ExtraHop Reveal(x) offers advanced network visibility and threat detection through seamless integration with CrowdStrike. It enhances security with machine learning-driven behavioral analysis and customizable dashboards.
| Product | Mindshare (%) |
|---|---|
| ExtraHop Reveal(x) | 7.0% |
| Darktrace | 15.7% |
| Cisco Secure Network Analytics | 9.0% |
| Other | 68.3% |
| Type | Title | Date | |
|---|---|---|---|
| Category | Network Traffic Analysis (NTA) | Jun 24, 2026 | Download |
| Product | Reviews, tips, and advice from real users | Jun 24, 2026 | Download |
| Comparison | ExtraHop Reveal(x) vs Darktrace | Jun 24, 2026 | Download |
| Comparison | ExtraHop Reveal(x) vs Auvik Network Management (ANM) | Jun 24, 2026 | Download |
| Comparison | ExtraHop Reveal(x) vs Cisco Secure Network Analytics | Jun 24, 2026 | Download |
| Title | Rating | Mindshare | Recommending | |
|---|---|---|---|---|
| Darktrace | 4.1 | 15.7% | 95% | 84 interviewsAdd to research |
| TrendAI Vision One | 4.3 | N/A | 98% | 111 interviewsAdd to research |
| Company Size | Count |
|---|---|
| Small Business | 2 |
| Midsize Enterprise | 3 |
| Large Enterprise | 9 |
| Company Size | Count |
|---|---|
| Small Business | 124 |
| Midsize Enterprise | 59 |
| Large Enterprise | 250 |
ExtraHop Reveal(x) excels in network detection and response by decrypting SSL traffic and providing real-time packet inspection. Users benefit from its dynamic triggers and historical data tracing. The platform is valued for its depth of information, powerful analytics, and cloud-based administration. It allows effective monitoring of attack chains and integrates with other solutions to boost security. However, there is room for improvement in pricing flexibility, licensing models, and integration capabilities, particularly with Microsoft Sentinel.
What are ExtraHop Reveal(x)'s Key Features?ExtraHop Reveal(x) is employed across industries for network traffic monitoring, malware detection, and real-time analysis. Analysts use it for server-to-server networking insights and application troubleshooting. Companies leverage its capabilities for behavioral analytics and compliance monitoring without deploying sensors on individual devices.
ExtraHop Reveal(x) was previously known as Reveal(x), Revealx.
Wood County Hospital
| Author info | Rating | Review Summary |
|---|---|---|
| Technical Consultant at Axians | 4.0 | I've used ExtraHop Reveal(x) for over three years primarily for network security analytics; it's stable, scalable, and insightful, though integration and licensing could improve. Overall, it delivers strong ROI if positioned correctly. |
| Assistant VP, Idm Compliance at a financial services firm with 1,001-5,000 employees | 4.5 | In my role at a financial institution, I find ExtraHop Reveal(x) invaluable for monitoring connections due to its in-depth visualization and customization. However, it needs improvement in correlating communications across different security controls. |
| Network Consultant at a non-profit with 201-500 employees | 4.5 | We use ExtraHop Reveal(x) for managing IoT and network traffic due to its user-friendly security GUI. However, we want regular firmware patch notifications, which we currently lack. Before ExtraHop, we used NETSCOUT but switched for better features. |
| Information Security Assurance Engineer at School District of Lee County | 5.0 | I rate ExtraHop Reveal(x) 10/10 for excellent network detection, response, and traffic visibility, especially for large, complex networks and IoT/OT. It integrates seamlessly with CrowdStrike, though more certification training would be great. |
| Senior monitoring engineer at a financial services firm with 10,001+ employees | 4.5 | I highly recommend ExtraHop for its superior analytics, full decryption, and ability to pinpoint network/application issues, dramatically reducing MTTR. Despite minor agent management needs, its extensive features and excellent support make it invaluable, outperforming alternatives. |
| Cyber security specialist officer at a financial services firm with 5,001-10,000 employees | 4.0 | I find ExtraHop Reveal(x) highly effective for detecting new attacks and expired certificates. It offers detailed network visibility and customizable dashboards. Although tuning for fewer false positives is needed, its unique features outperform other solutions I've used. |
| Systems Engineer at LifePoint Health | 5.0 | I use ExtraHop to quickly identify performance issues, even resolving a critical vendor problem. Despite complex setup and limited Citrix decoding, its real-time analysis drastically improved our service and proved highly valuable. |
| Cyber Security Engineer II at a healthcare company with 10,001+ employees | 5.0 | As part of the cybersecurity team handling threat detection and response, I find ExtraHop Reveal(x) intuitive and effective, often outperforming other tools. It excels in threat hunting without customization, though its pricing could be improved. |
