Buyer's Guide
Intrusion Detection and Prevention Software (IDPS)
May 2023

Read reviews of Darktrace alternatives and competitors

Chief Technology Officer at a financial services firm with 11-50 employees
It's much easier to create your own queries and hunt for threats
Pros and Cons
  • "When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query."
  • "The one thing that the Awake platform lacks is the ability to automate the ingestion of IOCs rather than having to import CSV files or JSON files manually."

How has it helped my organization?

Awake has made us more productive. We're spending less time looking at false positives, so we can focus on what's truly important. It hasn't affected the morale of our analysts because we use a third-party SOC. 

When I look at the central dashboards, I can see what adversarial models were matched within the day, and when I click on that day, I can see what models and device names got triggered within my homepage. If I want to dive further into that model, I can click on that, and it tells me what the threats were as well as a lot more information on the endpoint or the asset. Then, if I want to see even more information, such as the actual activities, it's three clicks, and I'm on the activities themselves. I can pull a PCAP and investigate it. Regarding responsiveness and how quickly I get the answer, it's much faster than what I used to have.

It's hard to quantify, but it would have taken me 10 minutes to figure it out in my previous solution because I'm on the platform every day. Awake is easier and more intuitive. You see the day, the triggered models, and the asset. Then you click on the asset and activities. They're right there. I get the source, destination, and details, then download my PCAP, and I'm done.

Awake also tracks unmanaged devices. We have a guest WiFi, so if someone logs in to that, it's an unmanaged device. If they log in and try to do something bad, Awake will flag it and tell me. It's important even though we don't have as many people coming in and using the guest WiFi due to COVID, but we need to know if a guest user is doing something malicious.

What is most valuable?

It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward, as is tweaking the adversarial models. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.

We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake and DR team already has an open ticket for this. They look for files that have "passwords" in the filename. 

That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk but then writes to them and says a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.

What needs improvement?

We take in IOCs from my SOC and from AlienVault, and then we focus on traffic that hits IOCs and alerts us to it. The one thing that the Awake platform lacks is the ability to automate the ingestion of IOCs rather than having to import CSV files or JSON files manually. Awake didn't support the manual importation of CSV and JSON in version 3.0, but they added it in version 4.0. It's helpful, but it still has to be a specific CSV format. Automated IOCs are on the roadmap. Hopefully, they will be able to automate the ingestion of IOCs by Q1 next year. I'm currently leveraging MineMeld, an open-source tool by Palo Alto, to ingest IOCs from external parties. I aggregate those lists and spit them out as a massive list of domains, hashes, file names, IPs. Then we aggregate those into their own specific categories, like a URL category. Awake ingests that just like the Palo Alto firewall does, and then it alerts me if traffic attempts to go into it.

Some of that is already on the Palo Alto firewall, which blocks it, but that doesn't mean that there is no attempted communication. I want to know if there's a communication attempt because there might be an indicator on that specific device trying to reach an IOC. Yes, my Palo Alto blocked it, but there's still something odd sitting there, and what if it can reach a different IOC that I don't have information about? I want to focus on it. I could do that by leveraging Awake if it could ingest the IOCs automatically. That's something I leverage Awake for today. I still have to manually import it, which is cumbersome because I have to manipulate the files that I get from the different IOC providers into a specific format that it understands. Once they add the ability to automate that, it'll be more useful.

For how long have I used the solution?

I have been using Awake since 2020. They hadn't been acquired yet by Arista when I joined.

What do I think about the stability of the solution?

Awake is pretty stable. It has come a long way. There were quite a lot of bugs initially when I had them in version 3.0. I'm on 4.11 now, so it's a lot cleaner, more intuitive, and much less buggy. I found bugs as each new release came out. I brought them to the attention of support, and they would fix them, then I'd find a different one. I can't comment now since Arista acquired them, but before Arista, the development to get something fixed was much faster.

What do I think about the scalability of the solution?

I have a larger appliance than I technically would need, but I prefer that. If my organization goes up 100 percent, the appliance will still be suitable. So the scalability is there. If you switch from a 50-person shop to a 1000-person shop, it's easy to upgrade the appliance. They get a new one, install it, migrate the data, and you're done. I don't have any reservations about that.

How are customer service and support?

I don't think anyone is a 10 out of 10. There's always room for improvement. I'll give the Arista support group an eight out of 10, and nine and a half to the MNDR team. Awake's managed network detection and response service is fantastic. Awake MNDR has been there night and day for us. In fact, they've helped me a couple of times where my SOC has fallen short. They got me the answers I wanted, which is precisely why I wanted to sign up for MNDR.

Awake MNDR has made our security posture more comfortable. We get some peace of mind knowing they're there if something should happen. I can reach out, and also, they open their own tickets for things they see that the Awake platform doesn't necessarily catch automatically. You want that human element behind it, not just the ML component of it, where you build these models as an ML. You tell the machine what to look for, and if the machine sees it, then it tells us something about it. It's not machine learning, more like machine finding. These guys are looking for the nuances that the machine can't find.

