BV
Project Manager at a university with 1,001-5,000 employees
Real User
Top 20
Straightforward solution with good support, visibility, and implementation

Pros and Cons

  • "It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response."
  • "In comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment."

What is our primary use case?

We use it to monitor what is happening on our network, especially to protect our network from malicious activity.

We also have the sensor into Office 365, so we can also monitor everything that is happening in there.

At the moment, we use it to monitor all our endpoints.

How has it helped my organization?

The solution's Privileged Account Analytics for detecting issues with privileged accounts is critical for our organization. Because of risk, we scan our entire network. We have a lot of segmented networks where clients can almost do nothing. If we just look into everything, then sometimes there is a bit of noise. When you select your privileged hosts or accounts, you can see how many things are left over and which are the most critical that need to be solved as soon as possible.

It notifies us if our Office 365 has been compromised. Even after business hours, I get personal emails. This is a temporary solution because we are working on repetitive alerting, but that's a work in progress. We are working on an integration with our authentication system that will be able to detect an account or device. We want to automate that process so the account will be locked out for a period of time.

Vectra is a detection system on top of our protection system. We do a lot of protection on our network, but that protection is a configuration based on human interaction, where there can also be human faults or errors in the system. 

The solution captures network metadata at scale and enriches it with security information, e.g., we have sensors for Symantec antivirus and our virtual infrastructure. We are looking into extra sensors for enabling some things from Microsoft Defender. We integrated it into our Active Directory so we can do some user correlations, etc. It enriches the metadata on hosts and accounts, but that is mainly informative. It is good for us when making a final decision about some detections.

It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response.

The visibility is much greater because of the behavior analysis and details that sometimes we have to put into it. On the firewall that we already have, sometimes we do manual lookups and check if everything is okay, then do research into it. Now, we put less effort into trying to manually do things to ensure that we have a good security model. We can see more how behavior changes with time, but that also requires us to put more time into the solution.

The solution gives us a baseline for users and their behaviors. We are able to establish which users have risky behaviors, then reach out to them and recommend better ways of doing things.

What is most valuable?

The hosts are critical hosts, which are really good when used to look up things as fast as you can because these could be very risky situations. Furthermore, within detections, we try to clean up a lot of things that are low in priority. It is the same thing for the accounts within Office 365: Everything that is critical has to be solved as fast as possible.

The triaging is very interesting because we can do more with less work. We have more visibility, without too many false positives. It is a work in progress because there are a lot of clients in the network, and everything has to be researched to see if it is valid, but most alerts and detections are solved with a bit of triaging.

The interface is very intuitive and easy to use. It gives a good overview, and it is important to understand what is happening on the network.

The integration within our virtualization infrastructure allows us to see the traffic that is going between virtual machines, even within our host. That gives us a lot more insights.

What needs improvement?

The solution’s ability to reduce false positives and help you focus on the highest-risk threats is mostly good. It is still a bit of a work in progress, but I can give feedback to the company from the help desk. There is follow-up from the Vectra team who follows it closely. We can also give a lot of inputs to make it still a better product. It's already a very good product, but in comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment.

The Office 365 integration is still a pretty new feature. I also have seen some improvements, and they email us with every step in the improvement process. I think that this integration will grow.

Every area has room for improvement. Security is an ongoing process. It is important for Vectra to keep updating their system based on new behaviors.

We would like to see the combination of the cloud with on-premise, e.g., what's happening in the cloud versus what's happening in the on-premise situation. If there is a phishing mail in the cloud, then the phishing mail comes in and a colleague clicks on that mail. Normally, it would be blocked by the system. However, when it's not blocked, then there can be malware on the system locally. We think it's important to get the integration of what's happening on Office 365 with phishing mails. 

Sometimes, it is a bit noisy on the dashboard because all the systems are on one field. On the dashboard, we have a complete overview of high, medium, and low risks. However, it would be more interesting for us if they could split that dashboard into high, medium, and low devices. For example, there is a dashboard on a device with a complete overview specifically for high-risk.

For how long have I used the solution?

It has been operational for a few months.

What do I think about the stability of the solution?

It runs very smoothly. It is stable.

We haven't had any issues in regards to the stability or performance. The interface works very quickly. There is no latency on the traffic.

What do I think about the scalability of the solution?

It scales well. 

For end users, we have about 10,00. On the administrative side, there are five to 10 system admins who use the information from the system for configuration and monitoring tasks.

How are customer service and technical support?

The technical support is very good with fast responses. They reach out if they see there might be more questions. So, if you have a simple question, it could be that they elevate it to a more complex question to see what you really mean.

Seeing all the malware reaching out to CMC services from within our network, we reach out to those people via the help desk, and tell them, "Maybe you can scan this or that because those systems are managed by us." We get a lot of thanks from those people, who are often saying, "I did have some strange behavior on our systems, but I didn't know what it was. I wasn't doing anything about it, but thank you. It helps when you scan it, and the system is running better at the moment." In a completely unmanaged network with a lot of devices (bring your own devices), it helps everybody.

The way that we can work with support to add feature requests is very interesting because it is an evolving world.

Which solution did I use previously and why did I switch?

We didn't have a solution like Vectra previously.

How was the initial setup?

The initial setup was completely straightforward. I didn't need any help. They delivered the device within the first weeks of COVID-19. The system is preconfigured from Vectra. I placed it in the server room, configured the network, and moved the Internet traffic out of the mailboxes, then I put it onto the network so it was visible. In 30 minutes to an hour, everything was running.