| Business Development Manager at Westcon-Comstor | 3.5 | We use ExtraHop Reveal(x) to send sensors to the Reveal 360 cloud for our 500 customers. While it effectively handles sensor transmission, it would benefit from additional support protocols and a reduction in cost. |
| Information Security Program Manager at a non-profit with 11-50 employees | 3.5 | I use ExtraHop Reveal(x) for network anomaly detection and alerting, finding it stable and scalable with good ROI. My primary improvement would be extending the 30-day look-back period, a feature I valued in Darktrace. Support can be sporadic. |
The typical use case for ExtraHop Reveal(x) that we use is from a security perspective, specifically Network Detect and Response. The ExtraHop solution has both the network analytics and the security side of it, and a typical use case is the security side of the entire solution.
We position it in a network to do security-based analytics, detections, and threat and anomaly detection. That's what we position it for and use it for.
The best features of ExtraHop Reveal(x) include the cloud-based Reveal(x) 360, which is an absolute plus. You've got one point of administration where you can attach multiple vendors or solutions or sensors, and that's good.
The plus is the capacity of the different sensors that the ExtraHop solution has; it's quite big compared to the price it costs, and the detailed dashboarding is a big plus to get proper insights on both traffic and asset visibility within the network.
The machine learning-driven behavioral analysis feature is quite useful. I do quite a lot of POVs with customers for a period of four weeks, and I always tell them that in the first week, week and a half, the machine needs to learn the network. Customers appreciate it, so that's good.
On the other side, it gives you clear insights into what the normal baseline would be and what the actual deviation is after machine learning has understood how the network functions. It's very useful.
ExtraHop Reveal(x) can improve regarding integration capabilities. For instance, the market is getting really flooded with Microsoft Sentinel, and I know there is an integration possible, but the tools on the market right now indicate that integration should not be a skill from an integrator point of view. It should be quite easy for customers to integrate that solution into SOCs, SIEMs, or any other integration with other tools.
There are various integrations from which there's a manual on how to do it, but specifically, the Microsoft portfolio, particularly Sentinel, integration is not yet there. If you score them on a scale of one to ten, ExtraHop scores around a 7.5 to an 8 on an integration basis, but there's actually room for improvement on that side.
In the older days, ExtraHop had a license model where you could do all you can eat, so if you had a sensor with 10 gig of capacity, you could use all the entire 10 gig of throughput. They changed that to an asset-based license model, and that's an absolute downside of the solution, where it is harder for smaller companies to acquire the solution itself.
That has given us quite some problems in positioning the solution properly within the network, so the licensing model is an absolute downside where they need to improve.
I would rate the technical support from ExtraHop a solid eight. It's not exceptional, but it's definitely not bad. There are a lot more worse examples in the market, so it's good and we are happy.
My clients do see an ROI from ExtraHop Reveal(x); they see the value of the solution within the network, and it gives them solid confidence that they actually do see everything that's going across it.
Looking at the Dutch market, where I am based, and looking at the positioning and the customer base, for instance, educational customers with 20,000 clients find the price has a high impact on positioning it properly within educational environments.
In contrast, if you look at healthcare, where there are quite a lot of devices in the network or people that come and go, the amount of devices can become quite high, impacting the licensing model of ExtraHop and therefore the cost. The cost and return on investment are relative; if you have an enterprise customer with a static environment, it's quite easy to accept the cost and therefore see the return on investment. However, with other verticals, it's a lot harder to position the solution successfully.
We manage the setup cost ourselves, so I am quite happy with that. I also had engagement with professional services from ExtraHop, and it wasn't bad, but I was not impressed; it's not academic work. Pricing-wise, they are not cheap, but they also offer quite a lot of features. Pricing is subjective to different customers.
