type of thing." That means we can triage automatically. It also has some features which aren't so obvious, because they are hidden within the interface, to help you to define triage rules and lower the number of alerts. It looks at all your threat or alert landscapes, and says, "Okay, you have many alerts coming from these types of things, so this group of workstations is using this type of service. Consider defining a new, automated triage rule to reduce the number of alerts."
To give you numbers, with my SIEM I'm monitoring some IDS stuff within my network. Everything is concentrated within my SIEM. From my entire site, IDS is giving me about 5,000 more alerts than my Vectra solution. Of course it will depend on how it is configured and what types of alerts it is meant to detect, but Vectra is humanly manageable. You don't have to add something to make the triage manageable, using some time-consuming fine-tuning of the solution, requiring expertise. This is really a strong point with Vectra. You deploy it, and everything is automatically done and you have very few alerts.
Its ability to reduce false positives and help us focus on the highest-risk threats is quite amazing. I don't know how they made their behavioral or detection models, but they're very efficient. Each alert is scored with a probability and a criticality. Using this combination, it provides you insights on alerts and the risks related to alerts or to workstations. For example, a workstation that has a large number of low-criticality alerts might be pinpointed as a critical workstation to have a look at. In fact, in the previous pen test we launched, the guys were aware that the Vectra solution was deployed so they tried some less obvious tests, by not crawling all the domain controllers, and things like that. Because there were multiple, small alerts, workstations were pinpointed as being in the high-risk quadrant. This capability is honestly quite amazing.
And, of course, it has reduced the security analyst workload in our organization, on the one hand, but on the other it has increased it. It reduces the amount of attention analysts have to pay to things because they rely on the tool to do the job. We have confidence in its capability to detect and warn only on specific things of interest. But it also increases the workload because, as the tool is quite interesting to use, my guys tend to spend some time in Recall to check and fix things and to try to define new use cases. Previously, I had four analysts in my shop, and every one of them was monitoring everything that was happening on the network and in the company on a daily basis. Now, I have one analyst who is specialized in Vectra and who is using it more than the others. He is focusing on tweaking the rules and trying to find new detections. It brings us new opportunities, in fact. But it has really reduced the workload around NDS.
In addition, it has helped move work from our Tier 2 to our Tier 1 analysts. Previously, with my old IDS, all the detection had to be cross-checked multiple times before we knew if it was something really dangerous or if it was a false positive or a misconfiguration. Now, all the intelligence steps are done by the tool. It does happen that we sometimes see a false positive within the tool, but one well-trained analyst can handle the tool. I would say about 20 to 30 percent of work has moved from our Tier 2 to our Tier 1 analysts, at a global level. If I focus on only the network detections, by changing all my IDS to Vectra, the number is something like more than 90 percent.
It has increased our security efficiency. If I wanted to have the same type of coverage without Vectra, I would need to almost double the size of my team. We are a small company and my team has five guys in our SOC for monitoring and Tier 1 and Tier 2.
It reduces the time it takes for us to respond to attacks. It's quite difficult to say by how much. It depends on the detections and threat types. Previously, we had an antivirus that was warning us about malicious files that were deployed on a workstation within one year. Now, we can detect it within a few minutes, so the response time can be greatly enhanced. And the response time on a high-criticality incident would go from four hours to one hour.
What is most valuable?
The most valuable feature for Cognito Detect, the main solution, is that external IDSs create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away.
It's very efficient. It can correlate multiple sources of alerts and process them through specific modules. For example, it has some specific patterns to detect data exfiltration and it can pinpoint, in a single area, which stations have exfiltrated data, have gathered data, and from which server at which time frame and with which account. It indicates which server the data is sent to, which websites, and when. It's very effective at concentrating and consolidating all the information. If, at one point in time, multiple workstations are reaching some specific website and it seems to be suspicious, it can also create detection campaigns with all the linked assets. Within a single alert you can see all the things that are linked to the alert: the domains, the workstation involved, the IPs, the subnets, and whatever information you might need.
The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff.