What was our ROI?

We can sleep better.

As long as there is no full cycle attack, we will earn our money back.

Efficiency increased. There is less technical work to be done to ensure that nothing is happening from threats. Now, the system gives us the transparency that we need.

The solution has reduced the time it takes us to respond to attacks. In the past, it was difficult to know if something was happening because we didn't have an overview. Now, we know it very quickly because we have an overview of what is happening.

What's my experience with pricing, setup cost, and licensing?

The pricing is high. 

Darktrace was also pricey.

Which other solutions did I evaluate?

We also evaluated Darktrace. We made a decision to stop testing Darktrace very early on, so it is difficult to compare to Vectra.

We chose Vectra because of the solution's simplicity; it is more straightforward. Also, we liked Vectra's support, visibility, and implementation. The solution comes to a conclusion within Vectra about some detections. It was easier to find the technical details which were interesting without looking too deep. The correlation was good too. At the end of the proof of concept, Vectra added some extra features. However, for finding the way into the system, it took us a lot more time.

We found that Vectra enables us to answer investigative questions that other solutions are unable to address. They provide a checklist regarding what we can do about detections. Because of this visibility, we don't have to do more investigations. 

We have other systems, like Office 365, which do behavior analysis and some signature behavior analysis. However, Vectra does not give that many false positives in comparison with other solutions. Also, we are now able to see the entire network and cloud.

What other advice do I have?

If you are looking into this type of solution and have the money, then you certainly need to look into Vectra.

The campaigns are interesting when looking at the beginning of a campaign. The scope of false positives is a real issue in a network that continuously has a lot of new hosts, but we can cope with it. We have given some feedback to the help desk regarding coping with this matter.

We hope that we can keep it so we don't see a complete lifecycle of an attack.

We are planning to use more features of the solution in the future, e.g., automation. We also want to integrate it with more advanced client security features.

I would rate this solution as an eight of 10. There is still a lot of development going on with it.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
John Vicencio
Cyber Specialist, Forensics at Richemont
Real User
Top 20
Makes it much easier for us, as analysts, to engage with and visualize incidents, increasing our efficiency

Pros and Cons

  • "It gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution..."
  • "Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team."

What is our primary use case?

We have two use cases. The first is that Vectra's platform allows us to get visibility into anomalous behavior, which, previously, we never really had access to, for threat hunting and incident response. We use it in support of our incident response operations to help supplement our investigations on hosts. We use it to correlate any suspicious activities, which is something that Vectra has been extremely accurate in, when used the right way. 

The second use case is that we've used the Vectra Cognito Recall and Cognito Stream devices. With these integrations, it's given us instant visibility into all the network data as well. That enables us to conduct our own hunts on our network data, data you'd see on a security information and event management (SIEM) solution. It also gives us the ability to correlate with our playbooks because it gives us access to the data itself in much more depth and detail.

How has it helped my organization?

The solution captures network metadata at scale and enriches it with security information. We store metadata for three months. Just to be able to scale the amount of information that we collect on the networks is a problem in itself. We have our SIEM solution that collects all of these logs. Making sure these logs are still sending, that these devices are still sending to our main SIEM, are issues. For Vectra AI, even with three months of retention, with the environment we have, we have never had issues accessing this network data. On top of that, if there are any issues, the support team is amazing in providing feedback and fixing them.

It has actually increased our security analyst workload, but in a good way. It has reduced the amount of stuff that we used to look at, and has allowed us to re-approach our C-CERT from signature-based detections to more behavioral-based detections. It has reduced the amount of boring work and work that is on the host, to more thought-provoking work based on behavioral data. We're now able to approach our C-CERT from a risk perspective and a numbers perspective.

It has reduced that boring work drastically and it reduces the time to investigate incidents in general. While it has definitely added a bunch of incidents for us to look at, it has reduced the workload of how we work those incidents. It makes them not only much easier to engage with and easier to visualize, but also enables us, as analysts, to work in a much more efficient and simple way.

Vectra has also helped move work from our Tier 2 to our Tier 1 analysts. Eighty percent of our Tier 1 analysts are doing Tier 2 work.

Finally, the solution has reduced the time it takes us to respond to attacks. It has gone from on the order of hours to less than 10 minutes to 30 minutes.

What is most valuable?

The most valuable features are Cognito Recall and Cognito Detect.

I didn't think Vectra AI actually provided this functionality, but essentially it gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution, as that is a whole undertaking in itself. It has expedited all our investigations and hunting activities because it's all there and available, and they manage it.

We use their Privileged Account Analytics for detecting issues with privileged accounts. Given that we're a global company with over 35,000 machines, the machine learning-type of analysis or visibility into baselining behavior in privileged accounts in the environment is something Vectra does amazingly. It's amazing the visibility that I get. Not only is it providing a baseline to understand the behaviors of how IT, for example, is acting globally and in all these different regions, but it also gives me an ability to get much more granular and understand more of the high-risk behaviors, rather than the behaviors that we expect from IT. Usually, malware attackers and normal IT activities look the same. It's about discerning what's outside of baseline, and Vectra does this amazingly, incorporating not only the account privileges but the context of what these accounts are doing on hosts, on top of that.

