Vectra AI Reviews

In terms of deployment, we have one brain and seven physical sensors. We're currently working on deploying a large number of virtual sensors, but those aren't done yet. We also have a SIEM and an EDR.

There are a large number of difficult-to-manage devices on a network. Traditional security vendors do a great job of making sure that workstations and servers are properly protected, secured, and observed, but they fall short when we're talking about odd peripherals, such as printers, scan guns, tablets, guest devices, and things like that. That's what Vectra helps us see. I can't tell the number of employee guest phones that just show up on the network, and they're infected because they're not managed by us and people do things with their phones. Now, we're able to actually see those devices hit our internal LAN instead of our guest networks, and we can properly move them over, whereas earlier, we were blind. Now, we have some reasonable assurance that our internal tablets, scan guns, and things like that are not performing abnormal network behavior. So, that's what we use Vectra for.

We've got a centralized data center with a large number of physical locations throughout the country. So, our network is very distributed. It's very much like a campus. Vectra is really good at reducing the complication of deploying an NDR solution, and that really helps us because we have over 175 stores that we need to capture traffic from, as well as a number of sales offices, regular employee offices, and distribution centers distributed across the country. So, Vectra makes it really easy. We just drop or ship it over there, and it is up and running real quick once it gets there. Shipping takes longer than configuration. So, basically, our network is a centralized data center infrastructure with a large number of stores, distribution centers, and offices geographically dispersed around the country.

It provides visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. We tap client to server, server to server, and client and server to internet traffic, and it does a good job. It doesn't have an issue with internal traffic. In terms of the full lifecycle of the attack, Vectra is not designed to interface with or inspect the host. So, we're not seeing host activity obviously. That's what our EDR is doing. Vectra does an okay job. If we get a weird detection, we're also able to see a large number of other activities that happened just before and just after the attack and relate those to it.

Before we deployed Vectra, we were not monitoring network traffic. So, there was definitely a need and a gap, and Vectra has filled it. We have reliable network logs that are readable, and it does a good job of doing a default set of detections for us. We're very happy with the gap that it has filled.

It has overall reduced the time to respond to attacks, especially with the PCAP function on the detection, where when it gets a detection, it PCAPs the session. So, we're able to get a lot of context to alerts that we were unable to get before we deployed this because we weren't doing a full PCAP. Because Vectra only PCAPs the session when it triggers a detection, we didn't have to deploy hundreds of terabytes of storage across our network. So, we saved a lot of money there. There are $50,000 to $100,000 storage cost savings because it only captures the full packet capture for traffic that triggers detections. In terms of time, it has saved hundreds of hours. I can't even explain how happy we are with the amount of time it has saved us. Imagine the amount of time it would have taken us to deploy to 175 stores plus dozens of distribution centers and dozens of remote offices. Even if it was just one hour per location for deployment, that makes it hundreds of hours. Vectra, with being so easy to deploy and so easy to maintain and administer, has saved us hundreds of hours just on deployment and standing up the environment alone. I am not counting the maintenance and administration that come along with the solution.

It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra.

We've got machine learning and AI detections, but we also have the traditional ability to create our own custom detections and rules that are important to us for compliance. When we were demoing other vendors, a large number of vendors let you make your own rules, but they don't provide their own rules and ML and AI rule engine, or they provide AI and ML, but they don't allow you to make your own rules. Vectra is very nice in that sense. We have detection rules that Vectra provides that are very common to the security industry, such as whenever there's a major event like the SolarWinds event. Those rules get built and deployed for us really quickly. We can manage our own, but then we also have the ML and the AI engine. We really like that. It is one of the few platforms that we've found to be supporting all three options.

They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard.

They could provide distributed endpoint logging capability. We have a lot of remote workers nowadays in the day of the pandemic. If they're not connected to our VPN, then we're not capturing that traffic. So, the ability to do the traffic analysis for endpoints that are distributed would be cool. I have no idea how they would do that. I'm not aware of a single vendor that does that, but it would be cool if they could do that. To my knowledge, that's not really possible with the amount of compute power it would take on endpoints. It would be ridiculous. They'd have to really invent something new and novel that doesn't exist today in order to accomplish that. If they do, that would be great. Because I'm a customer already, I would use it. 

Cost-wise, they're not cheap. They were definitely the most expensive option. Their licensing model is antiquated. We have to pay for licensing based on four different things. They need to simplify their licensing down to just one thing.

