Overall, I would rate Vectra AI an eight out of ten. I am basing my whole security portfolio and roadmap around Vectra, which means that in the future I need to get more automation, remove some of the cross-tracking that we do with the Microsoft security stack, and then become much more reliant on the data coming through from Vectra AI.

I would advise other organizations using Vectra to ensure they fine-tune their service groups, correctly label their services, and integrate their firewalls and AWS systems. This will help obtain accurate and updated information about DMZ tools, VPN tools, and EC2 tools, allowing Vectra to have better visibility into the services running. This, in turn, can improve the accuracy of the scan feed and provide more precise results, reducing false positives.

Overall, I would rate it seven out of ten.

Do a PoC. Only a PoC will show you if something works or not. I know it takes time but do a POC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

There is manual input i.e., Triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

I would rate this solution as 10 out of 10.

It is pretty straightforward. Plug it in and use aggregators in front of the sensors to aggregate multiple tap sources into a single sensor. The sensors can handle it. They de-duplicate everything. There is no need to purchase a sensor for every tap. Truncate all that traffic into an aggregator and have it come out one feed into the sensor. There is no issue there with the Vectra sensor being able to carve out all that. They're powerful enough to do that. Vectra recommends that. So, if someone is purchasing Vectra, they're going to hear that from them. With Vectra, you're picking reliable and fast among cheap, reliable, and fast.

In terms of Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we do not generate a lot of incidents. We're pretty quick off the gun on detections. We're responding to detections before subsequent detections are detected and become an incident. We maybe get one incident a week, so I don't know if I can comment on that effectively.

We don't use privileged account analytics from Vectra for detecting issues with privileged accounts. In terms of its detection model for providing security around things like Power Automate or other anomalies at a deeper level, we don't use Power Automate, but we use their anomaly detection, and it is very interesting. While it always does provide us something interesting to look at, more times than not, it is our IT admin who does anomaly detection. So, we learn a lot, and it brings odd things to our attention, but with anomaly detection, it has usually been our IT admin.

In terms of Vectra helping our network's cybersecurity and risk-reduction efforts in the future, I'm hoping that one day, we can achieve even client-to-client inspection. Vectra should stay up with the times, and they shouldn't start coasting, which I don't see at all. They fill a good gap, and they do that well. We're just going to leave them filling that gap until the time comes where that is no longer a need, which I don't foresee. So, I don't know if they're going to do anything more than inspect network traffic and provide us an alerting engine on anomalous or malicious network traffic. That's their niche, so that's what they're going to do, probably just more of it. As we grow, we'll deploy more Vectra sensors to capture that extra traffic. I see them scaling very well.

I would rate this solution a solid eight out of 10. It loses a star for not adhering to Bro Logs in my book, and there is no perfect 10.

Overall, I would rate Vectra AI at ten on a scale from one to ten, with ten being the best.

The visibility of your threats will be easier to understand with Vectra AI. It provides you with a centralized dashboard of those threats and alerts. It gives you detailed descriptions for quicker research into what the identified threats and alerts are. It will integrate with existing products you may already be using. Overall, it reduces a lot of time spent on chasing false positives.

Right now, we are leveraging the on-prem appliance and the Office 365 Cloud component. We want to look to the future around potentially extending this to further parts of Office 365 and cloud environments, like Azure and AWS.

We haven't adopted Power Automate into our environment as of yet.

I would rate this solution as eight and a half out of 10.

My advice would be to really utilize the support and collaborate with Vectra. The solution requires heavy usage and customization to your environment. They provide the guidelines and you just have to be able to fill in the specifics. If you don't do that, it's not an effective tool. It is a really hands-on tool.

Vectra has done a really good job of giving you visibility into the type of behavior into which you want visibility. But reducing the number of alerts really depends more on the analyst who is operating it and working with it.

As for its ability to reduce false positives and help us focus on the highest-risk threats, the term "false positive," especially in this scope of machine learning, doesn't seem to me to apply. Vectra gives you visibility into what you want to see. It gives us visibility into the exact behaviors which we sometimes have issues trying to create detections for on the host. And on the network it's collected and brought it all together. We get really good visibility into all of the risky behaviors. Vectra provides the whole context, on the network, of what it sees in terms of a risky behavior and provides a story with it.