If they see new IOCs, attack vectors, methods of attack, hashes, or techniques, they're going to log in to random customers and do some threat hunting. We get a lot of value from having the ability to say, "Guys, I heard about X, Y, Z. Can you check if there's any indication of that in my environment?" They can then log in, do their own threat hunting, and tell me, "No, categorically, there isn't." That's a lot more helpful than just having a SOC.

If my SOC is spending a couple of hours doing it, they're not going to be Awake experts, of course, because they're a SOC, and they probably have to leverage so many security tools it's impossible. They all have customers with Vectra, Darktrace, etc., and you can't learn them all. So having the Awake team allows me just to ask the Awake MNDR team, "I got this ticket. Can you guys log in and investigate it?" Or, "I have this question. This user did XYZ. Can you guys investigate this and paint a picture based on what you see in Awake." Of course, they don't have access to SentinelOne or a lot of my other tools like the SOC does, but they can give me a sense of exactly what happened just by leveraging Awake.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we were Darktrace customers, and we had the Darktrace platform set up in two locations: here and our data center. We leveraged them because we wanted to have an NDR solution. Darktrace is great eye candy, but we got a lot of false positives in the environment. When we spoke with Darktrace, they assured us that it was AI with machine learning capabilities so that it would adapt to our environment the longer it was deployed.

I'm not sure if they've gotten better since then because I left them two years ago, but our SOC was spending too much time looking at false positives. When we approached Darktrace and told them that the solution was flagging functions that were normal in our environment, the support was not up to scratch. If you constantly have to change the model and tell it to ignore issues in your environment, then that's not machine learning because it's not learning the environment.

Awake had what I was looking for with Darktrace but didn't get, which was to get a response. So you detect it and respond to it by integrating it with the EDR tool, specifically at the endpoint. I wanted a response, but that automation wasn't there. Darktrace has it now. However, Awake had the EDR integration to CrowdStrike and SentinelOne out-of-the-box, which was great because then I wanted to do it, but it's not fully automated yet. I can isolate the endpoint from the Awake platform, but there's still no playbook yet where it says, "Okay, if you find a ransomware attack going on, isolate that endpoint and respond automatically." That's on Awake's roadmap.

Another reason I moved to Awake was that they're not truly an ML or AI, and they don't sell themselves as that. They look at it differently from a security perspective, and I like that. The integration with EDR is better than what I had. They were looking to integrate with Palo Alto and Cisco firewalls to automate the response to IOC. If an IOC is identified in my environment, it will tell my firewall to start dropping the traffic to the IOC. They don't have this functionality yet, but I know it's in the roadmap because I just had a call with them about a month ago. I have a Palo Alto firewall, and the integration with Palo Alto will come along in Q1 next year. 

I think Darktrace has this, or it's in the process of adding it, but Awake already had it on the roadmap two years ago. That was something they were building towards. Since then, I have expanded my relationship with Awake Arista by signing up for their MNDR service, which has been super helpful because we still get false positives when I tweak the adversarial models to match my environment. I don't think there's a solution that will genuinely learn your environment and know what's normal versus what's not. I've found that dealing with support is better than dealing with Darktrace. Granted, I have the MNDR team also now, but this was the case even before that. With the MNDR team, I send them an email telling them the alerts we've gotten and the workbench queries we used. Then I ask them to tweak the model, so we don't get false positives. After an hour or two, it's done. Compared to Darktrace, the level of responsiveness from Awake has been night and day.

I get low-risk false positives, and I treat them all the same, but I have a managed external SOC, and they will not. I do because I want to see less noise, and I want my SOC to focus on what's important. As such, I want to tweak the adversarial models to focus more on aspects that warrant research and response rather than just an alert that comes in. We can decide to look at something later when we have time because we can see it's a low-level risk. Awake categorizes these, so you know it's low when you see an alert with a risk score of 20. Still, I want to clean it up, so that I don't see them. When I look at my platform dashboard, I want to know that I have had X unique adversarial models for the past week and Y high-risk devices. Then I can zero in on those high-risk devices to see what they are and what they're doing. 

I was a Dell Secureworks customer for a while. They were great tools, but they weren't NextGen. I thought Darktrace was NextGen. I had probably done a demo with them two years before becoming a client. I had Secureworks as a SOC, but then I wanted something more. When it was time to change my SOC from Secureworks, I figured I could use Darktrace and get an external SOC to ingest all of my security logs for the same cost I'm paying Dell Secureworks.

I thought that my SOC was spending too much time investigating all the false positives we were getting out of Darktrace, and it wasn't their job to tweak Darktrace. It was certainly more challenging for me to do it and more brutal to me to work with support to do it. And so, after attempting that for six months, I came across Awake. I can't remember exactly where. It must have been a marketing email I got, and I decided to look into it.

I think they had just come out of stealth mode when I started talking to them, and I decided to put them in at the same time I had Darktrace and do a bake-off. I realized that I was getting fewer false positives but, unfortunately, the platform does not have 3D manipulation, which I call the "eye candy" of Darktrace. It's an excellent visualization tool. It looks fantastic, but it's not easy to dive in and look at the logs.