The solution also provides visibility into behaviors across the full life cycle of an attack, visibility into the attacker kill-chain. I personally do red-team testing and threat hunting and, in addition to the detections which Vectra has already caught, it's been able to outline a full attack from an external red team that came in and tested with us. Not only did it show exactly what they did, but it was even able to provide a profile of the type of behavior that this exhibited, which was an external actor. In my own attacks that I've conducted on the network, it's been able to detect everything and properly align it in a kill-chain fashion. That is extremely helpful in investigations because it helps align the host data a little bit when you have visibility of the network in such a way.

Vectra also triages threats and correlates them with compromised host devices.

What needs improvement?

Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team. In my opinion, it's built as a solution for everything, instead of it being part of a bunch of other tools.

For example, we have a SOAR solution which will orchestrate the ability for us to use a host EDR and the ability for us to use Vectra. We see Vectra from a purely network standpoint. Therefore, we don't want it to be the incident manager where we have to fill in specific things to be fixed. We think the integration with SOAR solutions could be better. It tries to treat itself as an incident resolution platform.

For how long have I used the solution?

I have been using Vectra AI for three to four years.

What do I think about the stability of the solution?

It has never crashed. It's always working. And they always resolve any issue before you can act. They'll alert you of an issue and then they'll report that it's fixed. They're very proactive.

What do I think about the scalability of the solution?

In terms of instant access to the data and scalability, we've never seen issues with the platform at all. We use it everywhere, across all our regions across over 35,000 devices. We have plans to increase usage of the solution and the capacity.

We have less than 10 people working with the solution and they're all C-CERT incident responders and investigators. And we have one person, a C-CERT specialist, for maintenance of the solution but he is barely doing that anymore because they have a support team that helps alert us to any issues.

How are customer service and technical support?

I've found that Vectra in general, away from the platform, has been extremely helpful and given me any support that I need on investigations or in trying to reduce the amount of noise. They have allowed me to do this, but it requires a lot of work upfront.

How was the initial setup?

Looking back at the setup now, it was straightforward because of the support that they provided. I'm not sure how long the overall deployment took but it may have taken a couple of months.

We had to install specific brains in multiple regions. We were given instructions on where to install specific network nodes and sensors to be able to collect information where the brains were located. All of this configuration was provided directly from them. They sent the devices over to our data centers along with documentation to support the devices.

What was our ROI?

We have definitely seen return on our investment (ROI). While our analysts are working on "more" incidents, the efficiency of the way they're working, due to the way that Vectra has broken down its platform and its data, has exponentially decreased the response times to incidents. It has also trained them indirectly because with the story-lining, the way that it creates these detections, analysts receive them and pick them up much quicker than they would in a normal security class.

Which other solutions did I evaluate?

We evaluated other options. I wasn't the person who decided on Vectra AI at the time, but we were looking at Darktrace and other machine learning-type solutions.

Vectra fit the niche of what we needed, from the perspective of the former C-CERT manager. Also the feedback we got from their team and the support we've had with them really pushed us to work with them. They were very collaborative and we believed in what they were doing when they initially started working with us all those years ago.

What other advice do I have?

My advice would be to really utilize the support and collaborate with Vectra. The solution requires heavy usage and customization to your environment. They provide the guidelines and you just have to be able to fill in the specifics. If you don't do that, it's not an effective tool. It is a really hands-on tool.

Vectra has done a really good job of giving you visibility into the type of behavior into which you want visibility. But reducing the number of alerts really depends more on the analyst who is operating it and working with it.

As for its ability to reduce false positives and help us focus on the highest-risk threats, the term "false positive," especially in this scope of machine learning, doesn't seem to me to apply. Vectra gives you visibility into what you want to see. It gives us visibility into the exact behaviors which we sometimes have issues trying to create detections for on the host. And on the network it's collected and brought it all together. We get really good visibility into all of the risky behaviors. Vectra provides the whole context, on the network, of what it sees in terms of a risky behavior and provides a story with it.

In comparison to some of the other tools that I've come across in this category, I would definitely give it a 10 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Eric Weakland
Director, Information Security at American University
Real User
Top 20
Its artificial intelligence and machine learning helps us with looking at deviations from the norm

Pros and Cons

  • "The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment."
  • "Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated."

What is our primary use case?

One of the reasons we went with this solution was because there is less that we have to customize; it's more commercial off the shelf. Therefore, my team can spend their time doing what's most beneficial for the university, which is protecting it, not upgrading custom software.

We use it to inspect and look for malicious, abusive, or other types of forbidden behavior with our north-south and east-west traffic. We not only look at traffic from our campus to the Internet, but we look at traffic internally in our network as it does network AI. It not only looks when a specific event happens, but whether, "Is this a normal event? Or is it normal for the host to do that?" 

How has it helped my organization?

The Privileged Account Analytics for detecting issues with privileged accounts is very important because, like any organization, we have people from low-privileged, regular users all the way to administrators who have very high levels of privilege. Therefore, a regular student, on their own machine, may run Coinminer on it, which might be something that the student is experimenting with for higher ed. However, it's a very different use case when a staff user on their work issued machine is running it. Cognito will let us discover that very easily and contextualize it, "Is this really the criticality of an alert or a behavior?" It does this not only for the user, but it also lets us see through the DNS and machine name, whether it's a university asset, etc. Also, you can target those users who have a very high level of access by really enriching your analysis of alerts, such as, "I know that this administrative account does do PowerShell stuff because that's one of the main jobs of that sysadmin." Then, if I see that sort of PowerShell behavior from another account that I wouldn't expect it from, then that's a reason for concern.