We are still in the process of deploying the features of Detect for Office 365, but currently it helps us see mailboxes' configurations. For example, the boss of the company had his mailbox reconfigured by an employee who added some other people with the right to send emails on his behalf, and it was a misconfiguration. The solution was able to pinpoint it. Without it, we would never have been able to see that. The eDiscovery can track down all the accesses and it even helped us to open an incident at Microsoft because some discoveries were made by an employee that were not present in the eDiscovery console on the protection portal from Office 365. That was pinpointed by Vectra. After asking the user, he showed that he was doing some stuff without having the proper rights to do so. We were able to mitigate this bit of risk.
It also correlates behaviors in our network and data centers with behaviors we see in our cloud environment. When we first deployed Vectra, I wanted to cross-check the behavioral detection. After cross-checking everything, I saw that everything was quite relevant. On the behavioral side, the Office 365 module can alert us if an employee is trying to authenticate using non-standard authentication methods, such as validating an SMS as a second factor or authenticating on the VPN instead of the standard way. The behavioral model is quite efficient and quite well deployed.
What needs improvement?
Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM.
I am in contact with the Vectra team, if not weekly then on a monthly basis, to propose improvements. For the time being, the main improvement I can see would be to integrate with more external solutions. Since Vectra provides an API, that should be quite easy to handle. For example, we're using an open source ticketing system within our team and I want to have it handled properly by Vectra. We'll go forward on that with the API.
Another area for improvement that I have pinpointed is that the Office 365 solution and the Detect solution cannot match the same users. That means we have two "different worlds" currently: the world from Office 365, which is bringing alerts based on users' emails and email addresses, and the network world, which is bringing an Active Directory view. On the one hand we are seeing emails or email addresses, and on the other hand we are seeing things like logons to the domain controller. From time to time, it does not match and the tool cannot currently cross-check this info and consolidate everything. I would like to be able to see that detection related to one workstation and covering a user: what he is using, what services he is using, and what he did with his Office 365 and configuration. That would help.
Another major feature would be to have all logs pushed to Cognito Detect, and all these logs should be also pushed to Recall. Currently, within Recall, I can't call up the Office 365 detections and I would love to do so.
The last point would be an automated IoT threat feed consumption by the tool.
For how long have I used the solution?
I have been using Vectra for two years.
What do I think about the stability of the solution?
The stability is absolutely flawless. The last time it was rebooted was almost two years ago.
The only thing we have seen was some interruption in log feeding to the Recall instance, the SaaS solution. I had a quick call with a product manager in Europe and he was very keen to share information about this issue and willing to improve it.
So, within two years we have faced one stability incident. This incident lasted less than two hours and it was not on the monitoring solution but more on the data lake solution.
What do I think about the scalability of the solution?
The scalability is very good. From the financial perspective, we are not limited by the number of sensors. We can deploy as many virtual sensors as we want. The key factor is the IP addresses that are being monitored. In terms of technical scalability, we have one brain appliance, one very big sensor, and multiple virtual sensors, and I don't see any limits with this solution.
We are currently using all the things that it's possible to use in this solution. One thing I like with Vectra is that it's updated very frequently. Almost every month new features are popping up: new detections, new dashboards, new ways to handle things. That's quite good. I work with our SOC team so that they can use everything right away.
How are customer service and technical support?
The tech support is surprisingly good. We had questions, we faced some slight issues, and we always got very quick answers. Things are taken into account within a few minutes and answers usually come in less than two hours.
How was the initial setup?
To deploy Recall, which is the data lake in SaaS, or to deploy the Office 365 sensor, it was effortless. It was just a quick call and, within minutes, everything was set up.
It was set up the same way the solution is behaving. It's a turnkey solution. You deploy it and everything works. The configuration steps are minimal. It's exactly the same for the SaaS solution. You deploy the tool and you just have to accept and do very basic configuration. For Office 365, you have to grant rights for the sensors to be able to consume API logs and so on. You grant the rights and everything is properly set up. It's exactly the same for Recall. It was a matter of minutes, and not a matter of days and painful configurations.
In terms of maintenance it is very easy and takes no time. It's self-maintaining, aside from checking if backups have properly ended. And in terms of deployment, when we add a network segment, we have to work a bit to determine where to deploy the new sensors, but the deployment model is quite easy. The Vectra console is providing the OVA to provide a virtual sensor for deployment. It can also automate the deployment of the sensor if you link it with vCenter, which we have not done. But it's very easy. It's absolutely not time-consuming.
