Vectra AI Reviews

The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.

With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.

It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.

And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.

For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.

That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.

The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?

We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.

The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well. We've had numerous red team and penetration exercises and, at the initial stage, when the recon is happening and credentials are used and lateral movement is attempted, our existing tools don't pick it up because it has not yet been "transformed" into something malicious. But Vectra, at that stage, picks it up 80 to 90 percent of the time. That has been one of the biggest benefits because it picks up what other things don't see, and it picks them up at the beginning when attackers are trying to do something rather than when the damage is already done.

The ability to roll up numerous alerts to create a single incident or campaign for investigation takes a bit of effort in the beginning because you'll always have misconfigurations, such as wrong passwords, that could trigger brute force and SMB-types of alerts. And you'll have genuine behaviors in your environment that tend to be suspicious, such as vulnerability assessment and scanning tools, that are not noise, per se. Even if they're non-malicious, it always tends to point to events like misconfigurations and security tools. It's been very useful in that sense, in that, once we do the initial triaging, indicating that this is a security tool, or that is a misconfiguration we need to correct, it reduces the noise quite significantly. We don't get more than 10 to 20 events, maximum, generated per day.

Vectra shows what it does in terms of noise reduction, and we can see that it is down to only 1 percent, and sometimes even less than 1 percent, of what actually requires a person to act on.

It becomes quite easy for a SOC analyst to handle things without being overburdened. And, obviously, it's at the initial stage because it picks things up before the damage happens. It's not the kind of prevention tool that has signatures and that only tells you something bad has already happened. It tells you that something is not right or is suspicious. It says there is a behavior that we have not seen before, and it has always been effective in the red team exercises that we periodically conduct.

Also, we have privileged account management, but we don't have a separate analytics tool. Still, Vectra also picks that up. This is also something that has come up during red team exercises. If there's an account that is executing an escalated privilege or running a service that it normally doesn't run, it gets flagged. It tells us about lateral movements and privilege escalations; things that constitute non-standard usage. It's quite effective at catching these. I have yet to see a red team exercise that doesn't generate any alerts in Vectra. We see a jump, and it's very easy to identify the account and the system that is the source.

It also triages threats and correlates them with the compromised host devices, because it maps both ways. It maps the host, the account, and the detection, and vice versa. You can also go to the detection and see how many affected hosts there are. In addition, if there's a particular detection, is there an existing campaign? How many hosts are also doing the same thing? These are the kinds of visibility the tool provides.

The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful. They are very generic and broad. That's one main area that I keep telling Vectra they need to improve. 

Also, whenever there's a software upgrade and new detections are introduced and the intelligence improves, there is a short period at the beginning where there's a lot of noise. Suddenly, you will get a burst of detections because it's a new detection. It's a new type of intelligence they've introduced and it takes some time to learn. We get worried and we always check whether an upgrade has happened. Then we say, "Okay, that must be the reason." I would like to see an improvement wherein, whenever they do an upgrade, that transition is a bit smoother. It doesn't happen all the time, but sometimes an upgrade triggers noise for some time until it settles down.

We've been using the Vectra AI for over three years.

In the beginning, there is a struggle to fine-tune it because it will generate noise for the reasons I mentioned. But once that learning phase is complete, it's quite reliable. We have been using the hardware for more than three years and there have been no failures or RMAs

Upgrades happen automatically. We have never gone into the appliance to do an upgrade, even though it's on-prem. It all happens automatically and seamlessly in the background. 

Initially, we had some problems with the Recall connection to the cloud, to establish the storage connectivity. But again, these kinds of things are at the beginning. After that, it is quite stable. We've not had any problems.

Scalability for the cloud solution is straightforward. For the on-prem solution, you need to take care of the capacity and the function itself, because the capacity of the same hardware varies, depending on what you use it for. From a capacity point of view, there is some effort required in the design.

Looking forward to the future, the tool integrates with more and more solutions outside of its existing intelligence. It's not something that we have yet embarked on, but that's an interesting area in which we would like to invest some time.

The cloud solution is something that has limited visibility because PaaS and SaaS in the cloud are always a challenge in terms of cyber security. And in the future, even though we have taken the Vectra SaaS for O365, they're also coming up with a PaaS visibility tool. It is currently under testing, and we are one of the users that have been chosen to participate in the beta testing of that. That's another thing in the future that would add a lot of value in terms of visibility.

Currently, we have about 8,000 users.