The solution captures network metadata at scale and enriches it with security information. This provides us context upfront which helps us prioritize.

The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment.

The solution’s ability to reduce false positives and help us focus on the highest-risk threats is very good. The additional context and ability to take other factors that we can feed into it, like our threat intelligence feed or the user identity, helps with running down whether behaviors are legitimate or pose a big risk. It also helps us eliminate false positives where appropriate, such as some of our system admins running PowerShell in a way that looks very suspicious if you saw it from a regular user.

It has reduced the type of analysis needed to run down and get to the bottom of what's really happening. On the flip side, it doesn't miss as much as a human only or more signature oriented approach would. While I don't want to give a false impression that it's going to result in less work, I think the work that we're doing is more efficient. We can do a lot more to protect, because we're able to react and look at what's important. It may not directly translate into, "Oh, well we spend less time on threat hunting and investigating a suspicious behavior," but we're seeing what we need to look at more effectively.

It's easier to get an analyst up to speed and be effective. The solution has helped move approximately 25 percent of the work from our Tier 2 to Tier 1 analysts.

What is most valuable?

I find the network artificial intelligence and machine learning to be most valuable because we have also significantly increased the amount of traffic that we inspect. This has kind of lowered the burden of creating ways to drink from that fire hose of data. The artificial intelligence and machine learning help bubble up to the top things that we should go look at which are real deviations from the norm.

I would assess the solution’s ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation very highly. Rather than relying on signatures and a human to look if, "Host X has hit these four different signatures," which is probably an indicator of a fairly high confidence that something's not right, the analytics, artificial intelligence, and machine learning in this product tie those events together. It also looks for new events that are out of the ordinary, then gathers those together and tells us to look at specific hosts. This is rather than an analyst having to sift through a bunch of signature hits, and say, "Oh, this host needs to be looked at."

Also, there is a much lower operational burden of maintenance. We used to use open source monitoring tools, which are very good, but they take a lot of work to maintain and leverage. We really like the commercial off the shelf type of approach of the software, not brewing our own.

What needs improvement?

Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated. I think the company has been very responsive, willing to take our feedback, and look at addressing our concerns.

I have asked that they give direct packet capabilities.

For how long have I used the solution?

About a year and a half.

What do I think about the stability of the solution?

It is very stable and easy to maintain compared to the Linux open source solution that we previously used for a long time.

Maintaining the solution isn't even a full FTE, probably more like a quarter. We have to coordinate if we want to get more data into it, as there are some integrations that we do with our threat intelligence feed from our ISAC.

What do I think about the scalability of the solution?

We have talked to several other customers who have much larger environments than ours, so it is very scalable. We have applied it in excess of probably 20,000 devices. We have probably 50,000 to 60,000 active users who might see traffic from it. We have hundreds of thousands in our directory total, but some of those are alumni or adjunct faculty, so they may not be active all the time. We have on order of 700 servers and hundreds of applications. We're not huge, but we're not tiny.

One of the things that is really exciting about partnering with Vectra is they have solutions for the cloud, both Azure and AWS. This will get us that same type of visibility we're getting now with things on our physical campus using cloud services. This is probably where our increased usage will be concentrated on.

How are customer service and technical support?

Vectra's technical support is very good.

Which solution did I use previously and why did I switch?

We switched from an open source solution to Cognito because there was a lower operational maintenance burden and it provided more visibility into our environment. It also has more analysis and initial triage done by the network AI and machine learning.

Vectra enables us to answer investigative questions faster than our open source solutions previously did.

How was the initial setup?

The initial setup was straightforward.

Our initial deployment with north-south and a bit of east-west for our first virtual sensor probably took two to three days at most. 

Long-term, we now have it deployed on every VMware server that is in our environment and it's monitoring probably 500 to 600 inter-server communications (between different servers). That took a little longer because we had to first work with our colleagues here onsite. It wasn't an issue with Vectra. It just took time and we had to arrange some work with internal partners. We did the reference and first setup in a day.

For our implementation strategy, we turned up north-south visibility immediately and brought up a single virtual sensor for our VMware environment. Then, after three months, we revisited it with a team who operates VMware and their servers. We made sure they were comfortable with the resource demands and how well the solution was working. Finally, we were able to have them turn it on for all the VMware servers.

What about the implementation team?

We had very knowledgeable people from the vendor work with our networking group to get the correct traffic to its sensors. This was done remotely/virtually, but it was done very well.

What was our ROI?

Hopefully, this is a sunk cost. We are mitigating risk. We are not expecting to make money on this solution.

The solution has reduced the time it takes us to respond to attacks by approximately 20 percent.

Which other solutions did I evaluate?

We looked at some of Vectra's competitors. We had Snort and also used Bro. We also used Argus and a NetFlow collector. Therefore, we looked at what products were out there that could sort of replicate the things we were doing with a commercial off-the-shelf product that had artificial intelligence, but was not open source.

We looked at Corelight, which was more Bro only. We also looked at ExtraHop.

We didn't do a formal RFP with this one. We developed some relationships with the management at Vectra, who really wanted to partner with us. We looked at their technology and other competitors in the area, then decided it was worthwhile (based on their commitment) for us to work with them.