If I compare the deployment time to other solutions, it's way easier and way quicker. If I compare it to my standard IDS, in terms of deployment and coverage, it's twice or three times better.
What about the implementation team?
We were in contact with Vectra a lot at the beginning to plan the deployment, to check if everything was properly set up. But the solution is quite easy to set up. The next decisions we had were focused on how to enhance the solution: what seemed to be missing from the tool and what we needed for better efficiency.
The guys from Vectra were more providing guidance in terms of where the sensors needed to be deployed and that was about it.
We had a third-party integrator, Nomios, that provided the appliances, but they did not do anything aside from the delivery of appliances to our building. Our team took the hardware and racked it into the data center on its own. With just a basic PDF, we set up the tool within minutes. The integrator was quite unnecessary.
Nomios are nice guys, but we have deployed some other solutions with them and we were not so happy about the extra fees. We were not the only ones who were not happy about that. We tried to deploy the ForeScout products with Nomios and it was quite a mess. But they have helped us with other topics and they have been quite efficient with those. So they are good on some things and on other things they are not good.
What was our ROI?
It's ineffective to speak just about the cost of the solution, because all the solutions are costly. They are too costly if we are only looking at them from a cost perspective. But if I look at the value I can extract from every Euro that I spend on Vectra, and compare it to every Euro I spend on other solutions, the return on investment on Vectra is way better.
ROI is not measurable in my setup, but I can tell you that Vectra is way more cost-efficient than my other solution. The other solution is not expensive, but it's very time-consuming and the hardware on which it's running is quite expensive. If I look at the global picture, Vectra is three or four times more cost-efficient than my other solution.
What's my experience with pricing, setup cost, and licensing?
The pricing is very good. It's less expensive than many of the tools out there.
Which other solutions did I evaluate?
I evaluated Darktrace but it wasn't so good. Vectra's capabilities in pinpointing things of interest are way better. With Darktrace, it is like they put a skin of Kibana on some standard IDS stuff.
Vectra enables us to answer investigative questions that other solutions are unable to address. It provides an explanation of why it has detected something, every time, and always provides insights about these detections. That's very helpful. Within the tool, you always have small question marks that you click on and you have a whole explanation of everything that has been detected: why it has been detected and what the recommended course of action is. This approach is very helpful because I know that if I ask somebody new, within our team, to use Vectra, I don't have to spend months or days in training for him to be able to handle the solution properly. It's guided everywhere. It's very easy to use.
What other advice do I have?
Do not be afraid to link Vectra to the domain controller, because doing so can bring a lot of value. It can provide a lot of information. It gets everything from the domain controller and that is very efficient.
You don't need any specialized skills to deploy or use Vectra. It's very intuitive and it's very efficient.
We are in the process of deploying the solution’s Privileged Account Analytics for detecting issues with privileged accounts. We are using specific accounts to know whether they have reached some servers. It's quite easy with all these tools to check whether or not a given access to a server is a legitimate one or not.
We don't use the Power Automate functionality in our company, but I was very convinced by their demonstration, and an analyst in my team played with it a bit to check whether or not it was working properly. These are mostly advanced cases for companies that are using Office 365 in a mature manner, which is not the case for our company at the moment.
In our company, less than 10 people are using the Detect solution, and five or six people are using Recall. But we are also extracting reports that are provided to 15 to 20 people.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Cyber Specialist, Forensics at Richemont
Makes it much easier for us, as analysts, to engage with and visualize incidents, increasing our efficiency
Pros and Cons
- "It gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution..."
- "Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team."
What is our primary use case?
We have two use cases. The first is that Vectra's platform allows us to get visibility into anomalous behavior, which, previously, we never really had access to, for threat hunting and incident response. We use it in support of our incident response operations to help supplement our investigations on hosts. We use it to correlate any suspicious activities, which is something that Vectra has been extremely accurate in, when used the right way.
The second use case is that we've used the Vectra Cognito Recall and Cognito Stream devices. With these integrations, it's given us instant visibility into all the network data as well. That enables us to conduct our own hunts on our network data, data you'd see on a security information and event management (SIEM) solution. It also gives us the ability to correlate with our playbooks because it gives us access to the data itself in much more depth and detail.
