We evaluated whether we wanted to switch to Vectra AI or whether we wanted to utilize just our existing Microsoft security stack.

We looked at least five different vendors, including Cisco and Darktrace, in PoCs.

Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

Vectra AI has a very short deployment time compared to other solutions that we tried.

We did evaluate other options. We evaluated rolling Bro or Zeek on our own. We evaluated Security Onion. We also evaluated Corelight and almost picked them. We also investigated a couple of solutions that are significantly more involved than Vectra, just like full managed solutions, but we decided not to do that.

The main reason for choosing Vectra over all the other solutions was twofold. One was the deployment time and routine administration costs. Its deployment was very simple. The amount of time it would take to deploy and configure was very low. The time it would take to maintain the environment was significantly lower than the other solutions and on par with Corelight.

The second reason for picking it up is that it allowed us to create our own detection rules. They build rules for us when there are major events, as well as they have the ML and AI engine. This was the only solution that was easy and fast to deploy and maintain, and that was giving us all three options for rule detection. That's why we went with them. Some of the solutions provided all three options, but they were a pain to configure and maintain, and some of them were easy to deploy and maintain, but they didn't provide all three options.

We evaluated Vectra AI and CyberSense and did POCs with both. We observed that Vectra AI was better because we can see everything. CyberSense uses a different technology. For example, it creates an Active Directory that isn't used. If someone connects to this Active Directory or starts requests, then we will get an alert. However, we think Vectra uses a better way because we can see more. It also has better technology.

After deploying this solution in our network, it began to add value to our security operations straightaway. We ran the Vectra product in line with DarkTrace and were watching the alerts from both. Because I was sometimes getting exactly the same detections on both platforms, the Vectra information was actually assisting me in understanding what DarkTrace was doing and what it was warning me about. Straightaway, I started to get a better understanding of the alerts that we had been receiving for a long time.

It pays to evaluate the market regularly on products like this. The industry and platforms change very rapidly, and there is always new technology coming out. Three years ago, these guys wouldn't have probably been around or been looked at. Now, they are. Therefore, going out to the market and actually assessing our existing investment, against what is out there today, was very worthwhile.

For EDR, we are using CrowdStrike.

We evaluated other options. I wasn't the person who decided on Vectra AI at the time, but we were looking at Darktrace and other machine learning-type solutions.

Vectra fit the niche of what we needed, from the perspective of the former C-CERT manager. Also the feedback we got from their team and the support we've had with them really pushed us to work with them. They were very collaborative and we believed in what they were doing when they initially started working with us all those years ago.

We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.

We evaluated other options very thoroughly. It became a two-horse race between Vectra and Darktrace. The differentiators for us were the UI experience, the MDR, and we felt that there was better engagement with the Vectra presales team. They better understood our needs and how Vectra would fit as a solution.

We did review the marketplace and look around. For example, we looked online at Darktrace, but we didn't run a side by side comparison to see which one would work better.

Vectra was the only tool in which we did a physical pilot or proof of concept. Vectra stood out for its simplicity and the general confidence that I had with the people whom I was engaging and having conversations with at that time. I am very much a people person. If I talk to people and don't get the impression they know what they're talking about, then that will reduce my confidence in their product. E.g., our initial engagement with Darktrace wasn't good enough to provide confidence in their platform, and we had to move quickly.

When we started off, apart from money, we had to look at behavioral analysis. We weren't sure where we wanted to go with the solution, whether we wanted to look at the endpoint or network. So, after a RFI, to define which direction we wanted to go, we thought that we would go down the network analysis route.

Because we have call centers, there is normally a high turnover of staff. The jobs themselves are quite intense and people move around quite a lot, it was key for us to get some visibility in what those guys are doing. We thought, "Although we do a lot of user awareness and logging, this is probably where our weakest link is." It was a case of somebody potentially clicking on a malicious link, some sort of phishing attack which was probably, or is probably, going to cause us the most pain.

We looked at Darktrace and there was another option that dropped out. So, we looked at the main players in that area. We decided on the behavior analysis for network, then we took the top three: Vectra, Darktrace, and another solution. 

It came down to Darktrace and Vectra. Darktrace looked much prettier than Vectra, unfortunately the support that we'd heard about and reviews that we read, led to, "Here's the new tool set. Off you go". This is what we didn't want. We wanted somebody to hold our hand, then give us the support we needed to ensure we get the best out of the tool set.

It obviously comes down to price as well and we feel we picked the best product that fitted us. We did quite a lot of due diligence on both. I went to different places that got both installed and got references from both. I firmly believe that both products would have done the job well. However, the support from Vectra along with their customers' references to say how good it was, I think we made made the right decision.

I evaluated Darktrace but it wasn't so good. Vectra's capabilities in pinpointing things of interest are way better. With Darktrace, it is like they put a skin of Kibana on some standard IDS stuff.

Vectra enables us to answer investigative questions that other solutions are unable to address. It provides an explanation of why it has detected something, every time, and always provides insights about these detections. That's very helpful. Within the tool, you always have small question marks that you click on and you have a whole explanation of everything that has been detected: Why has it been detected and what work is the recommended course of action. This approach is very helpful because I know that if I ask somebody new, within our team, to use Vectra, I don't have to spend months or days in training for him to be able to handle the solution properly. It's guided everywhere. It's very easy to use.