My advice to others considering ExtraHop Reveal(x) is don't doubt, just get it and make sure you have the money because the return on investment will prove itself, and you only need to have one problem for the solution to prove its value. On a scale of one to ten, I rate ExtraHop Reveal(x) an eight.
Being in a financial institution, we have certain regulations such as PCI DSS, so we want to ensure any connection from a non-PCA segment is not being connected to a core segment; vice versa connection should not happen. We have something called a server segment and a workstation segment, so apart from the whitelisted internet connection, no connection should be established from the server segment. These are the monitoring use cases we have implemented in ExtraHop Reveal(x) so far.
The best features of ExtraHop Reveal(x) for me are the depth it provides, especially the picturization where the connection is established; it's absolutely remarkable. If I want to know a specific IP and which server it has been connected to, it's easy to gather those kinds of trees from the NDR.
ExtraHop is very customizable, it's easy to access, and I can understand the flow where an IP address or email address has reached which level of security system; it's very easy to follow that flow.
I would like to see improvements in areas where events are getting dropped; we're not able to view complete insights. For example, if I'm sending communication from one place to another while passing multiple security controls, it's not giving a complete flow easily. It shows one communication from the firewall, then one from the firewall to the proxy, and one from the proxy to the user endpoint as separate communications. There's no way to uniquely correlate that this is the same communication happening throughout that packet flow.
I have been working with ExtraHop Reveal(x) for two to four months. It is a new product.
The integration with other security and IT operation tools has been implemented through an agent on the network level, and we are not facing any issues while deploying the agents. We've done integration only with the SIM solutions, specifically QRadar, and we don't find any issues there. The only consideration is that its rules are very noisy, and we need to fine-tune extensively; custom fine-tuning is completely required when bringing NDR into the picture.
At the moment, we are using different endpoint solutions, including EDR, and we have extra NDR solutions.
XDR is from Microsoft, and MDR is not from Microsoft; it's ExtraHop.
ExtraHop Reveal(x) is a new solution for me, from an NDR SIM perspective, that's a monitoring solution we have just implemented. We are not sure how efficient an NDR is to detect network-level threats; it needs to be explored.
At the moment, we don't use the machine learning driven behavioral analysis feature; we're not sure where the data will be hosted and where it will be sent, so we don't want to do any kind of AI-based and machine learning-based decision making.
We don't want to decrypt any of the information; it's supposed to be captured based on the network flow of the packets without opening or reading them, considering the sensitive information stored under the packets.
I have not put any statistics or metrics to evaluate the effectiveness of ExtraHop Reveal(x) at the moment; it's still on the roadmap. This is an experience from SIM, and many stakeholders also need to be given feedback on the effectiveness, especially to validate with the business if it's blocking any genuine operations which cause an impact or not.
So far, I am using only EDR, the Microsoft EDR, for containment and related activities; there is no automation at the NDR level at the moment, but it is in the roadmap for future use.
If you have proper network segmentation, then I would recommend going for this kind of NDR monitoring with ExtraHop Reveal(x) as it provides more insights about what is happening in the networks. If you don't have network segmentation and only small subnets of IPs, I suggest not to go for NDR solutions because they won't add any value, even if you have many solutions on your network.
I would rate ExtraHop Reveal(x) eight to nine out of ten.
We have IoT devices, network traffic, and all these traffic. ICT and non-ICT, all.
I am not sure about the specifics of how ExtraHop Reveal(x) has changed our approach. The cybersecurity team could elaborate more on this topic.
The solution offers a friendly GUI for security features.
We expect regular firmware patches for upgrades and maintenance. Currently, we have to check manually as we do not receive any notifications about new patches, maintenance, or firmware releases. It would be beneficial if they could send us notifications for new releases and maintenance trials.
The technical support is good, very good. I would rate their technical support nine out of ten.
Positive
We used NETSCOUT previously.
The initial setup was straightforward. We had 20 credit hours and completed it on time within ten days.
The implementation was done with the help of a reseller. We requested two individuals for implementation.