The support is directly from the device or we get a response via email. The response is okay. Because the product is stable, we have not been in a situation where we urgently needed something and we wanted support right now. We have never tested that kind of fast response. They take some time to respond, but whenever we have requested something, it has not been urgent. 

We do get a response and issues always get resolved. We haven't had any lingering issues. They have all been closed.

We did not have any tools in the same league. We had security tools, but not with anomaly detection as part of the feature set.

Cognito Detect is on-prem and Cognito Recall is in the cloud, as is the O365 and Azure AD protection.

The cloud setup is extremely simple. The on-prem takes some effort. There is the sizing, depending on what model. The throughput varies. Those kinds of on-prem design considerations create a bit of complexity in the beginning, but the cloud is straightforward. All it needs is the requisite access to the tenant. Once it gets that, it starts its work. 

In the beginning, there is some effort in fine-tuning things, but that comes as part of the package with the solution. They have a success manager and tech analyst assigned to support you in the beginning. Once that is done, the product is very stable.

For us, there were an initial four to eight weeks of triaging and clearing the noise, in terms of misconfiguration issues or known security tools. After that time, we started seeing value.

We only used the people from Vectra.

Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly. They are above average when it comes to price. They're not very economical but it's for a good reason. As long as we get quality, we are okay with paying the extra amount.

We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.

The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.

My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.

We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.

In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.

We have one SOC but it's based overseas. It's an offsite managed service and it covers the gambit of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.

Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.

Our Customers use Vectra AI to detect networks, endpoints, identities, SaaS-based, and private and public clouds.

The most valuable feature of the solution is that it only shows us the events that are actually critical. The solution is currently used as a central threat detection and response system. It ingests every bit of information from the SIEM, does AI triaging and detection, and sends incredibly high-fidelity alerts to the SIEM for investigation.

It would be commercially beneficial if Vectra AI had something like Darktrace's Antigena Email or something similar to email protection. 

I have been assisting customers using Vectra AI for nine months.

Vectra AI provides 100% stability because it sends you either a physical box or a VMware deployment, making it very simple and stable. Obviously, VMware will depend on your own environment.

Vectra AI is a scalable solution. Since we have added distribution levels, we've made quite a few deployments. The solution can support up to 1,00,000 endpoints. There's a specific customer that's using Vectra AI and has over 1,00,000 endpoints.

The solution’s technical support team is quite competent.

Positive

Vectra AI's initial setup is very simple. The Vectra AI team is quite competent, and they support and help us set everything up.

The solution's deployment was fairly quick. We had everything up and running within a day. Then, it was just about the information they were putting out that was being collected.

Vectra AI has an annual subscription license. You could choose the components you need for your environment. 

The solution had some very good integrations with firewalls and EDR solutions. Since Vectra AI is more of an internally-detection and response tool, it detects insider threats extremely well.

Before choosing Vectra AI, ensure you have a proper architect for your environment that shows you where all your blindspots could be. This makes the deployment a lot easier. Vectra AI detects threats that people miss, especially manual operators.

Vectra AI has helped save a lot of log analysts time because they don't have to deal with a lot of alert noise and false positives. Using Vectra AI for detection, triaging, and responses speeds up your soft response mechanism and makes the responses much quicker.

Overall, I rate the solution an nine out of ten.

As a sector, the education industry as a whole is under threat with quite a large volume of immediate threat offenders. We've seen numerous attacks coming through brute force or DDoS. The amount of ransomware and phishing attacks is on the rise compared to that of five years ago, for instance. I see regular threat campaigns from numerous actors around the world.

Our main use case is to have Vectra AI as an addition to our security team. We have a large campus with 1,100 boarding students and about 600 staff on top of that. However, my security team only comprises myself and one other person.

Being able to detect security threats in real-time and, more importantly, being able to get rid of the noise is very important to me. That is, getting rid of the false positives and just focusing on the actual high threats that we see coming through is a great benefit for us.

The biggest feature for us, because we are heavy Microsoft users, is its integration with Office 365. On top of Vectra AI, we use all of the Microsoft security platforms, such as Defender ATP and Sentinel. Having full integration and a central platform to look at all of the threats that are coming through from the different platforms is a huge benefit for us.

With one nice front dashboard, we can look at the high-volume threats rather than all of the noise. We do get a lot of noise as our students all own their own devices. With Vectra AI, we can look at threats in a controlled manner, which saves us an extraordinary amount of time. Even if I doubled the manpower, I doubt that I would still have the same visibility that I have with the correct security platform.