How has it helped my organization?
The solution captures network metadata at scale and enriches it with security information. We store metadata for three months. Just to be able to scale the amount of information that we collect on the networks is a problem in itself. We have our SIEM solution that collects all of these logs. Making sure these logs are still sending, that these devices are still sending to our main SIEM, are issues. For Vectra AI, even with three months of retention, with the environment we have, we have never had issues accessing this network data. On top of that, if there are any issues, the support team is amazing in providing feedback and fixing them.
It has actually increased our security analyst workload, but in a good way. It has reduced the amount of stuff that we used to look at, and has allowed us to re-approach our C-CERT from signature-based detections to more behavioral-based detections. It has reduced the amount of boring work and work that is on the host, to more thought-provoking work based on behavioral data. We're now able to approach our C-CERT from a risk perspective and a numbers perspective.
It has reduced that boring work drastically and it reduces the time to investigate incidents in general. While it has definitely added a bunch of incidents for us to look at, it has reduced the workload of how we work those incidents. It makes them not only much easier to engage with and easier to visualize, but also enables us, as analysts, to work in a much more efficient and simple way.
Vectra has also helped move work from our Tier 2 to our Tier 1 analysts. Eighty percent of our Tier 1 analysts are doing Tier 2 work.
Finally, the solution has reduced the time it takes us to respond to attacks. It has gone from on the order of hours to less than 10 minutes to 30 minutes.
What is most valuable?
The most valuable features are Cognito Recall and Cognito Detect.
I didn't think Vectra AI actually provided this functionality, but essentially it gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution, as that is a whole undertaking in itself. It has expedited all our investigations and hunting activities because it's all there and available, and they manage it.
We use their Privileged Account Analytics for detecting issues with privileged accounts. Given that we're a global company with over 35,000 machines, the machine learning-type of analysis or visibility into baselining behavior in privileged accounts in the environment is something Vectra does amazingly. It's amazing the visibility that I get. Not only is it providing a baseline to understand the behaviors of how IT, for example, is acting globally and in all these different regions, but it also gives me an ability to get much more granular and understand more of the high-risk behaviors, rather than the behaviors that we expect from IT. Usually, malware attackers and normal IT activities look the same. It's about discerning what's outside of baseline, and Vectra does this amazingly, incorporating not only the account privileges but the context of what these accounts are doing on hosts, on top of that.
The solution also provides visibility into behaviors across the full life cycle of an attack, visibility into the attacker kill-chain. I personally do red-team testing and threat hunting and, in addition to the detections which Vectra has already caught, it's been able to outline a full attack from an external red team that came in and tested with us. Not only did it show exactly what they did, but it was even able to provide a profile of the type of behavior that this exhibited, which was an external actor. In my own attacks that I've conducted on the network, it's been able to detect everything and properly align it in a kill-chain fashion. That is extremely helpful in investigations because it helps align the host data a little bit when you have visibility of the network in such a way.
Vectra also triages threats and correlates them with compromised host devices.
What needs improvement?
Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team. In my opinion, it's built as a solution for everything, instead of it being part of a bunch of other tools.
For example, we have a source solution which will orchestrate the ability for us to use a host EDR and the ability for us to use Vectra. We see Vectra from a purely network standpoint. Therefore, we don't want it to be the incident manager where we have to fill in specific things to be fixed. We think the integration with source solutions could be better. It tries to treat itself as an incident resolution platform.
For how long have I used the solution?
I have been using Vectra AI for three to four years.
What do I think about the stability of the solution?
It has never crashed. It's always working. And they always resolve any issue before you can act. They'll alert you of an issue and then they'll report that it's fixed. They're very proactive.
What do I think about the scalability of the solution?
In terms of instant access to the data and scalability, we've never seen issues with the platform at all. We use it everywhere, across all our regions across over 35,000 devices. We have plans to increase usage of the solution and the capacity.
We have less than 10 people working with the solution and they're all C-CERT incident responders and investigators. And we have one person, a C-CERT specialist, for maintenance of the solution but he is barely doing that anymore because they have a support team that helps alert us to any issues.