We have been using this solution for around 18 months.

I'm very happy with it. In the 18 months, I cannot recall any outage. We keep up on all the patching and maintenance, and there have been very few bugs. The SaaS product Recall has always been there when we use it. Our on-prem version has never broke. It seems very stable.

It has got no problem with scaling. We picked Vectra because it was able to scale up to our size fairly easily without scaling up the deployment and administration overhead. So, it scales really well. It has no problem handling our volume of data.

Their technical support is pretty good. They're very responsive. Nine out of 10 times, they understand my problem. They're not perfect, obviously, but at the end of the day, I got answers for the few issues for which I've had to use support. I can only think of one instance where it was painful, and that's why I say nine out of 10 instead of 10 out of 10. The guy just didn't understand what I was asking, and about seven emails later, it got triaged, and the next guy figured it out. Other than that, the first person I email in at support is able to answer my question in that initial response or just one extra email.

We did not use any similar solution. 

We have a couple of SaaS-based products. We use Cognito, Recall, and Stream. Recall is their SaaS-based product where all the logs go into their hosted elastic search instance, which allows us to search and create custom rules and everything like that, and then we pull data from that environment into our on-prem environment. In terms of the deployment of the brain, that's all on-prem. All the sensors are on-prem obviously, but we do use Recall.

In terms of the effort involved in deployment considering that some of the pieces we use are SaaS-based, it was literally just a toggle switch and an API client and key in the interface, and then it was working. We had to wait for accounting to approve it, and it added a little bit more time to our deployment because of paperwork, but technically, it was pretty simple. We told them we wanted this, and by the time that we got our paperwork done, everything at their end was stood up and ready to go for us.

It does take two to three weeks for the brain to baseline and establish its ML baseline. The moment it was done with the two-week to three-week machine learning period, it was good. So, it started providing value after three or four weeks after deployment.

Their licensing model is antiquated. I'm not a fan of their licensing model. We have to pay for licensing based on four different things. You have to pay based on the number of unique IPs, the number of logs that we send through Recall and Stream, and the size of our environment. They need to simplify their licensing down to just one thing. It should be based on the amount of data, the number of devices, or something else, but there should be just one thing for everything. That's what they need to base their licensing on. 

Cost-wise, they're not cheap. They were definitely the most expensive option, but you get what you pay for. They're not the cheapest option. I know that their prices scared away a couple of people who have demoed it in the past. Once they got their quote, they were like, "Well, see you later. We can't do this." So, that is an area that they come up short against other people.

We did evaluate other options. We evaluated rolling Bro or Zeek on our own. We evaluated Security Onion. We also evaluated Corelight and almost picked them. We also investigated a couple of solutions that are significantly more involved than Vectra, just like full managed solutions, but we decided not to do that.

The main reason for choosing Vectra over all the other solutions was twofold. One was the deployment time and routine administration costs. Its deployment was very simple. The amount of time it would take to deploy and configure was very low. The time it would take to maintain the environment was significantly lower than the other solutions and on par with Corelight.

The second reason for picking it up is that it allowed us to create our own detection rules. They build rules for us when there are major events, as well as they have the ML and AI engine. This was the only solution that was easy and fast to deploy and maintain, and that was giving us all three options for rule detection. That's why we went with them. Some of the solutions provided all three options, but they were a pain to configure and maintain, and some of them were easy to deploy and maintain, but they didn't provide all three options.

It is pretty straightforward. Plug it in and use aggregators in front of the sensors to aggregate multiple tap sources into a single sensor. The sensors can handle it. They de-duplicate everything. There is no need to purchase a sensor for every tap. Truncate all that traffic into an aggregator and have it come out one feed into the sensor. There is no issue there with the Vectra sensor being able to carve out all that. They're powerful enough to do that. Vectra recommends that. So, if someone is purchasing Vectra, they're going to hear that from them. With Vectra, you're picking reliable and fast among cheap, reliable, and fast.

In terms of Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we do not generate a lot of incidents. We're pretty quick off the gun on detections. We're responding to detections before subsequent detections are detected and become an incident. We maybe get one incident a week, so I don't know if I can comment on that effectively.

We don't use privileged account analytics from Vectra for detecting issues with privileged accounts. In terms of its detection model for providing security around things like Power Automate or other anomalies at a deeper level, we don't use Power Automate, but we use their anomaly detection, and it is very interesting. While it always does provide us something interesting to look at, more times than not, it is our IT admin who does anomaly detection. So, we learn a lot, and it brings odd things to our attention, but with anomaly detection, it has usually been our IT admin.