Vectra AI's Threat Detection and Response platform has done remarkably well. We're well-versed in using the security dashboard from Microsoft Defender, and we're at the stage where we are checking both. We haven't fully switched to relying on only the Vectra dashboard yet.

In terms of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization, we have complete faith in the data that's coming through from Vectra. If we could also have what's happening at the front-end, that is, the firewall, then it would give us the complete security front dashboard.

In education as a sector, we are looking at AI a lot in terms of how it can be used as part of the teaching and learning side of things. It would be great to have Vectra AI look at a better way to enhance the security posture related to the AI tools in our portfolio.

We've been using Vectra now for about eight months.

Vectra AI's stability has been 100%.

Vectra AI's integration team was spot-on. They helped us with a very well-defined and well-tested plan, and they worked with us to ensure that the product met all of our goals. Now that we're a customer, we have regular meet-ups with the team.

The technical support staff are very knowledgeable regardless of the type of questions we've had. It feels like they are more than just a support team. I feel like I can reach out to them whenever I need to because they're approachable and understand the challenges that we have within our industry. As such, I would give them a rating of ten out of ten.

Positive

Previously, we used Darktrace. Though it is a good platform, because there were so many false positives coming through, we found that we were neglecting it and not investigating the alerts. After less than a year of using Vectra, we've managed to tailor our dashboards to a point where we just see the high-volume or high-risk alerts coming through, and we act on those on an instant basis. Vectra AI has helped me get my time back. 

Vectra's pricing is too high. All schools will not be able to afford it. Vectra will only end up targeting higher education and higher value independence purely because of the price.

A lot of schools would love to have a product like Vectra AI, but they simply can't because they struggle to even pay the high E5 licensing from Microsoft. When you're up against that, Vectra AI is never going to be within the sector's price range.

We evaluated whether we wanted to switch to Vectra AI or whether we wanted to utilize just our existing Microsoft security stack.

Overall, I would rate Vectra AI an eight out of ten. I am basing my whole security portfolio and roadmap around Vectra, which means that in the future I need to get more automation, remove some of the cross-tracking that we do with the Microsoft security stack, and then become much more reliant on the data coming through from Vectra AI.

We've introduced Vectra AI to our clients and had it in proof of concepts with other technologies like Darktrace for network detection and response.

Vectra AI can bring the ability to detect intrusion on the network more so than legacy IDS tools. It goes beyond just doing sample packet capture as Corelight does and provides value to the customer regarding their reporting and what the tool is doing.

The solution's marketing is not good. It probably needs to refresh its branding because a lot of it is confusing. People see it as an expensive tool for what it actually does.

I have been working with Vectra AI for five years.

With tools like Vectra, the more you want to scale, the more you have to ingest, and the higher your costs are. So scalability can be there, but it also comes with an increased price.

The solution's customer support is fairly strong.

Vectra AI didn't have a SaaS model until recently. Companies don't like deploying something complex that'll turn customers away. From what I understand, Vectra AI is somewhat complex in its deployments.

The technology is strong, but everything around the technology outside of support is weak. Vectra AI needs to find a way to make it more cost-effective for customers to compete with some of the other tools on the marketplace that customers are buying. Vectra AI should do sample packet captures for clients with different use cases. They're trying to forcefully push their tool on the market when the market wants something else.

Overall, I rate Vectra AI a five out of ten.

We wanted something to understand what's happening on the network of the company, and we wanted something to protect us against attacks and cyber activities. We wanted visibility into our network and all the threats that we're facing.

It has helped improve our mean time to identify, but I don't have the metrics on time savings because we didn't have anything for that previously.

It hasn't had any effect on the productivity of our organization’s SOC, but it has had a great effect on security.

In terms of the effect of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization to take intelligent action, we are looking at the right risks and nothing more. We save some time for sure, and we empower our security with it. Previously, we couldn't see anything, but now, we are seeing some of the things, and we have already stopped some attacks with it.

The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen. That's great.

It's simple to implement. It's simple to analyze. The dashboard is very smart and clean. It's very easy to check something. There are a lot of tools to analyze the detections. It's great.

We got two problems that couldn't be solved because of the philosophy of the product. We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution.

We did some penetration tests and tried to get some hashes or encrypted passwords from Active Directory. Those hashes didn't provide alerts into Vectra. Vectra doesn't survey them, which is quite problematic because it's a very common attack. They said that it's not the only aspect that would come with that kind of attack, but when somebody tries to get a lot of hashes, we would like that there is an alert because that seems like the start of an attack.