How are customer service and technical support?
I've found that Vectra in general, away from the platform, has been extremely helpful and given me any support that I need on investigations or in trying to reduce the amount of noise. They have allowed me to do this, but it requires a lot of work upfront.
How was the initial setup?
Looking back at the setup now, it was straightforward because of the support that they provided. I'm not sure how long the overall deployment took but it may have taken a couple of months.
We had to install specific brains in multiple regions. We were given instructions on where to install specific network nodes and sensors to be able to collect information where the brains were located. All of this configuration was provided directly from them. They sent the devices over to our data centers along with documentation to support the devices.
What was our ROI?
We have definitely seen return on our investment (ROI). While our analysts are working on "more" incidents, the efficiency of the way they're working, due to the way that Vectra has broken down its platform and its data, has exponentially decreased the response times to incidents. It has also trained them indirectly because with the story-lining, the way that it creates these detections, analysts receive them and pick them up much quicker than they would in a normal security class.
Which other solutions did I evaluate?
We evaluated other options. I wasn't the person who decided on Vectra AI at the time, but we were looking at Darktrace and other machine learning-type solutions.
Vectra fit the niche of what we needed, from the perspective of the former C-CERT manager. Also the feedback we got from their team and the support we've had with them really pushed us to work with them. They were very collaborative and we believed in what they were doing when they initially started working with us all those years ago.
What other advice do I have?
My advice would be to really utilize the support and collaborate with Vectra. The solution requires heavy usage and customization to your environment. They provide the guidelines and you just have to be able to fill in the specifics. If you don't do that, it's not an effective tool. It is a really hands-on tool.
Vectra has done a really good job of giving you visibility into the type of behavior into which you want visibility. But reducing the number of alerts really depends more on the analyst who is operating it and working with it.
As for its ability to reduce false positives and help us focus on the highest-risk threats, the term "false positive," especially in this scope of machine learning, doesn't seem to me to apply. Vectra gives you visibility into what you want to see. It gives us visibility into the exact behaviors which we sometimes have issues trying to create detections for on the host. And on the network it's collected and brought it all together. We get really good visibility into all of the risky behaviors. Vectra provides the whole context, on the network, of what it sees in terms of a risky behavior and provides a story with it.
In comparison to some of the other tools that I've come across in this category, I would definitely give it a 10 out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Product Owner NDR at a tech vendor with 201-500 employees
The Recall feature enables us to use archived data to address current or active threats that may not have been detected
Pros and Cons
- "The core product provides excellent visibility, but my favorite feature is Vectra Recall."
- "Vectra Recall could be utilized much more, and I'm seeing some indications of that today with the investigative components. I use the Visualize feature to visualize components and dashboards a lot. I'm interested in new ways to build automated searches or having them leveraged already from Vectra."
What is our primary use case?
I work as an analyst who determines how our services should be built and integrated. We use Vectra to address a lack of visibility in our client environments. The tool has the potential to solve problems in a few areas, with new features on the way. We're exploring ways to build our services on top of the Vectra platform.
We are considering the various integration options and how we can build a solid portfolio using this suite of products in future services. We have other tools like Palo Alto, and we hope to leverage our services on other platforms. There are several internal integration challenges that we need to examine.
How has it helped my organization?
Vectra gives my clients a sense of comfort. For example, in some of our cases last year, Vectra enabled us to understand each exploit's phases of attack, helping us to segment those phases. We knew how the phases were executed, so we could search for all those signs. It put the client at ease to know we could see signs of successful exploitation and demonstrated our value to them.
We're software clients building services on top of Vectra for our customers. It's crucial for us to get the alerts we need and decide which quarter should be our focus. We're still trying to navigate the solution, but we're getting closer to determining how we want to build our services. We know how to deliver the services, but there are nuanced ways we can improve. However, learning the cloud UI and new scoring models has been an adjustment.
What is most valuable?
The core product provides excellent visibility, but my favorite feature is Vectra Recall. It enables us to use archived data to address current or active threats that may not have been detected.
I have yet to see real-time attacks, and I'm the kind of person who needs hands-on experience. At the same time, they are triggering alerts on our regular scanning tools like Nessus. It triggers if they are noisy enough. Vectra's Threat Lab showcases this, but I need a case to work with to know from experience.