In terms of Vectra helping our network's cybersecurity and risk-reduction efforts in the future, I'm hoping that one day, we can achieve even client-to-client inspection. Vectra should stay up with the times, and they shouldn't start coasting, which I don't see at all. They fill a good gap, and they do that well. We're just going to leave them filling that gap until the time comes where that is no longer a need, which I don't foresee. So, I don't know if they're going to do anything more than inspect network traffic and provide us an alerting engine on anomalous or malicious network traffic. That's their niche, so that's what they're going to do, probably just more of it. As we grow, we'll deploy more Vectra sensors to capture that extra traffic. I see them scaling very well.

I would rate this solution a solid eight out of 10. It loses a star for not adhering to Bro Logs in my book, and there is no perfect 10.

Our primary focus lies in identifying weaknesses to address customer concerns regarding visibility into network operations. This is especially crucial due to the presence of various managed devices within the network. Detecting and managing these devices and enhancing visibility is done by Vectra AI. It also has the capability to detect potential threats and correlate diverse events that occur on the network. Hackers often target systems from different domains, requiring cross-domain correlation. Net NDR solutions, particularly Vectra, excel in fulfilling these needs using AI-driven algorithms. Over time, these algorithms learn from the data, aiding in automatic post-event analysis. 

Within Vectra, multiple models exist, including an AI model which is very important. Vectra is very compatible with various cloud providers, such as Amazon and Azure AD. This is helpful as customers often migrate their network infrastructure to the cloud. 

Additionally, Vectra provides managed detections and responses, enhancing a company's network detection capabilities. The platform also has attack signal intelligence to identify attackers based on their tactics and techniques, preventing them from compromising critical network devices. So it acts as a detection platform, essential for halting potential threats, including clouds like Amazon and Microsoft 365. 

We offer two solutions, Vectra and ExtraHop in the Qatar market. However, ExtraHop has better features that seem more advantageous when compared to Vectra. During demos, I encountered challenges with Vectra when demonstrating its capabilities, such as dealing with expired SSL certificates. Vectra AI is capable but ExtraHop is able to provide comprehensive insights and easier data querying. It excels in data query capabilities which is helpful for customers to access and manipulate their data effortlessly. This is where Vectra needs to enhance its capabilities. Customer support and handling high network traffic are additional areas that it needs to work on. There should be more flexible options to handle customers’ needs. Also, customers desire performance enhancements and integration capabilities with a single solution and cyber security. 

I have been using Vectra AI for two years. 

I would rate the stability an eight out of ten.

I would rate the scalability an eight out of ten.

We have a strong local presence and support in this market, and our company's origins in Turkey also contribute to robust local assistance. While comprehensive support is provided during major incidents and upgrades, we excel in offering immediate assistance for failover situations and downtime prevention. The team is highly specialized in cyber security and SOC technologies. We are quite strong and are able to help ourselves in the field of technical support.

Positive

The initial setup is straightforward. I would rate the setup an eight out of ten.

In the case of deployment, 70% of the public prefers the public cloud while the rest prefer private. These are the only two forms of deployment.

The initial deployment should ideally be completed within two weeks. However, due to the need for fine-tuning, false positive elimination, and deriving enhanced value, an extended period of around two months is necessary. This allows users to cover all the potential threats and risks, ensuring comprehensive coverage

The solution is low-cost and affordable. 

Vectra faces robust competition, but it substantiates its abilities. Depending on client needs, it can easily work with other IT solutions. Yet, for pure network detection and response, Vectra excels, particularly for enterprises demanding very good solutions. It offers superior detection coverage for heightened security. It has an encryption-based approach, enabling threat detection without decrypting any data. Moreover, Vectra stands out with its broad integration capabilities with third-party tools and I personally find it a successful feature.

Overall, I would rate Vectra AI an eight out of ten. 

Our primary use case for this solution is for security policy and to detect potential attacks on our networks.

This solution helped our mean time to identify as we can have more precise detection and documentation. At the moment, we're seeing daily detection of between 10 and 20 and if it's on the cloud, we can do 50 to 100 per day.

As we are just beginning to use Vectra AI, I find the simplicity of implementation to be quite valuable. The UI is easy to use and when we send detection to everybody, they easily understand what we are asking at the time. The sections are very precise. 

There is room for improvement in the documentation. We would like to have more details on how it detects what we see. 