For the hashes issue, it could be very easy for them to make the improvement. They can just change a rule, and that's it, but for encrypted protocols, it could be trickier.

We have been using this solution for two to three years.

There is no problem with stability. Sometimes, alerts can come later. For example, for Office 365, we got the alert one day late, but the problem was coming from the Microsoft side.

We just have one, and that's enough for our needs. Its scalability is good for us because we just have one with multiple probes at the same cost, so that's fine for us.

Their support is very good. They have knowledgeable people with great knowledge of cyber security and cyber risks. I'd rate them a 10 out of 10.

Positive

We weren't using any solution before. We went for Vectra AI because we wanted something to have visibility. We were completely blind to what could happen on the network. With Vectra AI, we aren't so blind.

We stopped some attacks. An attack could cost a lot more than the cost of Vectra. For example, we got an attack before that cost us $100,000. So, Vectra's cost is not so high. The cost of an attack could be worse. If we got encrypted data, it could be worse because we would have to stop the factory, which would cost a lot.

Its cost is too much. It's an investment that we can afford. It's a lot, but it's worth it.

We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.

I'd rate Vectra AI a 10 out of 10.

We use Vectra AI to detect incidents because we have offices in 50 countries and 30 to 40 sensors around the world.

We want to be able to have a sensor or a foothold in as many offices as possible, and Vectra AI helps us achieve that goal.

Vectra AI helps us to have more visibility in terms of what happens in our network and the network at large. It increased our understanding and our ability to respond and clean up.

In terms of valuable features, I like the ability to record the traffic and the metadata in the traffic. I also like the ability to rewind the past and be able to understand what happened. Some of my colleagues like the ability to investigate incidents.

Vectra AI has had a positive effect on the productivity of our company's top teams. They use it a lot to understand what's going on. However, we still need to teach people how to use it to its full potential because it's quite a complicated product.

The Sidekick MDR service is quite important to our organization’s security monitoring and management. The Sidekick team is able to give us the ins and outs of what's going on with some incidents. They are able to triage and help us to focus on a particular part of detection. They also gave us advice on how to configure some parts of the product. The two people I worked with from the MDR service are really good at what they do, and it's quite nice to work with them.

The UI/UX and detection could be improved. More detections of specific security events could be useful. We've had a few incidents that were not detected by Vectra. The teams are working on it right now, but more detection is always better.

Vectra AI is quite good at threat detection, however, it cannot respond to threats and attacks in real time by itself. It has to have plugins with other components, such as EDR or other software, to be able to respond properly. By itself, Vectra AI cannot do much, but it's powerful enough to pilot other software.

I've been using Vectra for nine months now.

Vectra AI's stability is quite good.

Scalability-wise, we have many sensors, and Vectra AI seems to handle them all very well.

We have 30,000 devices across 50 countries with close to 2,000 offices. It's an enterprise-scale environment, and Vectra AI has not had any issues.

The engineer who deploys Vectra at my company seeks perfection, and he wasn't happy with everything. However, Vectra's technical support staff handled all of his requests quite well. I would rate them an eight out of ten.

Positive

The product is quite good, and we have a good relationship with the customer success managers and other teams as well.

Overall, I would rate Vector AI an eight on a scale from one to ten with ten being the best.

Our key challenges are:

1. People Management: It is always a struggle to coordinate the few people that we have with the necessary skills to put them on the most important topics or projects.
2. Cloud adoption complexity: You need to figure out which systems, applications, and interfaces are talking to which cloud component in terms of data flow. That is a rather complex topic and usually sold well by the external supplier in terms of marketing to a company. Practically speaking, it is very difficult to elaborate all the connection requirements, on-prem to cloud, cloud to cloud, e.g., what is running where, what should run, and what is not running as it should.

Cognito Platform: We are using the latest on-premises version and some of the cloud services too.

We are mainly operating out of Switzerland. The IT Departments are based in our headquarters.

We have a large network with a lot of points of sales and other geographical locations that are interconnected. We need visibility of all the client-initiated traffic to and from our main data centers and to the Internet. We have good network coverage. Vectra is deployed on different hotspots in our network.

We can detect systems that are not behaving right because they are not configured correctly. We detect access to malicious sites or domains that should not be there, which should have been picked up by our security services that we implement at different times at different types of levels in the network. This is kind of an add-on to all the existing prevention mechanisms and helps us with network hygiene.