I do not know the prices and therefore cannot provide any comments on pricing or setup costs.
We used NETSCOUT before using ExtraHop Reveal(x).
ExtraHop Reveal(x) is highly recommended and very good. It is operationally easy to use.
I'd rate the solution nine out of ten.
Initially, we deployed Reveal as a standalone solution for network detection and response. It provided us with data and analytics on server-to-server enterprise networking. We used it to gain visibility into the amount of traffic and where it's going. For example, it will say that 28 gigs of data went to Google and break that down based on all the sites that have been visited.
It also tells you about the authentication data and helps you visualize how data moves across your network. Based on that, you can adjust the routing tables to make things work a little more evenly. It will also help you identify specific types of malware and how it moves across devices, what protocols and ports it uses, etc.
Unlike Crowdstrike, Reveal(x) doesn't require you to deploy sensors. CrowdStrike puts a sensor on the computer, so I know exactly how many devices are going through it. It's roughly 50,000. Those aren't people using it. Those are just devices that exist in the world. ExtraHop just looks at traffic, so each device connected to the network goes through it, and that's around 230,000 devices, and it's monitoring all the traffic to and from the internet.
We have a lot of other devices that do more analytics based on utilization instead of the actual configuration and management, but Reveal X gives us insight from a security standpoint into uptime, downtime, data aggregation, types of data, suspicious activity, etc.
Reveal X integrates seamlessly with CrowdStrike. If you see something sketchy on the network, you can quarantine devices through ExtraHop and it'll push to the CrowdStrike server.
It's a ton of data. CrowdStrike looks at anything that's on the machine and the network. Instead of having hard points on your network core switches with some antivirus on it or your firewall or rules at your internet service provider or things managing your cloud for access control, this lets you see actual traffic and it's a little bit more fluid in what you're allowed to see.
There is a little training online, but it'd be cool if ExtraHop provided certifications. CrowdStrike does elective training that gives you a certification as a Falcon administrator. It'd be nice to see ExtraHop have something like that
I have been using Reveal X for a little less than a year.
Reveal(x)'s stability is excellent.
Reveal(x) covers every bit of our network just fine. We started off small to see what it could do. It didn't matter. We opened up the floodgates, and it handled the traffic well.
The console is a cloud product. There's also an on-prem server that collects and aggregates the data and sends it to your cloud instance. There's an appliance and a cloud console. Deployment and maintenance require only one person.
It picks up on real issues. It alerts you quickly, so you can clean them up.
We get discounts because we're an educational institution, but I think this solution was $150,000 a year. That isn't terrible considering the amount of traffic we're pushing through it. We also need to pay for a separate license to integrate Reveal with CrowdStrike. I think there is a separate charge for hardware, too.
I rate ExtraHop Reveal(x) 10 out of 10. This is more of a nice-to-have rather than a must-have solution. Something like a CrowdStrike or a next-gen AV is an essential product, whereas NDR is more of a nice-to-have thing. If you only have a little bit of traffic, you're probably not going to get anything out of it.
It's better for a medium-to-large enterprise. It's more appropriate for companies wh a massfootprints or industrial applications using use nonstandard devices. It's helpful for things that use SCADA, the Internet of Things, somethingings that don't fit neatly into other management categories. Itty common for industrial, construction, or maintenance devices to be a little lackluster in their security.
Major breaches like the Colonial Pipeline hack and attempted hacks on nuclear power plants all went through Internet of Things vulnerabilities and other devices where security wasn't part of their plan. This helps you cover yourself by monitoring the traffic. With something like CrowdStrike, you need to put the CrowdStrike sensor on it, but Reveal(x) looks at everything on the network.
It's used by application owners and network engineers for troubleshooting application performance issues or network performance issues.
It's a hybrid solution. We have on-prem sensors and trace appliances and a cloud control appliance.
It's a wire analytics tool. We use it for isolating and determining issues on our network or applications. It does a lot for crediting the network as opposed to discrediting the network. A lot of people come along and say that it's a network issue. It's always considered to be a network issue, but by using ExtraHop, we can quickly tell them that it's not a networking issue. It's something to do with your application or something at the other end. It could be a database issue. This tool gives us the ability to pinpoint with great accuracy the comings and goings on our network.