Usually, I'll go to the Gartner Security & Risk Summits and look around at what different vendors are coming out with. That's a very useful venue for learning about new vendors.

What other advice do I have?

We don't have that big of a cloud presence yet. However, the solution would correlate behaviors in our enterprise network and data centers with behaviors we see in our cloud environment because part of our east-west visibility includes our dedicated connections to cloud instances. If it goes over to our commodity Internet, it should see it there too.

I would rate this solution as an eight point five (out of 10).

All opinions in this review are my own.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
FH
Head of IT Security, Acting CISO at a retailer with 10,001+ employees
Real User
Top 20
We can detect systems that are not behaving right because they are not configured correctly

Pros and Cons

  • "Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis."
  • "If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company."

What is our primary use case?

Our key challenges are:

  1. People Management: It is always a struggle to coordinate the few people that we have with the necessary skills to put them on the most important topics or projects.
  2. Cloud adoption complexity: You need to figure out which systems, applications, and interfaces are talking to which cloud component in terms of data flow. That is a rather complex topic and usually sold well by the external supplier in terms of marketing to a company. Practically speaking, it is very difficult to elaborate all the connection requirements, on-prem to cloud, cloud to cloud, e.g., what is running where, what should run, and what is not running as it should.

Cognito Platform: We are using the latest on-premises version and some of the cloud services too.

We are mainly operating out of Switzerland. The IT Departments are based in our headquarters.

We have a large network with a lot of points of sales and other geographical locations that are interconnected. We need visibility of all the client-initiated traffic to and from our main data centers and to the Internet. We have good network coverage. Vectra is deployed on different hotspots in our network.

How has it helped my organization?

We can detect systems that are not behaving right because they are not configured correctly. We detect access to malicious sites or domains that should not be there, which should have been picked up by our security services that we implement at different times at different types of levels in the network. This is kind of an add-on to all the existing prevention mechanisms and helps us with network hygiene.

Due to an optimal signal-to-noise ratio that Vectra delivers, it gives us confidence to have a realistic chance of catching and stopping real attacks on time.

One of its strongest parts is that the solution captures network metadata at scale and enriches it with security information. We forward events to our team, then we can correlate them even better.

We have almost our complete network covered. This solution is like the absolute base coverage for us. You don't get many alerts, and if you get one, you better look at it because it is a good quality alert. After verification, we respond accordingly. Vectra AI brings great visibility. Without it, we would be blind.

The solution has enabled us to do things now that we could not do before. With Streams enabled, we can easily find out who is using SMB v1, as an example. So, it is a kind of hunting in the network. If you have a detection and need proof, you have network capture. In terms of searching accounts or assets, it is a great platform that allows us to use the default search, i.e., searching for a hostname/IP or the advanced queries for complex searches. This allows you to search back in time, which is very convenient, i.e., if one specific host has had detections in the past.

What is most valuable?

Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis. 

The Office 365 detection is a great add-on. It will not only see the local traffic, i.e., the local user but also how the user is connecting to the cloud. If communication has been initiated within our network, we would capture anomalies with on-premises mechanisms. If it is a connection from the Internet to O365 SaaS services, we gain visibility through the Vectra add-on. It depends where the communication was started, but we do have a good, complete picture in a single view.

Vectra AI is really focusing on the most critical, severe detections. That is the key point of this platform for us. It gives you enough details and data, if you need it. However, for daily operations, we are just getting the priority 1 alerts that we need, and nothing more.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. This is important to our organization because you need to monitor and control privileged accounts.

The detection model and correlation of events, e.g., you are only having one priority event a day, go hand in hand. They have awesome detection models and very good algorithms. Out-of-the-box, you get a decent severity matrix and great consolidation. This is what has made this platform so usable to us over the last three to four years. We can rely on these detections and on its event generating mechanism that clearly focuses on the most important priority one cases.

What needs improvement?

If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better; they even built in features that we specifically requested for our company.

We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

For how long have I used the solution?

We have been using it for four years.

What do I think about the stability of the solution?

Great! Currently, our Brain shows 190 days uptime (last reboot initiated by us). There have been no operational issues at all. I can't complain.

What do I think about the scalability of the solution?

Scalability is another very good selling point. It is easy to deploy virtual sensors as well as other sensors, which is a big plus.

We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra AI Sidekick Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective. We have roughly 20 to 30 people who, from time to time, get details on detections or campaigns that they need to look at.

How are customer service and support?

The technical support is fast, customer-oriented, and has a great skill set.

When we started with Vectra AI, we noticed certain things that could be done better from the UI experience and workflow. We had a lot of input. They built this into their software. Some of the features that customers use today are there because we said, "Well, guys do it like that because everybody can profit from that," and they said, "Well, that is a great idea. Let's do it."

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use another solution before Cognito.

How was the initial setup?

The initial setup was straightforward. 

We already had an existing on-prem installation, so adding Office 365 detection was straightforward. It took about half an hour.

After we deployed this solution in our network, it took about two weeks for it to begin to add value to our security operations.

What about the implementation team?

They brought in the requirements and said, "We need this amount of time, as well as this type of rack, space, power, and network configuration." We prepared that, then they were able to set things up in a very short manner. It took maybe a day, then we were set and traffic was flowing in. This was one of our smoothest installations in the last years. After two days, we saw all the needed network traffic. So, implementation and initial setup were very fast.