Due to an optimal signal-to-noise ratio that Vectra delivers, it gives us confidence to have a realistic chance of catching and stopping real attacks on time.

One of its strongest parts is that the solution captures network metadata at scale and enriches it with security information. We forward events to our team, then we can correlate them even better.

We have almost our complete network covered. This solution is like the absolute base coverage for us. You don't get many alerts, and if you get one, you better look at it because it is a good quality alert. After verification, we respond accordingly. Vectra AI brings great visibility. Without it, we would be blind.

The solution has enabled us to do things now that we could not do before. With Streams enabled, we can easily find out who is using SMB v1, as an example. So, it is a kind of hunting in the network. If you have a detection and need proof, you have network capture. In terms of searching accounts or assets, it is a great platform that allows us to use the default search, i.e., searching for a hostname/IP or the advanced queries for complex searches. This allows you to search back in time, which is very convenient, i.e., if one specific host has had detections in the past.

Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis. 

The Office 365 detection is a great add-on. It will not only see the local traffic, i.e., the local user but also how the user is connecting to the cloud. If communication has been initiated within our network, we would capture anomalies with on-premises mechanisms. If it is a connection from the Internet to O365 SaaS services, we gain visibility through the Vectra add-on. It depends where the communication was started, but we do have a good, complete picture in a single view.

Vectra AI is really focusing on the most critical, severe detections. That is the key point of this platform for us. It gives you enough details and data, if you need it. However, for daily operations, we are just getting the priority 1 alerts that we need, and nothing more.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. This is important to our organization because you need to monitor and control privileged accounts.

The detection model and correlation of events, e.g., you are only having one priority event a day, go hand in hand. They have awesome detection models and very good algorithms. Out-of-the-box, you get a decent severity matrix and great consolidation. This is what has made this platform so usable to us over the last three to four years. We can rely on these detections and on its event generating mechanism that clearly focuses on the most important priority one cases.

If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company.

We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

We have been using it for four years.

Great! Currently, our Brain shows 190 days uptime (last reboot initiated by us). There have been no operational issues at all. I can't complain.

Scalability is another very good selling point. It is easy to deploy virtual sensors as well as other sensors, which is a big plus.

We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra AI Sidekick Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective. We have roughly 20 to 30 people who, from time to time, get details on detections or campaigns that they need to look at.

The technical support is fast, customer-oriented, and has a great skill set.

When we started with Vectra AI, we noticed certain things that could be done better from the UI experience and workflow. We had a lot of input. They built this into their software. Some of the features that customers use today are there because we said, "Well, guys do it like that because everybody can profit from that," and they said, "Well, that is a great idea. Let's do it."

Positive

We did not use another solution before Cognito.

The initial setup was straightforward. 

We already had an existing on-prem installation, so adding Office 365 detection was straightforward. It took about half an hour.

After we deployed this solution in our network, it took about two weeks for it to begin to add value to our security operations.

They brought in the requirements and said, "We need this amount of time, as well as this type of rack, space, power, and network configuration." We prepared that, then they were able to set things up in a very short manner. It took maybe a day, then we were set and traffic was flowing in. This was one of our smoothest installations in the last years. After two days, we saw all the needed network traffic. So, implementation and initial setup were very fast.

We are still a happy customer after four years.

In terms of detection, we have seen ROI from finding out stuff as well as preventing, hunting, and intelligence gathering.

Cost is a big factor, as always. However, I think we have a very good price–performance ratio.

We looked at least five different vendors, including Cisco and Darktrace, in PoCs.

Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

Vectra AI has a very short deployment time compared to other solutions that we tried.

Do a PoC. Only a PoC will show you if something works or not. I know it takes time but do a POC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

There is manual input i.e., Triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

I would rate this solution as 10 out of 10.

The key challenges are employee weakness, getting alerted as soon as possible on our network and infrastructures to anything suspicious that is happening, and policy-type enforcement.

The challenge that it tends to solve is visibility. We put a lot of controls in place for what we suspect will be a risk. However, something like Vectra gives us more visibility and confidence that we have a better understanding of what is actually happening, rather than just the things that we have already planned for.