In comparison to some of the other tools that I've come across in this category, I would definitely give it a 10 out of 10.

The technology is strong, but everything around the technology outside of support is weak. Vectra AI needs to find a way to make it more cost-effective for customers to compete with some of the other tools on the marketplace that customers are buying. Vectra AI should do sample packet captures for clients with different use cases. They're trying to forcefully push their tool on the market when the market wants something else.

Overall, I rate Vectra AI a five out of ten.

From a deployment and operations perspective, it's quite nice. Therefore, I'd give an overall rating of seven out of ten. However, I look forward to increasing the rating when we move into the production phase and see the real output from Vectra AI.

I'd rate Vectra AI a 10 out of 10.

The product is quite good, and we have a good relationship with the customer success managers and other teams as well.

Overall, I would rate Vector AI an eight on a scale from one to ten with ten being the best.

The percentage of critical alerts from Vectra that are critical or true positives, to be fair, is relatively small, probably about 10 percent, but that's more a reflection of the fact that we're still a relatively new client and that the system is still learning. What we have noticed though is that the triage process is effective and we don't get multiple false negatives once we've identified an issue.

We bought Vectra AI through our IT partner, which is CDW. They were only involved in the procurement process. We used a partner to ensure that we could demonstrate that we had done so according to compliance.

I would definitely recommend Vectra and to do a proof of concept. We learned quite a lot through that proof-of-concept process. Those lessons certainly helped us when we went into the implementation process and to engage internal ICT team stakeholders and anticipate central issues in the implementation process. A proof of concept would be invaluable for anybody thinking about implementing this or one of the competitive solutions.

At the moment, we're really pleased with the product and it's a really good fit for the size of our organization.

Make sure you have a dedicated resource committed to daily use of the tool. Because the selling point is it frees up your time, reducing the amount of time you need to spend on it so you don't have to commit resources. Then, you find yourself in an implementation two years later and you don't have committed resources who use it daily or are committed to it full-time. This means you don't maintain things like the triad rules and filters. Even though the sales material says it makes it easier and reduces alert fatigue, it doesn't give more time. You still need to have a dedicated resource to operate the tool, which we never committed at the beginning.

Having an established mature team structure is really important as well. Making sure people are aware of their role and how their role fits into the use of the tool is key. Whereas, we were building a security operation center (SOC) at the same time that we took on the tool, so our analyst activities have evolved around the incorporation of the tool into the organization and it's not necessarily a mature approach.

I would rate this solution as an eight (out of 10).

People do a lot more than we actually see. Looking at the test and development guys, sometimes they do things that they don't understand. So, they will do it because it works. The actual things that are behind the scenes are the sort of things that happen, and they don't really understand. If there's something that's really complicated, they're people that have initiated it that don't really know what it is. That is always a problem, because in our sort of company, we have a lot of developers who are doing a lot of coding and things like that, but they're not 100 percent on all the other things that they affect, such as the supporting applications underneath it. 

They are making a change on one particular app, but it's using the other apps underneath it to develop that and push that across to something else. All these extra, different steps that they are completely oblivious to where we go, "Actually, you've just done this." They go, "Well, I don't know, I just ran the script over here. I don't know why that would happen." But, it'll do a LDAP lookup or connect to a share. Those are the sort of things that you get a lot of visibility from people who don't understand. So, that can become tricky. That's pretty much par for the course for a lot of security tool sets. Where you have a couple of people who know one particular aspect, but don't really understand everything that's going on. To be fair, IT is a big area. You can't expect everyone to know everything of everything, not when you're not working in a massive IT structure, and the security team is a small department.

You need to be quite key on your business case and what you're expecting from it. Be 100 percent sure on your use cases. It's an excellent tool. It doesn't create a huge amount of overhead, but it is a tool that you need to keep on top of. The more you keep on top of it and get it right at the start, the easier it will make your life going forward. Don't just stick it in, then leave it to whirl away as a lot of people do. You have to spend that bit of extra time, and it's not huge amount of time, and leverage other teams. 

The way they do their customer success is really good. There's nothing bad that I've got to say apart from the costs, but nothing's free, is it?

It has to be up there with my favorite security tool set at the moment. I am quite lean on scores, but the solution is definitely nine (out of 10). If I look at all my other security tool sets, this is the one that my guys value the most.