We are still a happy customer after four years.

What was our ROI?

In terms of detection, we have seen ROI from finding out stuff as well as preventing, hunting, and intelligence gathering.

What's my experience with pricing, setup cost, and licensing?

Cost is a big factor, as always. However, I think we have a very good price–performance ratio.

Which other solutions did I evaluate?

We looked at at least five different vendors, including Cisco and Darktrace, in PoCs.

Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

Vectra AI has a very short deployment time compared to other solutions that we tried.

What other advice do I have?

Do a PoC. Only a PoC will show you if something works or not. I know it takes time, but do a PoC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

There is manual input, i.e., triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

I would rate this solution as 10 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
MH
Head of Information Security at a retailer with 1,001-5,000 employees
Real User
Top 20
Enables us to understand what our normal traffic is, then pulls out the anomalies for us

Pros and Cons

  • "It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain, we can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched."
  • "The false positives and the tuning side of it is something that could use improvement. But that could be from our side."

What is our primary use case?

Vectra AI sits across our entire estate; we have an outsource provider for a lot of our backend systems. It sits in theirs and it sits in our own estates. It's deployed across our other numerous offices across the country. It sits across our entire estate.

How has it helped my organization?

We don't have very much in the way of IDS or IPS on our estate, so we're relying on Vectra AI to do that sort of work for us. We're allowing that to look at our traffic and to flag up to us on our system. It helps my analysts investigate other things. We might get other alerts in the estate; Vectra AI is one of the first tools that they'll jump onto, to do further investigation of alerts that are raised up to them. It's a really good tool, not just for what it throws up, but for us to dig into our network as well.

What is most valuable?

What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.

It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate, that hadn't been there before. We would never have been able to see that normally; it's just that Vectra AI saw it. It was okay; it was going to a third party, and it allowed us to investigate it and find it, but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.

It is very good at reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts; we're getting alerts that contain all of the relevant components.

Vectra AI captures network metadata at scale and enriches it with security information. Although we don't make the most of that, we've never had a problem with its captures, and it captures the correct data for what we want it to do. I think we could be using it better.

The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.

Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we've found it's flagging up early, so things don't develop to that further stage because it's flagging up at an early stage.

Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.

We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.

It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.

It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.

It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to go lower down in the kill chain. We can react now; rather than reacting to incidents that happened, we can see an incident, in some cases, as it's being implemented, or as it's being launched.

It's not all attacks, but I would say that it's a shift less on the material chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.

What needs improvement?

The false positives and the tuning side of it are some things that could use improvement but that could be from our side. 

I don't want to criticize the product for performance with our rollout of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.

For how long have I used the solution?

My company has been using Vectra AI for three years. I've been here for eight or nine months now, but the company has just been using it for three years.

What do I think about the stability of the solution?

We've had absolutely no issues with stability at all.

What do I think about the scalability of the solution?

Scalability is obviously based around the size of the clients that we have. We have had some issues around scalability, but that's only because of how it was implemented before my time; I know it is scalable. Obviously, we have to put some thought into that, some planning into that from our side, but it is limited by the size of the boxes. To summarize, yes, it is scalable, but it needs planning.

We have four users who use it in my company who are cybersecurity analysts.

Vectra AI is on everything apart from the clouds. Now we're on a journey towards more and more cloud. At least 70% of our company is covered by it. 

We do have plans to increase usage. We want to move to the cloud. 

How are customer service and technical support?

The support is excellent. We've had really good technical support from Vectra AI all the time. We have very regular catch-ups with them. They always pick the right people to do the calls, and we even have deep-dive sessions with our analysts and them, and they provide us with training. They've been excellent.

Which solution did I use previously and why did I switch?

We didn't have anything in place before Vectra AI. 

I have used another solution in the past. I used Darktrace where I was before. It compares very favorably with Darktrace. I wouldn't say it was any better or worse.

The UI is quite different, but apart from that, there are obviously slight differences in the analytics behind it, but I'd be struggling to say that one of them was better than the other. They both seem to do what they do well. Vectra AI is a little bit more honest about their capabilities than Darktrace is.

I don't think Vectra AI enables us to answer investigative questions that other solutions are unable to address. I know that there are other solutions that could do it as well. They're as good as everything else out there, but I wouldn't go and say they're massively better. The thing that sells it for me is that the support has been very good. That's one of the bits that keeps me with them.

What was our ROI?

ROI depends on how you quantify that in security. It's really difficult to quantify what you find to a monetary value. We do see a return on investment because it's a good tool that we're using well and it's helping us to keep the company secure. It's really difficult to quantify a monetary value on that or say that you've got return on your investment. I wouldn't want to be without it. You can't put a price on security.

What's my experience with pricing, setup cost, and licensing?

They compare very favorably against the competition in terms of price. Nothing in this area is cheap. There is a lot of value in the products that you're buying, but they have come in at the right price for us in comparison to others. I would say that they're competitive in their pricing.

What other advice do I have?

My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be to plan and implement as per the plan.

I would rate Vectra AI a nine out of ten. 

Which deployment model are you using for this solution?

On-premises

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Mark Davies
Security Operations Specialist at a tech services company with 1,001-5,000 employees
Real User
Top 20
Filters out the noise and streamlines the investigation process and our ability to get to root cause

Pros and Cons

  • "The dashboard gives me a scoring system that allows me to prioritize things that I should look at. I may not necessarily care so much about one event, whereas if I have a single botnet detection or a brute force attack, I really want to get on top of those."
  • "I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking."