I like how Darktrace can replay the traffic and show the messages coming in. I thought that was a pretty cool feature that I wish I could do with Awake. But again, it's eye candy. The information is there, but you can't play it to the second as the traffic comes in. When I tried out Awake, I was taken aback because they had the IOC ingestion and were planning on automating that. They were also planning on integrating Awake with Palo Alto firewalls. Awake also had the EDR implementation as I was looking at migrating from Cylance to CrowdStrike. They already had Cylance integration also. I thought it was a no-brainer as long as I could get it for the same cost as Darktrace. I knew I would get a little more value out of it. I would lose the eye candy and the playback, but my SOC will spend less time looking at false positives.

I don't pay more or less if my SOC gets a thousand tickets or 10, but I also don't believe in my mailbox getting spammed with issues that worry me. Of course, I still get false positives from Awake. At most, it's maybe one a day, which is not terrible. We used to get five, but then I started tweaking it, and now we're getting roughly one every two days. We used to get five a day because no platform is built for your environment. They're built for all environments. They have to look for issues they think are malicious. You get that with SentinelOne too. I get false positives with SentinelOne and Excel files that look like they're meeting a MITRE ATT&CK framework, but they're not.

I think people should be ignored if they tell you there is a tool out there that's truly going to learn your environment. Darktrace claims that the tool will self-adjust the longer that it's in your environment. It won't. I've seen it, and unless that's been massively improved, I don't believe it.

What's my experience with pricing, setup cost, and licensing?

I got a deal when I bought Awake. It's as if you go to buy a car and end up ripping off the dealer. I don't think many customers got the same deal. Darktrace is way too expensive, and so Awake is more price competitive. I think they'll be able to take a lot of clients from Darktrace because it costs a lot of money. All of these vendors push for four-year agreements and offer discounts for that. Darktrace told me that they only do four-year contracts, but I said I wouldn't be a customer if those were the terms. Instead, I got a four-year agreement with a 12-month opt-out. It's still a four-year agreement, but I could opt out after 12 months with a 90-day notice. So to me, it's a one-year agreement. I was able to get that with Darktrace because they wanted me as a customer.

Because I represent a hedge fund, I have some leverage. I told them that they had to meet my conditions if they wanted me as a client. It was the same way with Awake. They wanted an initial four-year agreement. Initially, we signed on for a one-year contract, but they wanted the four-year deal when it came time for the renewal. I told them that I was not doing that. I said that they either had to do it on my terms, or I'd go somewhere else. I don't want to, but I'll go.

We were able to keep the same conditions that I had, and working with them was pretty easy. I didn't have to jump through many hoops to get what I wanted. I was one of their first clients in the alternative investment space, and I've been a big supporter of what they were doing even before Arista bought them. I was worried when Arista bought them. When a conglomerate company bought this unicorn, I was afraid they would turn it into garbage.

Thankfully, I haven't seen that. The platform is improving, and the development continues. They're doing many exciting improvements that were on the roadmap when I first signed on. I can't disclose some of these improvements, but seeing what's coming down the pipeline is exciting. And like I said, I was fearful of Arista. Now I'm thankful that Arista pumped money into it and kept the team together, did not break them, that they're integrating them to their support model, and the teams will become bigger. And obviously, the interaction with the Arista products will become even larger because they're an Arista company, and they want to apply that to their Arista products.

My other big concern was that once Awake was acquired by Arista, they would have no interest in integrating with Palo Alto and Cisco because they are competitors. The sales rep told me, "No, that's incorrect. We still want to integrate with them. However, we understand customers are always going to have a choice, and not everyone chooses Arista for networking." I don't think Arista even does firewalls, so they put me at ease. 

What other advice do I have?

I'd rate Awake Security Platform nine out of 10. I have recommended them to many of my peers and have done references since. I believe in Awake and what they're building. I know how much more they can do with this. Unlike Darktrace, Awake has been built from the ground up. Darktrace took a lot of open-source tools and integrated them. It may have been a sales pitch, but my understanding is that one aspect that sets Awake apart is that this platform is built from the ground up. They didn't take an open-source tool and bandaid it to another one to create a product. 

That's one of the most exciting aspects of Awake. They can do what they want with this. They can build all these features on top of it. I bought into Awake because I wanted to get these features on a single platform. I want to create playbooks. I want something that can automate playbooks and leverage API calls to connect to your Palo Alto firewalls and SentinelOne. It's all about APIs nowadays. I want to have the ability through a single pane of glass that has your top 10 adversarial models that are critical. If you hit this criticality and you are up to this percentage, the following action that the Awake platform takes is X.

I believe that's where this platform can go, and I don't think any platform out there is at that level yet, even though Darktrace now has integration with EDR. They can automate many aspects, and they have added Palo Alto to it since then. Also, they have an email phishing component. I think Awake has the potential to do much more, and based on the roadmap that I've seen, I believe they are well-positioned to do even better.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Operations Manager at a healthcare company with 51-200 employees
Gives us a greater level of confidence that we will be able to detect threats more quickly
Pros and Cons
  • "One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us."
  • "I would like to see data processed onshore. Right now, the cloud components, like Office 365, must be processed on servers outside of Australia. I would like to see a future adoption of onshore processing."