It's useful for different teams in our organization. The cybersecurity team uses it because it has got great analytics for anomaly detection, malware detection, and ransomware. It's used by the networking people because it's great to be able to get the three-way handshake between systems to see how your network is doing.
The microservices for DNS use it because they like to be able to see how their DNS services are operating and how many DNS requests are being rejected, denied, or dropped. Application people love it because it fully decrypts their traffic. On the server side, they can see what's going on, how many methods are running, and which users are doing it. If there is a long-running process, what the SSL handshake looks like and how long does it take to figure out which cipher suite you're going to use and get it working.
I like their dashboards. It has machine learning, and it has great analytics for security, network, and microservice performance.
Out of the box, with very little configuration, it does more than all the other tools. The features that other vendors promise to be available within six months to a year of purchase are already available in this product.
Agent management could certainly use some focus. It should also be a little bit easier to work with collections. We should be able to nest collections within collections. There should be better nesting.
The beautiful thing about the company that runs ExtraHop is that when we go to them with feature requests or with things that we would like to see, they're really good at getting them added. The most recent one that we're looking for is being able to limit the packets that users can download. So, if you're an administrator, you should be able to download a full packet capture with the full packet, but if you're just an engineer or an application person just looking at your application header traffic, you don't need to see any payload data. We want to be able to limit that traffic. We want to limit who can see the payload, and we can do that. The vendor is putting that into the tool for us. It's going to be done before the end of the year.
Our company has been using it for eight or nine years. I've been using it for five years, and I've been the subject matter expert over it for the last two years.
One series of hardware that we ordered with the same sequential serial numbers has issues, but the rest of the hardware is rock solid. The operating system they put on this, the firmware, the versions, and everything that they run is pretty good. I don't have an issue with the appliances, but the initial release of these new 10k appliances has had some issues.
It's very scalable. I have close to a thousand users who use this tool or have access to the tool. They are DBAs, application people, networking people, and security people. It's used by all of them. It's a great tool.
It's being used globally. We always have plans to increase the usage. The more people use it, the harder it's to get rid of it.
They're great. I would rate them a ten out of ten.
Positive
At this company, I did not use any other solution.
It was pretty straightforward. After you've done it once or twice, it's pretty simple and straightforward.
It was really easy and straightforward for me. The problem is that there are so many bits and pieces that are required on the outside in order to get the inside working. It reads packet data. So, I have to somehow get the packets to the appliances. The complexities come in when you are trying to create the packet stuff on the outside.
It has taken us two years to do this implementation. The hardware is easy to put in, but I work with so many other groups that it's difficult to get the time and resources to get hardware racked, get IP addresses, and get cabling done. It's all done by different teams. Our company makes it difficult. If I was at my previous company, it would be a breeze because I would just order the hardware, and I would rack it myself. I would cable it myself, IP it myself, hook it up at the switch myself, and do all the configuration myself, but because I have to go through so many other teams and groups, it's much more difficult now.
It was done in-house. I'm the only person who takes care of its deployment and maintenance.
It reduces our MTTR. The mean time to repair is reduced dramatically because you can quickly isolate where the problem is. I can quickly say the problem is not a network-related problem. It’s a server-related problem or an application-related problem. The return on investment on this one is probably seen in the first year of purchase.
We have some fairly hefty applications. We're a finance company. So, we're constantly processing banking information, credit card information, and online transactional information. It's constantly running through our mainframes or data centers. So, it's invaluable that we keep the lights on and these applications running as smoothly and as efficiently as possible.
We've done our due diligence and research on other products such as Riverbed and NetScout. This product is by far the supreme leader. It does full decryption currently at a hundred gigabits per second on a single appliance. Their next generational appliances are going up to 400 gigabits per second. That's full decrypt, which means a consistent rate. So, it can decrypt packets and store over 4,000 metrics from these packets. It's an invaluable tool.
I would say absolutely go for it. It's a well-rounded product. The company is nimble enough to be able to implement change.
I would rate it a nine out of ten because there is always room for improvement.
It can detect new attacks or expired certificates. It's especially effective in identifying Netria attacks or any other online threats that may occur.