What is our primary use case?

We use Vectra AI to sniff the network using Ixia taps so that we can identify potentially malicious activity on the network and at all points of the kill chain. What it's exceptionally good at doing is correlating seemingly unrelated events.

It's in our data center, but the versioning is controlled by Vectra. They push it out discreetly so I don't have any touch on that.

How has it helped my organization?

We have 89,000 concurrent IPs that we're analyzing and it's distilled it down to under 1,000 IP addresses that warrant deeper investigation. It's filtering out 99 percent of the traffic that would otherwise be noise, noise that we would never get through.

The solution captures network metadata at scale and enriches it with security information, but that's because we are using the API calls to inject our CMDB data into the brain. It speeds things up quite significantly. Being an enterprise, sometimes it can take a day or two just to find the person responsible for looking after a particular server or service. This way, the information is right there at our fingertips. When we open up the GUI, if we have a detection we look at the detection and see the server belongs to so-and-so. We can reach out to that party directly if we need to. It streamlines the investigation process by having the data readily available to us and current. Each one is unique, but typically, from initial detection to completion of validation (that it's innocuous or that something else is going on) it's within 24 to 48 hours.

It also provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just internet gateway. It gives us visibility for when something is inside the network and it's maybe doing a lateral movement that it wouldn't normally be doing. Or if we have a system that has suddenly popped up on the network and we can see that it's a wireless router, for example, we pick that up right away. We can see it and we can deal with it. If people put unauthorized devices on the network — a wireless router from home — we can pick that up right away and deal with it.

In addition, Vectra triages threats and correlates them with compromised host devices. We can do a search based on the threat type and get the host. It streamlines things and makes it faster to get to the root cause of an issue.

And while it hasn't reduced the security analyst workload in our company, it has reduced the workload in that analysts are not having to look at stuff that absolutely means nothing. There is still a lot to do, but it has allowed us to focus better on the workload that needs to be done.

It has also increased our security efficiency. It has reduced the time it takes us to respond to attacks by 100 percent. If you're not aware of it you can't respond to it. Now, it's making us aware of it so we can respond to it, which is a 100 percent improvement.

The solution enables us to answer investigative questions that other solutions are unable to address. We will detect the fact that there is some suspicious domain activity going on — a DNS query is going out to DGAs and it really shouldn't be. The other systems are just passing that through, not even realizing that it shouldn't be happening. We see them and we can take action on them.

What is most valuable?

The dashboard gives us a scoring system that allows prioritization of detections that need attention. We may not necessarily be so concerned about any single detection type, or event, but when we see any botnet detections or a brute force attack detections, we really want to get on top of those. 

What needs improvement?

The solution's ability to reduce false positives wasn't very good, initially, because it was picking up so much information. It took the investment of some time and effort on our part to get the triage filters in place in such a fashion that it was filtering out the noise. Once we got to that point, then there was definitely value in time-savings and in percolating up the high-risk events that we need to be paying attention to.

I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking.

For how long have I used the solution?

I've been using Vectra for three years.

What do I think about the stability of the solution?

The stability is excellent.

What do I think about the scalability of the solution?

We've had no issues so far with the scalability. Right now, it covers about 90 percent of our network. We are considering increasing the usage to incorporate it in the new cloud environments that we're standing up.

How are customer service and technical support?

Their technical support is excellent.

How was the initial setup?

I was not involved in the initial setup, but I was involved in a review of the setup when I took it over, to make sure that it is doing what it's supposed to be doing. The initial setup would have been straightforward, but it would have been very large.

The implementation strategy would have been to make sure that it got to all the places that it needed to be, and to work out a way to make that happen by getting the Ixia taps into the right locations in our enterprise.

In terms of staff from our side involved in deployment, it's web-based so there weren't a lot. Maintenance is ongoing from Vectra and they do it on the back-end. It just works. It's a black box for us.

What other advice do I have?

Take time to understand how the triage filtering works and standardize it early on. Use a standardized naming convention and be consistent.

It's a very effective tool, but if you don't pay attention to what it's telling you, then it's like anything else. If you don't use it, then it's no good. You have to trust that what it's telling you is correct and then you can take the appropriate action.

For the most part, the users who log into it in our company are people on the security operations team. It's pretty much a closed tool. Access is limited to the people in the security center of excellence.

In terms of the solution's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we don't use it that way. We've set up enough triage filters over the course of the last year-and-a-half to get all the noise out of the way; stuff that is either innocuous or really isn't bad. Then we're focusing on what's left, which is typically, for lack of a better term, the bad stuff or the stuff that we need to pay attention to.

Regarding the solution's privileged account analytics for detecting issues with privileged accounts, we've used it, but not to the extent that we would like to. We just don't have enough manpower to be able to do that at this point. But it's important because we can see when an account is doing something that it shouldn't be doing, or that it doesn't normally do, or that it's connecting to a place that it doesn't normally connect to, or that it's escalating its privileges unexpectedly. We see all that and then we can respond accordingly.

Which deployment model are you using for this solution?

On-premises

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
ZM
Information Technology Security Engineer II at a mining and metals company with 10,001+ employees
Real User
Top 10
Helps us focus on higher-level alerts while not bombarding us with alerts on lower-level activities

Pros and Cons

  • "One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team."
  • "It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability."