What is our primary use case?

The key challenges are employee weakness, getting alerted as soon as possible on our network and infrastructures to anything suspicious that is happening, and policy-type enforcement.

The challenge that it tends to solve is visibility. We put a lot of controls in place for what we suspect will be a risk. However, something like Vectra gives us more visibility and confidence that we have a better understanding of what is actually happening, rather than just the things that we have already planned for.

How has it helped my organization?

We adopted an Office 365 add-in with the product that looks over the Office 365 suite and data traversing that platform. In the future, we see this as a valuable asset that we already have in place to be able to better monitor that type of detection of information. We don't have an environment where there are many true positives, which is good. That has been consistent across the old and new. Our detections have usually been benign or more configuration-based rather than some sort of attack. Because it provides more context and raises things in a way that make it more actionable, it does help you understand the anomaly on a deeper level because it is not just a log that is being forwarded on and has context around it. Vectra AI does do a good job of providing the model information upfront about how its detections work, which is helpful.

We have an external SOC, and most of the data or detections from Vectra now flow to them. The final design is that they are the recipient of those alerts in parallel with us. We also receive them directly at times, depending on the criticality. What it does for us is it improves the information and context that they are getting upfront, which means fewer questions for our internal IT team about what these assets are and what they are doing. Because the analysts at the SOC have more information to work from, it has reduced wasted time and improved the path that we are taking to a resolution, if there is a problem. It is more straightforward when you are getting quality information upfront about what you are actually investigating and why you are investigating it, rather than just, "This particular activity was detected on the network. Go and work out everything about it." Vectra gives you some context around it and a little bit of direction when you see these things, e.g., this is potentially what could be causing it. This improves workflow, reduces wasted time, and makes everyone's life a little bit easier.

It has given us an increased level of confidence in our information security that we have a tool like Vectra to back up some of the incidents that could take place, knowing we are going to get them detected as quickly as possible and identified to us. Nowadays, with threats on ransomware and information security types of techs, we believe that Vectra does give us a greater level of confidence that we will be able to detect those more quickly. If they do occur, we can shut them down more quickly, preventing further risks or damage to our systems or infrastructure.

Vectra AI provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It spells that out quite clearly in each detection. It is not just in the detection. You can look at detections individually, which are essentially individual events. Also, when you are looking at an asset that has multiple detections attached to it, you can see where those sit in the lifecycle of an attack. This gives you an idea of how far Vectra thinks that it has progressed. Having the ability to know where you are in an attack helps you prioritize things a bit better.

The solution correlates behaviors in our enterprise network and data centers with behaviors that we see in our cloud environment. In terms of a specific example, it links cloud identities to on-prem identities. This is something that we have never really had before, because we didn't have that visibility in our cloud environment. Now, it improves the visibility that we have of our security operations as a whole. Rather than sometimes viewing these things in silos and objects as individual objects, we are now viewing them as what they are, which is people undertaking action in our network and the pathways that they are taking to get to certain resources. By combining the cloud and on-prem data, it gives us context and helps us to get a proper view of what is actually going on.

What is most valuable?

An attractive thing about Vectra AI is the AI component that it has over the top of the detections. It will run intelligence over detections coming across in our environment and contextualize them a bit and filter them before raising them as something that the IT team or SOC need to address. 

While the device itself is deployed on-prem, the hybrid nature of what it can monitor is important to us.

Its ability to group detections for us in an easier way to better identify and investigate is beneficial. It also provides detailed descriptions on the detection, which reduces our research time into what the incident is. 

There are also some beneficial features around integration with existing products, like EDR, Active Directory, etc., where we can get some hooks to use the Vectra product to isolate devices when threats are found.

On a scale of good to bad, Vectra AI is good at having the ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation. My frame of reference is another product that we had beforehand, which wasn't very good at this side of things. Vectra AI has been a good improvement in this space. In our pretty short time with it so far, Vectra AI has done a lot to reduce the noise and combine multiple detections into more singular or aggregated alerts that we can then investigate with a bit more context. It has been very good for us.

There is a level of automation that takes place where we don't have to write as many rules or be very specific around filtering data. It starts to learn, adapt, and automate some of the information coming in. It works by exception, which is really good. Initially, you get a little bit more noise, but once it understands what is normal in your environment, some of the detections are based on whether an action or activity is more than usual. It will then raise it. Initially, you are getting everything because everything is more than nothing, but now we are not getting much of that anymore because the baseline has been raised for what it would expect to see on the network.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. Privileged accounts are one of the biggest attack vectors that we can protect ourselves against. This is one of the few solutions that gives you true insight into where some of those privileged accounts are being used and when they are being used in an exceptional way.

We have found that Vectra AI captures network metadata at scale and enriches it with security information. We have seen that data enriched with integrations has been available and implemented. This comes back to the integration of our EDR solution. It is enriching its detection with existing products from our EDR suite, and probably some other integrations around AWS and Azure. In the future, we will see that improve even further. 

One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us.

What needs improvement?

