Intrusion Detection and Prevention Software (IDPS)
September 2022
Get our free report covering Darktrace, Cisco, ExtraHop Networks, and other competitors of Vectra AI. Updated: September 2022.

Read reviews of Vectra AI alternatives and competitors

Chief Technology Officer at a financial services firm with 11-50 employees
Real User
It's much easier to create your own queries and hunt for threats
Pros and Cons
  • "When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query."
  • "The one thing that the Awake platform lacks is the ability to automate the ingestion of IOCs rather than having to import CSV files or JSON files manually."

How has it helped my organization?

Awake has made us more productive. We're spending less time looking at false positives, so we can focus on what's truly important. It hasn't affected the morale of our analysts because we use a third-party SOC. 

When I look at the central dashboards, I can see what adversarial models were matched within the day, and when I click on that day, I can see what models and device names got triggered within my homepage. If I want to dive further into that model, I can click on that, and it tells me what the threats were as well as a lot more information on the endpoint or the asset. Then, if I want to see even more information, such as the actual activities, it's three clicks, and I'm on the activities themselves. I can pull a PCAP and investigate it. Regarding responsiveness and how quickly I get the answer, it's much faster than what I used to have.

It's hard to quantify, but it would have taken me 10 minutes to figure it out in my previous solution because I'm on the platform every day. Awake is easier and more intuitive. You see the day, the triggered models, and the asset. Then you click on the asset and activities. They're right there. I get the source, destination, and details, then download my PCAP, and I'm done.

Awake also tracks unmanaged devices. We have a guest WiFi, so if someone logs in to that, it's an unmanaged device. If they log in and try to do something bad, Awake will flag it and tell me. It's important, even though we don't have as many people coming in and using the guest WiFi due to COVID, because we need to know if a guest user is doing something malicious.

What is most valuable?

It's much easier to create your own queries and hunt for threats. Darktrace's language is more challenging, and it's almost like you have to learn Darktrace's methodology to decipher it. When I create a workbench query in Awake to do threat hunting, it's much easier to query. You get a dictionary popup immediately when you try to type a new query. It says, "You want to search for a device?" Then you type in "D-E," and it gives you a list of commands, like device, data set behavior, etc. That gives you the ability to build your own query. Gathering PCAPs is also quite practical and more straightforward, and so is tweaking the adversarial models. With Darktrace, it was tough to do. If you go to another serial model and want to clone it, then edit it and disable the old one, you can do it easily.

We have Palo Altos to decrypt traffic. I have all traffic going in and out via Awake, which can decrypt the traffic. However, Awake doesn't need to decrypt because it can analyze encrypted traffic to get a sense of what it might be. What I find helpful is that Awake can tell me when encrypted files might contain passwords. There is an adversarial model for that, which is great when someone tells me that there are two files with passwords, but the Awake MNDR team already has an open ticket for this. They look for files that have "passwords" in the filename.

That allows me to reach out to the user and tell him that I noticed a file containing passwords, and it's not password-protected. When they password-protect the file, the Awake team still highlights that as a risk, but then I write to them and say a password now protects the password file, and even though it is a password file, it is encrypted. So if you try to open it, you have to decrypt it with a password. Then we tweak the model to prevent that model from being triggered for that specific filename.

What needs improvement?

We take in IOCs from my SOC and from AlienVault, and then we focus on traffic that hits IOCs and alerts us to it. The one thing that the Awake platform lacks is the ability to automate the ingestion of IOCs rather than having to import CSV files or JSON files manually. Awake didn't support the manual importation of CSV and JSON in version 3.0, but they added it in version 4.0. It's helpful, but it still has to be a specific CSV format. Automated IOCs are on the roadmap. Hopefully, they will be able to automate the ingestion of IOCs by Q1 next year. I'm currently leveraging MineMeld, an open-source tool by Palo Alto, to ingest IOCs from external parties. I aggregate those lists and spit them out as a massive list of domains, hashes, file names, and IPs. Then we aggregate those into their own specific categories, like a URL category. Awake ingests that just like the Palo Alto firewall does, and then it alerts me if traffic attempts to go into it.

Some of that is already on the Palo Alto firewall, which blocks it, but that doesn't mean that there is no attempted communication. I want to know if there's a communication attempt because there might be an indicator on that specific device trying to reach an IOC. Yes, my Palo Alto blocked it, but there's still something odd sitting there, and what if it can reach a different IOC that I don't have information about? I want to focus on it. I could do that by leveraging Awake if it could ingest the IOCs automatically. That's something I leverage Awake for today. I still have to manually import it, which is cumbersome because I have to manipulate the files that I get from the different IOC providers into a specific format that it understands. Once they add the ability to automate that, it'll be more useful.

For how long have I used the solution?

I have been using Awake since 2020. They hadn't been acquired yet by Arista when I joined.

What do I think about the stability of the solution?

Awake is pretty stable. It has come a long way. There were quite a lot of bugs initially when I had them in version 3.0. I'm on 4.11 now, so it's a lot cleaner, more intuitive, and much less buggy. I found bugs as each new release came out. I brought them to the attention of support, and they would fix them, then I'd find a different one. I can't comment now since Arista acquired them, but before Arista, the development to get something fixed was much faster.

What do I think about the scalability of the solution?

I have a larger appliance than I technically would need, but I prefer that. If my organization goes up 100 percent, the appliance will still be suitable. So the scalability is there. If you switch from a 50-person shop to a 1000-person shop, it's easy to upgrade the appliance. They get a new one, install it, migrate the data, and you're done. I don't have any reservations about that.

How are customer service and support?

I don't think anyone is a 10 out of 10. There's always room for improvement. I'll give the Arista support group an eight out of 10, and nine and a half to the MNDR team. Awake's managed network detection and response service is fantastic. Awake MNDR has been there night and day for us. In fact, they've helped me a couple of times where my SOC has fallen short. They got me the answers I wanted, which is precisely why I wanted to sign up for MNDR.

Awake MNDR has made our security posture more comfortable. We get some peace of mind knowing they're there if something should happen. I can reach out, and also, they open their own tickets for things they see that the Awake platform doesn't necessarily catch automatically. You want that human element behind it, not just the EML component of it, where you build these models as an ML. You tell the machine what to look for, and if the machine sees it, then it tells us something about it. It's not machine learning — more like machine finding. These guys are looking for the nuances that the machine can't find.

If they see new IOCs, attack vectors, methods of attack, hashes, or techniques, they're going to log in to random customers and do some threat hunting. We get a lot of value from having the ability to say, "Guys, I heard about X, Y, Z. Can you check if there's any indication of that in my environment?" They can then log in, do their own threat hunting, and tell me, "No, categorically, there isn't." That's a lot more helpful than just having a SOC.

If my SOC is spending a couple of hours doing it, they're not going to be Awake experts, of course, because they're a SOC, and they probably have to leverage so many security tools it's impossible. They all have customers with Vectra, Darktrace, etc., and you can't learn them all. So having the Awake team allows me just to ask the Awake MNDR team, "I got this ticket. Can you guys log in and investigate it?" Or, "I have this question. This user did XYZ. Can you guys investigate this and paint a picture based on what you see in Awake?" Of course, they don't have access to SentinelOne or a lot of my other tools like the SOC does, but they can give me a sense of exactly what happened just by leveraging Awake.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, we were Darktrace customers, and we had the Darktrace platform set up in two locations: here and our data center. We leveraged them because we wanted to have an NDR solution. Darktrace is great eye candy, but we got a lot of false positives in the environment. When we spoke with Darktrace, they assured us that it was AI with machine learning capabilities so that it would adapt to our environment the longer it was deployed.

I'm not sure if they've gotten better since then because I left them two years ago, but our SOC was spending too much time looking at false positives. When we approached Darktrace and told them that the solution was flagging functions that were normal in our environment, the support was not up to scratch. If you constantly have to change the model and tell it to ignore issues in your environment, then that's not machine learning because it's not learning the environment.

Awake had what I was looking for with Darktrace but didn't get, which was to get a response. So you detect it and respond to it by integrating it with the EDR tool, specifically at the endpoint. I wanted a response, but that automation wasn't there. Darktrace has it now. However, Awake had the EDR integration to Crowdstrike and SentinelOne out-of-the-box, which was great because then I wanted to do it, but it's not fully automated yet. I can isolate the endpoint from the Awake platform, but there's still no playbook yet where it says, "Okay, if you find a ransomware attack going on, isolate that endpoint and respond automatically." That's on Awake's roadmap.

Another reason I moved to Awake was that they're not truly an ML or AI, and they don't sell themselves as that. They look at it differently from a security perspective, and I like that. The integration with EDR is better than what I had. They were looking to integrate with Palo Alto and Cisco firewalls to automate the response to IOC. If an IOC is identified in my environment, it will tell my firewall to start dropping the traffic to the IOC. They don't have this functionality yet, but I know it's in the roadmap because I just had a call with them about a month ago. I have a Palo Alto firewall, and the integration with Palo Alto will come along in Q1 next year. 

I think Darktrace has this, or it's in the process of adding it, but Awake already had it on the roadmap two years ago. That was something they were building towards. Since then, I have expanded my relationship with Awake Arista by signing up for their MNDR service, which has been super helpful because we still get false positives when I tweak the adversarial models to match my environment. I don't think there's a solution that will genuinely learn your environment and know what's normal versus what's not. I've found that dealing with support is better than dealing with Darktrace. Granted, I have the MNDR team also now, but this was the case even before that. With the MNDR team, I send them an email telling them the alerts we've gotten and the workbench queries we used. Then I ask them to tweak the model, so we don't get false positives. After an hour or two, it's done. Compared to Darktrace, the level of responsiveness from Awake has been night and day.

I get low-risk false positives, and I treat them all the same, but I have a managed external SOC, and they will not. I do because I want to see less noise, and I want my SOC to focus on what's important. As such, I want to tweak the adversarial models to focus more on aspects that warrant research and response rather than just an alert that comes in. We can decide to look at something later when we have time because we can see it's a low-level risk. Awake categorizes these, so you know it's low when you see an alert with a risk score of 20. Still, I want to clean it up, so that I don't see them. When I look at my platform dashboard, I want to know that I have had X unique adversarial models for the past week and Y high-risk devices. Then I can zero in on those high-risk devices to see what they are and what they're doing. 

I was a Dell Secureworks customer for a while. They were great tools, but they weren't NextGen. I thought Darktrace was NextGen. I had probably done a demo with them two years before becoming a client. I had Secureworks as a SOC, but then I wanted something more. When it was time to change my SOC from Secureworks, I figured I could use Darktrace and get an external SOC to ingest all of my security logs for the same cost I'm paying Dell Secureworks.

I thought that my SOC was spending too much time investigating all the false positives we were getting out of Darktrace, and it wasn't their job to tweak Darktrace. It was certainly more challenging for me to do it and more brutal to me to work with support to do it. And so, after attempting that for six months, I came across Awake. I can't remember exactly where. It must have been a marketing email I got, and I decided to look into it.

I think they had just come out of stealth mode when I started talking to them, and I decided to put them in at the same time I had Darktrace and do a bake-off. I realized that I was getting fewer false positives but, unfortunately, the platform does not have 3D manipulation, which I call the "eye candy" of Darktrace. It's an excellent visualization tool. It looks fantastic, but it's not easy to dive in and look at the logs.

I like how Darktrace can replay the traffic and show the messages coming in. I thought that was a pretty cool feature that I wish I could do with the Awake. But again, it's eye candy. The information is there, but you can't play it to the second as the traffic comes in. When I tried out Awake, I was taken aback because they had the IOC ingestion and were planning on automating that. They were also planning on integrating Awake with Palo Alto firewalls. Awake also had the EDR implementation as I was looking at migrating from Cylance to Crowdstrike. They already had Cylance integration also. I thought it was a no-brainer as long as I could get it for the same cost as Darktrace. I knew I would get a little more value out of it. I would lose the eye candy and the playback, but my SOC will spend less time looking at false positives.

I don't pay more or less if my SOC gets a thousand tickets or 10, but I also don't believe in my mailbox getting spammed with issues that worry me. Of course, I still get false positives from Awake. At most, it's maybe one a day, which is not terrible. We used to get five, but then I started tweaking it, and now we're getting roughly one every two days. We used to get five a day because no platform is built for your environment. They're built for all environments. They have to look for issues they think are malicious. You get that with SentinelOne too. I get false positives with SentinelOne and Excel files that look like they're meeting a MITRE ATT&CK framework, but they're not.

I think people should be ignored if they tell you there is a tool out there that's truly going to learn your environment. Darktrace claims that the tool will self-adjust the longer that it's in your environment. It won't. I've seen it, and unless that's been massively improved, I don't believe it.

What's my experience with pricing, setup cost, and licensing?

I got a deal when I bought Awake. It's as if you go to buy a car and end up ripping off the dealer. I don't think many customers got the same deal. Darktrace is way too expensive, and so Awake is more price competitive. I think they'll be able to take a lot of clients from Darktrace because it costs a lot of money. All of these vendors push for four-year agreements and offer discounts for that. Darktrace told me that they only do four-year contracts, but I said I wouldn't be a customer if those were the terms. Instead, I got a four-year agreement with a 12-month opt-out. It's still a four-year agreement, but I could opt out after 12 months with a 90-day notice. So to me, it's a one-year agreement. I was able to get that with Darktrace because they wanted me as a customer.

Because I represent a hedge fund, I have some leverage. I told them that they had to meet my conditions if they wanted me as a client. It was the same way with Awake. They wanted an initial four-year agreement. Initially, we signed on for a one-year contract, but they wanted the four-year deal when it came time for the renewal. I told them that I was not doing that. I said that they either had to do it on my terms, or I'd go somewhere else. I don't want to, but I'll go.

We were able to keep the same conditions that I had, and working with them was pretty easy. I didn't have to jump through many hoops to get what I wanted. I was one of their first clients in the alternative investment space, and I've been a big supporter of what they were doing even before Arista bought them. I was worried when Arista bought them. When a conglomerate company bought this unicorn, I was afraid they would turn it into garbage.

Thankfully, I haven't seen that. The platform is improving, and the development continues. They're doing many exciting improvements that were on the roadmap when I first signed on. I can't disclose some of these improvements, but seeing what's coming down the pipeline is exciting. And like I said, I was fearful of Arista. Now I'm thankful that Arista pumped money into it and kept the team together, did not break them, that they're integrating them into their support model, and the teams will become bigger. And obviously, the interaction with the Arista products will become even larger because they're an Arista company, and they want to apply that to their Arista products.

My other big concern was that once Awake was acquired by Arista, they would have no interest in integrating with Palo Alto and Cisco because they are competitors. The sales rep told me, "No, that's incorrect. We still want to integrate with them. However, we understand customers are always going to have a choice, and not everyone chooses Arista for networking." I don't think Arista even does firewalls, so they put me at ease. 

What other advice do I have?

I'd rate Awake Security Platform nine out of 10. I have recommended them to many of my peers and have done references since. I believe in Awake and what they're building. I know how much more they can do with this. Unlike Darktrace, Awake has been built from the ground up. Darktrace took a lot of open-source tools and integrated them. It may have been a sales pitch, but my understanding is that one aspect that sets Awake apart is that this platform is built from the ground up. They didn't take an open-source tool and bandaid it to another one to create a product. 

That's one of the most exciting aspects of Awake. They can do what they want with this. They can build all these features on top of it. I bought into Awake because I wanted to get these features on a single platform. I want to create playbooks. I want something that can automate playbooks and leverage API calls to connect to your Palo Alto firewalls and SentinelOne. It's all about APIs nowadays. I want to have the ability through a single pane of glass that has your top 10 adversarial models that are critical. If you hit this criticality and you are up to this percentage, the following action that the Awake platform takes is X.

I believe that's where this platform can go, and I don't think any platform out there is at that level yet, even though Darktrace now has integration with EDR. They can automate many aspects, and they have added Palo Alto to it since then. Also, they have an email phishing component. I think Awake has the potential to do much more, and based on the roadmap that I've seen, I believe they are well-positioned to do even better.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
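The review above describes pulling IOC lists from several providers as CSV and JSON, sorting them into categories such as domains, hashes, file names and IPs, and exporting them in the specific CSV shape the platform expects. The Python below is an added illustration of that normalisation step; it is not code from the reviewer, Awake, Arista or MineMeld. The feed layouts, the `type,value,sources` output columns, the category names and the file-extension list are assumptions (the real import format is not given on the page), and the sample feeds are constructed, not real threat intelligence.

```python
from __future__ import annotations

import csv
import io
import ipaddress
import json
import re
from collections import defaultdict

# Hex digest lengths for MD5, SHA-1 and SHA-256.
HEX_HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Hostname shape: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(r"^(?!-)(?:[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")
# Extensions treated as file names rather than domains (assumed list; ".js" is also a
# TLD, so a feed mixing both needs an explicit type column rather than this heuristic).
FILE_EXTENSIONS = {"exe", "dll", "ps1", "bat", "vbs", "js", "scr", "lnk",
                   "hta", "jar", "docm", "xlsm", "zip"}


def refang(value: str) -> str:
    """Undo the defanging conventions shared feeds use so the indicator can be matched."""
    value = value.strip().strip('"').strip("'")
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        value = value.replace(old, new)
    return value


def classify(raw: str) -> tuple[str, str]:
    """Return (category, normalised value); category is ip, url, hash, filename, domain or unknown."""
    value = refang(raw)
    if not value:
        return "unknown", value
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if "://" in value:
        return "url", value
    lowered = value.lower()
    if HEX_RE.match(lowered) and len(lowered) in HEX_HASH_LENGTHS:
        return "hash", lowered
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in FILE_EXTENSIONS:
        return "filename", value
    if DOMAIN_RE.match(lowered):
        return "domain", lowered
    return "unknown", value


def parse_csv_feed(text: str, column: str) -> list[str]:
    """Pull one column out of a CSV feed (header row required)."""
    reader = csv.DictReader(io.StringIO(text))
    return [row[column] for row in reader if row.get(column)]


def parse_json_feed(text: str, key: str) -> list[str]:
    """Pull one key out of a JSON feed shaped as a list of objects."""
    return [str(item[key]) for item in json.loads(text) if item.get(key)]


def aggregate(feeds: dict[str, list[str]]) -> dict[str, dict[str, set[str]]]:
    """Merge all feeds into category -> value -> set of providers that reported it."""
    merged: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for source, indicators in feeds.items():
        for raw in indicators:
            category, value = classify(raw)
            if category != "unknown":  # drop junk rather than poison the import
                merged[category][value].add(source)
    return merged


def render_csv(category: str, entries: dict[str, set[str]]) -> str:
    """Emit one category as CSV with the columns type,value,sources (assumed target format)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["type", "value", "sources"])
    for value in sorted(entries):
        writer.writerow([category, value, ";".join(sorted(entries[value]))])
    return out.getvalue()


# Constructed sample feeds with placeholder indicators, not real threat intelligence.
SAMPLE_CSV = """indicator,confidence
evil-domain[.]example,80
10.0.0[.]1,90
0123456789abcdef0123456789abcdef,70
"""
SAMPLE_JSON = json.dumps([
    {"ioc": "EVIL-DOMAIN.example"},
    {"ioc": "hxxp://bad.example/payload.bin"},
    {"ioc": "invoice_2022.docm"},
    {"ioc": "not an indicator"},
])


def build_all() -> dict[str, str]:
    """Run both sample feeds through the pipeline and return one CSV document per category."""
    feeds = {
        "provider-a": parse_csv_feed(SAMPLE_CSV, "indicator"),
        "provider-b": parse_json_feed(SAMPLE_JSON, "ioc"),
    }
    merged = aggregate(feeds)
    return {cat: render_csv(cat, merged[cat]) for cat in sorted(merged)}


if __name__ == "__main__":
    for category, document in build_all().items():
        print(document)
```

The same domain reported by both providers collapses to one row whose `sources` column records both, which is the kind of de-duplication that keeps a manually imported list from alerting twice on one hit.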
Mark Lavine - PeerSpot reviewer
Airway Transportation Service Specialist at Federal Aviation Administration
Real User
Allowed us to effectively monitor network traffic and analyze anomalies
Pros and Cons
  • "From what I understand, you can encrypt and unencrypt traffic moving in transit. This is one of the features that we liked about it."
  • "We determined that Stealthwatch wouldn't provide the machine learning model that we required."

What is our primary use case?

Five engineers and I were testing this solution. We were looking for an NDR solution. We're cyber threat hunters, so we're looking to provide cyber hunting services for our clients. We're in the market for a network detection response solution so that we can monitor network traffic and analyze anomalies or anything that may be on the network that looks like normal traffic. We were using Stealthwatch to get a feel for it and to see whether or not it was going to be something that we would use in the future.

What is most valuable?

From what I understand, you can encrypt and unencrypt traffic moving in transit. This is one of the features that we liked about it. 

What needs improvement?

We didn't want to encrypt all the traffic, but there are certain things that we needed to pull out. Eventually, we determined that Stealthwatch wouldn't provide the machine learning model that we required.

ExtraHop and Vectra both leverage artificial intelligence and machine learning. With Cisco, it looks like you have to do some provisioning. When it's pulling out, it doesn't automatically detect certain things that you're looking for. It didn't automatically pull certain communications out of the traffic, so we had to do some manual configurations to pull this stuff out. Overall, that's really the only thing. We didn't see anything else wrong with it other than that. It seemed like a pretty good product.

In the next release, I would like to see more artificial intelligence as far as pulling out certain packets in the traffic because it's an NDR that monitors your traffic, and because there's so much traffic in general. For us, when we serve hedge funds, most of them have a lot of stuff going on their network. Transactions, talking to clients, customers, all the rest of this stuff over the wire. They've got data feeds from several sources as well — Bloomberg, Reuters. Monitoring all of that coming in and out of their network is a lot of work. I would like to have seen more artificial intelligence to detect more anomalous behavior in the network.

A UBA feature that profiles user behaviors would also be a nice addition. They have an app, but that's not a UBA feature. It just monitors all the endpoints, etc.

For how long have I used the solution?

I used Cisco Stealthwatch for a 30-day trial.

What do I think about the stability of the solution?

We didn't notice any bugs or glitches. 

What do I think about the scalability of the solution?

As it's in the cloud, I would imagine that it scales easily. Still, we didn't use it long enough to worry about scaling it. 

How are customer service and technical support?

We only needed to contact technical support once. They were very helpful. They walked us through everything. 

How was the initial setup?

It was fairly easy to set up. It took us about 20 minutes to set it up. All we had to do was click a bunch of buttons and look through the documentation. The documentation is pretty straightforward. Overall, it took about 20 minutes.

What other advice do I have?

Overall, it seemed like a good product. Cisco's behind the name — I would recommend it. Cisco's got a suite of security and network products. I think it's pretty durable. It works for non-technical people, too. You'll have to do some fine-tuning and you probably should have experienced staff looking after it, but it's a pretty good product in my opinion.

We're looking at other products that are more automated like Darktrace, ExtraHop, and Vectra. Any solution that cuts down the time it takes to analyze and sift through the logs, etc. I'm pretty sure that Cisco does it, but there's some fine-tuning that you'll need to do to make it fully automated to where you can cut down the time required to inspect logs and things of that nature. 

Overall, on a scale from one to ten, I would give this solution a rating of eight. 

Cisco is a huge company. I would imagine that they would probably try to lead the way as far as network detection systems or network detection response systems or solutions are concerned. I just thought that maybe they would have had more automated functionality because it saves time. It saves time for the analysts who have to look through all of the logs and try to correlate all of that stuff and see what's anomalous behavior, etc. 

Clearly, there are things on the network, certain conversations you could pull out of the network, but we didn't see that. We didn't see a lot of that. We thought that that would have been included in the solution. I guess we just expected more from Cisco. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Founder and Director at a tech services company with 11-50 employees
Real User
Good detection capability and reduces our team's effort, but there should be more visibility at the endpoint level and less effort in fine-tuning
Pros and Cons
  • "In terms of features, the data or information they collect and unsupervised machine learning are very valuable. Its unsupervised machine learning has reduced our team's effort. Both Darktrace and Vectra work on unsupervised machine learning that learns the behavior or develops a profile on its own, which allows our security team to do some other tasks rather than spending time on Darktrace or Vectra. Because of unsupervised machine learning, its detection capability is quite good. Along with that, if we utilize the integration feature properly, the automated incident response capability of Darktrace is quite useful."
  • "In terms of improvements, fine-tuning is the area where we have to spend some time because it works on unsupervised machine learning. It would be good if they can improve their algorithm or technical functionality to reduce the fine-tuning effort. They can also come up with something at the endpoint level. So far, Darktrace has been a network detection response (NDR) solution. It does not offer much at the endpoint level or on user-client devices or servers. There should be more visibility at the endpoint level. It would be good to have the detection and response at the endpoint level by Darktrace. It should also have integration with an agile environment so that we can have continuous development and continuous integration in the application development environment. This is currently not there. It should also have internet-facing platform visibility, which is currently missing. They also need to improve the reporting and management dashboards. Currently, these are not so easy for a non-technical person. All these features would make Darktrace much better, and they would also be helpful in selling more solutions."

What is our primary use case?

I'm currently heading cybersecurity for 1,500 entities. Some of them have deployed Vectra, and some of them have deployed Darktrace. Darktrace has been in the UK market for a while, whereas Vectra is a not-so-old player in the UK market.

We are using the latest version of Darktrace but not their latest offering. They are now also providing email security over the Darktrace platform, but we have not been utilizing that. We have been utilizing their network detection and response and some part of automated incident response (IR) capability.

We have a hybrid infrastructure. Some centers are deployed in the cloud, and some centers are deployed on-prem. The management platform is currently on-prem, but the plan is to move it to SaaS.

What is most valuable?

In terms of features, the data or information they collect and unsupervised machine learning are very valuable. Its unsupervised machine learning has reduced our team's effort. Both Darktrace and Vectra work on unsupervised machine learning that learns the behavior or develops a profile on its own, which allows our security team to do some other tasks rather than spending time on Darktrace or Vectra. 

Because of unsupervised machine learning, its detection capability is quite good. Along with that, if we utilize the integration feature properly, the automated incident response capability of Darktrace is quite useful.

What needs improvement?

In terms of improvements, fine-tuning is the area where we have to spend some time because it works on unsupervised machine learning. It would be good if they can improve their algorithm or technical functionality to reduce the fine-tuning effort. 

They can also come up with something at the endpoint level. So far, Darktrace has been a network detection response (NDR) solution. It does not offer much at the endpoint level or on user-client devices or servers. There should be more visibility at the endpoint level. It would be good to have the detection and response at the endpoint level by Darktrace.

It should also have integration with an agile environment so that we can have continuous development and continuous integration in the application development environment. This is currently not there. It should also have internet-facing platform visibility, which is currently missing. 

They also need to improve the reporting and management dashboards. Currently, these are not so easy for a non-technical person. All these features would make Darktrace much better, and they would also be helpful in selling more solutions.

For how long have I used the solution?

I have been using this solution for maybe six or seven years. At my previous workplace, we were one of the early adopters of Darktrace's unsupervised machine learning technology.

What do I think about the stability of the solution?

Its stability is fine. We are utilizing a mix of their deployment capability. We have appliance-based and sensor-based deployments. Performance-wise, sensor-based ones are slower than appliance-based ones. An appliance also has dedicated hardware.

What do I think about the scalability of the solution?

In terms of scalability, it is fine. We have deployed Darktrace for around 7,000 to 8,000 users for one part of an entity, and it has been working fine. I don't see any issue in terms of its scalability. 

Currently, it has around 7,000 to 8,000 users, but it is getting extended. We are in the process of extending the Darktrace capability to other entities. We are talking about 1,500 entities and 120,000 users in different dispersed and segregated environments. 

How are customer service and technical support?

They've been quite okay in their responses. This solution is definitely complex, so sometimes we don't get the expected level of information or answer straight away, but they have been okay in responding and following up. I would rate them a seven out of ten.

How was the initial setup?

From the initial deployment perspective, it was quite straightforward. We just need to make some configuration changes and then Darktrace works on spanning. It gets a copy of all the data from the network, and it starts building the profile. It has a pretty straightforward deployment.

What other advice do I have?

I would rate Darktrace a seven out of ten. It is a good solution, but it requires some improvements. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Of Information Technology at a security firm with 1-10 employees
Real User
Top 5 Leaderboard
Helpful alerting, provides valuable network insights, and the pricing is negotiable
Pros and Cons
  • "Overall, it gives me a lot of insight into my network that I didn't have before."
  • "The pain point that I have with this solution is contacting technical support."

What is our primary use case?

We primarily use Check Point to provide visibility into our network. It lets us see the east-west traffic, and it gives us a lot of information to work on as far as what kind of traffic was passing through.

How has it helped my organization?

Overall, it gives me a lot of insight into my network that I didn't have before.

What is most valuable?

It lets us know about anomalous behavior and it provides alerts regarding activity on certain ports. It lets me decide, for example, whether something is a valid connection, or causes me to question why a certain port is open.

What needs improvement?

The pain point that I have with this solution is contacting technical support.

For how long have I used the solution?

I have been working with Check Point IPS for more than a year.

What do I think about the stability of the solution?

Stability-wise, this product is great.

What do I think about the scalability of the solution?

The scalability comes from the fact that this is an on-premises device that ties into a cloud service. It's a hybrid application. Once you have it installed, it's collecting information. You put it right there in front of your input into the network, and it picks up all of the traffic.

How are customer service and support?

Sometimes, technical support takes a long time to get back to you.

Which solution did I use previously and why did I switch?

I used Check Point Endpoint Security, as well as the Network Detect and Response (NDR) appliance.

I am currently using Darktrace and Vectra in addition to Check Point. I've been using all three and I find that Check Point is the one where I get the most information from. I will stop using Vectra this year but I will retain Darktrace, as long as they keep it at a certain price.

Darktrace takes a lot more configuration; unlike Check Point, there are a lot more changes that need to be made. When it's fully integrated, it requires a lot of time and it may end up being as useful as the Check Point.

The reason I keep all three is because they all give me a different kind of view. They all give me different information. If they gave the same information, it'd be useless to keep them.

With respect to similar security products, I have demoed CrowdStrike, worked with Symantec, and am also using Check Point.

How was the initial setup?

Check Point was fairly usable out of the box.

I am using an on-premises appliance that ties into a cloud service.

What's my experience with pricing, setup cost, and licensing?

Pricing for this solution is negotiable and I'm happy with our pricing.

I suggest negotiating either at the end of their fiscal year or at the end of every quarter. At the end of the quarter, they have an incentive to lower the prices to sell as many units as possible in order to meet their end-of-quarter quota.

What other advice do I have?

If I could only keep one of my security solutions, it would be Check Point. To me, it provides the most valuable information.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.