The issue Vectra AI helps us solve is threat prevention.

Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that we are still in a tuning phase and it's too early to say anything about detection, but I would put ten for support.

Do not be afraid to link Vectra to the domain controller, because doing so can bring a lot of value. It can provide a lot of information. It gets everything from the domain controller and that is very efficient.

You don't need any specialized skills to deploy or use Vectra. It's very intuitive and it's very efficient.

We are in the process of deploying the solution’s Privileged Account Analytics for detecting issues with privileged accounts. We are using specific accounts to know whether they have reached some servers. It's quite easy with all these tools to check whether or not a given access to a server is a legitimate one or not.

We don't use the Power Automate functionality in our company, but I was very convinced by their demonstration, and an analyst in my team played with it a bit to check whether or not it was working properly. These are mostly advanced cases for companies that are using Office 365 in a mature manner, which is not the case for our company at the moment.

In our company, less than 10 people are using the Detect solution, and five or six people are using Recall. But we are also extracting reports that are provided to 15 to 20 people.

My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.

We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.

In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.

We have one SOC but it's based overseas. It's an offsite managed service and it covers the gambit of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.

Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.

Start small and simple. Work with the Vectra support team.

The solution’s ability to reduce false positives and help us focus on the highest-risk threats is the tricky part because we are still doing the filtering. The things it sees are out of the ordinary and anomalous. In our company, we have a lot of anomalous behavior, so it's not the tool. Vectra is doing what it's supposed to do, but we need to figure out whether that anomalous behavior is normal for our company. 

The majority of the findings are misconfigurations of servers and applications. That's the majority of things that I'm investigating at the moment. These are not security risks, but need to be addressed. We have more of those than I expected, which is good, but not part of my job. While it's good that Vectra detects misconfiguratons, there are not our primary goal.

The solution is an eight (out of 10). 

We don't investigate our cloud at the moment.

At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.

I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.

I'm the admin of Vectra AI, a tool implemented in my company.

The tool was updated three or four months ago, but I'm unsure if I have the latest release.

My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.

I'd recommend Vectra AI to others looking for an NDR solution.

Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.

On a scale from one to ten, I would give Vectra AI an overall rating of eight.

We don't have that big of a cloud presence yet. However, the solution would correlate behaviors in our enterprise network and data centers with behaviors we see in our cloud environment because part of our east-west visibility includes our dedicated connections to cloud instances. If it goes over to our commodity Internet, it should see it there too.

I would rate this solution as an eight point five (out of 10).

All opinions in this review are my own.

Vectra faces robust competition, but it substantiates its abilities. Depending on client needs, it can easily work with other IT solutions. Yet, for pure network detection and response, Vectra excels, particularly for enterprises demanding very good solutions. It offers superior detection coverage for heightened security. It has an encryption-based approach, enabling threat detection without decrypting any data. Moreover, Vectra stands out with its broad integration capabilities with third-party tools and I personally find it a successful feature.

Overall, I would rate Vectra AI an eight out of ten. 

Before Vectra, we didn't have any feasibility of our network net flow, so this solution gives us a better view of what has been happening on our network and this is what we're trying to solve by implementing Vectra.

We are not using the flood detection response platform.

We are not using Vectra MDR services.

Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best.

We have not yet tested the whole tool in a penetration test. However, I would nonetheless give it at least an eight out of ten, with one being the worst and ten being the best. 

Right now, we have a good understanding of the UI and I know that there have been improvements to the visualization. The scoring redirects your focus to things that you should be looking at. The tool we used before Vectra was Darktrace. It was similar to where Vectra is heading now. With the scoring system, Vectra is a better solution.

My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be the plan and implement as per the plan.

I would rate Vectra AI a nine out of ten. 

I'd rate Vectra AI a nine out of ten because there's always room for improvement.

Overall, I would rate Vectra AI an eight out of ten.

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

When we initially deployed Vectra, I was not working on it very much because I did not have very much experience with it. At that time, I was not happy with Vectra and was mainly using other solutions, like Splunk. However, as we learned more about how to use Vectra more effectively, we added additional features and made greater use of the dashboard. In year two, we started seeing Vectra as a tool for analyzing our network traffic. Right now, I think it is a good solution. 

I rate Vectra AI a nine out of ten.