What needs improvement?
Vectra Recall could be utilized much more, and I'm seeing some indications of that today with the investigative components. I use the visualize feature to visualize components and dashboards a lot. I'm interested in new ways to build automated searches or having them leveraged already from Vectra.
For how long have I used the solution?
I have used Vectra AI for around a year.
What do I think about the stability of the solution?
Vectra AI is stable on the sensor side. It doesn't create a heavy maintenance burden on our team. There is a thin line between what we need to do and what our client needs to do. The client has an outsourcing partner doing things for them, and there aren't many issues with the detection platform. Recall sometimes goes down when we make too many queries, but it comes back up quickly.
What do I think about the scalability of the solution?
Vectra AI is highly scalable. Our clients vary in size, ranging from 400 IPs to massive deployments with upwards of 20,000 IPs. So it's just a matter of getting the initial scoping and what type of visibility you want to have.
How are customer service and support?
I rate Vectra customer support ten out of ten. They're excellent, and they'll find the correct answer even if they don't know it at first. We use tech support and the customer success team. They are top-notch and responsive to any suggestions we have as an MSP.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have some personal experience with one of Vectra's main competitors, but I won't mention them by name. I'm trying to go beyond all the marketing hype, and I have huge respect for both tools. As an analyst, I want to find the bad guys at the end of the day, and I've had good experiences with both. We have more experience with the other tool, and I'm comfortable detecting threats on both. They're equally capable in this field.
Vectra AI has advantages, including a more extensive list of attack and defense references. Vectra has better at-a-glance integration options with EDR tools like CrowdStrike. There are nuanced differences between the products, and one might be more suitable depending on your needs.
There are more dimensions than detection capabilities. It depends on the partner model and the market. Vectra covers many of those areas, and it's our primary vendor.
How was the initial setup?
Our platform team was responsible for implementing Vectra. The greatest challenge was getting the initial scoping a hundred percent correct. Sometimes the client comes from Vectra, and/or they come from us. The handover must be a hundred percent because we know exactly what we will deliver. Existing and future clients need to ensure the scoping is perfect.
The scope is sometimes unclear and isn't apparent until you start. The scoping needs to be right for you to have a good deployment. You know your integration options and will connect X of these sensors.
Once the scoping is correct, everything else is straightforward for our team to implement.
What was our ROI?
I haven't gotten much feedback about the return on investment. Because nothing is happening yet, we need some reassurance that we can see when it does. We must feel confident that it will actively respond when something happens.
We can use Vectra to create visibility, like Microsoft coming out with end-of-life PCERPC integrations. We can help the clients even though it's not on the security operations team. You can utilize the network data once you have it and we can build the services to provide assistance above and beyond detection.
What other advice do I have?
I rate Vectra AI a nine out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Head of system and infrastructure at a government with 1,001-5,000 employees
It just gives us so much detail about the malware putting our environment in danger
Pros and Cons
- "Vectra AI is the best. It is a major product in our cybersecurity."
- "The solution needs to become more proactive. When Vectra AI is the primary solution in an environment - like it is in our case - you must work on response time. We have a small team so response time at endpoint level is vital."
What is our primary use case?
Our primary use case for this solution is network traffic analysis.
When we initially launched the solution, it gave us more detection compared to what we had before, but we needed more details in the field. However, once we added the Cognito feature, Vectra AI became an important solution in our environment. We now use it as a complete cybersecurity platform for detection, analysis, and referring security alerts. Vectra AI is the best. It is a major product in our cybersecurity.
What is most valuable?
The Vectra AI feature I find the most valuable is Cognito. It just gives us so much detail about the malware putting our environment in danger.
What needs improvement?
The solution needs to become more proactive. When Vectra AI is the primary solution in an environment - like it is in our case - we must work on response time. We have a small team so response time at the endpoint level is vital. At the network level, response time actually works with Vectra AI.
For how long have I used the solution?
We have been using Vectra for three years. This is the third year that it has been in our environment and we really want to continue with the solution.
How are customer service and support?