I would like to see data processed onshore. Right now, the cloud components, like Office 365, must be processed on servers outside of Australia. I would like to see a future adoption of onshore processing. 

For how long have I used the solution?

I have been using it for two to three months.

What do I think about the stability of the solution?

We have only a few months of history with it, but the solution has been rock solid. I don't think it has gone down yet.

What do I think about the scalability of the solution?

We have the ability to add agents in Azure and AWS Cloud if we want, but we still haven't made a decision yet. We can also add more agents or sensors on-prem with the VMware virtual machine that they provide. It is scalable in that way, but at some point, you will hit the limit of the device.

One of the selling points for us was, down the track, we can just add additional agents to the box from other sources without the need for additional licensing costs.

Internal to the business, there are only two users. External to the business (the SOC), there could be a team of up to 10 people who are watching alerts day-to-day as well as using the product and logging into the product to better identify what those alerts are. Being the owners of the system, we use it when we are triggered by alerts about something significant.

We have a small IT team with fewer than 10 staff, where there are only one to two information security focused staff. We leverage an external SOC, i.e., a third party.

Vectra AI has enabled us to do things now that we could not do before. We are able to give our SOC a tool that can both reduce their time and potentially allow them to do more on our network. Potentially, they will look into isolating the threat a lot quicker. They can use some of the integrations to turn off endpoints when a threat, which is significant, is detected.

How are customer service and technical support?

Through the different phases of deployment that we have gone through so far, we have been mainly assigned one technical resource to assist us with everything from beginning to end. He has been very knowledgeable and responsive. I can't say anything really negative about him. 

In terms of the ongoing support, we haven't had to leverage it much yet. We are now in the production phase, so we have been handed over to the main support desk, but I haven't had to use them yet.

Through deployment, the technical support was very responsive. I think every question that I asked, if it wasn't able to be answered, got passed onto someone who could then come back with something. I think they were pretty upfront as well when the solution couldn't do what we were after. We were told that they would go away and check, then they would come back with an answer about whether what we were asking for could be done. It has all been pretty good so far.

Which solution did I use previously and why did I switch?

We already had a solution like this one in place, which was another competitor's product, where the three-year contract for that product was up. We wanted to retain the level of detection that the product provided, but adapt to the way our network had changed over three years to adopt a more hybrid cloud technology. This device sits on our internal network watching for any threats to our internal network. It looks at our Office 365 threats as well.

We were previously using DarkTrace. We went to the market for reasons of maturity over time for our network. We wanted to further adapt this product to a hybrid working model. We wanted it to be able to adapt to cloud technology that we were adopting. We also wanted something commercially competitive. After three years, they came back asking for a 20% increase in their renewal fees, which wasn't acceptable.

One of the main things that Vectra has brought to the table for us, over what we were previously using, was the ability to combine our on-prem packet data that we were watching with the cloud data that we needed to start including. We have one system monitoring a hybrid environment, rather than having separate systems for separate environments. That is a key thing that Vectra does that others might not. It comes back to visibility with network monitoring.

For critical alerts, there has been a huge reduction compared to our previous solution, approximately 80% less. What our previous tool would mark as high, we wouldn't, and Vectra AI aligns with that. Vectra gave us some classifications of the threats, where our previous tool would just trigger high risks on a lot of things that to us, as a business, were not high risk. This is because of fundamentally the way that Vectra looks at detections compared to the way that our previous product did. Every detection was its own entity within the previous one. Whereas, with Vectra AI, it is all about combining the detections and getting a more complete picture. When you are looking for more than just one indicator of compromise, and you are not viewing these things in isolation, you start to realize that one indicator oftentimes doesn't mean critical. That is what Vectra does pretty well.

How was the initial setup?

The initial setup was straightforward. We had the existing competitor already in place, and it was architected in a pretty similar way. Someone without a device like this one in place would need to spend a little bit of time on the setup. However, that is not so much about Vectra as it is with the type of device that it is. No matter which device does this sort of thing, when you put it in place, you will need to set certain things up.

We unboxed the device, plugged it in, and it pretty much turned on. We didn't have to do much at all. Then, there was the config after the fact, which was all supported.

The initial deployment really only took a couple of weeks to get it to the point that we were relatively comfortable with what we were receiving. In terms of getting the box plugged in, that took a day. Then, we finished the whole deployment phase of it, which was to fine-tune some of our detections and config. That has really been finalized in the last few weeks.

Vectra was extremely easy and quick to get into place. It was able to run inline with DarkTrace while we were evaluating it. Also, the implementation was not heavy in any way.

What about the implementation team?

We went through a proof of concept with Vectra. We had already identified our functional requirements for the product and entered into our proof of concept arrangement with Vectra to assess that they could achieve all the functional requirements that we had.

The support for deploying it was ready to assist further, if needed, with the deployment. In our case, it was very straightforward. It was very quick to implement. The support that they gave us week-to-week kept us moving. They were also able to implement it in line with us.

Development and maintenance needs a tenth of a staff member. We mostly handle this ourselves. To be effective with the alerts that you are getting, you need security staff or people who are dedicated to this kind of thing. It is one thing to maintain and deploy the device.