With ExtraHop Reveal(x), it gives me more visibility into the packets. It doesn't provide the entire packet capture, but it offers more information on how connections are made at the network layer. This can be helpful for detecting network attacks. Additionally, I really like the customizable dashboards and reports. The incident dashboard and alerts provide a good summary initially, and diving deeper into them gives more detailed information. It's also great for analyzing specific attacks and victim logs. The feature that tracks the full attack chain makes it easier to monitor the progress of attacks. Plus, it's connected to the Netria.com app, which I find useful for certain tasks.
I think the tuning capabilities could be improved. We're working on minimizing false positives. Apart from that, everything seems fine to me.
I have been using ExtraHop Reveal(x) for sometime.
I would rate it 9 out of 10 as it is very stable.
I would rate it 10 out of 10 as it is very high.
So, in my experience with ExtraHop Reveal(x), I've found it to be a reliable tool. I haven't come across anything that compares directly to what Reveal(x) offers.
As for advice or recommendations for someone considering implementing ExtraHop Reveal(x), I'd say it's a good investment, especially considering its price point. It's a great product, particularly for enhancing security measures. Before installing this solution, it's important to consider its compatibility with your existing security infrastructure. While Managed Detection and Response (MDR) solutions are commonly used for comprehensive security, Reveal(x) stands out for its specific strengths in network security.
I would rate it 8 out of 10.
We are a healthcare organization with more than 80 facilities, but I'm the only one who uses ExtraHop. When there are performance issues with an HTTP app, ExtraHop enables us to identify the causes within a few minutes. We can see what transactions are being impacted by something that may be happening within the server environment.
We set up a number of traffic sources that are typically either ERSPANs or TAPs and place ExtraHop appliances at critical places within the network. That traffic is typically fed into a packet. We have four small devices designed to go into small data centers. We're continually rotating those around to different facilities to help identify issues. They have helped us to understand what's going on.
The ExtraHop appliance enables you to do what an expert using Wireshark can do. However, it's all in the firmware, so you can do real-time analysis without the need to boil terabytes worth of data to find out what's happening.
We've been able to leverage the information to show other vendors we use that there are issues with the SaaS solution they provide to our EMR physicians. At the top of every hour, they were doing a data recovery operation in the event of an outage of some sort. That was preventing our physicians from using the application.
It only lasted about five minutes, but the physicians had to stop working. Of course, when they called the support desk and finally reached a support person, the vendor insisted it was our problem, not theirs. This data helped to prove it was their problem. They eventually brought in some other consultants from the hardware vendor and corrected the issue.
ExtraHop enables us to create dynamic triggers that allow us to inspect packet flow in real-time.
They used to have the ability to decode Citrix sign-on, setup, and tear down. Unfortunately, Citrix has stopped sharing that knowledge. Citrix has continued to change its model of processing, making it harder and harder to troubleshoot.
We've been using ExtraHop for seven years, but the Reveal process has only been available for around three years.
They do routine updates of their firmware roughly every month, so they're continually adding more ability to decode and analyze the traffic flow.
ExtraHop is highly scalable. However, you may exceed the capacity of a small device and need to upgrade to a larger one. The smaller devices have worked well for us, but you might need to upgrade to a newer one, so they've been aggressive on their pricing.
I rate ExtraHop support nine out of 10. I've frequently worked with ExtraHop, and they've always been excellent.
We considered using Riverbed's analysis tools for this type of process, but it never panned out. It was always a problem to get into the right spot to grab the data we needed, but that was always challenging with their devices.
Setting up ExtraHop is complex because we needed a nuanced understanding of the data flows into our data center. We need to know where things are coming into the environment versus where we thought they were entering. It's a complicated process of setting up the network taps and sending the data into a packet broker that forwards it to our ExtraHop device.
The packet broker was required because we had so many different taps bringing data into the ExtraHop. ExtraHop only had four interfaces to receive data, yet we had 20 different taps that had been placed. Some of those taps required two interfaces each to absorb the data that was tapped.
We did it all in-house.
ExtraHop has improved our service drastically. In that sense, it has saved us money because we can quickly identify problems.