Vectra AI's tech support is very good. Like I said, we had a rough start with the solution because we did not have the necessary experience in year one. However, whenever we needed it, Vectra's tech support came through to help us out. They gave us the details we needed and always responded to our questions. We also received online training from them. We had an excellent experience with them.
How would you rate customer service and support?
Positive
How was the initial setup?
I was not involved in the initial deployment. I'm on the team in charge of monitoring our environment.
What about the implementation team?
We deployed the solution in our environment through a partner firm called IT Security.
What was our ROI?
We have seen a return on investment.
What's my experience with pricing, setup cost, and licensing?
I think the pricing structure is good compared to other products. The price is not too high and it's not too low. It is perfect.
What other advice do I have?
When we initially deployed Vectra, I was not working on it very much because I did not have very much experience with it. At that time, I was not happy with Vectra and was mainly using other solutions, like Splunk. However, as we learned more about how to use Vectra more effectively, we added additional features and made greater use of the dashboard. In year two, we started seeing Vectra as a tool for analyzing our network traffic. Right now, I think it is a good solution.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Center Coordinator at a comms service provider with 1-10 employees
Keeps up with our network traffic and provides context to alerts
Pros and Cons
- "It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload."
- "I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats."
What is our primary use case?
From our research network in Sweden, we use it to communicate to and from the Internet. The deployment is on our Internet-facing services. We facilitate monitoring for universities who need this as well.
One of the biggest challenges facing us today is data growth and the continual diversification of the IT landscape. It is a very heterogeneous model, where you have on-premises, hybrid, and cloud solutions, as well as service providers, where everything is communicating back and forth towards each other.
We just have one SOC in Sweden.
How has it helped my organization?
It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload.
Vectra AI triages threats and correlates them with the compromised host device. That is how the functionality works. It helps us prioritize which hosts to look into.
What is most valuable?
It works over the hours when an analyst is not available, so the work keeps going. It can help you prioritize certain traffic patterns and things that you need to handle.
It is a good system that goes hand in hand for both junior and senior analysts. I see it as a nice add-on there.
What needs improvement?
I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats.
For how long have I used the solution?
We have been using it for evaluation and collaboration together with our customers for the past two years. We have had it in our own production environment for half a year.
What do I think about the stability of the solution?
We haven't had any major disruptions. We had one hardware error after delivery, but that was taken care of.
Not much maintenance is needed.
What do I think about the scalability of the solution?
It scales nicely since they separate the sensor node from the brain node.
You can scale up to sensors and separate the architecture as you grow. So, you can define your initial steps first, then have more mature hardware later on.
We are a team of less than 10 people. We have network engineers, security analysts, incident handlers, and operators. We have a broad team.
How are customer service and support?
We have only had direct contact with the customer success team, and that has been great.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used open-source SIEM models. We switched to Vectra AI to help with the automation of alerts.
How was the initial setup?
The initial setup was fairly straightforward.
The deployment was done over the pilot phase. We changed the links and aggregation a bit on the networking side, but the work was fairly quick.
What about the implementation team?
We had a good dialogue with Vectra regarding the initial setup.
What was our ROI?
After deploying Vectra AI in our network, it began to add value to our security operations within a week.
We have not yet seen ROI, but we are growing our usage. We need to offload at least one analyst or have it do the work of a couple of analysts over time.
What's my experience with pricing, setup cost, and licensing?
We had a pricing meeting for the solution, where we set up a certain set of requirements that Vectra could fit on both price and quality.
Which other solutions did I evaluate?
We evaluated three or four different solutions.
Vectra's licensing model could scale to our research network, which has multiple, 100-gigabit links. Other competitors could not scale that for us.
What other advice do I have?
Set up specific threat scenarios that you are looking into, then monitor and evaluate on that. For example, it could be a botnet or certain user behavior. Also, the solution works best within an enterprise.
We are currently evaluating upgrading our SIEM and EDR technologies. When we extend our scope of the traffic that we are monitoring, Vectra AI will possibly enable us to do things that we could not do before, which would be a nice side effect.
There are still quite a lot of alarms coming in. It helps to reduce the amount of alerts that an older IDS-based system would have had. While there are still a lot of alarms, there are fewer alarms than with the traditional IDS.
I would rate the solution as nine out of 10.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros
sharing their opinions.
Updated: February 2026