It is another thing to action the information that the solution is giving you. We outsource that, so we don't do it in-house.

What was our ROI?

The capturing of network metadata at scale reduces the time of investigations when researching incidents. Instead of having to look over multiple tools, that data can be somewhat aggregated, from a Vectra perspective. The time to detect and understand a threat has been reduced.

Vectra AI has reduced the time it takes us to respond to attacks. The amount of time depends on the specific detection or circumstance around it. Some things have been raised previously, then we would have good knowledge about what that detection meant and how to investigate it effectively. Other times, a detection might be viewed as more novel, where there may not be the immediate skills in place to investigate it effectively, whether that is the security team or me. There is a whole lot of research that needs to go into this to make sure that you have the knowledge to actually verify whether a thing needs to be dealt with.

Vectra AI provides you this information very well, with more context around the detection. Someone with a more general knowledge of some of these things can look at all the factors rather than just the detection to make a determination of how risky it is and how you might start investigating it. For example, with autodetection in an account, if it was just that detection, then your initial response might be to lock that account out. However, if you get a bit more context about it and can see what other activities were happening on the same asset around the same time, then you might not lock that account. You might just reach out to that user, and say, "Hey, what was this about?" because you are not so concerned about an immediate threat.

There is ongoing maturity from our security strategy, which this solution introduces. Down the track, we could look to extend this from an agent perspective to our cloud platforms in a more rigorous way than what has already been implemented. It gives us increased confidence over time as we do get these detections and alerts that are valid, so we are able to accurately resolve and stop them quite quickly. That is where we will see the bigger benefit. It will tick something and alert us as quickly as possible, then we can get to it and shut it down as quickly as possible. That means our security maturity is only strengthening, and we can respond and have visibility over events in the future.

The return on investment was passed over to our SOC. They were using our previous tool, DarkTrace, and now they are using Vectra. There will be a lot less in future reports because there will be a lot less that they are actually investigating.

What's my experience with pricing, setup cost, and licensing?

From a pricing perspective, they are very commercially competitive. From a licensing perspective, just be conscious that some of their future cloud solutions come with additional subscriptions. Also, if you're outside of the US, you will get charged freight for the device back to your country. I tried to negotiate getting rid of this, but unfortunately, it just wasn't something they would take off the table.

I would like to see ways they can look to bring out new cloud functionality without introducing additional costs for them as additional subscriptions. They're about to bring out their AWS add-in, which has an additional cost. So, I would like to see them start to roll that into the product, as opposed to having it be offered as a separate subscription service. Because the more that that happens, the more it goes away from the core functionality of the product if we are just buying a lot of separate cloud processing pieces doing different functions. Why is that not being made as part of the core product?

They also have some additional threat hunting tools that I would like to at least consider leveraging, but the cost is just prohibitive.

Which other solutions did I evaluate?

After deploying this solution in our network, it began to add value to our security operations straightaway. We ran the Vectra product in line with DarkTrace and were watching the alerts from both. Because I was sometimes getting exactly the same detections on both platforms, the Vectra information was actually assisting me in understanding what DarkTrace was doing and what it was warning me about. Straightaway, I started to get a better understanding of the alerts that we had been receiving for a long time.

It pays to evaluate the market regularly on products like this. The industry and platforms change very rapidly, and there is always new technology coming out. Three years ago, these guys wouldn't have probably been around or been looked at. Now, they are. Therefore, going out to the market and actually assessing our existing investment, against what is out there today, was very worthwhile.

For EDR, we are using CrowdStrike.

What other advice do I have?

The visibility of your threats will be easier to understand with Vectra AI. It provides you with a centralized dashboard of those threats and alerts. It gives you detailed descriptions for quicker research into what the identified threats and alerts are. It will integrate with existing products you may already be using. Overall, it reduces a lot of time spent on chasing false positives.

Right now, we are leveraging the on-prem appliance and the Office 365 Cloud component. We want to look to the future around potentially extending this to further parts of Office 365 and cloud environments, like Azure and AWS.

We haven't adopted Power Automate into our environment as of yet.

I would rate this solution as eight and a half out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Braam Mouton - PeerSpot reviewer
CTO at a tech services company with 51-200 employees
Real User
Backup automation reduces repetitive work and network map helps with troubleshooting, saving us time
Pros and Cons
  • "The network monitoring and backups of specific devices are really impressive. We've seen very good responses from our staff regarding the backup functionality. You can add a product, such as a switch and, once the product is added, it backs it up for you."
  • "I'd like to be able to deep dive more into the reporting. The reporting is still being scaled and built out and I would love to see some additional products being added to the stack. For example, Auvik covers certain types of firewalls, but I would like to see more enterprise stuff added to the stack."

What is our primary use case?

Our use cases are around network monitoring. That was our biggest challenge.

How has it helped my organization?

The most important thing to me has been the benefits around visibility. If I don't have visibility then I can't report on things and the tool doesn't work.

And when it comes to reducing repetitive tasks through automation, it has absolutely done so, for example, through the backup features and functionality. Also, from an auditing point of view, it has greatly helped us because we now don't find ourselves in a situation where we have to figure out who did what and when. It sends out reports on a user basis, meaning we know when a user was logged in. Those are all very cool features and functionality.

