Technical Sales Engineer at Barikat Cyber Security WLL
Provides managed detection and response, enhancing companies' network detection capabilities
Pros and Cons
- "Vectra is very compatible with various cloud providers, such as Amazon and Azure AD. This is helpful as customers often migrate their network infrastructure to the cloud."
- "ExtraHop has better features that seem more advantageous when compared to Vectra."
What is our primary use case?
Our primary focus lies in identifying weaknesses to address customer concerns about visibility into network operations. This is especially crucial because of the many managed devices present on the network. Vectra AI detects and manages these devices and enhances visibility. It can also detect potential threats and correlate diverse events that occur on the network. Hackers often target systems across different domains, which requires cross-domain correlation. Network detection and response (NDR) solutions, particularly Vectra, excel at fulfilling these needs using AI-driven algorithms. Over time, these algorithms learn from the data, aiding automatic post-event analysis.
What is most valuable?
Within Vectra, multiple models exist, including an AI model which is very important. Vectra is very compatible with various cloud providers, such as Amazon and Azure AD. This is helpful as customers often migrate their network infrastructure to the cloud.
Additionally, Vectra provides managed detection and response, enhancing a company's network detection capabilities. The platform also has attack signal intelligence to identify attackers based on their tactics and techniques, preventing them from compromising critical network devices. So it acts as a detection platform, essential for halting potential threats, including in clouds like Amazon and Microsoft 365.
What needs improvement?
We offer two solutions, Vectra and ExtraHop, in the Qatar market. However, ExtraHop has better features that seem more advantageous when compared to Vectra. During demos, I encountered challenges with Vectra when demonstrating its capabilities, such as dealing with expired SSL certificates. Vectra AI is capable, but ExtraHop is able to provide comprehensive insights and easier data querying. It excels in data query capabilities, which is helpful for customers to access and manipulate their data effortlessly. This is where Vectra needs to enhance its capabilities. Customer support and handling high network traffic are additional areas that it needs to work on. There should be more flexible options to handle customers' needs. Also, customers desire performance enhancements and integration capabilities with a single solution and cyber security.
For how long have I used the solution?
I have been using Vectra AI for two years.
Buyer's Guide
Vectra AI
June 2025

Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,711 professionals have used our research since 2012.
What do I think about the stability of the solution?
I would rate the stability an eight out of ten.
What do I think about the scalability of the solution?
I would rate the scalability an eight out of ten.
How are customer service and support?
We have a strong local presence and support in this market, and our company's origins in Turkey also contribute to robust local assistance. While comprehensive support is provided during major incidents and upgrades, we excel in offering immediate assistance for failover situations and downtime prevention. The team is highly specialized in cyber security and SOC technologies. We are quite strong and are able to help ourselves in the field of technical support.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is straightforward. I would rate the setup an eight out of ten.
In the case of deployment, 70% of the public prefers the public cloud while the rest prefer private. These are the only two forms of deployment.
The initial deployment should ideally be completed within two weeks. However, due to the need for fine-tuning, false positive elimination, and deriving enhanced value, an extended period of around two months is necessary. This allows users to cover all the potential threats and risks, ensuring comprehensive coverage.
What's my experience with pricing, setup cost, and licensing?
The solution is low-cost and affordable.
What other advice do I have?
Vectra faces robust competition, but it substantiates its abilities. Depending on client needs, it can easily work with other IT solutions. Yet, for pure network detection and response, Vectra excels, particularly for enterprises demanding very good solutions. It offers superior detection coverage for heightened security. It has an encryption-based approach, enabling threat detection without decrypting any data. Moreover, Vectra stands out with its broad integration capabilities with third-party tools and I personally find it a successful feature.
Overall, I would rate Vectra AI an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer.

Security at a financial services firm with 201-500 employees
Does AI-driven detection and analysis, and provides a detailed view of what's going on across the branch offices
Pros and Cons
- "One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things."
- "One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not."
What is our primary use case?
We started with it as a replacement for the functionality we had in our SIEM solution. We mainly wanted a detection metric and something that was smart enough to detect some of the more complex attacks because we can have flow data and do nothing with it. We wanted to have some strong alerting capabilities on that. We were looking to get a detailed attack and AI perspective on it. We didn't want something that only sees something as malicious and can alert on it but also detect things that are a little bit out of the ordinary, which was something we could get with this.
How has it helped my organization?
It has definitely improved our mean time to identify. In some specific cases, it's making it a lot easier because the enrichment features do help in getting a more detailed view of what's going on. For example, if we see a certain connection or something that's potentially a command and control channel, we can look at who logged in last and what other processes are there. We also have a connection to our SIEM solution, so we can check what's going on there as well. So, it really helps, but it's hard to measure the time savings because we previously didn't have a solution that had the same capabilities as Vectra AI.
It has definitely had an impact on our productivity. Previously, we did have some issues with getting a more detailed view of the network because we could only do it through event-based logs from the network devices, such as firewalls and switches that were providing us with additional information. Now, because it's more detailed and also across the branch offices—which was a big point for us—we do have a more efficient structure. We don't need to do that much additional effort to get to the root cause of problems, which was an issue before.
What is most valuable?
One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things. For example, there were about 200 SSH connections within a night. They had seen the traffic, but they couldn't relate it to anything specifically, whereas because we saw it, we knew that it was one of our main Unix machines. We knew it was doing some kind of backup at that time. We then went to talk to the system engineer, and he could confirm that he was using a badly written script that was doing 200 connections instead of just one and sending all 200 files across it.
It's well-built, so it does its thing as a Threat Detection and Response platform for detecting and responding to threats and attacks in real-time. We use the detections that come out of Vectra, and we send them over to our SIEM solution. Especially when it comes to high alerts or alerts with high certainty and high impact, we look at them immediately, and then someone also goes through it every day to clean up. If there are certain things that we need to check, we will check them anyway. Anything that's lower on the priority list is taken care of later in the day.
What needs improvement?
One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not. I understand that not everything can be implemented in the product, but if everyone presses the plus one button, then you know that there's a need for it.
There is the concept of groups within Vectra. You have IP groups, host groups, and domain groups. Wildcards would be very handy there, or CIDR ranges would be a good one to start with. One of the big things that some of our operational people complain about is that if it's an IP and it has reverse look-ups, why do they need to make two groups—an IP group and a hostname group—just to get the same feature set?
For how long have I used the solution?
It has been almost three years, so it has been a while.
What do I think about the stability of the solution?
We haven't had any issues. It's very stable, so no problem.
How are customer service and support?
Their support is pretty good. They follow up fast. It's not like most other support centers we've seen in the past. They are really focused on getting us faster input.
I'd rate them a nine out of ten because there is always a little bit of room for improvement, but normally, they follow up really nicely. As opposed to others, where you mostly hear good product, bad support, in this case, it's good product, good support. That's something to keep in mind.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had a SIEM solution that was mainly focused on event-based logging, not necessarily on the network part. We were looking at more of a network IDS solution, and that's where Vectra came in. We wanted something that was easy to use as we didn't want too much platform maintenance. We wanted something to plug into the box and make it work. At first, we didn't believe that we would be able to find something like that after we had seen Darktrace, their biggest competitor, but in the end, Vectra was a perfect fit for us because it made it very easy to insert it into our branch offices as well.
How was the initial setup?
We started from scratch. Three years ago, it was harder to start with than nowadays because back then, it was still in the beginning. The Belgian team that helped us with it also didn't have the experience at that time, whereas now, it's definitely not hard to set up. It's just a matter of knowing the right things, but the support portal really helps. There's good documentation on the setup as well.
What was our ROI?
From a security perspective, it's always hard to find a return on investment. If you look from the risk mitigation perspective and what's the worst that can happen, if we can stop attacks sooner, it would result in lesser costs on remediation afterward because we were fast on the initial attack.
What's my experience with pricing, setup cost, and licensing?
From a licensing perspective, the Vectra Detect platform is pretty doable. Also, the hardware prices are nothing that we're not used to. The Stream part is a little overpriced compared to the Detect part. The reason is that you need to stream data to detect events anyway, so the data is in there. The only thing that's not available is the UI to be able to look at the stream data, which is also on the appliances but is just not activated. That's mainly the thing that we want to improve on.
Which other solutions did I evaluate?
We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.
What other advice do I have?
At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.
I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
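The "200 SSH connections in one night" story in this review is a compact picture of what flow-level NDR does with flow data that a team otherwise "can do nothing with": group connections, count them in a time window, and hand back the window boundaries so the burst can be matched against a schedule such as a nightly backup. The block below is an added example written for this page, not Vectra's code and not the reviewer's. It runs over constructed Zeek-style conn.log records; the hosts, timestamps, one-hour window and threshold of 50 connections are all assumptions made up for the sample.

```python
"""Sliding-window connection-burst detector over Zeek-style conn.log records.

Added example (not Vectra or reviewer code). All hosts, timestamps and the
window/threshold defaults below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Flow:
    ts: float      # epoch seconds (Zeek ts)
    src: str       # id.orig_h
    dst: str       # id.resp_h
    dport: int     # id.resp_p
    proto: str


def parse_conn_log(text: str) -> list[Flow]:
    """Parse tab-separated lines: ts, id.orig_h, id.resp_h, id.resp_p, proto.
    Lines starting with '#' (Zeek header/comment lines) are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(dport), proto))
    return flows


def find_bursts(flows, window_s: int = 3600, threshold: int = 50):
    """Return {(src, dst, dport): (count, first_ts, last_ts)} for every
    src->dst:port pair that has at least `threshold` connections inside some
    `window_s`-second sliding window. The densest window for each pair wins."""
    stamps_by_key = defaultdict(list)
    for f in flows:
        stamps_by_key[(f.src, f.dst, f.dport)].append(f.ts)

    bursts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        left = 0
        best = None
        for right, t in enumerate(stamps):
            # Advance the left edge until the window spans at most window_s.
            while t - stamps[left] > window_s:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, stamps[left], t)
        if best is not None:
            bursts[key] = best
    return bursts


def _utc(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def describe(bursts) -> list[str]:
    """One line per burst with UTC window boundaries, which is what you need
    to correlate the activity with cron schedules or change records."""
    return [
        f"{src} -> {dst}:{dport}: {count} connections between {_utc(first)} and {_utc(last)} UTC"
        for (src, dst, dport), (count, first, last) in sorted(bursts.items())
    ]


def build_constructed_sample() -> str:
    """Constructed conn.log text: a badly written backup script opening 200
    separate SSH sessions three seconds apart, plus benign admin SSH logins
    and ordinary HTTPS traffic that must not be flagged."""
    base = datetime(2024, 3, 12, 1, 0, tzinfo=timezone.utc).timestamp()
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto"]
    for i in range(200):                      # the backup burst, 01:00-01:10 UTC
        lines.append(f"{base + 3 * i}\t10.10.5.21\t10.10.8.4\t22\ttcp")
    for hour in (8, 10, 14, 17):              # a few interactive admin logins
        lines.append(f"{base + hour * 3600}\t10.10.1.50\t10.10.8.4\t22\ttcp")
    for i in range(30):                       # HTTPS from five clients, 6 flows each
        lines.append(f"{base + 600 * i}\t10.10.1.{60 + i % 5}\t203.0.113.10\t443\ttcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for line in describe(find_bursts(parse_conn_log(build_constructed_sample()))):
        print(line)
```

Keying on (source, destination, destination port) rather than on the source alone is what lets the four genuine admin logins to the same server sit untouched while the scripted burst is reported; the window boundaries in the output are the piece of evidence that lets a network team walk over to the system owner with "01:00 to 01:10, every night" instead of "a lot of SSH".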
Operational Security Manager at a financial services firm with 1,001-5,000 employees
Using Recall and Detect we have been able to track down if users are trying to bypass proxies
Pros and Cons
- "The most valuable feature for Cognito Detect, the main solution, is that external IDSs create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away."
- "The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff."
- "Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM."
- "The main improvement I can see would be to integrate with more external solutions."
What is our primary use case?
Vectra was deployed to give us a view of what is happening on the user network. It helps us to check what is being done by users, if that is compliant with our policies, and if what they're doing is dangerous. It covers cyber security stuff, such as detecting bad proxies, malware infections, and using packet defense on strange behaviors, but it can also be used to help with the assessment of compliance and how my policies will apply.
We also use Vectra to administer servers and for accessing restricted networks.
There is an on-prem module, called Cognito Detect, the NDR/IDS solution, which captures traffic. We also have the SaaS data lake, and we also have Cognito Detect for Office 365, which is a SaaS-type sensor within the O365 cloud.
How has it helped my organization?
If we didn't have Vectra and the Detect for Office 365, it would be very difficult to know if our Office 365 was compromised. We tried, in the past, to do it with a SIEM solution consuming Office 365 logs and it was really time-consuming. The Office 365 Detect solution has the exact same "mindset" as the Detect solution for networks. It's almost like we can deploy it in the fire-and-forget mode. You deploy the solution and everything is configured. You have all the relevant alerts out-of-the-box. If you want to, you could tweak, configure, contextualize, and rewrite the parser, because some things might be out of date, and customize the solution. For a big company with a large team it might be feasible, but for small companies, it's an absolute showstopper. The Detect for Office 365 gives us a lot of visibility and I'm very pleased with the tool.
We use three services from Vectra: Cognito Detect, Detect for Office 365, and Cognito Recall, and we are leveraging all these services within the SOC team to have proper assessments. We even use these tools to prepare the new use cases that we want to implement into our SIEM solution. Recall stores all the metadata that is brought up from Cognito Detect at a central point, data-lake style, with an elastic stack and a Kibana interface available for everybody. Using this, we can try to see what are the general steps.
Without this, I would not have been able to have my SOC analyst do the job. Creating a data lake for cyber security would be too expensive and too time-consuming to develop, deploy, and maintain. But with this solution, I have a lot of insight into my network.
An additional thing that is very convenient with the Recall and Detect interfaces is that you can do use cases involving individuals in Recall and have them triggered in Detect. For example, we found ways to track down if users are trying to bypass proxies, which might be quite a mess in a network. We found a type of search within Recall and have it triggering alerts in Detect. As a result, things can be managed.
It's so efficient that I'm thinking about removing my SIEM solution from our organization. Ours is a small organization and having a SIEM solution is really time-consuming. It needs regular attention to properly maintain it, to keep it up and running, consume all the logs, etc. And the value that it's bringing is currently pretty low. If I have to reduce costs, I will cut costs on my SIEM solution, not on Vectra.
The solution also provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. It provides a lot of insight on how an attack might be coming. There are multiple phases of an attack that can be detected. And there is a new feature where it can even consume intelligence feeds from Vectra, and we can also push our own threat-intelligence feeds, although these have to be tested. The behavioral model of the Detect solution also covers major malware and CryptoLockers. I know it's working. We tested some cases and they showed properly in the tool. I'm quite reassured.
It triages threats and correlates them with compromised host devices. One of the convenient things about Detect is that it can be used by almost anybody. It's very clear. It's quite self-explanatory. It shows quadrants that state what is low-risk and what is high-risk. It is able to automatically pinpoint where to look. Every time we have had an internal pen test campaign, the old pen test workstation has popped up right away in the high-risk quadrant, in a matter of seconds. To filter out false positives it can also provide rules that state, "Okay, this is the standard behavior. This subnet or this workstation can do this type of thing." That means we can triage automatically. It also has some features which aren't so obvious, because they are hidden within the interface, to help you to define triage rules and lower the number of alerts. It looks at all your threat or alert landscapes, and says, "Okay, you have many alerts coming from these types of things, so this group of workstations is using this type of service. Consider defining a new, automated triage rule to reduce the number of alerts."
To give you numbers, with my SIEM I'm monitoring some IDS stuff within my network. Everything is concentrated within my SIEM. From my entire site, IDS is giving me about 5,000 more alerts than my Vectra solution. Of course it will depend on how it is configured and what types of alerts it is meant to detect, but Vectra is humanly manageable. You don't have to add something to make the triage manageable, using some time-consuming fine-tuning of the solution, requiring expertise. This is really a strong point with Vectra. You deploy it, and everything is automatically done and you have very few alerts.
Its ability to reduce false positives and help us focus on the highest-risk threats is quite amazing. I don't know how they made their behavioral or detection models, but they're very efficient. Each alert is scored with a probability and a criticality. Using this combination, it provides you insights on alerts and the risks related to alerts or to workstations. For example, a workstation that has a large number of low-criticality alerts might be pinpointed as a critical workstation to have a look at. In fact, in the previous pen test we launched, the guys were aware that the Vectra solution was deployed so they tried some less obvious tests, by not crawling all the domain controllers, and things like that. Because there were multiple, small alerts, workstations were pinpointed as being in the high-risk quadrant. This capability is honestly quite amazing.
And, of course, it has reduced the security analyst workload in our organization, on the one hand, but on the other it has increased it. It reduces the amount of attention analysts have to pay to things because they rely on the tool to do the job. We have confidence in its capability to detect and warn only on specific things of interest. But it also increases the workload because, as the tool is quite interesting to use, my guys tend to spend some time in Recall to check and fix things and to try to define new use cases. Previously, I had four analysts in my shop, and every one of them was monitoring everything that was happening on the network and in the company on a daily basis. Now, I have one analyst who is specialized in Vectra and who is using it more than the others. He is focusing on tweaking the rules and trying to find new detections. It brings us new opportunities, in fact. But it has really reduced the workload around NDS.
In addition, it has helped move work from our Tier 2 to our Tier 1 analysts. Previously, with my old IDS, all the detection had to be cross-checked multiple times before we knew if it was something really dangerous or if it was a false positive or a misconfiguration. Now, all the intelligence steps are done by the tool. It does happen that we sometimes see a false positive within the tool, but one well-trained analyst can handle the tool. I would say about 20 to 30 percent of work has moved from our Tier 2 to our Tier 1 analysts, at a global level. If I focus on only the network detections, by changing all my IDS to Vectra, the number is something like more than 90 percent.
It has increased our security efficiency. If I wanted to have the same type of coverage without Vectra, I would need to almost double the size of my team. We are a small company and my team has five guys in our SOC for monitoring and Tier 1 and Tier 2.
It reduces the time it takes for us to respond to attacks. It's quite difficult to say by how much. It depends on the detections and threat types. Previously, we had an antivirus that was warning us about malicious files that were deployed on a workstation within one year. Now, we can detect it within a few minutes, so the response time can be greatly enhanced. And the response time on a high-criticality incident would go from four hours to one hour.
What is most valuable?
The most valuable feature for Cognito Detect, the main solution, is that external IDSs create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away.
It's very efficient. It can correlate multiple sources of alerts and process them through specific modules. For example, it has some specific patterns to detect data exfiltration and it can pinpoint, in a single area, which stations have exfiltrated data, have gathered data, and from which server at which time frame and with which account. It indicates which server the data is sent to, which websites, and when. It's very effective at concentrating and consolidating all the information. If, at one point in time, multiple workstations are reaching some specific website and it seems to be suspicious, it can also create detection campaigns with all the linked assets. Within a single alert you can see all the things that are linked to the alert: the domains, the workstation involved, the IPs, the subnets, and whatever information you might need.
The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff.
We are still in the process of deploying the features of Detect for Office 365, but currently it helps us see mailboxes' configurations. For example, the boss of the company had his mailbox reconfigured by an employee who added some other people with the right to send emails on his behalf, and it was a misconfiguration. The solution was able to pinpoint it. Without it, we would never have been able to see that. The eDiscovery can track down all the accesses and it even helped us to open an incident at Microsoft because some discoveries were made by an employee that were not present in the eDiscovery console on the protection portal from Office 365. That was pinpointed by Vectra. After asking the user, he showed that he was doing some stuff without having the proper rights to do so. We were able to mitigate this bit of risk.
It also correlates behaviors in our network and data centers with behaviors we see in our cloud environment. When we first deployed Vectra, I wanted to cross-check the behavioral detection. After cross-checking everything, I saw that everything was quite relevant. On the behavioral side, the Office 365 module can alert us if an employee is trying to authenticate using non-standard authentication methods, such as validating an SMS as a second factor or authenticating on the VPN instead of the standard way. The behavioral model is quite efficient and quite well deployed.
What needs improvement?
Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM.
I am in contact with the Vectra team, if not weekly then on a monthly basis, to propose improvements. For the time being, the main improvement I can see would be to integrate with more external solutions. Since Vectra provides an API, that should be quite easy to handle. For example, we're using an open source ticketing system within our team and I want to have it handled properly by Vectra. We'll go forward on that with the API.
Another area for improvement that I have pinpointed is that the Office 365 solution and the Detect solution cannot match the same users. That means we have two "different worlds" currently, the world from Office 365, which is bringing alerts based on users' emails and email addresses. And we have the network world, which is bringing an Active Directory view. On the one hand we are seeing emails or email addresses, and on the other hand we are seeing things like logons on to the domain controller. From time to time, it does not match and the tool cannot currently cross-check this info and consolidate everything. I would like to be able to see that detection related to one workstation and covering a user: what he is using, what services he is using, and what he did with his Office 365 and configuration. That would help.
Another major feature would be to have all logs pushed to Cognito Detect, and all these logs should be also pushed to Recall. Currently, within Recall, I can't call up the Office 365 detections and I would love to do so.
The last point would be an automated IoT threat feed consumption by the tool.
For how long have I used the solution?
I have been using Vectra for two years.
What do I think about the stability of the solution?
The stability is absolutely flawless. The last time it was rebooted was almost two years ago.
The only thing we have seen was some interruption in log feeding to the Recall instance, the SaaS solution. I had a quick call with a product manager in Europe and he was very keen to share information about this issue and willing to improve it.
So, within two years we have faced one stability incident. This incident lasted less than two hours and it was not on the monitoring solution but more on the data lake solution.
What do I think about the scalability of the solution?
The scalability is very good. From the financial perspective, we are not limited by the number of sensors. We can deploy as many virtual sensors as we want. The key factor is the IP addresses that are being monitored. In terms of technical scalability, we have one brain appliance, one very big sensor, and multiple virtual sensors, and I don't see any limits with this solution.
We are currently using all the things that it's possible to use in this solution. One thing I like with Vectra is that it's updated very frequently. Almost every month new features are popping up: new detections, new dashboards, new ways to handle things. That's quite good. I work with our SOC team so that they can use everything right away.
How are customer service and technical support?
The tech support is surprisingly good. We had questions, we faced some slight issues, and we always got very quick answers. Things are taken into account within a few minutes and answers usually come in less than two hours.
How was the initial setup?
To deploy Recall, which is the data lake in SaaS, or to deploy the Office 365 sensor, it was effortless. It was just a quick call and, within minutes, everything was set up.
It was set up the same way the solution is behaving. It's a turnkey solution. You deploy it and everything works. The configuration steps are minimal. It's exactly the same for the SaaS solution. You deploy the tool and you just have to accept and do very basic configuration. For Office 365, you have to grant rights for the sensors to be able to consume API logs and so on. You grant the rights and everything is properly set up. It's exactly the same for Recall. It was a matter of minutes, and not a matter of days and painful configurations.
In terms of maintenance it is very easy and takes no time. It's self-maintaining, aside from checking if backups have properly ended. And in terms of deployment, when we add a network segment, we have to work a bit to determine where to deploy the new sensors, but the deployment model is quite easy. The Vectra console is providing the OVA to provide a virtual sensor for deployment. It can also automate the deployment of the sensor if you link it with vCenter, which we have not done. But it's very easy. It's absolutely not time-consuming.
If I compare the deployment time to other solutions, it's way easier and way quicker. If I compare it to my standard IDS, in terms of deployment and coverage, it's twice or three times better.
What about the implementation team?
We were in contact with Vectra a lot at the beginning to plan the deployment, to check if everything was properly set up. But the solution is quite easy to set up. The next decisions we had were focused on how to enhance the solution: what seemed to be missing from the tool and what we needed for better efficiency.
The guys from Vectra were mostly providing guidance in terms of where the sensors needed to be deployed, and that was about it.
We had a third-party integrator, Nomios, that provided the appliances, but they did not do anything aside from the delivery of appliances to our building. Our team took the hardware and racked it into the data center on its own. With just a basic PDF, we set up the tool within minutes. The integrator was quite unnecessary.
Nomios are nice guys, but we have deployed some other solutions with them and we were not so happy about the extra fees. We were not the only ones who were not happy about that. We tried to deploy the ForeScout products with Nomios and it was quite a mess. But they have helped us with other topics and they have been quite efficient with those. So they are good on some things and on other things they are not good.
What was our ROI?
It's ineffective to speak just about the cost of the solution, because all the solutions are costly. They are too costly if we are only looking at them from a cost perspective. But if I look at the value I can extract from every Euro that I spend on Vectra, and compare it to every Euro I spend on other solutions, the return on investment on Vectra is way better.
ROI is not measurable in my setup, but I can tell you that Vectra is way more cost-efficient than my other solution. The other solution is not expensive, but it's very time-consuming and the hardware on which it's running is quite expensive. If I look at the global picture, Vectra is three or four times more cost-efficient than my other solution.
What's my experience with pricing, setup cost, and licensing?
The pricing is very good. It's less expensive than many of the tools out there.
Which other solutions did I evaluate?
I evaluated Darktrace but it wasn't so good. Vectra's capabilities in pinpointing things of interest are way better. With Darktrace, it is like they put a skin of Kibana on some standard IDS stuff.
Vectra enables us to answer investigative questions that other solutions are unable to address. It provides an explanation of why it has detected something, every time, and always provides insights about these detections. That's very helpful. Within the tool, you always have small question marks that you click on and you get a whole explanation of everything that has been detected: why it has been detected and what the recommended course of action is. This approach is very helpful because I know that if I ask somebody new, within our team, to use Vectra, I don't have to spend months or days in training for him to be able to handle the solution properly. It's guided everywhere. It's very easy to use.
What other advice do I have?
Do not be afraid to link Vectra to the domain controller, because doing so can bring a lot of value. It can provide a lot of information. It gets everything from the domain controller and that is very efficient.
You don't need any specialized skills to deploy or use Vectra. It's very intuitive and it's very efficient.
We are in the process of deploying the solution’s Privileged Account Analytics for detecting issues with privileged accounts. We are using specific accounts to know whether they have reached some servers. It's quite easy with all these tools to check whether or not a given access to a server is a legitimate one or not.
We don't use the Power Automate functionality in our company, but I was very convinced by their demonstration, and an analyst in my team played with it a bit to check whether or not it was working properly. These are mostly advanced cases for companies that are using Office 365 in a mature manner, which is not the case for our company at the moment.
In our company, less than 10 people are using the Detect solution, and five or six people are using Recall. But we are also extracting reports that are provided to 15 to 20 people.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Engineer at a legal firm with 1,001-5,000 employees
Improves network visibility and has boosted our productivity
Pros and Cons
- "The fact that we get the visualization of what's happening on our network, which is a way of improving our security in-depth is most valuable."
- "I think Vectra AI's automation, reporting, and integration could be improved."
What is our primary use case?
We have a basic Vectra environment because we mainly only use the NDR for the solution's options. We mainly do failed logins, anomalies, and network flow monitoring.
How has it helped my organization?
Vectra AI helped improve our mean time to identify by allowing us to have visibility and reveal some hidden or unknown things.
Vectra AI has had a positive impact on the productivity of our SOC team, which is an external party. It has also had a positive impact on our IT environment for detection purposes, adapting, and hardening.
What is most valuable?
The fact that we get the visualization of what's happening on our network, which is a way of improving our security in-depth is most valuable. That's because with the information we get out of Vectra, we know how to adapt and modify things in our network.
Regarding Vectra AI attack signal intelligence, it is providing us with information on how to adapt or protect ourselves against certain attack vectors. This feature is quite helpful.
What needs improvement?
I think Vectra AI's automation, reporting, and integration could be improved.
For how long have I used the solution?
I have been using this solution for two years now.
What do I think about the stability of the solution?
It's stable as it performs as we expected.
What do I think about the scalability of the solution?
If you have enough power or bandwidth to deploy another sensor, the scalability of this solution shouldn't be very complex.
How are customer service and support?
I would rate the technical support of the Vectra AI solution a seven, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that they always deliver what we expect and that's good enough for us. The reason that the rating is not a ten is that we always need to let people improve themselves.
How would you rate customer service and support?
Neutral
How was the initial setup?
I joined the deployment project at a later stage and I worked on deploying the sensors and tuning false positives and similar things. My experience when it comes to deployment was quite good as we had good hands-on engineers which is why the implementation went well. Our deployment was straightforward with our hands-on approach.
What was our ROI?
When it comes to ROI, in certain places we saw the return and in certain places we didn't. When it comes to security investments and tooling of security, the return on investment takes a bit longer and you always see your investment back. At one point something will happen and you will start using the tool for the reason you bought it.
What other advice do I have?
Before Vectra, we didn't have any visibility of our network net flow, so this solution gives us a better view of what has been happening on our network, and this is what we're trying to solve by implementing Vectra.
We are not using the flood detection response platform.
We are not using Vectra MDR services.
Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cybersecurity Consultant at a tech services company with 201-500 employees
Is well-designed around the quadrant and is easy to deploy
Pros and Cons
- "We discovered a lot of things in our network and are correcting several misconfigurations. We are learning how some apps work together and how some things shouldn't happen. It's also easier for us to identify the source of a brute force, whereas before, we didn't even know we had a brute force."
- "We have had a few issues with the integration of Vectra AI with EDR. Some filters have not been working. We've also had issues with the brain not being powerful enough."
What is our primary use case?
Our company is in the retail arena, and we have stores, warehouses, and a data center. Right now, we're using Vectra AI in our offices and the data center. The major issue we had was that we were completely blind inside our data center in terms of seeing what traffic we had. Our main focus with Vectra AI was to see what's happening inside the data center through virtual sensors.
We're going to expand it to include our stores because the franchisees requested that we monitor the networks in all of the stores. Every shop in our company is a franchise, and they can do whatever they want to in their shops. We won't have any idea as to what's on the network in the shops. By using Vectra AI, we will have visibility into the network.
We have started the proof of concept for our warehouses as well.
How has it helped my organization?
We discovered a lot of things in our network and are correcting several misconfigurations. We are learning how some apps work together and how some things shouldn't happen. It's also easier for us to identify the source of a brute force, whereas before, we didn't even know we had a brute force.
What is most valuable?
The platform is well-designed around the quadrant. We know quickly how to investigate, and the detections are clear. I like Vectra AI's integration with Active Directory and the fact that it's easy to take in hand.
What needs improvement?
We have had a few issues with the integration of Vectra AI with EDR. Some filters have not been working. We've also had issues with the brain not being powerful enough.
In the next release, I would like to see more triage choices. From my point of view, Vectra is missing a lot of choices. This is an area that they could focus on.
Vectra is also moving to a full cloud model, and I am not sure if going full cloud and leaving the on-premises environment is the way to go. We are not sure whether we'll move to the cloud with Vectra because it's hosted by AWS, which is one of our competitors. We don't like to work with anything that works on AWS.
For how long have I used the solution?
We did a proof of concept two years ago and then deployed it in March 2022.
What do I think about the stability of the solution?
We've had issues with stability. Vectra said that they underestimated the power we needed on our brain as it's very slow. We have delays that can be up to 40 seconds. We also had a hard drive that died. In one year, we've experienced three major issues.
What do I think about the scalability of the solution?
We have different types of deployment that impact scalability a lot. The good part is that if we want to see everything that gets into the data center, we only need a single sensor in the data center. However, if we want to go in-depth in every store, then it will be a long process because we'll have to deploy thousands of sensors.
Right now, our license is for 10,000 IPs, and we hope to increase it to 110,000. If we deploy Vectra AI in the warehouse as well, we will need 25,000 extra. When we upgrade the brain server, Vectra AI should be able to scale accordingly.
How are customer service and support?
When I contact technical support, they usually take control of my laptop for an hour or more, and I can't do anything during that time. They do not explain anything and mute themselves for an hour or more. I don't know what they're doing or if they're even working on the issue.
However, they have been proactive because they know we have issues with our brain. If I have a bug, I've noticed that they usually respond quickly.
Thus, on a scale from one to ten, I would rate technical support at six.
How would you rate customer service and support?
Neutral
How was the initial setup?
I've done four deployments in total, and Vectra AI is easy to deploy. On the admin interface, it's also easy to set up the integration with EDR.
What's my experience with pricing, setup cost, and licensing?
It is an expensive solution, but it's not the most expensive we've seen. We also know how much we're going to pay, unlike with some other providers where all of a sudden our license explodes.
We will probably need to deploy over a thousand physical sensors. This means that the cost will automatically go up to millions. They do not sell the smallest sensors that they had in the past, which we would be glad to have right now.
Which other solutions did I evaluate?
We looked at ExtraHop, a VMware NDR solution, Carbon Black, and a solution from a French organization.
Carbon Black is oriented around VMware products. As such, it would have been okay for the data center, but we would have had to upgrade the entire physical infrastructure inside the data center. It would have been very expensive, and thus, we eliminated Carbon Black. The French competitor was eliminated because the solution was a few years behind.
We then talked with Vectra AI and were happy with what they offered us. We spoke with other companies that use it and found out that they were happy with it. Thus, Vectra AI got the opportunity to do the proof of concept.
What other advice do I have?
Overall, I would rate Vectra AI an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Engineer at a university with 1,001-5,000 employees
Improves the mean time to identify and is stable
Pros and Cons
- "We often use the new feature to create PCAP files from the whole data traffic. It makes it much easier to find network problems such as whether the server is responding to a request. It has nothing to do with security, but it helps a lot to find other problems."
- "For S&D account scans, it would be easier if Vectra AI could triage with users. If a client uses a lot of accounts, then it could indicate that these accounts are benign, for example. That would help a lot."
What is our primary use case?
We need to move our whole data traffic over the core switches. We also want to secure our network and have it integrated into our vCenter and into our Active Directory.
We have 18,000 IP addresses, and in Recall, we have uploads from about 250 GB per day.
How has it helped my organization?
One year ago, we found notebooks that were compromised with Emotet. Vectra saw that the client performed search requests to the Active Directory for a keyword root and contacted domains that are known for Emotet.
Vectra AI also found that a notebook had permanent contact with a domain outside our network.
What is most valuable?
We often use the new feature to create PCAP files from the whole data traffic. It makes it much easier to find network problems such as whether the server is responding to a request. It has nothing to do with security, but it helps a lot to find other problems.
Vectra AI helped improve our mean time to identify. For example, the Sophos client doesn't recognize anything, and without Vectra AI, we wouldn't be able to identify problems. It does it quickly.
We use the Sidekick MDR service. It's very important to us because it gives us another layer of security and a second pair of eyes. We have learned a lot from the Sidekick.
What needs improvement?
For S&D account scans, it would be easier if Vectra AI could triage with users. If a client uses a lot of accounts, then it could indicate that these accounts are benign, for example. That would help a lot.
For how long have I used the solution?
I've been using Vectra AI since 2020.
What do I think about the stability of the solution?
We have not had any problems with stability.
How are customer service and support?
Vectra's technical support is very fast. They have been able to resolve the tickets I created very quickly. I would rate technical support a ten out of ten.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment is easy. You have to give them an IP address, plug it into the switch, and then get started.
What was our ROI?
We have seen an ROI. The cost of security breaches outweighs the cost of Vectra AI.
What's my experience with pricing, setup cost, and licensing?
Vectra AI is not a cheap solution.
Which other solutions did I evaluate?
We evaluated Vectra AI and CyberSense and did POCs with both. We observed that Vectra AI was better because we can see everything. CyberSense uses a different technology. For example, it creates an Active Directory that isn't used. If someone connects to this Active Directory or starts requests, then we will get an alert. However, we think Vectra uses a better way because we can see more. It also has better technology.
What other advice do I have?
Overall, I would rate Vectra AI at ten on a scale from one to ten, with ten being the best.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
SOC Administrator at The National Commercial Bank
Gives alerts on suspicious activities; stable and scalable, with excellent technical support
Pros and Cons
- "What I like best about Vectra AI is that it alerts you about suspicious activities."
- "An area for improvement in Vectra AI is reporting because it currently needs some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers. Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical."
What is our primary use case?
Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.
What is most valuable?
What I like best about Vectra AI is that it alerts you about suspicious activities.
What needs improvement?
An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.
Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.
For how long have I used the solution?
I've been using Vectra AI for two years now.
What do I think about the stability of the solution?
Vectra AI is a stable tool.
What do I think about the scalability of the solution?
Vectra AI is a scalable tool.
How are customer service and support?
My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.
The technical support is excellent, so my rating is five out of five.
How was the initial setup?
The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.
What about the implementation team?
We implemented Vectra AI together with their technical support team.
What's my experience with pricing, setup cost, and licensing?
My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.
What other advice do I have?
I'm the admin of Vectra AI, a tool implemented in my company.
The tool was updated three or four months ago, but I'm unsure if I have the latest release.
My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.
I'd recommend Vectra AI to others looking for an NDR solution.
Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head of Information Security at a financial services firm with 201-500 employees
Highly successful in detecting red team engagements and giving clear broad-level assurance
Pros and Cons
- "The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into."
- "Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass."
What is our primary use case?
We use Cognito.
The biggest challenge we face in protecting the organization against cyber attacks is mean time to detection, operating from a position of an assumed breach, and then being able to detect breaches or malicious traffic within the environment as quickly as possible to reduce dwell time.
We have a small environment with only 300 users. It's very technically focused given the market that we operate in. There are two data centers, four offices, and a small IT and security team. Cognito allows us to make the best investment for the most return, given we don't have dedicated SOC analysts looking at a SIEM environment.
How has it helped my organization?
Cognito is highly successful in detecting red team engagements and giving clear broad-level assurance and confidence in the product.
It captures network metadata at scale and enriches it with security information. The add-on of Recall is an invaluable investigation tool. It's able to look back and triage incidents.
We have been enabled to do things now that we could not do before:
- There is more detailed visibility into network behavior.
- We have the ability to pull out anomalies.
- The high-fidelity alerts allow our team to focus on what's important.
What is most valuable?
The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.
Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.
Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into the attack chain.
We use privileged account analytics for detecting issues with privileged accounts.
What needs improvement?
Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.
For how long have I used the solution?
I have been using Vectra AI for three years.
What do I think about the stability of the solution?
Their stability is bulletproof.
What do I think about the scalability of the solution?
We're using it across our entire estate, so we don't have plans to increase usage. It's been adopted 100%.
How are customer service and technical support?
Their support is excellent. They're very responsive. Exactly as you would hope for from a vendor, which is rare.
Which solution did I use previously and why did I switch?
Vectra AI displaced an EOL north-south solution.
How was the initial setup?
The initial setup was very straightforward.
We had appliances in each physical data center. It took three or four days to see results.
Deployment time is equivalent to other solutions we have tried. The learning curve and speed of efficiencies are higher coming from Vectra.
What about the implementation team?
We deployed it with the assistance of Vectra. Our experience with them was exceptional. The engineers knew the product. Vectra is extremely responsive to assisting with technical issues. It was a very good experience.
What was our ROI?
It's hard to scientifically quantify ROI but I would say we have seen ROI, certainly from the risk and threat perspective.
After we deployed the solution it instantly began to add value to our security operations.
What's my experience with pricing, setup cost, and licensing?
Pricing is comfortable. I have no issues with the pricing structure at the moment.
There are no additional costs that I'm aware of unless you layer on MSP, additional soft services, or professional services. But for the solution itself, I don't believe there are.
Which other solutions did I evaluate?
We looked at Darktrace.
What other advice do I have?
I think the solution would help the network, cybersecurity, and risk reduction efforts in the future. If we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.
Two security senior analysts work on this solution.
My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.
I would rate Vectra AI Cognito a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.