We adopted an Office 365 add-in with the product that looks over the Office 365 suite and data traversing that platform. In the future, we see this as a valuable asset that we already have in place to be able to better monitor that type of detection of information. We don't have an environment where there are many true positives, which is good. That has been consistent across the old and new. Our detections have usually been benign or more configuration-based rather than some sort of attack. Because it provides more context and raises things in a way that make it more actionable, it does help you understand the anomaly on a deeper level because it is not just a log that is being forwarded on and has context around it. Vectra AI does do a good job of providing the model information upfront about how its detections work, which is helpful.

We have an external SOC and most of the data or detections from Vectra now flows to them. The final design is that they are the recipient of those alerts in parallel with us. We also receive them directly at times, depending on the criticality. What it does for us is it improves the information and context that they are getting upfront, which means less questions for our internal IT team about what these assets are and what they are doing. Because the analysts at the SOC have more information to work from, it has reduced wasted time and improved the path that we are taking to a resolution, if there is a problem. It is more straightforward when you are getting quality information upfront about what you are actually investigating and why you are investigating it, rather than just, "This particular activity was detected on the network. Go and work out everything about it," Vectra gives you some context around it and a little bit of direction when you see these things, e.g., this is potentially what could be causing it. This improves workflow, reduces wasted time, and makes everyone's life a little bit easier.

It has given us an increased level of confidence in our information security that we have a tool like Vectra to back up some of the incidents that could take place, knowing we are going to get them detected as quickly as possible and identified to us. Nowadays, with threats on ransomware and information security types of techs, we believe that Vectra does give us a greater level of confidence that we will be able to detect those more quickly. If they do occur, we can shut them down more quickly, preventing further risks or damage to our systems or infrastructure.

Vectra AI provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It spells that out quite clearly in each detection. It is not just in the detection. You can look at detections individually, which are essentially individual events. Also, when you are looking at an asset that has multiple detections attached to it, you can see where those sit in the lifecycle of an attack. This gives you an idea of how far Vectra thinks that it has progressed. Having the ability to know where you are in an attack helps you prioritize things a bit better.

The solution correlates behaviors in our enterprise network and data centers with behaviors that we see in our cloud environment. In terms of a specific example, it links cloud identities to on-prem identities. This is something that we have never really had before, because we didn't have that visibility in our cloud environment. Now, it improves the visibility that we have of our security operations as a whole. Rather than sometimes viewing these things in silos and objects as individual objects, we are now viewing them as what they are, which is people undertaking action in our network and the pathways that they are taking to get to certain resources. By combining the cloud and on-prem data, it gives us context and helps us to get a proper view of what is actually going on.

An attractive thing about Vectra AI is the AI component that it has over the top of the detections. It will run intelligence over detections coming across in our environment and contextualize them a bit and filter them before raising them as something that the IT team or SOC need to address. 

While the device itself is deployed on-prem, the hybrid nature of what it can monitor is important to us.

Its ability to group detections for us in an easier way to better identify and investigate is beneficial. It also provides detailed descriptions on the detection, which reduces our research time into what the incident is. 

There are also some beneficial features around integration with existing products, like EDR, Active Directory, etc., where we can get some hooks to use the Vectra product to isolate devices when threats are found.

On a scale of good to bad, Vectra AI is good at having the ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation. My frame of reference is another product that we had beforehand, which wasn't very good at this side of things. Vectra AI has been a good improvement in this space. In our pretty short time with it so far, Vectra AI has done a lot to reduce the noise and combine multiple detections into more singular or aggregated alerts that we can then investigate with a bit more context. It has been very good for us.

There is a level of automation that takes place where we don't have to write as many rules or be very specific around filtering data. It starts to learn, adapt, and automate some of the information coming in. It works by exception, which is really good. Initially, you get a little bit more noise, but once it understands what is normal in your environment, some of the detections are based on whether an action or activity is more than usual. It will then raise it. Initially, you are getting everything because everything is more than nothing, but now we are not getting much of that anymore because the baseline has been raised for what it would expect to see on the network.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. Privileged accounts are one of the biggest attack vectors that we can protect ourselves against. This is one of the few solutions that gives you true insight into where some of those privileged accounts are being used and when they are being used in an exceptional way.

We have found that Vectra AI captures network metadata at scale and enriches it with security information. We have seen that data enriched with integrations has been available and implemented. This comes back to the integration of our EDR solution. It is enriching its detection with existing products from our EDR suite, and probably some other integrations around AWS and Azure. In the future, we will see that improve even further. 

One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us.