I have been using Vectra AI for about four months.

This solution is stable.

This solution is quite scalable. In the beginning, we had one point of network capturing the traffic. After that, we added two points on top of it and it worked perfectly. At first, we had five gigabits per second and now we have 30 so I'll say it's a good service.

I would rate their support a ten, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that they were with us every step of the way to help and guide us through the process seamlessly.

Positive

Prior to Vectra AI, we used Gatewatcher and Microprobes and also the IPS/IDS firewall. Vectra AI is an additional layer of security.

My opinion – and a strong point for Vectra AI – is that the deployment is not complex and is quite straightforward. It was an easy deployment and someone from the company helped us on each point and guided us through important milestones. If I recall correctly, it lasted for about two weeks.

It's a bit expensive, as you can have a lot of different solutions for free. So, in the beginning, it's more expensive, but as time passes it gets better.

The issue Vectra AI helps us solve is threat prevention.

Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that we are still in a tuning phase and it's too early to say anything about detection, but I would put ten for support.

Our company is in the retail arena, and we have stores, warehouses, and a data center. Right now, we're using Vectra AI in our offices and the data center. The major issue we had was that we were completely blind inside our data center in terms of seeing what traffic we had. Our main focus with Vectra AI was to see what's happening inside the data center through virtual sensors.

We're going to expand it to include our stores because the franchisees requested that we monitor the networks in all of the stores. Every shop in our company is a franchise, and they can do whatever they want to in their shops. We won't have any idea as to what's on the network in the shops. By using Vectra AI, we will have visibility into the network.

We have started the proof of concept for our warehouses as well.

We discovered a lot of things in our network and are correcting several misconfigurations. We are learning how some apps work together and how some things shouldn't happen. It's also easier for us to identify the source of a brute force, whereas before, we didn't even know we had a brute force.

The platform is well-designed around the quadrant. We know quickly how to investigate, and the detections are clear. I like Vectra AI's integration with Active Directory and the fact that it's easy to take in hand.

We have had a few issues with the integration of Vectra AI with EDR. Some filters have not been working. We've also had issues with the brain not being powerful enough.

In the next release, I would like to see more triage choices. From my point of view, Vectra is missing a lot of choices. This is an area that they could focus on.

Vectra is also moving to a full cloud model, and I am not sure if going full cloud and leaving the on-premises environment is the way to go. We are not sure whether we'll move to the cloud with Vectra because it's hosted by AWS, which is one of our competitors. We don't like to work with anything that works on AWS.

We did a proof of concept two years ago and then deployed it in March, 2022.

We've had issues with stability. Vectra said that they underestimated the power we needed on our brain as it's very slow. We have delays that can be up to 40 seconds. We also had a hard drive that died. In one year, we've experienced three major issues.

We have different types of deployment that impact scalability a lot. The good part is that if we want to see everything that gets into the data center, we only need a single sensor in the data center. However, if we want to go in-depth in every store, then it will be a long process because we'll have to deploy thousands of sensors.

Right now, our license is for 10,000 IPs, and we hope to increase it to 110,000. If we deploy Vectra AI in the warehouse as well, we will need 25,000 extra. When we upgrade the brain server, Vectra AI should be able to scale accordingly.

When I contacted technical support, they usually take control of my laptop for an hour or more, and I can't do anything during that time. They do not explain anything and mute themselves for an hour or more. I don't know what they're doing or if they're even working on the issue.

However, they have been proactive because they know we have issues with our brain. If I have a bug, I've noticed that they usually respond quickly.

Thus, on a scale from one to ten, I would rate technical support at six.

Neutral

I've done four deployments in total, and Vectra AI is easy to deploy. On the admin interface, it's also easy to set up the integration with EDR.

It is an expensive solution, but it's not the most expensive we've seen. We also know how much we're going to pay, unlike with some other providers where all of a sudden our license explodes.

We will probably need to deploy over a thousand physical sensors. This means that the cost will automatically go up to millions. They do not sell the smallest sensors that they had in the past, which we would be glad to have right now.

We looked at ExtraHop, a VMware NDR solution, Carbon Black, and a solution from a French organization.

Carbon Black is oriented around VMware products. As such, it would have been okay for the data center, but we would have had to upgrade the entire physical infrastructure inside the data center. It would have been very expensive, and thus, we eliminated Carbon Black. The French competitor was eliminated because the solution was a few years behind.

