NetWitness XDR Overview

NetWitness XDR is the #1 ranked solution in top Threat Intelligence Platforms, #4 ranked solution in SOAR tools, #6 ranked solution in top Network Detection and Response (NDR) tools, #9 ranked solution in XDR Security products, #14 ranked solution in EDR tools, and #27 ranked solution in endpoint security software. PeerSpot users give NetWitness XDR an average rating of 8.0 out of 10. NetWitness XDR is most commonly compared to Darktrace: NetWitness XDR vs Darktrace. NetWitness XDR is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. The top industry researching this solution is computer software companies, accounting for 21% of all views.
Buyer's Guide

Download the Extended Detection and Response (XDR) Buyer's Guide including reviews and more. Updated: January 2023

What is NetWitness XDR?

Using a centralized combination of network and endpoint analysis, behavioral analysis, data science techniques and threat intelligence, NetWitness XDR helps analysts detect and resolve known and unknown attacks while automating and orchestrating the incident response lifecycle. With these capabilities on one platform, security teams can collapse disparate tools and data into a powerful, blazingly fast user interface.

NetWitness XDR was previously known as RSA ECAT and NetWitness Network.

NetWitness XDR Customers

ADP, Ameritas, Partners Healthcare

NetWitness XDR Pricing Advice

What users are saying about NetWitness XDR pricing:
  • "The pricing is not very economical. It is a quite costly product for India. One thing is that when you purchase it, you have to purchase a module separately."
  • "The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000."
  • "NetWitness Endpoint is less costly than its competitors, but it offers fewer features."
  • "We are on a three-year contract to use RSA NetWitness Network."
NetWitness XDR Reviews
Manager, SOC
Real User
    Log correlation is good, but the solution is slow and there are many licensing complications
    Pros and Cons
    • "The log correlation is good."
  • "The deployment process is complex. I don't know why, but this solution will suddenly stop working. Logs stop coming. Often, one thing or another stops working. Most of the time, one of my team members is troubleshooting and working with technical support. Log parsing is also one of the biggest challenges."

    What is our primary use case?

    The product is mainly used for security, log reviews, and monitoring.

In India, for most requirements, we don't deploy the solution on the cloud. We use the solution on-premises.

    What is most valuable?

    The log correlation is good. There may be some benefits to the solution, but most of my time has gone to configure it rather than to work with it. So maybe I'm not so aware of that.

    What needs improvement?

    The problem with this product is that it's a bit slow. I am not very happy with this product. In the past, I have worked with a different tool, which was only maintaining a log, but I found that solution much better than NetWitness. It is not properly configured yet.

One part of this product that needs to be improved is the log parsing. Often, it doesn't work or logs go missing. There are many licensing complications as well.

    For how long have I used the solution?

    I have been working with this product for almost one year. I'm not working directly with the product. I do the implementation for companies. We use the latest versions of the solution.

    I'm technically not hands-on with these tools because I manage the team, so I am not exposed to anything.


    What do I think about the stability of the solution?

    My own network is very complex. It might be stable, but many times, even our appliances are not. We have had improper shutdowns, so I will not blame RSA. If an improper shutdown happens, then it takes a lot of time to make it up. It doesn't work until you start the machine, and it will work. Finally, you have to get a ticket, then they will do lots of things on them. The services will start and then it will work. We've been having some power issues in my previous assignments, and a lot of trouble in that way.

    What do I think about the scalability of the solution?

    The solution is scalable. It creates 3,000 lab logs per second. I think the solution is suitable for large companies, or medium to large companies.

    How are customer service and support?

    I don't think RSA has good support.

    How was the initial setup?

The deployment process is complex. I don't know why, but this solution will suddenly stop working. Logs stop coming. Often, one thing or another stops working. Most of the time, one of my team members is troubleshooting and working with technical support. Log parsing is also one of the biggest challenges. Sometimes you don't get the logs, but even when we set up the log parsers, they don't work. They suddenly stop working. It might just be a problem from my side as well, but the end result is that it is not working as smoothly as it should.

    Deployment time just depends on different circumstances. Many times, our men were unable to get to the data center. There were some wiring problems and improper shutdowns. We did have trouble with connecting with other people in our department. It took an unusual amount of time. I think we should have been done in 45 to 60 days, but it took us more than eight or nine months to get it done. The deployment time just depends on the current scenario. Tech support would say, "We don't do this, we don't do that. You have to purchase that service and that service."

    What's my experience with pricing, setup cost, and licensing?

    The pricing is not very economical. It is a costly product for India. When you purchase it, you have to purchase a module separately.

    What other advice do I have?

    I would rate this solution 4 out of 10. I would not suggest that someone use this solution because support is a main issue. I would prefer to go with IBM QRadar or some other new AI-based tools.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
Senior Cybersecurity Consultant at CIA Botswana
Real User
    Overall great feature functionality, simple installation, and helpful technical support
    Pros and Cons
    • "They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in."

      What is our primary use case?

      RSA NetWitness Endpoint is used to get an instant detection response from network threats. Additionally, it has the capability to do malware analysis and investigations.

      How has it helped my organization?

      RSA NetWitness Endpoint has helped our organization from its many advantages and because it provides overall visibility of all of our endpoints within the enterprise network. You are able to see what exactly is going on and it provides real-time incident reports, instant management, and investigations.

      What is most valuable?

      They have recently updated the features and the most valuable ones are the instant threat response, ease of use, web interface, integration, and easy access. RSA NetWitness Endpoint is very compatible with other solutions and technologies. However, they do not rely on third-party solutions and have most features built-in.

      For how long have I used the solution?

      I have been using RSA NetWitness Endpoint for approximately six years.

      What do I think about the stability of the solution?

      The solution is very stable and does not overwhelm the network.

      What do I think about the scalability of the solution?

      The solution is highly scalable and is easy to scale.

When comparing RSA NetWitness Endpoint to Splunk, we have found Splunk is missing some features. For example, the user identity and analytics capabilities are not available with Splunk. You will have to depend on third-party tools to provide those features. What makes Splunk very good is that it is dependent on third parties, but all those third parties have to integrate together. Splunk should have someone who is very good at API integration to be able to integrate all the third-party tools; otherwise, the solution will not work well.

      We have approximately six people using this solution in my organization.

      How are customer service and technical support?

      The annual license comes with free online support and all you do is open a ticket through the 24/7 support. The support is very good and they provide different levels of incident priority, such as level one and high priority level, they typically respond within 24 hours.

      How was the initial setup?

      The installation was simple.

      What about the implementation team?

      We did the implementation of the solution ourselves. The vendor provides the datasheet manuals which are readily available online. They are easy to follow to complete the implementation.

      We have a license for the vendor to do maintenance.

      What's my experience with pricing, setup cost, and licensing?

      There are different licenses available for the use of this solution. The license that comes with support is more expensive than the basic license. 

      The price of the solution depends on the environment. If the environment is large then it will cost more. However, the larger the environment with more endpoints, you will receive an increased discount. If the environment is very small, then you might think it is expensive. It is always better to buy in bulk to receive a discount. The minimum number of assets is usually 500, with discounts on 1000 and 2000.

      The perpetual license is not good because it does not cover maintenance, you have to pay maintenance separately. However, they are slowly moving away from perpetual licenses and there will only be annual licensing for your subscription.

      Which other solutions did I evaluate?

      I have evaluated Splunk.

      What other advice do I have?

Those looking to implement RSA NetWitness Endpoint should do a comprehensive assessment of their environment to check whether they really need the solution. Sometimes you buy the solution and you do not have the right people to use it. Ensure that you invest in the right expertise to use it because after you invest in people, then you invest also in the processes and technologies. If you have the technology but you do not have the expertise to operate the solution, it will not be useful.

      I rate RSA NetWitness Endpoint a ten out of ten.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
      PeerSpot user
Senior Cyber Security Analyst (SAFe Agile) at a transportation company with 1,001-5,000 employees
Real User
      Advanced threat detection undermined by issues with blocking
      Pros and Cons
      • "NetWitness Endpoint's most valuable features are its interoperability across many different operating systems and the ease of pivoting from network to endpoint via a single console."
      • "NetWitness Endpoint's blocking feature does not work properly - if there's a malicious process, it's not possible to kill it via a custom rule unless and until it's flagged as malicious."

      What is our primary use case?

I primarily use NetWitness Endpoint to detect anomalies like the presence of web shells that are not detected by traditional antivirus solutions. I also use it for digital forensics and containment.

      How has it helped my organization?

      NetWitness Endpoint has enabled us to detect attacks that bypass the first stage of cybersecurity, like zero-day and advanced attacks.

      What is most valuable?

      NetWitness Endpoint's most valuable features are its interoperability across many different operating systems and the ease of pivoting from network to endpoint via a single console.

      What needs improvement?

      NetWitness Endpoint's blocking feature does not work properly - if there's a malicious process, it's not possible to kill it via a custom rule unless and until it's flagged as malicious. For example, if you put IOCs in the form of hashes, it's not possible to block those IOCs - the system will alert you, but they can't be blocked. In the next release, NetWitness Endpoint should include regular expressions for blocking processes and sub-processes, the ability to block IPs, and scalability and integration with the ServiceNow platform or other ticketing solutions.

      For how long have I used the solution?

      I've been using NetWitness Endpoint for seven to eight years.

      What do I think about the stability of the solution?

      NetWitness Endpoint is stable, but there are times when the RSA agents installed on the endpoint don't respond, and they don't have proper health checkups for this, so you don't get any notification of what's happening.

      What do I think about the scalability of the solution?

      NetWitness Endpoint scales well.

      How are customer service and support?

      NetWitness Endpoint's technical support is very good and fast. Their system allows us to raise tickets with various levels of severity, so cases are dealt with per those levels.

      How would you rate customer service and support?

      Positive

      How was the initial setup?

      The initial setup isn't too complex, and deployment can be completed in a day. I would rate the setup experience as four out of five.

      What about the implementation team?

      We used a third-party team.

      What was our ROI?

      NetWitness Endpoint has provided an ROI in terms of increased threat detection and containment, allowing us to perform deep-dive digital forensics on assets.

      What's my experience with pricing, setup cost, and licensing?

      NetWitness Endpoint is less costly than its competitors, but it offers fewer features. Its licensing is per installation, and there are additional costs for the RSA NetWitness NDR solution and extra bandwidth requirements.

      What other advice do I have?

      I would give NetWitness Endpoint a rating of seven out of ten because it's missing the features of modern EDR solutions.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
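The blocking gap this reviewer describes (hash IOCs only raise alerts; a custom rule cannot kill a process; no regex matching over processes) is exactly the rule-evaluation logic a detection engineer would want to see spelled out. The following is an added, constructed example, not NetWitness code and not from the reviewer: it evaluates process-start telemetry against hash IOCs and regex rules, each carrying its own action, and lets the most severe verdict win. The event schema, rule names, sample paths, command lines and hashes are all hypothetical.

```python
"""Illustrative hash-IOC plus regex process rules with alert/block precedence.

Not NetWitness code: a constructed example of the rule logic the review
above says the product lacks (custom rules that can block, not only alert).
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Higher number wins when several rules match the same event.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


@dataclass(frozen=True)
class ProcessEvent:
    """Process-start telemetry as an EDR agent might report it (hypothetical schema)."""
    pid: int
    image_path: str
    cmdline: str
    sha256: str  # hash of the on-disk image


@dataclass
class Verdict:
    action: str  # "allow", "alert" or "block"
    reason: str


@dataclass
class IocRuleSet:
    # sha256 (lowercase hex) -> action to take when that image hash is seen
    hash_iocs: Dict[str, str] = field(default_factory=dict)
    # (compiled regex over "<image_path> <cmdline>", action, rule name)
    regex_rules: List[Tuple[re.Pattern, str, str]] = field(default_factory=list)

    def add_hash(self, sha256_hex: str, action: str) -> None:
        if action not in ("alert", "block"):
            raise ValueError(f"unsupported action {action!r}")
        self.hash_iocs[sha256_hex.lower()] = action

    def add_regex(self, pattern: str, action: str, name: str) -> None:
        if action not in ("alert", "block"):
            raise ValueError(f"unsupported action {action!r}")
        self.regex_rules.append((re.compile(pattern, re.IGNORECASE), action, name))

    def evaluate(self, ev: ProcessEvent) -> Verdict:
        """Return the most severe verdict any rule produces (block > alert > allow)."""
        best = Verdict("allow", "no rule matched")
        digest = ev.sha256.lower()
        if digest in self.hash_iocs:
            best = Verdict(self.hash_iocs[digest], f"hash IOC {digest[:12]}")
        haystack = f"{ev.image_path} {ev.cmdline}"
        for pattern, action, name in self.regex_rules:
            if pattern.search(haystack) and SEVERITY[action] > SEVERITY[best.action]:
                best = Verdict(action, f"regex rule {name}")
        return best


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents; only their hashes matter here.
BAD_HASH = sha256_hex(b"constructed bytes standing in for a known-bad binary")
TEMP_UPDATER_HASH = sha256_hex(b"constructed bytes for a suspicious updater")
BENIGN_HASH = sha256_hex(b"constructed bytes for a benign system binary")


def build_rules() -> IocRuleSet:
    rules = IocRuleSet()
    rules.add_hash(BAD_HASH, "block")            # known-bad hash: block outright
    rules.add_hash(TEMP_UPDATER_HASH, "alert")   # suspicious hash: alert only
    rules.add_regex(r"powershell(\.exe)?\s.*-(enc|encodedcommand)\s", "alert", "encoded-powershell")
    rules.add_regex(r"\\temp\\[^\\]+\.exe\b", "block", "exe-from-temp")
    return rules


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    ProcessEvent(412, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", BENIGN_HASH),
    ProcessEvent(1337, r"C:\Users\alice\Downloads\invoice.exe", "invoice.exe", BAD_HASH),
    ProcessEvent(2048, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A", BENIGN_HASH),
    ProcessEvent(3001, r"C:\Users\alice\AppData\Local\Temp\update.exe", "update.exe /silent",
                 TEMP_UPDATER_HASH),
]


def triage(events: List[ProcessEvent], rules: IocRuleSet) -> Dict[int, str]:
    """Map each pid to the action the rule set decides for it."""
    return {ev.pid: rules.evaluate(ev).action for ev in events}


if __name__ == "__main__":
    rs = build_rules()
    for ev in SAMPLE_EVENTS:
        v = rs.evaluate(ev)
        print(f"pid {ev.pid:>5} {v.action:<5} {v.reason}")
```

The precedence rule matters for the case the reviewer raises: pid 3001 carries a hash that is only on the alert list, but the regex rule for executables launched from a Temp directory is set to block, so the block wins. A real agent would act on that verdict by terminating the process; here the decision and its reason are simply returned so they can be checked.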
Manager, IT Security Operations at a non-profit with 11-50 employees
Real User
      Reliable and good support but can be expensive
      Pros and Cons
      • "Technical support is knowledgeable."
      • "Threat detection could be better."

      What is our primary use case?

      We primarily use the solution for NDR. 

      What is most valuable?

      We like the solution doesn't have to be managed by an IT department. It's easy to use. You can still check the machine without the IT department being involved.

      The solution is stable. 

      Technical support is knowledgeable. 

      What needs improvement?

      I have no real complaints about the solution. 

      Threat detection could be better. They need to enhance their threat intelligence feeds.

We would like to have more IOCs or more threat intelligence, to not only rely on the intelligence of the engineer in charge but to have some threat intelligence and some feeds of IOCs, and to have the host have some artificial intelligence to reduce the number of false positives.

      I don't see this solution being very scalable. 

      The solution is pricey.

      For how long have I used the solution?

      I've been using the solution for five years. 

      What do I think about the stability of the solution?

      It's pretty stable. It's reliable. There are no bugs or glitches. It doesn't crash or freeze.

      What do I think about the scalability of the solution?

      It's not a very scalable product.

      We have three engineers that work on the solution. They use it regularly, yet not necessarily on a daily basis. 

      How are customer service and support?

      Technical support is good. They are knowledgeable and responsive. We are satisfied with the support on offer. 

      How would you rate customer service and support?

      Positive

      How was the initial setup?

      The setup is neither easy nor difficult. It's moderate. I'd rate it four out of five in terms of the deployment process. It wasn't challenging, yet had some complications so wasn't completely straightforward. 

      What's my experience with pricing, setup cost, and licensing?

      The solution is expensive. I'd rate it at a one or two out of five. They need to adjust it to keep up with the competition.

      I cannot speak to the exact pricing of the product.

      What other advice do I have?

      I'd rate the solution a six out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Supravat Maji, Associate Vice President - IT Security at Inspira Enterprise
Real User
      Beneficial single unified dashboard, good native application integration, and high availability
      Pros and Cons
      • "The most valuable feature of RSA NetWitness Network is the single unified dashboard from which you can manage all the different products of RSA. Additionally, the integration with native applications is good."
      • "RSA NetWitness Network could improve on integration with non-native application integration."

      What is most valuable?

      The most valuable feature of RSA NetWitness Network is the single unified dashboard from which you can manage all the different products of RSA. Additionally, the integration with native applications is good.

      What needs improvement?

      RSA NetWitness Network could improve on integration with non-native application integration.

      For how long have I used the solution?

      I have been using RSA NetWitness Network for approximately three years.

      What do I think about the stability of the solution?

      RSA NetWitness Network on-premise is stable. I have not used the version to compare.

      What do I think about the scalability of the solution?

RSA NetWitness Network could improve scalability. The process is simple; you can stack on devices. It can scale horizontally and vertically.

      How are customer service and support?

The technical support from RSA NetWitness Network is good because the response time is fast. Whenever we raise a request, we receive a response. It's not immediate, but based on the priority, and on the server, we receive a response.

      How was the initial setup?

      The initial setup of the RSA NetWitness Network is fine. The device setup is easy. However, we need professional services for creating dashboards and other aspects. 

      What about the implementation team?

      We used professional service for some of the implementation aspects.

      What was our ROI?

      We have seen a return on investment using RSA NetWitness Network.

      What's my experience with pricing, setup cost, and licensing?

      We are on a three-year contract to use RSA NetWitness Network.

      What other advice do I have?

My advice to those wanting to implement RSA NetWitness Network is that they have to first do a little due diligence, such as establishing the exact requirement based on their needs. That will give them a direction for their investment because otherwise the bill of material or bill of quantity (BOQ) may be on the higher side. It is important to do good due diligence on the environment, see the exact requirement, and then go ahead with the solution. The solution is perfectly stable.

      I rate RSA NetWitness Network a nine out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Hanan Syed, Cyber Security Consultant at Mideast Data Systems
Real User
      Scalable and useful single location management
      Pros and Cons
      • "The stability of the RSA NetWitness Endpoint is very good."
      • "The threat intelligence could improve in RSA NetWitness Endpoint."

      What needs improvement?

      The threat intelligence could improve in RSA NetWitness Endpoint.

      For how long have I used the solution?

      I have been using RSA NetWitness Endpoint for approximately seven years.

      What do I think about the stability of the solution?

      The stability of the RSA NetWitness Endpoint is very good.

      What do I think about the scalability of the solution?

RSA NetWitness Endpoint is a scalable solution. However, the problem we normally face is the migration of the solution. This solution has hard-coded IP addresses in its agents. When somebody wants to migrate from one data center to another data center, they have to reinstall all the agents. They can't change the hard-coded IP address to allow communication with the target server. That is the largest problem with the solution. Otherwise, in terms of scalability, it's fine.

If they were able to provide a way to change the IP address in the agents when somebody migrates the hardware appliances from one data center to another, it would be a great improvement for those who want to migrate.

      What other advice do I have?

      I would recommend others to use RSA NetWitness Endpoint at this time because they have evolved from an MD to an EDR solution to an XDR solution. They have a single solution in which they can pivot from the NetWitness to the endpoint. Everything is combined in a single pane of glass.

      Earlier, they used to have distinct solutions. The NetWitness EDI used another pane of glass and then the EDR used a different one. Now the EDR and MDR have been combined into a single solution. That is an advantage from the security perspective. They can use a lateral movement and see all aspects in a single pane of glass. It's an easy investigation for everyone. I would definitely recommend this solution.

      I rate RSA NetWitness Endpoint an eight out of ten.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Jakaria Udoy, Information Security Engineer at Nhq Distribution Ltd
Real User
      Has user behavior analytics features and is stable and scalable
      Pros and Cons
      • "It's a scalable solution. We have around five to eight customers using RSA NetWitness Endpoint, and we hope to increase the number of users."
      • "The integration of the solution needs to be improved. The dashboard needs lots of updates as well. In the next release, we would like to see advanced fraud detection features."

      What is our primary use case?

      We use it for IT security purposes. This is our central log management solution. So we incorporate all of our servers and PCs to this software, and we can monitor the logs from there.

      What is most valuable?

      I like the user behavior analytics feature.

      What needs improvement?

      The integration of the solution needs to be improved. The dashboard needs lots of updates as well.

      In the next release, we would like to see advanced fraud detection features.

      For how long have I used the solution?

      I've been using this software for the last three years.

      What do I think about the stability of the solution?

      It is stable.

      What do I think about the scalability of the solution?

      It's a scalable solution. We have around five to eight customers using RSA NetWitness Endpoint, and we hope to increase the number of users.

      How are customer service and support?

      The technical support staff are quite responsive, and I'd give them an eight out of ten.

      How would you rate customer service and support?

      Positive

      Which solution did I use previously and why did I switch?

      We have both McAfee and NetWitness, but NetWitness has much better options than McAfee does.

      How was the initial setup?

      The initial setup is complex. On a scale from one to five with one being the worst and five being the best, I would rate the initial setup at four.

      It took a couple of hours to set up. The deployment and maintenance can be done by one person, such as a technician.

      What about the implementation team?

      We implemented it in-house.

      What other advice do I have?

      I recommend RSA NetWitness Endpoint and would give it a rating of eight on a scale from one to ten.

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
      PeerSpot user
Security Information and Incident Handling at a financial services firm with 501-1,000 employees
Real User
      Provides great protection against malicious files
      Pros and Cons
      • "Ability to isolate the machine when there are malicious files."
      • "The solution lacks a reporting engine."

      What is our primary use case?

      We are customers of RSA.

      What is most valuable?

      The valuable feature is being able to isolate the machine when there are malicious files.

      What needs improvement?

      The solution doesn't have a reporting engine which would be helpful. I've also found that the UI times out too quickly and you have to close and reopen. It should allow for a longer session time.

      For how long have I used the solution?

      I've been using this solution for four years. 

      What do I think about the stability of the solution?

      The solution is stable. 

      What do I think about the scalability of the solution?

      The solution is scalable in terms of coverage. We have more than 2500 endpoints with different levels of users and operating systems. 

      How are customer service and support?

Customer support is very good in terms of the knowledge base, but the response time is too long. It can sometimes take two days before you get a reply.

      How was the initial setup?

      The initial setup was relatively straightforward because we only had to provision the SQL server and then run the setup. We deployed in-house with a DBA and the deployment took a day. We have an external maintenance contract.

      What was our ROI?

      We've seen a good ROI. 

      What other advice do I have?

      I rate this solution eight out of 10. 

      Which deployment model are you using for this solution?

      On-premises
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user