I would like to see data processed onshore. Right now, the cloud components, like Office 365, must be processed on servers outside of Australia. I would like to see a future adoption of onshore processing. 

I have been using it for two to three months.

We have only a few months of history with it, but the solution has been rock solid. I don't think it has gone down yet.

We have the ability to add agents in Azure and AWS Cloud if we want, but we still haven't made a decision yet. We can also add more agents or sensors on-prem with the VMware virtual machine that they provide. It is scalable in that way, but at some point, you will hit the limit of the device.

One of the selling points for us was, down the track, we can just add additional agents to the box from other sources without the need for additional licensing costs.

Internal to the business, there are only two users. External to the business (the SOC), there could be a team of up to 10 people who are watching alerts day-to-day as well as using the product and logging into the product to better identify what those alerts are. Being the owners of the system, we use it when we are triggered by alerts about something significant.

We have a small IT team with fewer than 10 staff, where there are only one to two information security focused staff. We leverage an external SOC, i.e., a third-party.

Vectra AI has enabled us to do things now that we could not do before. We are able to give our SOC a tool that can both reduce their time and potentially allow them to do more on our network. Potentially, they will look into isolating the threat a lot quicker. They can use some of the integrations to turn off endpoints when a threat, which is significant, is detected.

Through the different phases of deployment that we have gone through so far, we have been mainly assigned one technical resource to assist us with everything from beginning to end. He has been very knowledgeable and responsive. I can't say anything really negative about him. 

In terms of the ongoing support, we haven't had to leverage it much yet. We are now in the production phase, so we have been handed over to the main support desk, but I haven't had to use them yet.

Through deployment, the technical support was very responsive. I think every question that I asked, if it wasn't able to be answered, got passed onto someone who could then come back with something. I think they were pretty upfront as well when the solution couldn't do what we were after. We were told that they would go away and check, then they would come back with an answer about whether what we were asking for could be done. It has all been pretty good so far.

We already had a solution like this one in place, which was another competitor's product, where the three-year contract for that product was up. We wanted to retain the level of detection that the product provided, but adapt to the way our network had changed over three years to adopt a more hybrid cloud technology. This device sits on our internal network watching for any threats to our internal network. It looks at our Office 365 threats as well.

We were previously using DarkTrace. We went to the market for reasons of maturity over time for our network. We wanted to further adapt this product to a hybrid working model. We wanted it to be able to adapt to cloud technology that we were adopting. We also wanted something commercially competitive. After three years, they came back asking for a 20% increase in their renewal fees, which wasn't acceptable.

One of the main things that Vectra has brought to the table for us, over what we were previously using, was the ability to combine our on-prem packet data that we were watching with the cloud data that we needed to start including. We have one system monitoring a hybrid environment, rather than having separate systems for separate environments. That is a key thing that Vectra does that others might not. It comes back to visibility with network monitoring.

For critical alerts, there has been a huge reduction compared to our previous solution, approximately 80% less. What our previous tool would mark as high, we wouldn't, and Vectra AI aligns with that. Vectra gave us some classifications of the threats, where our previous tool would just trigger high risks on a lot of things that to us, as a business, were not high risk. This is because of fundamentally the way that Vectra looks at detections compared to the way that our previous product did. Every detection was its own entity within the previous one. Whereas, with Vectra AI, it is all about combining the detections and getting a more complete picture. When you are looking for more than just one indicator of compromise, and you are not viewing these things in isolation, you start to realize that one indicator oftentimes doesn't mean critical. That is what Vectra does pretty well.

The initial setup was straightforward. We had the existing competitor already in place, and it was architected in a pretty similar way. Someone without a device like this one in place would need to spend a little bit of time on the setup. However, that is not so much about Vectra as it is with the type of device that it is. No matter which device does this sort of thing, when you put it in place, you will need to set certain things up.

We unboxed the device, plugged it in, and it pretty much turned on. We didn't have to do much at all. Then, there was the config after the fact, which was all supported.

The initial deployment really only took a couple of weeks to get it to the point that we were relatively comfortable with what we were receiving. In terms of getting the box plugged in, that took a day. Then, we finished the whole deployment phase of it. which was to fine tune some of our detections and config. That has really been finalized in the last few weeks.

Vectra was extremely easy and quick to get into place. It was able to run inline with DarkTrace while we were evaluating it. Also, the implementation was not heavy in any way.

We went through a proof of concept with Vectra. We had already identified our functional requirements for the product and entered into our proof of concept arrangement with Vectra to assess that they could achieve all the functional requirements that we had.

