Vectra AI is my main cybersecurity tool, and we use the AI data in our company. For example, when we discovered a malicious email, Vectra AI helped us identify that it was not a legitimate email, and we successfully stopped the threats.
Vectra AI offers advanced hybrid network and identity security, detecting threats traditional tools miss. It uses AI to identify lateral attacks and credential misuse, providing a proactive defense for enterprises.

| Product | Mindshare (%) |
|---|---|
| Vectra AI | 10.6% |
| Darktrace | 14.3% |
| ExtraHop Reveal(x) | 5.9% |
| Other | 69.2% |
Vectra AI enhances security by using AI-driven detection across network, cloud, and identity layers, surpassing EDR and SIEMs by offering real-time threat detection. It ensures continuous observability and automates SOC workflows to minimize manual efforts, creating an efficient security environment. Its AI-powered approach significantly reduces noise, focusing on true threats, and provides insights into complex threat landscapes, with seamless integration into environments like EDR and Office 365.
Vectra AI is used across industries for network and anomaly detection. Organizations deploy it for threat hunting and incident response, monitoring both on-premises and cloud activity. By placing sensors across sites, they optimize security practices and streamline their detection processes.
Vectra AI was previously known as Vectra Networks, Vectra AI NDR.
Tribune Media Group, Barry University, Aruba Networks, Good Technology, Riverbed, Santa Clara University, Securities Exchange, Tri-State Generation and Transmission Association
| Author info | Rating | Review Summary |
|---|---|---|
| Consultant at a retailer with 5,001-10,000 employees | 4.0 | As my core cybersecurity tool, Vectra AI effectively stops malicious emails and viruses, drastically reducing downtime. I rate it 8/10 but wish it covered all threat types, like hacking attempts, and offered better integration and reporting. |
| Strategic RAN Lead, Network Transformation & Optimization, Philippines & South Africa at a tech vendor with 10,001+ employees | 4.0 | I found Vectra AI to be an excellent AI-driven NDR solution, significantly reducing alert fatigue by 80-90% and improving SOC efficiency. While its pricing is a concern, I've seen a strong ROI, drastically cutting investigation workloads and detecting attacks missed by traditional tools. |
| CTO at Cyber Retaliator Solutions | 5.0 | I find Vectra AI excellent for threat intelligence, high-fidelity alerts, and network analytics, with competitive pricing and great support. Its intuitive dashboards help meet SLAs, though marketing needs improvement to boost visibility. |
| Owner at Fortibits | 4.0 | I use this scalable solution for SOC, valuing its many detection features and good integrations. However, I note that integrations aren't fully out-of-the-box, requiring manual effort, and I desire an on-prem recall feature. |
| Planning & Performance Analyst at National Information Center, Ministry of Interior, Saudi Arabia | 4.0 | I use Vectra AI for threat detection, valuing its UI and automation benefits. However, it lacks ExtraHop's features and is complex to set up, requiring multiple appliances, yet I rate it 8/10 despite these complexities. |
| Sr. Specialist - Enterprise Security at a mining and metals company with 5,001-10,000 employees | 4.5 | We find Vectra invaluable for proactive, anomaly-based threat detection, especially catching early attack stages missed by other tools. It significantly reduces noise and improves visibility, though its reporting features are limited. We highly value its ability to detect initial reconnaissance and lateral movements. |
| Security Consultant at IBM Thailand | 4.5 | I find Vectra AI excellent for monitoring unmanaged devices and network traffic, greatly reducing remediation time. Its AI and packet capture are valuable, though it still requires significant fine-tuning and better self-learning from the product. |
| CTO at Cyber Retaliator Solutions | 5.0 | I find Vectra AI excellent for critical threat detection and response. It's stable, scalable, and easy to set up, delivering high-fidelity alerts and saving analyst time. I suggest adding email protection. I rate it 9/10. |
| Associate Director Security at an outsourcing company with 10,001+ employees | 3.5 | I find Vectra AI an effective, AI-driven tool for threat and data exfiltration detection, with excellent scalability. Cloud setup is tricky, and it lacks comprehensive TCP recording. It's a good solution, though on the pricier side. |
| Head of ICT Security & Governance at a construction company with 501-1,000 employees | 4.0 | Vectra AI significantly enhanced our internal security, providing consolidated threat visibility and prioritization through an easy-to-use dashboard. It accelerates investigations, offers 24/7 MDR, and comfortably scales, proving a valuable solution for our small team. |
Vectra AI offers artificial intelligence capabilities with visibility that can be integrated into our day-to-day operations and other tools, including malware detection tools and cyber threat tools.
Vectra AI has positively impacted my organization. Last year while using it, we received many malicious email threats and virus incidents, including a trojan virus that had reportedly been deployed by someone. Our company used Vectra AI to detect the malicious threats and viruses before they could cause more damage, and we successfully stopped the threats.
Using Vectra AI, I notice that server downtime has decreased significantly. We now experience only two to three hours of downtime, whereas without Vectra AI and other tools, our downtime would exceed 48 to 72 hours.
Vectra AI could be improved by focusing on all threat types, not only malicious threats or virus threats. All threats, including hacking attempts, should be comprehensively addressed.
The user interface of Vectra AI is good, so there are no improvements needed in that area. However, reporting and integration with other tools should be enhanced.
I have been using Vectra AI for two years.
I give Vectra AI a rating of 8 out of 10.
Vectra AI is being used as an NDR solution to sell to customers as a managed service. The product has been productized to sell to customers as an NDR solution. The network is scanned for any anomalies or threats that are detected and fed to the customer's SIEMs and SOARs.
In one financial sector scenario, a customer was complaining about reduced alert fatigue and detecting an attack missed by traditional tools. They wanted an AI solution that could detect anomalies with the best MTTD and MTTR response times to reduce overhead over the SOC teams.
Vectra AI has been used for identity management, which was integrated with Microsoft Entra ID and Active Directory to monitor account activity. A customer wanted in-depth analysis on their identity management solution. Another scenario involved integrating with the customer's cloud solutions, where they wanted a solution that provided cloud detection and response through AWS and Microsoft 365 environments.
The best features of Vectra AI are related to AI. For the NDR part, Attack Signal Intelligence features were mainly responsible for behavior AI, high-fidelity signaling, and prioritization. These features were great for anomaly detection and behavioral-based detection, able to catch zero-day attacks and living-off-the-land attacks. For high-fidelity signaling, it automatically triaged, filtered, and correlated signals, which dramatically reduced alert fatigue noise on the customer side by approximately 80% and eliminated alert fatigue on the SOC teams. Regarding the identity detection and response IDR solution, it monitored Active Directory and Entra ID for any attacks, allowing the SOC to detect any compromised credentials.
Alert noise was dramatically reduced by nearly 80%, allowing SOC analysts to focus more on true threats, which made them more productive and resulted in higher operational efficiency. Attack Signal Intelligence helped reduce irrelevant alerts by 80% to 90%, with metrics showing a 100-plus reduction in investigation workloads and roughly saving about 55,000 hours of investigation time. Investigation time has decreased significantly, empowering analysts with detection and advanced unknown threats that Vectra AI provided. Its knowledge base and database are very up to date, allowing for spotting zero-day attacks with full visibility and helping to stop attacks in minutes.
Vectra AI has reduced the MTTD and MTTR, increasing operational and process efficiency, and has helped reduce the number of SOC analysts that needed to be hired. Thanks to the AI features, the number of employees and SOC analysts hired has been reduced.
Pricing could be improved, as many customers have complained about the pricing model and pricing complexity.
Regarding the product itself, extending direct control and simplifying workflows would be beneficial. More granular built-in responses and cloud remediations could be improved. A native CMDB-like feature and risk scoring would be a big advantage. Improved compatibility with the SASE ecosystem expansion would also be valuable.
Vectra AI has been in use since 2018.
Vectra AI is considered a stable solution.
Vectra AI is scalable because it can work through different kinds of solutions and is compatible with all kinds of cloud solutions. The appliance capacity is very good, whether virtual or physical, providing significant scalability.
Customer support receives a rating of nine out of ten due to being very supportive and responding quite efficiently.
Positive
A different solution was not previously used.
A good return on investment has been seen. For cost savings over a period of three years, it could be about 350%. The payback period is roughly six months. Productivity savings could be about 800,000, with SOC efficiency increasing nearly 40%. Workload reduction on the SOC side is now 100% lighter than previously.
Other options were not evaluated, as at that time, Vectra AI was the only NDR solution that had AI features. They began with the AI concept that was being sought.
Vectra AI should be considered if looking for an NDR solution and not just an EDR solution only. It provides great value and quality, provided that customers can pay for the licenses, which are quite expensive. Vectra AI is represented as a partner and reseller in business with this vendor. This review has been given a rating of eight out of ten.

The most valuable features I find are the threat signal intelligence and the ability to build high-fidelity alerting for customers, which is one of the biggest value adds.
Cognito Detect is quite useful, but it has only been used in a few companies that have required deeper insights into their network analytics, so not all customers have it. However, the ones that do have found a lot of value in it.
Vectra AI helps in identifying malicious network activities by enabling threat hunting and providing security enriched network analytics, giving considerable visibility over that aspect.
I am evaluating Cognito Recall's impact on my customers' threat investigation processes by noting that the ones using it are quite intensive. They can use Cognito Recall to look back further in time on events raised from a SIEM perspective.
I think one area that could be improved about Vectra AI is their marketing. One of the aspects that Darktrace excels at is their marketing, and I do not feel Vectra AI is on that level yet, leading to a lack of visibility over the solution.
I have been working with Vectra AI for about three years.
I would rate their technical support a 10, as we have local support in South Africa and the ability to reach out to the teams quickly and effectively when they are in similar time zones, leading to great support globally.
I find the pricing of Vectra AI to be one of the best we have seen as feedback from customers and partners indicates it is very competitive for an EDR solution.
The intuitive dashboards are incredibly useful, with both the Quadrant UX and the Respond UX, so whether looking from a management point of view or an analyst point of view, both dashboards are very intuitive.
The biggest metric I use to demonstrate the dashboard's effectiveness is the ability to respond to an alert effectively, particularly within the SLA timeframe. Many of our customers have an SLA with our partners, and if they keep to that SLA, it means the tool performs effectively. We have not had instances of it not working among our partners.
I assess the benefits of integrating Cognito Stream with existing SIEM systems by noting that Cognito Stream is very similar to Cognito Recall and provides enriched details around the network side in real-time. However, it is not for investigation purposes but rather for visibility purposes over the network.
My overall rating for Vectra AI is 10.

We are using it for our SOC services. We are also using it for our clients. We have our monitoring setup for our SOC staff.
There are many detection features available. There are extensive out-of-box detection capabilities. I cannot mention just one or two at the moment. There are multiple detection rules, and its integration with ADR and Office 365 AI is very nice, to be honest with you. It is scalable, and they have their own appliance that can handle multiple locations. You can deploy it for enterprises with multiple sites.
The advantages of the integration are not entirely out-of-the-box. You have to do it manually. When I'm doing tier response, an out-of-the-box solution is not available. You need to have a Linux server, and from the Linux server, you must perform AI tasks, and there is a lot to be handled in the back end. This is a major consideration about them. The recall feature, if it can be placed in some areas instead of the cloud, and charged for, would be better. Recall the storage where you watch all the traffic, and you can recall it and try to analyze it in the back end. It’s cloud-based. If they offer it on-prem, it would be better. I think they have a solution, but I have never tested it, to be honest with you.
I have been using the solution for years.
It is scalable, and they have their own appliance to handle multiple locations. You can deploy it for enterprises with multiple sites.
They are supportive. From a support perspective, they are supportive, to be honest with you.
I am using something else. I am using Vivo, Vixstrap, Vextra AI, Vectra, and Security Onion as open-source. It depends on the clients.
At the end of the day, it's written rules in such a way. The trend in the market is something I did not consider much. The detection rules are written in the back end. There is something happening in such a way to do it again. AI is mentioned too much, and for me, it is only marketing talk. At the end of the day, there is no one hundred percent AI in security. Detection requires manual writing at times. They already handle back-end processes but vendors won't show this. AI is not targeting a specific vendor. AI, for me, is just a trend. It depends on the client. I tailor solutions to client requirements. For visibility and monitoring, I choose the best products. Every application, every NDR solution has its capabilities. It varies by client because I must advise clients on solutions they can use and benefit from. I sometimes advise clients about Vectra as it still serves my clients well. It's fair enough for now. The overall product rating is seven out of ten.
Negative
The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.
With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.
It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.
And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.
For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.
That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.
The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?
We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.
The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well. We've had numerous red team and penetration exercises and, at the initial stage, when the recon is happening and credentials are used and lateral movement is attempted, our existing tools don't pick it up because it has not yet been "transformed" into something malicious. But Vectra, at that stage, picks it up 80 to 90 percent of the time. That has been one of the biggest benefits because it picks up what other things don't see, and it picks them up at the beginning when attackers are trying to do something rather than when the damage is already done.
The ability to roll up numerous alerts to create a single incident or campaign for investigation takes a bit of effort in the beginning because you'll always have misconfigurations, such as wrong passwords, that could trigger brute force and SMB-types of alerts. And you'll have genuine behaviors in your environment that tend to be suspicious, such as vulnerability assessment and scanning tools, that are not noise, per se. Even if they're non-malicious, it always tends to point to events like misconfigurations and security tools. It's been very useful in that sense, in that, once we do the initial triaging, indicating that this is a security tool, or that is a misconfiguration we need to correct, it reduces the noise quite significantly. We don't get more than 10 to 20 events, maximum, generated per day.
Vectra shows what it does in terms of noise reduction, and we can see that it is down to only 1 percent, and sometimes even less than 1 percent, of what actually requires a person to act on.
It becomes quite easy for a SOC analyst to handle things without being overburdened. And, obviously, it's at the initial stage because it picks things up before the damage happens. It's not the kind of prevention tool that has signatures and that only tells you something bad has already happened. It tells you that something is not right or is suspicious. It says there is a behavior that we have not seen before, and it has always been effective in the red team exercises that we periodically conduct.
Also, we have privileged account management, but we don't have a separate analytics tool. Still, Vectra also picks that up. This is also something that has come up during red team exercises. If there's an account that is executing an escalated privilege or running a service that it normally doesn't run, it gets flagged. It tells us about lateral movements and privilege escalations; things that constitute non-standard usage. It's quite effective at catching these. I have yet to see a red team exercise that doesn't generate any alerts in Vectra. We see a jump, and it's very easy to identify the account and the system that is the source.
It also triages threats and correlates them with the compromised host devices, because it maps both ways. It maps the host, the account, and the detection, and vice versa. You can also go to the detection and see how many affected hosts there are. In addition, if there's a particular detection, is there an existing campaign? How many hosts are also doing the same thing? These are the kinds of visibility the tool provides.
The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful. They are very generic and broad. That's one main area that I keep telling Vectra they need to improve.
Also, whenever there's a software upgrade and new detections are introduced and the intelligence improves, there is a short period at the beginning where there's a lot of noise. Suddenly, you will get a burst of detections because it's a new detection. It's a new type of intelligence they've introduced and it takes some time to learn. We get worried and we always check whether an upgrade has happened. Then we say, "Okay, that must be the reason." I would like to see an improvement wherein, whenever they do an upgrade, that transition is a bit smoother. It doesn't happen all the time, but sometimes an upgrade triggers noise for some time until it settles down.
We've been using Vectra AI for over three years.
In the beginning, there is a struggle to fine-tune it because it will generate noise for the reasons I mentioned. But once that learning phase is complete, it's quite reliable. We have been using the hardware for more than three years and there have been no failures or RMAs.
Upgrades happen automatically. We have never gone into the appliance to do an upgrade, even though it's on-prem. It all happens automatically and seamlessly in the background.
Initially, we had some problems with the Recall connection to the cloud, to establish the storage connectivity. But again, these kinds of things are at the beginning. After that, it is quite stable. We've not had any problems.
Scalability for the cloud solution is straightforward. For the on-prem solution, you need to take care of the capacity and the function itself, because the capacity of the same hardware varies, depending on what you use it for. From a capacity point of view, there is some effort required in the design.
Looking forward to the future, the tool integrates with more and more solutions outside of its existing intelligence. It's not something that we have yet embarked on, but that's an interesting area in which we would like to invest some time.
The cloud solution is something that has limited visibility because PaaS and SaaS in the cloud are always a challenge in terms of cyber security. And in the future, even though we have taken the Vectra SaaS for O365, they're also coming up with a PaaS visibility tool. It is currently under testing, and we are one of the users that have been chosen to participate in the beta testing of that. That's another thing in the future that would add a lot of value in terms of visibility.
Currently, we have about 8,000 users.
The support is directly from the device or we get a response via email. The response is okay. Because the product is stable, we have not been in a situation where we urgently needed something and we wanted support right now. We have never tested that kind of fast response. They take some time to respond, but whenever we have requested something, it has not been urgent.
We do get a response and issues always get resolved. We haven't had any lingering issues. They have all been closed.
Positive
We did not have any tools in the same league. We had security tools, but not with anomaly detection as part of the feature set.
Cognito Detect is on-prem and Cognito Recall is in the cloud, as is the O365 and Azure AD protection.
The cloud setup is extremely simple. The on-prem takes some effort. There is the sizing, depending on what model. The throughput varies. Those kinds of on-prem design considerations create a bit of complexity in the beginning, but the cloud is straightforward. All it needs is the requisite access to the tenant. Once it gets that, it starts its work.
In the beginning, there is some effort in fine-tuning things, but that comes as part of the package with the solution. They have a success manager and tech analyst assigned to support you in the beginning. Once that is done, the product is very stable.
For us, there were an initial four to eight weeks of triaging and clearing the noise, in terms of misconfiguration issues or known security tools. After that time, we started seeing value.
We only used the people from Vectra.
Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly. They are above average when it comes to price. They're not very economical but it's for a good reason. As long as we get quality, we are okay with paying the extra amount.
We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.
The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.
My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.
We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.
In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.
We have one SOC but it's based overseas. It's an offsite managed service and it covers the gamut of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.
Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.
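The review above describes using retained network metadata to find hosts that still speak SSLv3, TLS 1.0, SNMP v1/v2c or send credentials in the clear, even when nothing triggers a detection. The script below is an added example, not Vectra's code and not its metadata format: it runs a deprecation policy over a constructed set of flow records (the `FlowRecord` schema and the sample values are assumptions for this example) and groups the findings by source host, the way a protocol-cleanup report would.

```python
"""Flag deprecated-protocol usage in retained network metadata.

Added example, not Vectra's code or API. The record schema and the sample
records below are constructed for illustration; a real export would need
mapping onto these fields.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src_ip: str
    dst_ip: str
    dst_port: int
    app_protocol: str    # e.g. "tls", "snmp", "ftp"  (assumed field)
    version: str         # e.g. "SSLv3", "TLSv1.0", "v1", "v2c"; "" if n/a
    cleartext_auth: bool  # credentials seen in the clear (assumed field)


# Policy: protocol versions the organisation wants to retire.
DEPRECATED_VERSIONS = {
    "tls": {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"},
    "snmp": {"v1", "v2c"},
}


def classify(rec: FlowRecord) -> list[str]:
    """Return finding labels for one record; empty list if it is compliant."""
    findings = []
    proto = rec.app_protocol.lower()
    if rec.version in DEPRECATED_VERSIONS.get(proto, set()):
        findings.append(f"deprecated {proto.upper()} {rec.version}")
    if rec.cleartext_auth:
        findings.append(f"cleartext credentials over {proto.upper()}/{rec.dst_port}")
    return findings


def build_report(records) -> dict[str, dict[str, list[str]]]:
    """Group findings by source host; each finding lists the destinations seen."""
    grouped = defaultdict(lambda: defaultdict(set))
    for rec in records:
        for label in classify(rec):
            grouped[rec.src_ip][label].add(f"{rec.dst_ip}:{rec.dst_port}")
    # Sorted lists make the report stable for diffing between runs.
    return {host: {label: sorted(dsts) for label, dsts in labels.items()}
            for host, labels in grouped.items()}


def hosts_per_finding(report) -> dict[str, int]:
    """Count how many source hosts exhibit each finding (for prioritisation)."""
    counts = defaultdict(int)
    for labels in report.values():
        for label in labels:
            counts[label] += 1
    return dict(counts)


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.11", "10.0.1.20", 443, "tls", "TLSv1.0", False),
    FlowRecord("10.0.0.11", "10.0.1.21", 443, "tls", "SSLv3", False),
    FlowRecord("10.0.0.11", "10.0.1.22", 443, "tls", "TLSv1.0", False),
    FlowRecord("10.0.0.12", "10.0.1.30", 161, "snmp", "v1", False),
    FlowRecord("10.0.0.12", "10.0.1.31", 161, "snmp", "v3", False),
    FlowRecord("10.0.0.13", "10.0.1.40", 21, "ftp", "", True),
    FlowRecord("10.0.0.14", "10.0.1.20", 443, "tls", "TLSv1.3", False),
]


if __name__ == "__main__":
    report = build_report(SAMPLE_RECORDS)
    for host, labels in sorted(report.items()):
        for label, dsts in labels.items():
            print(f"{host}: {label} -> {', '.join(dsts)}")
    print("hosts per finding:", hosts_per_finding(report))
```

Compliant flows (TLS 1.2/1.3, SNMPv3 without cleartext credentials) produce no finding, so the report lists only the hosts an administrator has to follow up on; extending `DEPRECATED_VERSIONS` is how the policy is tightened over time.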
We use Vectra AI for endpoints where we are unable to install agents, like endpoint agents, EDR agents, or antivirus tools. For example, BYOD devices or routers in our network. We don't have any control over those, but we need monitoring capability.
Vectra AI can monitor the traffic from the wireless router to the firewall or any outgoing traffic. It can give us an idea of whether there is any C&C or C2 communication or any botnet activity from those source IPs. Without having any agents in the endpoint, it is a network monitoring tool. We use this tool to detect threats within the environment where the assets are unmanaged.
Also, since we tap into certain network points such as firewalls or IDSs, we get more visibility from managed assets as well. So before the endpoint notices the behavior, Vectra notices some of the exfiltration techniques and alerts us.
Overall, it is good and has reduced our time in identifying the system. It is for unmanaged devices. Previously, if we got an alert from the firewall, it was very difficult to find that particular asset. But with the help of this tool, we can simply run a packet capture and immediately get the hostname and know which user is using it.
It has greatly reduced our time to remediate the situation. We can identify the user, block their account immediately, and sometimes kick that device off the network completely.
It has a confidence level of around 60% to detect insider threats or anomalies, but we mostly need to fine-tune the product. We are still in the fine-tuning process. Even though it has been one year since we implemented the product, the first six months were spent integrating various log servers and determining where to tap.
For the past three months, we have been actively investigating the alerts. When we investigate some of the insider alerts, most of the time it is a false positive because the domain is allowed. Vectra does not know that those are allowed domains, such as OneDrive and SharePoint, to access our network devices.
It considers it malicious because a huge amount of file uploads is seen, according to Vectra. But we know those are known URLs and known behavior. When we slowly started whitelisting, the threat confidence level increased. So right now, for insider threats, it gives around 60% confidence, but around 80% of the incidents were false positives because we are still in the fine-tuning process.
The packet capturing feature is very useful, and as the name suggests, the AI uses models to detect abnormal behavior. Some of the pattern-matching algorithms they use are very advanced and detect threats at a very early stage.
For me, detections from unmanaged networks are one of the greatest values. You can identify threats from BYOD or even mobile devices, which were not handled before.
The detection algorithms can be improved at the sensor level rather than doing all the things at the brain. For example, if the sensor has some directional algorithm or detects repeating traffic, it can drop those packets at the beginning itself. There is no need to send that traffic to the brain in order to reduce the bandwidth.
AI is picking up a lot now. There is no manual intervention needed. Whenever a detection happens, it can automatically summarize and give it to you. But Vectra doesn't have those kinds of capabilities. It still needs manual intervention to analyze, and they don't have a summarized kind of output. So that can be improved. But apart from that, the detection models and all the other categories have good support for that.
In future releases, I would like to see Vectra AI generate a summary of the instance.
I have been using it for a year.
I would rate it at eight. The remaining two points I'm not giving because it's a fairly new product. So far, it is good as per our test and it is able to scale as well.
The only limit is that you need to add sensors when you have more traffic. For example, the current sensors can handle up to 50 Gbps of traffic. If you need more traffic to be handled, then you need to buy additional sensors.
From a technical perspective, there is not much more possible, because there are some hard limits in the hardware. You cannot increase the bandwidth. They have other options to increase with more sensors, but it ultimately ends up being a cost factor.
If you have more money, you can buy more sensors and do it.
In our organization, we are an MSSP provider. We use Vectra, and our entire SOC team, which is around 20 people, uses Vectra for our MSSP. We have two customers who are also using this product. Two of the largest telecom industries in Thailand are using this product to understand their behavior as of now. The approximate number of users in those categories will be around ten.
The customer service and support are good. So far, we have not faced any issues at all.
The setup is a very straightforward process. You need to tap the network traffic at your desired point, and it has two components: a sensor and a brain. The sensor collects the logs and forwards them to the brain, which does the detection and everything. They offer a virtual appliance that you can run in your environment.
The setup process is usually very simple. It took only two days to set up. But, initially, deciding the location of the sensor and other factors took more time. The threat team at Vectra AI engaged with us effectively, provided all the support, understood our architecture and advised us on placing the sensors.
The licensing is on an annual basis.
I would rate it at nine out of ten. The one point I'm reducing is because the model can learn itself. If no one is fine-tuning it, for example, every time we find a huge number of alerts, then only we go and look it up and fine-tune the product.
If no one is acknowledging it or it seems like regular traffic, then the product can understand that behavior and have a feedback mechanism to correct it, mark it as a false positive, or whitelist it.
My recommendation:
Understand your network first, and place the sensors in the correct position to receive all kinds of traffic: THC, PDNS, and all those things. If you place the sensors at the egress traffic, you may not receive some of the packets, and you will not have overall visibility.
So the placement of sensors is very important; you need to understand your network to place them correctly.
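The reviewer above describes the tuning problem concretely: large uploads to OneDrive and SharePoint were flagged as insider exfiltration until those destinations were whitelisted, after which the false-positive rate dropped. The following is an added example, not Vectra's code or algorithm, showing the same mechanism over constructed connection metadata: aggregate outbound bytes per host and destination, alert above a threshold, and suppress destinations on an analyst-maintained allowlist. The sample flows, the 500 MB threshold and the allowlist are all assumptions made up for the illustration.

```python
"""Allowlist-aware large-upload detection over constructed connection metadata.

Added example, not Vectra code. Shows why uploads to sanctioned SaaS look like
exfiltration until the destinations are allowlisted, and why the allowlist must
match on a domain boundary rather than a bare substring.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: (source host, destination, bytes sent). Not real data.
SAMPLE_FLOWS = [
    ("ws-finance-07", "contoso-my.sharepoint.com", 1_900_000_000),
    ("ws-finance-07", "contoso.sharepoint.com", 650_000_000),
    ("ws-hr-02", "onedrive.live.com", 1_200_000_000),
    ("ws-eng-11", "files.example-dropzone.net", 900_000_000),  # unknown external
    ("ws-eng-11", "github.com", 40_000_000),                   # below threshold
    ("srv-db-01", "203.0.113.45", 3_500_000_000),              # raw IP, unknown
]

# Hypothetical allowlist an analyst would build during tuning (assumption).
SANCTIONED_SUFFIXES = ("sharepoint.com", "onedrive.live.com")

# Per host, per destination, per aggregation window (assumption: 500 MB).
UPLOAD_THRESHOLD = 500_000_000


@dataclass(frozen=True)
class Alert:
    host: str
    destination: str
    bytes_out: int


def is_sanctioned(destination: str, suffixes=SANCTIONED_SUFFIXES) -> bool:
    """True if destination equals an allowlisted domain or is a subdomain of one.

    The "." boundary matters: "evilsharepoint.com" must not match "sharepoint.com".
    """
    return any(destination == s or destination.endswith("." + s) for s in suffixes)


def aggregate(flows):
    """Sum bytes per (host, destination) so many small flows are not missed."""
    totals = defaultdict(int)
    for host, destination, nbytes in flows:
        totals[(host, destination)] += nbytes
    return totals


def detect_large_uploads(flows, threshold=UPLOAD_THRESHOLD, allowlist=()):
    """Return alerts for hosts sending >= threshold to a non-allowlisted destination.

    With an empty allowlist this is the untuned behaviour the reviewer saw;
    passing SANCTIONED_SUFFIXES is the tuned state.
    """
    alerts = []
    for (host, destination), total in sorted(aggregate(flows).items()):
        if total < threshold:
            continue
        if is_sanctioned(destination, allowlist):
            continue
        alerts.append(Alert(host, destination, total))
    return alerts


def false_positive_share(flows, allowlist):
    """Fraction of untuned alerts that the allowlist would have suppressed."""
    untuned = detect_large_uploads(flows)
    tuned = detect_large_uploads(flows, allowlist=allowlist)
    return (len(untuned) - len(tuned)) / len(untuned) if untuned else 0.0


if __name__ == "__main__":
    for a in detect_large_uploads(SAMPLE_FLOWS):
        print("untuned:", a)
    for a in detect_large_uploads(SAMPLE_FLOWS, allowlist=SANCTIONED_SUFFIXES):
        print("tuned:  ", a)
    print("suppressed by allowlist:", false_positive_share(SAMPLE_FLOWS, SANCTIONED_SUFFIXES))
```

On the constructed data the untuned run raises five alerts, three of which are the sanctioned SharePoint and OneDrive uploads; with the allowlist applied only the unknown external host and the raw-IP destination remain. The suffix check deliberately requires the dot boundary, since an attacker-controlled name like `evilsharepoint.com` would otherwise be silently whitelisted.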

Our customers use Vectra AI to detect threats across networks, endpoints, identities, SaaS, and private and public clouds.
The most valuable feature of the solution is that it only shows us the events that are actually critical. The solution is currently used as a central threat detection and response system. It ingests every bit of information from the SIEM, does AI triaging and detection, and sends incredibly high-fidelity alerts to the SIEM for investigation.
It would be commercially beneficial if Vectra AI had something like Darktrace's Antigena Email or something similar to email protection.
I have been assisting customers using Vectra AI for nine months.
Vectra AI provides 100% stability because it sends you either a physical box or a VMware deployment, making it very simple and stable. Obviously, VMware will depend on your own environment.
Vectra AI is a scalable solution. Since we have added distribution levels, we've made quite a few deployments. The solution can support up to 100,000 endpoints. There's a specific customer that's using Vectra AI and has over 100,000 endpoints.
The solution’s technical support team is quite competent.
Positive
Vectra AI's initial setup is very simple. The Vectra AI team is quite competent, and they support and help us set everything up.
The solution's deployment was fairly quick. We had everything up and running within a day. Then, it was just about the information they were putting out that was being collected.
Vectra AI has an annual subscription license. You could choose the components you need for your environment.
The solution had some very good integrations with firewalls and EDR solutions. Since Vectra AI is more of an internal detection and response tool, it detects insider threats extremely well.
Before choosing Vectra AI, ensure you have a proper architecture for your environment that shows you where all your blind spots could be. This makes the deployment a lot easier. Vectra AI detects threats that people miss, especially manual operators.
Vectra AI has helped save a lot of log analysts' time because they don't have to deal with a lot of alert noise and false positives. Using Vectra AI for detection, triaging, and response speeds up your SOC response mechanism and makes the responses much quicker.
Overall, I rate the solution a nine out of ten.
This tool operates on machine learning principles, utilizing its own AI-based models and rules to detect activity within your environment. Initially, Vectra AI observes and monitors your organization's behavior for a two-week period, identifying legitimate services operating within your environment. Once it completes this monitoring phase and detects all services, it begins to assign certainty and severity levels to the network traffic it observes.
Vectra AI offers a range of valuable features. Firstly, it utilizes its own AI-based tools. Secondly, it provides various dashboards that facilitate the identification of connections and can detect data exfiltration, meaning data sent from your environment to another. The tool operates based on metadata, offering comprehensive information about traffic between source and destination. Some key features include the ability to integrate with EDR or EPP solutions, allowing you to secure servers with stability issues or infections. Alternatively, you can use Active Directory to lock down infected hosts if you choose not to incorporate EPP or EDR. These features provide insights into your network, showing connection details, data transfers, VPN connections, and the number of connected EDS event hosts, among other things.
One area where there's room for improvement is the absence of a comprehensive TCP recording and replay feature. While there is an alternative method available, it doesn't provide the same functionality in a graphical interface.
I have been using Vectra AI for the past 12 months.
In terms of stability, I've been using it for the past month, and I haven't encountered any significant issues or downtime. Based on this one-month experience, I would rate its stability as a seven out of ten.
Scalability is excellent and I would rate it a 10 out of 10. Expanding the sensor capacity is relatively straightforward. However, it's crucial to plan for scalability during deployment. If an organization anticipates significant traffic, they should choose a brain that can handle it. Selecting a smaller brain initially and then attempting to expand later may lead to challenges. The scalability largely depends on the organization's needs and Vectra's ability to accommodate them.
From what I've heard, the support team is responsive and helpful. However, I haven't had the opportunity to directly interact with the technical support team.
Positive
The on-prem setup is easy. However, the cloud environment setup is a bit tricky and complex, not only because of Vectra but also due to some limitations of the cloud setup. The deployment process varies depending on the organization's size and footprint. It typically takes about one week for data centers with a dispersed network across different regions. For Vectra, on-premises deployment is relatively straightforward, but the cloud deployment can be more complex.
It's relatively on the pricier side when compared to other solutions. It's not the most budget-friendly option, but it can be considered somewhat more cost-effective in comparison to some alternatives.
I would rate it a seven.
I would advise other organizations using Vectra to ensure they fine-tune their service groups, correctly label their services, and integrate their firewalls and AWS systems. This will help obtain accurate and updated information about DMZ tools, VPN tools, and EC2 tools, allowing Vectra to have better visibility into the services running. This, in turn, can improve the accuracy of the scan feed and provide more precise results, reducing false positives.
Overall, I would rate it seven out of ten.
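The review above describes the operating model in two phases: a roughly two-week learning window in which the product observes what is normal in the environment, followed by scoring in which each observation receives a certainty level and a severity level. The following is an added example, not Vectra's scoring model, that makes those two phases concrete over constructed per-host daily upload volumes: a baseline (mean and standard deviation) is built from exactly fourteen days of history, certainty is a z-score against the host's own baseline, severity depends on how much data went where, and a host that was never seen during learning is flagged for manual triage rather than scored. The history, the destination-category weights and the 10-points-per-sigma mapping are assumptions made for the illustration.

```python
"""Baseline-then-score anomaly detection over constructed per-host upload volumes.

Added example, not Vectra's algorithm. Phase 1 learns a per-host baseline from a
fixed window; phase 2 scores new observations with separate certainty (how
unusual for this host) and severity (how bad if real) values and ranks them.
"""
from statistics import mean, pstdev

LEARNING_DAYS = 14  # the two-week observation window the reviewer describes

# Constructed daily outbound volume per host in MB for the 14 learning days. Not real data.
HISTORY = {
    "ws-finance-07": [110, 95, 120, 130, 105, 98, 115, 125, 100, 118, 122, 108, 112, 117],
    "ws-eng-11": [40, 35, 55, 45, 38, 50, 42, 48, 39, 44, 47, 41, 43, 46],
}

# Constructed observations on day 15: host -> (MB sent, destination category).
OBSERVED = {
    "ws-finance-07": (1900, "sanctioned_saas"),
    "ws-eng-11": (900, "unknown_external"),
    "ws-new-99": (50, "unknown_external"),  # never seen during learning
}

# Illustrative weights in percent (assumption): sanctioned SaaS counts for less.
SEVERITY_WEIGHT_PCT = {"sanctioned_saas": 30, "unknown_external": 100}


def build_baseline(history, learning_days=LEARNING_DAYS):
    """Per-host (mean, population stdev) over exactly the learning window."""
    baseline = {}
    for host, series in history.items():
        window = series[:learning_days]
        if len(window) < learning_days:
            raise ValueError(f"{host}: need {learning_days} days, have {len(window)}")
        baseline[host] = (mean(window), pstdev(window))
    return baseline


def certainty(mb_sent, host_baseline):
    """0-100: distance from the host's own normal, 10 points per standard deviation."""
    mu, sigma = host_baseline
    sigma = max(sigma, 1e-9)  # a perfectly constant baseline must not divide by zero
    z = (mb_sent - mu) / sigma
    return int(min(100, max(0, z * 10)))


def severity(mb_sent, category):
    """0-100: impact if real; 1 GB to an unknown external destination scores 100."""
    return min(100, mb_sent * SEVERITY_WEIGHT_PCT[category] // 1000)


def score_day(history, observed):
    """Score one day's observations against the learned baseline, highest priority first.

    Hosts with no baseline get certainty None and sort last: the model cannot say
    how unusual they are, so an analyst must look rather than the score deciding.
    """
    baseline = build_baseline(history)
    scored = []
    for host, (mb_sent, category) in observed.items():
        s = severity(mb_sent, category)
        if host not in baseline:
            scored.append({"host": host, "certainty": None, "severity": s,
                           "priority": None, "note": "no baseline, manual triage"})
            continue
        c = certainty(mb_sent, baseline[host])
        scored.append({"host": host, "certainty": c, "severity": s,
                       "priority": c * s // 100, "note": ""})
    return sorted(scored,
                  key=lambda d: -1 if d["priority"] is None else d["priority"],
                  reverse=True)


if __name__ == "__main__":
    for row in score_day(HISTORY, OBSERVED):
        print(row)
```

Both baselined hosts end up with certainty 100 (the jump is many standard deviations above their own normal), but severity separates them: 1.9 GB to sanctioned SaaS scores 57 while 900 MB to an unknown external destination scores 90, so the engineering workstation ranks first. The never-seen host is not scored at all, which is the honest answer during the learning phase and one reason the reviewers elsewhere on this page report many false positives in the first months.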
We use it as our internal network monitoring solution.
It's interesting to consider how it has helped our organization because it's a security product. But the way it has helped is that nothing has gone wrong. And it has certainly enhanced our internal security capabilities.
Vectra has helped accelerate our threat investigations, providing us with real-time visibility of potential threats to the network that we can act upon or triage accordingly. Prior to the implementation of Vectra, we didn't have that visibility. We had a number of disparate security tools, each with its own alerting functionality. Vectra has significantly helped with a consolidated view of potential threats. And the prioritization of threats allows us to focus specifically on those threats that we believe present the greatest risk and to react to those threats extremely quickly.
Vectra MDR is also very important for us, given the relatively small size of our internal team, and it gives us 24/7 capability that we didn't have before we used Vectra's MDR service.
We particularly like the user experience around the dashboard, which we find to be much more straightforward than the dashboard of some of the competitive products. In the grand scheme of things, we're a relatively small organization with approximately 1,000 users and a small internal security team. Compared with some of its competitors, Vectra is a really easy system to understand and use to prioritize where we need to focus our security resources.
We use Microsoft 365 and Vectra extends our ability to track attacker activity, whether that happens on-premises, in a data center, or in a SaaS environment. It provides complete coverage and visibility across our ICT estate. That was a real positive when we were going through the selection process. The simplicity of the dashboard and the categorization of alerts as low, medium, high, or critical, presents us with the potential of a security risk. We can then choose to investigate it, regardless of whether it's an on-premises or cloud-security risk. They are presented in the single-pane-of-glass dashboard, and that allows us to take the appropriate action. The detection and prioritization of attacker behaviors are extremely important.
A blind spot that I have is around the ease with which you can automate threat intervention.
It seems to be extremely stable. We've not had any issues in that respect.
Vectra has visibility across our entire ICT network, which is a combination of on-premises and cloud environments. Our cloud solution is Azure, and it extends to about 1,000 users. The vast majority of them are now remote or mobile workers.
It has comfortably managed the needs of our organization and I don't have any concerns if we were to need, at some point in the future, to either scale or switch the current balance between on-prem and cloud.
We are very satisfied with the support. It has been excellent so far. It has been very timely, very personalized, and always quick to find solutions. We've been really pleased with it.
Positive
We didn't have a previous solution. We had no internal network monitoring capability.
We started with a proof of concept and then we committed to the Vectra solution. That's when we began the formal implementation. From the very initial engagement to the proof of concept and through the transition to service, it took approximately six months.
The deployment went very well and that was a real positive in terms of the engagement with the onboarding and the customer experience.
Across our ICT team, six individuals were involved in security, infrastructure, project management, and service transition.
There is no maintenance of the solution on our side.
The implementation was supported directly by Vectra UK itself.
The return on investment from the product comes from not incurring unplanned costs because of a security incident.
The upfront pricing model that we have would have been more beneficial if it had been a recurring license fee, but that wasn't a massive issue for us. It's fairly priced.
We evaluated other options very thoroughly. It became a two-horse race between Vectra and Darktrace. The differentiators for us were the UI experience, the MDR, and we felt that there was better engagement with the Vectra presales team. They better understood our needs and how Vectra would fit as a solution.
The percentage of alerts from Vectra that are critical or true positives, to be fair, is relatively small, probably about 10 percent, but that's more a reflection of the fact that we're still a relatively new client and that the system is still learning. What we have noticed, though, is that the triage process is effective and we don't get multiple false negatives once we've identified an issue.
We bought Vectra AI through our IT partner, which is CDW. They were only involved in the procurement process. We used a partner to ensure that we could demonstrate that we had done so according to compliance.
I would definitely recommend Vectra and to do a proof of concept. We learned quite a lot through that proof-of-concept process. Those lessons certainly helped us when we went into the implementation process and to engage internal ICT team stakeholders and anticipate central issues in the implementation process. A proof of concept would be invaluable for anybody thinking about implementing this or one of the competitive solutions.
At the moment, we're really pleased with the product and it's a really good fit for the size of our organization.