I rate ExtraHop Reveal(x) six out of 10 for affordability. We pay for an annual license. It's always one of those trade-offs. You get a lot of value, but ExtraHop isn't exorbitantly priced. You can pay extra for additional features like the ability to decode HL7 traffic, which is crucial for EMR environments.
I rate ExtraHop Reveal(x) 12 out of 10. My advice to new users is to learn Wireshark first. You'll better understand what ExtraHop can do for you.
I'm on the cybersecurity team. I do a lot of the blue threat-hunting and incident response. The things I deal with have nothing to do with network performance, but I handle the detections and things that ExtraHop Reveal(x) can pick up.
ExtraHop Reveal(x) is very easy to use and intuitive. ExtraHop Reveal(x) can pick up threats without any customization on the threat detection when none of my other tools can pick up. I've been told to make my other tools work how ExtraHop Reveal(x) works. I'm trying to get my SIEM to perform the way ExtraHop does out of the box.
For example, we're starting to ingest our DNS logs to be able to pick up on something that's called DNS tunneling. ExtraHop picks it up in the middle of it. My SIEM, however, didn't have the log. So, I have to work with the server team. It's been two-plus months trying to get those logs up and running, but I am still not there yet. The other tool I have didn't tell me for almost 24 hours.
ExtraHop was able to pick it up in the middle and detect there's DNS tunneling. ExtraHop Reveal(x) is one of the tools that works out of the box when it comes to threat hunting.
The solution’s pricing could be improved.
The solution's technical support is great. Unlike other vendors that take more than two months to fix simple problems, ExtraHop's technical support team does actual troubleshooting over the phone. A lot of times, they fix it on the back end without any intervention from me.
The solution's initial setup is easy. I rate ExtraHop Reveal(x) ten out of ten for the ease of its initial setup.
Overall, I rate ExtraHop Reveal(x) ten out of ten.
Our company uses the solution to send sensors to the Reveal 360 cloud for customers. We have about 500 customers using the solution.
The solution works well for sending sensors.
The solution should include more support protocols.
The solution should be less expensive.
I have been using the solution for 18 months.
The stability is rated an eight out of ten.
The scalability is rated an eight out of ten.
The technical support is good and very fast. Support is rated an eight out of ten.
Positive
The setup is straightforward.
We implement the solution for customers and deployment takes two or three days. We use the app to send middle traffic from the network to the ExtraHop sensor.
The solution is based on an annual subscription model and is expensive. Pricing is rated a five out of ten.
If you want to implement the SOC, then you must use the ExtraHop for the SOC operating system.
I recommend the solution and rate it a seven out of ten.
We are using ExtraHop Reveal(x) for lateral movement and for behavioral analytics.
ExtraHop Reveal(x) has allowed us to triage the alerts as they're coming in. For example, as detections are noticed, being able to spot any issues within the application or failed access.
We also use ExtraHop Reveal(x) for endpoint detection. The ability it has to mitigate risk from external IP addresses has been a lifesaver for us.
The most valuable features of ExtraHop Reveal(x) are the detection and alerting of network behavior and anomalies.
ExtraHop Reveal(x) could improve by allowing a longer look back in the feature. Right now you have a limit of 30 days to look back on your activity. I've used Darktrace before, and they allow you the ability to play back events. This would be a good feature to have in ExtraHop Reveal(x).
I have been using ExtraHop Reveal(x) for approximately one year.
ExtraHop Reveal(x) is stable.
The scalability of ExtraHop Reveal(x) is good it picks up the traffic along the network. It picks up everything within our tenant.
We have approximately 10 people using the solution in my organization.
We might increase the usage of this solution in the future.
The support from ExtraHop Reveal(x) is sporadic, it can be good and it can be poor.
I rate the support from ExtraHop Reveal(x) a three out of five.
Neutral
I previously used Darktrace.
We have received a return on investment using this solution.
We have approximately two people who do the maintenance of the solution.
My advice to others is for them to make sure that ExtraHop Reveal(x) can see everything within their environment. Additionally, review the packet capture and look into the tuning features within it to tune your exceptions. They're pretty granular and don't tune them too broadly to where you exclude things that you want to see.
I rate ExtraHop Reveal(x) a seven out of ten.