We then talked with Vectra AI and were happy with what they offered us. We spoke with other companies that use it and found out that they were happy with it. Thus, Vectra AI got the opportunity to do the proof of concept.

Overall, I would rate Vectra AI an eight out of ten.

We wanted to have an additional layer of protection. We have the standard IDSs and were looking for solutions that provide additional security features.

We are still in the deployment phase and hope to be in production mode soon.

I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them.

Vectra AI checks the behavior of the systems. It's much better than, for example, McAfee IDS, which also has some behavioral capabilities. With Vectra AI, it is possible to get some more hits.

What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature.

We have been using it for almost two years.

So far, the stability of Vectra has been good compared to that of McAfee IDS. I really like the automatic updates because I am the security engineer and responsible for the tools. I have less work to do, which is really nice.

In the beginning, when we had less throughput, the stability was quite nice, but now, we are reaching 25 GB of throughput. The current device is only capable of 20 GB. I do see some slowness, but I believe that it will be solved by the new brain.

To scale, you would need to know the data center and its average throughput to order the correct brain. We have around 13,000 IPs right now, but we're still growing. The only limitation I see with Vectra AI in terms of scalability is that we cannot have one place to manage all of the brains. Besides that, it's quite straightforward; at each site, we need to have a brain, a physical or virtual one.

Regarding technical support, I am in direct contact with a few people at Vectra. I enjoy cooperating with them. However, it hasn't gone that well with a ticket I created. We had to contact them after waiting for a few weeks. Overall, I'd give technical support a five out of ten.

Neutral

In the beginning, we had some problems because of a misunderstanding between my company and Vectra. During that time, it was quite challenging, but nowadays, everything is straightforward for us. For example, I'm planning the implementation of the new data center, and it's quite straightforward.

We have already deployed all of the sensors and brains. We are waiting for B101 because we need to have a bigger brain and also want to have one on standby. Once we receive the brains, we will deploy integrations with Vectra.

The pricing and licensing are quite straightforward because they're based on IP licenses. As a result, they are easy to count.

From a deployment and operations perspective, it's quite nice. Therefore, I'd give an overall rating of seven out of ten. However, I look forward to increasing the rating when we move into the production phase and see the real output from Vectra AI.

We started with it as a replacement for the functionality we had in our SIEM solution. We mainly wanted a detection metric and something that was smart enough to detect some of the more complex attacks because we can have flow data and do nothing with it. We wanted to have some strong alerting capabilities on that. We were looking to get a detailed attack and AI perspective on it. We didn't want something that only sees something as malicious and can alert on it but also detect things that are a little bit out of the ordinary, which was something we could get with this.

It has definitely improved our mean time to identify. In some specific cases, it's making it a lot easier because the enrichment features do help in getting a more detailed view of what's going on. For example, if we see a certain connection or something that's potentially a command and control channel, we can look at who logged in last and what other processes are there. We also have a connection to our SIEM solution, so we can check what's going on there as well. So, it really helps, but it's hard to measure the time savings because we previously didn't have a solution that had the same capabilities as Vectra AI.

It has definitely had an impact on our productivity. Previously, we did have some issues with getting a more detailed view of the network because we could only do it through event-based logs from the network devices, such as firewalls and switches that were providing us with additional information. Now, because it's more detailed and also across the branch offices—which was a big point for us—we do have a more efficient structure. We don't need to do that much additional effort to get to the root cause of problems, which was an issue before.

One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things. For example, there were about 200 SSH connections within a night. They had seen the traffic, but they couldn't relate it to anything specifically, whereas because we saw it, we knew that it was one of our main Unix machines. We knew it was doing some kind of backup at that time. We then went to talk to the system engineer, and he could confirm that he was using a badly written script that was doing 200 connections instead of just one and sending all 200 files across it.

It's well-built, so it does its thing as a Threat Detection and Response platform for detecting and responding to threats and attacks in real-time. We use the detections that come out of Vectra, and we send them over to our SIEM solution. Especially when it comes to high alerts or alerts with high certainty and high impact, we look at them immediately, and then someone also goes through it every day to clean up. If there are certain things that we need to check, we will check them anyway. Anything that's lower on the priority list is taken care of later in the day.

One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not. I understand that not everything can be implemented in the product, but if everyone presses the plus one button, then you know that there's a need for it. 