With the reduction in repetitive tasks for my team, at different levels, time has been freed up. Another factor in saving time is definitely due to the improved fault finding we can do now. Because we have a network map, when something goes wrong, such as what couldn't communicate with which device, it saves us good chunks of time.

What is most valuable?

The network monitoring and backups of specific devices are really impressive. We've seen very good responses from our staff regarding the backup functionality. You can add a product, such as a switch and, once the product is added, it backs it up for you.

The ease of use of the monitoring and management functions depends on what level of engineer you are and how you perceive it, but to me, it's quite simple to use and user-friendly. The overall intuitiveness of the network visualization is about eight out of 10. That aspect is actually quite good in the product. There are small tweaks and improvements that can be made, but overall, it is really good.

It also does change-tracking, which is a big aspect for us. If someone makes a change on a device, Auvik will report on it for us.

In addition, it helps keep the devices up-to-date. At a minimum, it gives us a monitoring feature on the versions of the devices. If it can't auto-update, the key here is visibility. As long as we have that visibility, there's a lot we can do with that info. The visibility saves us time.

And while it's not a single, integrated platform for everything, because I still use some of my other network tools to complete some other tasks, Auvik is a comprehensive platform.

What needs improvement?

I would like to see some improvements in some of the reporting functionality, meaning I'd like to be able to deep dive more into the reporting.

The reporting is still being scaled and built out and I would love to see some additional products being added to the stack. For example, Auvik covers certain types of firewalls, but I would like to see more enterprise stuff added to the stack. These aren't exact examples, but it may cover Sophos and FortiGate but not Palo Alto.

For how long have I used the solution?

I have been using Auvik for about six months.

What do I think about the stability of the solution?

So far, I have found it to be quite stable. I haven't found the cloud provider to be offline and I haven't found that I was unable to log in to the cloud portal yet.

What do I think about the scalability of the solution?

This is a quite easily scalable solution because it's a cloud platform. It's an easy rollout and the solution should be able to scale very simply. It shouldn't be difficult to scale out if we want more agents or more installs. It would be quite quick.

We have it deployed in a few different locations.

How are customer service and support?

I haven't needed to contact their technical support yet.

Which solution did I use previously and why did I switch?

We use different vendors' products and they have been troublesome or quite challenging. We did not have something that could do proper network monitoring around the devices themselves. We needed something that could scan the network, find the switches and devices, assign licensing, and then monitor them from there on out.

We're in the middle of transitioning, so we are still using the previous solution. It's a mix of SolarWinds and Darktrace. Those are the two bigger ones. This is a process, which means we won't jump to Auvik only and not use anything else, but we're finding it to be a great tool when integrated into our stack with the rest of the tools. We're definitely finding value in it.

What's my experience with pricing, setup cost, and licensing?

Auvik is priced in the middle tier. We have customers using bottom-tier products and those who use what I wouldn't say are necessarily higher-tier products in terms of functionality, but more extensive products. For the way that it's deployed, where the pricing only affects certain devices—meaning there are some free devices, so that you don't pay for everything—it's quite nicely priced in the middle. It's not an overpriced product, but it's also not a very cheap product. It is in a good range of pricing.

If someone is concerned about pricing, in most cases the functionality makes a strong use case and it mostly trumps the pricing. Generally, functionality wins. If you give me a product that works really well and it's a little bit more expensive, I'll take it. It doesn't make sense to sacrifice functionality for pricing.

Which other solutions did I evaluate?

We didn't really evaluate other options. In our specific case, Auvik came recommended by one of my friends, so we started a trial and then used it from there. I wasn't necessarily looking for just this type of network tech. It was just a happy coincidence.

What other advice do I have?

As for our team's visibility into remote and distributed networks globally, it has helped us somewhat. My team has started really integrating the product, but they've deployed it on a smaller scale at this point. It's not deployed on such a large scale yet.

Auvik, as a cloud-based solution, versus on-prem network monitoring solutions, is quite simple and intuitive to use. The cloud-based aspect is actually a very nice touch since some vendors require you to have an appliance onsite that they communicate with. It's very useful that it's a cloud-based application from an ease-of-deployment point of view. With no onsite appliance, there are fewer dependencies.

My advice would be to review and focus on the features and the functionality of the product. Don't necessarily, off the bat, just look at the pricing and say this is very expensive. With some customers, the first question is always, "What's the price?" without our having even said a word about the product. Take it for a test drive first, before you look at the pricing, so at least you know what you would be getting for that price.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Network Security Architect at a financial services firm with 10,001+ employees
Real User
Top 20
A good amount of granularity and advanced URL filtering capabilities
Pros and Cons
  • "The sandboxing tools offer great prevention for cloud feeds."
  • "Machine learning techniques should continue to expand and detect unknown threats on the fly."

What is our primary use case?

Our company uses the solution for IDS and IPS functionality in the signature phase that includes vulnerability and antivirus plus file blocking in the DLP to some extent. 