There was no complexity with Vectra; it is very simplistic. However, for the tool to be effective, you want to make sure that you place your sensors in appropriate places. Other than that, you let the tool run and do its thing. There's really no overhead.

I would probably rate it as a nine or 10 (out of 10). We have been extremely happy with the solution. It's been one of the best solutions we have in our enterprise. I would put it at the top of the list.

Take time to understand how the triage filtering works and standardize it early on. Use a  standardized naming convention and be consistent.

It's a very effective tool, but if you don't pay attention to what it's telling you, then it's like anything else. If you don't use it, then it's no good. You have to trust that what it's telling you is correct and then you can take the appropriate action.

For the most part, the users who log into it in our company are people on the security operations team. It's pretty much a closed tool. Access is limited to the people in the security center of excellence.

In terms of the solution's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we don't use it that way. We've set up enough triage filters over the course of the last year-and-a-half to get all the noise out of the way; stuff that is either innocuous or really isn't bad. Then we're focusing on what's left, which is typically, for lack of a better term, the bad stuff or the stuff that we need to pay attention to.

Regarding the solution's privileged account analytics for detecting issues with privileged accounts, we've used it, but not to the extent that we would like to. We just don't have enough manpower to be able to do that at this point. But it's important because we can see when an account is doing something that it shouldn't be doing, or that it doesn't normally do, or that it's connecting to a place that it doesn't normally connect to, or that it's escalating its privileges unexpectedly. We see all that and then we can respond accordingly.

One thing we have learned using Vectra is that anomaly detection is a critical component of security; a non-signature-based technology is very critical. It helps pick up things that other tools, which are more focused on active threats, will miss. That is one major lesson that we have picked up from Vectra.

My advice would be that you need to focus, because the licensing is based heavily on IPs and area of coverage, although predominantly IPs. You need to have a very clear idea of what areas you want to cover, and plan according to that. Full coverage, sometimes, may not be practical because, since it's a detection tool, covering everything for large organizations is complicated. Focus on critical areas first, and then expand later on.

Also, the architecture part needs to be discussed and finalized early on, because there is a limited flexibility, depending on which model you choose to take.

The solution captures network metadata at scale and enriches it with security information, but the full realization of that will come with Cognito Stream, which we have yet to implement. Right now we are on Cognito Detect. Cognito Stream is something that we are working on implementing, hopefully within the next month or so. Once that comes online, the enriched metadata will have greater value. As of now, the value is there and it's inside Vectra, but we don't see that information — such as Kerberos tokens, or certificates, or what the encryption is — unless it leads to a detection. Only in that event do we currently see that information.

The Cognito Stream can feed into our SIEM and then we will have rich information about all the metadata which Vectra has in our data lake.

We use the Threat Detection and Response platform, mainly for forensics. It's quite effective because it's easy to understand and everything is in real-time.

Overall, I would rate this solution an eight, on a scale from one to ten, with one being the worst and ten being the best. 

I think the solution would help the network, cybersecurity, and risk reduction efforts in the future if we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.

Two security senior analysts work on this solution.

My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.

I would rate Vectra AI Cognito a nine out of ten. 

If you are looking into this type of solution and have the money, then you certainly need to look into Vectra.

The campaigns are interesting when looking at the beginning of a campaign. The scope of false positives is a real issue in a network that continuously has a lot of new hosts, but we can cope with it. We have given some feedback to the help desk regarding coping with this matter.

We hope that we can keep it so we don't see a complete lifecycle of an attack.

We are planning to use more features of the solution in the future, e.g., automation. We also want to integrate it with more advanced client security features.

I would rate this solution as an eight of 10. There is still a lot of development going on with it.

Set up specific threat scenarios that you are looking into, then monitor and evaluate on that. For example, it could be a botnet or certain user behavior. Also, the solution works best within an enterprise.

We are currently evaluating upgrading our SIEM and EDR technologies. When we extend our scope of the traffic that we are monitoring, Vectra AI will possibly enable us to do things that we could not do before, which would be a nice side effect.

There are still quite a lot of alarms coming in. It helps to reduce the amount of alerts that an older IDS-based system would have had. While there are still a lot of alarms, there are less alarms than the traditional IDS.

I would rate the solution as nine out of 10.

I rate Vectra AI an eight out of ten.