There is the concept of groups within Vectra. You have IP groups, host groups, and domain groups. Wild cards would be very handy there, or side ranges would be a good one to start with. One of the big things that some of our operational people complain about is that if it's an IP and it has reverse look-ups, why do they need to make two groups—an IP group and a hostname group—just to get the same feature set?

It has been almost three years, so it has been a while.

We haven't had any issues. It's very stable, so no problem.

Their support is pretty good. They follow up fast. It's not like most other support centers we've seen in the past. They are really focused on getting us faster input.

I'd rate them a nine out of ten because there is always a little bit of room for improvement, but normally, they follow up really nicely. As opposed to others, where you mostly hear good product, bad support, in this case, it's good product, good support. That's something to keep in mind.

Positive

We had a SIEM solution that was mainly focused on event-based logging, not necessarily on the network part. We were looking at more of a network IDS solution, and that's where Vectra came in. We wanted something that was easy to use as we didn't want too much platform maintenance. We wanted something to plug into the box and make it work. At first, we didn't believe that we would be able to find something like that after we had seen Darktrace, their biggest competitor, but in the end, Vectra was a perfect fit for us because it made it very easy to insert it into our branch offices as well.

We started from scratch. Three years ago, it was harder to start with than nowadays because back then, it was still in the beginning. The Belgian team that helped us with it also didn't have the experience at that time, whereas now, it's definitely not hard to set up. It's just a matter of knowing the right things, but the support portal really helps. There's good documentation on the setup as well.

From a security perspective, it's always hard to find a return on investment. If you look from the risk mitigation perspective and what's the worst that can happen, if we can stop attacks sooner, it would result in lesser costs on remediation afterward because we were fast on the initial attack.

From a licensing perspective, the Vectra detect platform is pretty doable. Also, the hardware prices are nothing that we're not used to. The stream part is a little overpriced compared to the detect part. The reason is that you need to stream data to detect events anyway, so the data is in there. The only thing that's not available is the UI to be able to look at the stream data, which is also on the appliances but is just not activated. That's mainly the thing that we want to improve on.

We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.

At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.

I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.

We need to move our whole data traffic over the core switches. We also want to secure our network and have it integrated into our vCenter and into our Active Directory.

We have 18,000 IP addresses, and in Recall, we have uploads from about 250 GB per day.

One year ago, we found notebooks that were compromised with Emotet. Vectra saw that the client performed search requests to the Active Directory for a keyword root and contacted domains that are known for Emotet.

Vectra AI also found that a notebook had permanent contact with a domain outside our network.

We often use the new feature to create PCAP files from the whole data traffic. It makes it much easier to find network problems such as whether the server is responding to a request. It has nothing to do with security, but it helps a lot to find other problems.

Vectra AI helped improve our mean time to identify. For example, the Sophos client doesn't recognize anything, and without Vectra AI, we wouldn't be able to identify problems. It does it quickly.

We use the Sidekick MDR service. It's very important to us because it gives us another layer of security and a second pair of eyes. We have learned a lot from the Sidekick.

For S&D account scans, it would be easier if Vectra AI could triage with users. If a client uses a lot of accounts, then it could indicate that these accounts are benign, for example. That would help a lot.

I've been using Vectra AI since 2020.

We have not had any problems with stability.

Vectra's technical support is very fast. They have been able to resolve the tickets I created very quickly. I would rate technical support a ten out of ten.

Positive

The initial deployment is easy. You have to give them an IP address, plug it into the switch, and then get started.

We have seen an ROI. The cost of security breaches outweighs the cost of Vectra AI.

Vectra AI is not a cheap solution.

We evaluated Vectra AI and CyberSense and did POCs with both. We observed that Vectra AI was better because we can see everything. CyberSense uses a different technology. For example, it creates an Active Directory that isn't used. If someone connects to this Active Directory or starts requests, then we will get an alert. However, we think Vectra uses a better way because we can see more. It also has better technology.

Overall, I would rate Vectra AI at ten on a scale from one to ten, with ten being the best.

Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.

What I like best about Vectra AI is that it alerts you about suspicious activities.

An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.

Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.

I've been using Vectra AI for two years now.

Vectra AI is a stable tool.

Vectra AI is a scalable tool.

My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.

The technical support is excellent, so my rating is five out of five.

The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.

We implemented Vectra AI together with their technical support team.

My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.

I'm the admin of Vectra AI, a tool implemented in my company.

The tool was updated three or four months ago, but I'm unsure if I have the latest release.

My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.

I'd recommend Vectra AI to others looking for an NDR solution.

Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.