The signature feed is sent to the firewall based on a schedule we configure. Intervals can go up to every five minutes where the firewall goes to the cloud to get the latest signature feeds. At the same time, there are machine learning capabilities on the firewall that categorize certain non-threats on ports and protocols as malicious traffic before creating the signature.

We have 30 to 50 resources that use the solution throughout our company. 

What is most valuable?

The sandboxing tool offers great prevention for cloud feeds.

The solution is granular and able to recognize more applications with respect to firewall inspection.

The new, advanced URL filtering capability has cloud integration that runs analysis and fetches the latest signature categorization.

The solution is very easy to operate. 

What needs improvement?

The granularity of the signature could be improved. 

Machine learning techniques on firewalls are good but should continue to expand and detect unknown threats on the fly. The capability seems to be a bit limited on certain types of traffic.

The solution should include a checkbox to select or bypass the profile on a firewall or policy. 

The option to customize signature fields or allow feeds from other tools or environments would be interesting.

For how long have I used the solution?

I have been using the solution for five years. 

What do I think about the stability of the solution?

The solution is stable but could improve. It seems to be how the solution generates signatures because there are sometimes false positives. Signature updates sometimes cause breaks in production traffic. 

What do I think about the scalability of the solution?

The solution is a cloud feed, so it is scalable. Continued expansion with integrations will allow even more scalability.

How are customer service and support?

I speak with technical support every day. Support is good with troubleshooting and identifying problems in comparison to other vendors. 

It sometimes takes a lot of time for support to address issues. There is no structure for identifying major issues from more routine issues or taking proper accountability for them. 

I often provide feedback about what can be done better or what features I need. Turnaround for new features takes a lot of time. 

How was the initial setup?

The solution has a one-time setup that is easy. The granularity during cloud setup is very good. 

Custom signatures might require a bit of engineering work but are doable. 

Firewalls automatically get the feed from clouds and dump it to the firewall at intervals ranging from five minutes to 24 hours.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on the hardware or license purchased but is expensive. 

There is an initial investment but the return is good because the solution has many features, is stable, and scales without having to change anything on an existing deployment. 

When considering the value obtained, I rate pricing a nine out of ten. 

Which other solutions did I evaluate?

The solution's granularity with web URL categorizations and its ability to recognize more firewall applications are better than Zscaler. Threat prevention has very recently been introduced in Zscaler but has a way to go before matching the solution's capabilities. 

CrowdStrike provides more signature granularity than the solution. 

What other advice do I have?

The solution is great and continues to improve so I rate it a nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Of Information Technology at a security firm with 1-10 employees
Real User
Top 5 Leaderboard
Helpful alerting, provides valuable network insights, and the pricing is negotiable
Pros and Cons
  • "Overall, it gives me a lot of insight into my network that I didn't have before."
  • "The pain point that I have with this solution is contacting technical support."

What is our primary use case?

We primarily use Check Point to provide visibility into our network. It lets us see the east-west traffic, and it gives us a lot of information to work on as far as what kind of traffic was passing through.

How has it helped my organization?

Overall, it gives me a lot of insight into my network that I didn't have before.

What is most valuable?

It lets us know about anomalous behavior and it provides alerts regarding activity on certain ports. It lets me decide, for example, whether something is a valid connection, or causes me to question why a certain port is open.

What needs improvement?

The pain point that I have with this solution is contacting technical support.

For how long have I used the solution?

I have been working with Check Point IPS for more than a year.

What do I think about the stability of the solution?

Stability-wise, this product is great.

What do I think about the scalability of the solution?

The scalability comes from the fact that this is an on-premises device that ties into a cloud service. It's a hybrid application. Once you have it installed, it's collecting information. You put it right there in front of your input into the network, and it picks up all of the traffic.

How are customer service and support?

Sometimes, technical support takes a long time to get back to you.

Which solution did I use previously and why did I switch?

I used Check Point Endpoint Security, as well as the Network Detect and Response (NDR) appliance.

I am currently using Darktrace and Vectra in addition to Check Point. I've been using all three and I find that Check Point is the one where I get the most information from. I will stop using Vectra this year but I will retain Darktrace, as long as they keep it at a certain price.

Darktrace takes a lot more configuration; unlike Check Point, there are a lot more changes that need to be made. When it's fully integrated, it requires a lot of time and it may end up being as useful as the Check Point.

The reason I keep all three is because they all give me a different kind of view. They all give me different information. If they gave the same information, it'd be useless to keep them.

With respect to similar security products, I have demoed CrowdStrike, worked with Symantec, and am also using Check Point.

How was the initial setup?

Check Point was fairly usable out of the box.

I am using an on-premises appliance that ties into a cloud service.

What's my experience with pricing, setup cost, and licensing?

Pricing for this solution is negotiable and I'm happy with our pricing.

I suggest negotiating either at the end of their fiscal year or at the end of every quarter. At the end of the quarter, they have an incentive to lower the prices to sell as many units as possible in order to meet their end-of-quarter quota.

What other advice do I have?

If I could only keep one of my security solutions, it would be Check Point. To me, it provides the most valuable information.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.