We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.

The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.

We investigated Darktrace, Vectra, and Cisco Stealthwatch.

Darktrace and Vectra plus Recall were similar in my opinion. Darktrace was a bit more expensive and complex. Vectra has a very nice, clean web GUI. It easier to understand and cheaper, which is one of the main reasons why we chose Vectra over Darktrace.

Darktrace and Vectra are very different, but eventually for what we wanted it to do, they almost did the same thing. Because Darktrace was a bit more expensive, it was a financial decision in the end.

I did the comparison between Darktrace and Vectra. They did almost the same thing. Sometimes, there are differences that Darktrace did detect and Vectra didn't. For the majority, we didn't find any actual hackers. So, it's all false positives, eventually. Both of them are very similar. The big thing is the hacker activity. They both detected it in the same way. But, in the details, they were different.

The options for Stealthwatch were a bit limited in our opinion for what we wanted it to do. Stealthwatch is network data, and that's it.

We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.

We looked at some of Vectra's competitors. We had Snort and also used Bro. We also used Argus and NetFlow collector. Therefore, we looked at what were the products out there that could sort of replicate the things we were doing with a commercial off the shelf product that had artificial intelligence, but not open source.

We looked at Corelight, which was more grow only. We also looked at ExtraHop.

We didn't do a formal RFP with this one. We developed some relationships with the management at Vectra, who really wanted to partner with us. We looked at their technology and other competitors in the area, then decided it was a worthwhile (based on their commitment) for us to work with them.

Usually, I'll go to the Gartner Security & Risk Summits and look around at what different vendors are coming out with. That's a very useful venue for learning about new vendors.

I was remotely involved in its evaluation. We tried to create alerts, and Vectra always caught the attacks. Vectra was also easy to implement.

We looked at ExtraHop, a VMware NDR solution, Carbon Black, and a solution from a French organization.

Carbon Black is oriented around VMware products. As such, it would have been okay for the data center, but we would have had to upgrade the entire physical infrastructure inside the data center. It would have been very expensive, and thus, we eliminated Carbon Black. The French competitor was eliminated because the solution was a few years behind.

We then talked with Vectra AI and were happy with what they offered us. We spoke with other companies that use it and found out that they were happy with it. Thus, Vectra AI got the opportunity to do the proof of concept.

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

We looked at NextGen traffic analysis type of solutions, like Darktrace. Then, we looked at Vectra. I found Vectra was a bit more intuitive. I think both products had some really good offerings. What really helped us make a decision was we were trying to find things that help us produce actionable items. I liked Vectra because the one thing it was trying to do is it was show you exactly what is happening in the kill chain. The whole premise behind it was, "These are things that are actually occurring in your network, and they're following a specific pattern." I really liked it because in my view it was very actionable and automated.

I don't want to have to spend cycles on things on unnecessary things. One thing I found with Darktrace was it produces a lot of good things, but it's too much in certain cases. Whereas, I like the way Vectra tells you exactly the things that are happening right now in your network, then groups it based on exactly what the type is, providing you a risk score.

Also, it did seem like it was like a resource built into a box with AI capabilities. I found that the amount of effort we have to spend on analysis from it is a low cost to us. Vectra just fit in well with my team mandate.

I found Darktrace was a bit more noisier than Vectra. Sometimes, when you deal with products like this, the noise is time and effort that you may not necessarily have.

Once we started to do the PoCs, we ran Vectra in certain use cases with the sense of, "Okay, let us know exactly what's kind of going on within the network." What we found in a lot of cases is, and these weren't just cybersecurity incidents that were occurring, and Vectra gave us a good sense of how a lot of our solutions were operating. We ended up finding out, "This is exactly what this solution may be doing. Maybe there is a misconfiguration here or there."

We evaluated Darktrace, in addition to Vectra, each in a PoC. We chose Vectra because the things that Vectra picked up were far more useful, and necessary from an enterprise point of view. Darktrace was a bit noisier.

We looked at Darktrace. 

We also evaluated Darktrace. We made a decision to stop testing Darktrace very early on, so it is difficult to compare to Vectra.

We chose Vectra because of the solution's simplicity; it is more straightforward. Also, we liked Vectra's support, visibility, and implementation. The solution comes to a conclusion within Vectra about some detections. It was easier to find the technical details which were interesting without looking too deep. The correlation was good too. At the end of the proof of a concept, Vectra added some extra features. However, for finding the way into the system, it took us a lot more time. 

We found that Vectra enables us to answer investigative questions that other solutions are unable to address. They provide a checklist regarding what we can do about detections. Because of this visibility, we don't have to do more investigations. 

We have other systems, like Office 365, which do behavior analysis and some signature behavior analysis. However, Vectra does not gives that many false positives in comparison with other solutions. Also, we are now able to see the entire network and cloud.

We evaluated three or four different solutions.

Vectra's licensing model could scale to our research network, which has multiple, 100-gigabit links. Other competitors could not scale that for us.