What is our primary use case?

We use it as an intrusion detection system to monitor traffic that's going on within our network.

How has it helped my organization?

There was an event that happened before I started here, a ransomware event, and Vectra AI was able to quickly detect and alert on the activity. That greatly reduced the time it took for the company to respond to the incident.

Cognito provides visibility into behaviors across the full life cycle of an attack in the network, beyond just the internet gateway. By detecting everything before the internet gateway, it's able to get a fuller picture of what was going on before the target left the network. It greatly increases our ability to investigate events that occur.

The Vectra product also triages threats and correlates them with compromised host devices. As a result, it helps to reduce the time to respond to incidents.

In addition, it does a really good job of bringing the higher-level alerts to our attention while not bombarding us with alerts on lower-level activities that, I find, we don't usually need to investigate. When I first started using it I was investigating everything and I quickly learned the low-level threats, as shown by their scores, were low for a reason and they really didn't need to be looked at too closely.

I would estimate it has reduced our security analyst workload by around 30 to 40 percent. It has increased our security efficiency and has also reduced the time it takes us to respond to attacks by about 50 percent.

What is most valuable?

One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.

It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.

It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.

What needs improvement?

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability.

I would also like to see more documentation or user guides about using the product.

For how long have I used the solution?

I've been using Vectra AI for a little over one year, but it was in place at our location before I started working here.

What do I think about the stability of the solution?

We haven't had any issues other than one power supply failure, but there was a backup power supply and they sent the replacement quickly. Other than that, I haven't seen any issues with stability of the product.

What do I think about the scalability of the solution?

I haven't had any experience in scaling it out beyond what was set up before I started here.

We have about 1,600 employees on site, but I'm not sure how many devices that equates to. Each person has one or more devices. We're scaled out about as far as we can go.

I'm the only person using it directly in our company, as an IT security engineer II.

How are customer service and technical support?

They have very good tech support.

What was our ROI?

Our company definitely saw return on investment when it had the ransomware attack. They were able to stop it quickly. That was definitely a huge savings. Otherwise, the company was going to have to shut down production.

What's my experience with pricing, setup cost, and licensing?

I don't really have anything to compare it to, but I would assume the pricing is fair.

I believe they are licensing current devices or hosts. When I was last talking to a rep, we were having to go through a true-up process, but that hasn't started yet.

Which other solutions did I evaluate?

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

What other advice do I have?

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PR
Head of Information Security at a financial services firm with 51-200 employees
Real User
Top 20
Highly successful in detecting red team engagements and giving clear broad-level assurance

Pros and Cons

  • "The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into."
  • "Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass."

What is our primary use case?

We use Cognito.

The biggest challenge we face in protecting the organization against cyber attacks is mean time to detection, operating from a position of an assumed breach, and then being able to detect breaches or malicious traffic within the environment as quickly as possible to reduce dwell time.

We have a small environment with only 300 users. It's very technically focused given the market that we operate in. There are two data centers, four offices, and a small IT and security team. Cognito allows us to make the best investment for the most return, given we don't have dedicated SOC analysts looking at a SIEM environment.

How has it helped my organization?

Cognito is highly successful in detecting red team engagements and giving clear broad-level assurance and confidence in the product.

It captures network metadata at scale and enriches it with security information. The add-on of Recall is an invaluable investigation tool. It's able to look back and triage incidents.

We have been enabled to do things now that we could not do before: 

  • There is more detailed visibility into network behavior. 
  • We have the ability to pull out anomalies. 
  • The high-fidelity alerts allow our team to focus on what's important.

What is most valuable?

The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.

Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.

Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into the attack chain.

We use privileged account analytics for detecting issues with privileged accounts.

What needs improvement?

Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.

For how long have I used the solution?

I have been using Vectra AI for three years. 

What do I think about the stability of the solution?

Their stability is bulletproof. 

What do I think about the scalability of the solution?

We're using it across our entire estate, so we don't have plans to increase usage. It's been adopted 100%. 

How are customer service and technical support?

Their support is excellent. They're very responsive. Exactly as you would hope for from a vendor, which is rare.

Which solution did I use previously and why did I switch?

Vectra AI displaced an EOL north-south solution.

How was the initial setup?

The initial setup was very straightforward. 

We had appliances in each physical data center. It took three or four days to see results.

Deployment time is equivalent to other solutions we have tried. The learning curve and speed of efficiencies are higher coming from Vectra.

What about the implementation team?

We deployed it with the assistance of Vectra. Our experience with them was exceptional. The engineers knew the product. Vectra is extremely responsive to assisting with technical issues. It was a very good experience.

What was our ROI?

It's hard to scientifically quantify ROI but I would say we have seen ROI, certainly from the risk and threat perspective.

After we deployed the solution it instantly began to add value to our security operations.

What's my experience with pricing, setup cost, and licensing?

Pricing is comfortable. I have no issues with the pricing structure at the moment.

There are no additional costs that I'm aware of unless you layer on MSP, additional soft services, or professional services. But for the solution itself, I don't believe there are.

Which other solutions did I evaluate?

We looked at Darktrace. 

What other advice do I have?

I think the solution would help the network, cybersecurity, and risk reduction efforts in the future. If we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.

Two security senior analysts work on this solution.

My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.

I would rate Vectra AI Cognito a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.