The support for deploying it was ready to assist further, if needed, with the deployment. In our case, it was very straightforward. It was very quick to implement. The support that they gave us week-to-week kept us moving. They were also able to implement it in line with us.

Development and maintenance needs a tenth of a staff member. We mostly handle this ourselves. To be effective with the alerts that you are getting, you need security staff or people who are dedicated to this kind of thing. It is one thing to maintain and deploy the device.

It is another thing to action the information that the solution is giving you. We outsource that, so we don't do it in-house.

The capturing of network metadata at scale reduces the time of investigations when researching incidents. Instead of having to look over multiple tools, that data can be somewhat aggregated, from a Vectra perspective. The time to detect and understand a threat has been reduced.

Vectra AI has reduced the time it takes us to respond to attacks. The amount of time depends on the specific detection or circumstance around it. Some things have been raised previously, then we would have good knowledge about what that detection meant and how to investigate it effectively. Other times, a detection might be viewed as more novel, where there may not be the immediate skills in place to investigate it effectively, whether that is the security team or me. There is a whole lot of research that needs to go into this to make sure that you have the knowledge to actually verify whether a thing needs to be dealt with.

Vectra AI provides you this information very well, with more context around the detection. Someone with a more general knowledge of some of these things can look at all the factors rather than just the detection to make a determination of how risky it is and how you might start investigating it. For example, with autodetection in an account, if it was just that detection, then your initial response might be to lock that account out. However, if you get a bit more context about it and can see what other activities were happening on the same asset around the same time, then you might not lock that account. You might just reach out to that user, and say, "Hey, what was this about?" because you are not so concerned about an immediate threat.

There is ongoing maturity from our security strategy, which this solution introduces. Down the track, we could look to extend this from an agent perspective to our cloud platforms in a more rigorous way than what has already been implemented. It gives us increased confidence over time as we do get these detections and alerts that are valid, so we are able to accurately resolve and stop them quite quickly. That is where we will see the bigger benefit. It will tick something and alert us as quickly as possible, then we can get to it and shut it down as quickly as possible. That means our security maturity is only strengthening, and we can respond and have visibility over events in the future.

The return on investment was passed over to our SOC. They were using our previous tool, DarkTrace, and now they are using Vectra. There will be a lot less in future reports because there will be a lot less that they are actually investigating.

From a pricing perspective, they are very commercially competitive. From a licensing perspective, just be conscious that some of their future cloud solutions come with additional subscriptions. Also, if you're outside of the US, you will get charged freight for the device back to your country. I tried to negotiate getting rid of this, but unfortunately, it just wasn't something they would take off the table.

I would like to see ways they can look to bring out new cloud functionality without introducing additional costs for them as additional subscriptions. They're about to bring out their AWS add-in, which has an additional cost. So, I would like to see them start to roll that into the product, as opposed to having it be offered as a separate subscription service. Because the more that that happens, the more it goes away from the core functionality of the product if we are just buying a lot of separate cloud processing pieces doing different functions. Why is that not being made as part of the core product?

They also have some additional threat hunting tools that I would like to at least consider leveraging, but the cost is just prohibitive.

After deploying this solution in our network, it began to add value to our security operations straightaway. We ran the Vectra product in line with DarkTrace and were watching the alerts from both. Because I was sometimes getting exactly the same detections on both platforms, the Vectra information was actually assisting me in understanding what DarkTrace was doing and what it was warning me about. Straightaway, I started to get a better understanding of the alerts that we had been receiving for a long time.

It pays to evaluate the market regularly on products like this. The industry and platforms change very rapidly, and there is always new technology coming out. Three years ago, these guys wouldn't have probably been around or been looked at. Now, they are. Therefore, going out to the market and actually assessing our existing investment, against what is out there today, was very worthwhile.

For EDR, we are using CrowdStrike.

The visibility of your threats will be easier to understand with Vectra AI. It provides you with a centralized dashboard of those threats and alerts. It gives you detailed descriptions for quicker research into what the identified threats and alerts are. It will integrate with existing products you may already be using. Overall, it reduces a lot of time spent on chasing false positives.

Right now, we are leveraging the on-prem appliance and the Office 365 Cloud component. We want to look to the future around potentially extending this to further parts of Office 365 and cloud environments, like Azure and AWS.

We haven't adopted Power Automate into our environment as of yet.

I would rate this solution as eight and a half out of 10.