competitive comparison between Vectra and cisco stealthwatch

Vectra vs. Cisco Stealthwatch

Are you looking for an alternative to Cisco Stealthwatch? Or perhaps researching the best tools? Network detection and response delivers the most comprehensive insight into hidden threats and empowers incident responders to act with confidence. Network traffic analysis is a core technology for detecting hidden threats, but there are several decision criteria that you are likely to consider, including the ones below.

  • How rich are the analytics?
  • Can the analytics import indicators of compromise (IoCs)?
  • What evidence is delivered by the analytics?
  • Does it work consistently for on-premises and cloud workloads?
  • What level of automated correlation is delivered?
  • What other cybersecurity tools does it integrate with?

Read the table below to learn how Vectra stacks up to Cisco Stealthwatch.

Network Detection and Response (NDR) is a new and fast-growing market. Organizations are experiencing more complex and targeted attacks in which traditional security approaches are not enough to stop bad actors. Download the Gartner Market Guide for NDR for a holistic assessment into the current state of the network detection and response market here.

GET gartner market guide FOR NDR

We also created detailed comparisons between Vectra and Corelight, Darktrace and ExtraHop.

The right data source is critical to expose attacks fast

Network metadata
Network metadata contains vital descriptors of the data itself to create a searchable index in real time and at a fraction of the size of full packet captures. Metadata as a source is the right data type, but used alone it lacks indicators of compromise that show analysts where to hunt.

Security-enriched network metadata
Enrichment techniques, used to identify data such as host ID and beaconing, are employed to augment network metadata. This data cocktail is essential to quickly  identify threat activity in security event messages and conduct more conclusive incident investigations.

NetFlow is network performance monitoring data remarketed for security. It shows connections that were made but does not show what these connections were used for. Network detection requires details, such as whether an SMB connection was used to authenticate a user, mount a share or execute code. NetFlow does not provide these details, rendering it blind to network visibility and incapable of detecting threats.

Full packet captures
Network packets provide deep network visibility but are difficult and expensive to scale. The sheer amount of packets causes slow search performance that makes incident investigations frustratingly painful.

graph showing SIEM, Netflow, IDS, PCAP and security-enriched metadata on a scale of relevance and visibility. Security-enriched metadata is the highest for both.

Metadata streaming to data lakes and SIEMs

Feed security-enriched metadata to data lakes and SIEMs, correlate it with other data sources and empower threat hunters to conduct conclusive incident investigations with a comprehensive source of truth.

And the quality of that data will impact your threat-hunting use cases.

NetFlow offers incomplete data and was originally conceived to manage network performance. PCAPs are performance-intensive and expensive to store in a way that ensures fidelity in post-forensics investigations. The tradeoffs between NetFlow and PCAPs leaves security practitioners in an untenable state.

The collection and storage of network metadata strikes a balance that is just right for data lakes and SIEMs.

Zeek-formatted metadata gives you the proper balance between network telemetry and price/performance. You get rich, organized and easily searchable data with traffic attributes relevant to security detections and investigation use-cases (e.g. the connection ID attribute).

And it does so without the performance and big-data limitations common with PCAPs. Network metadata reduces storage requirements by over 99%, compared to PCAPs. And you can selectively store the right PCAPs, requiring them only after metadata-based forensics have pinpointed payload data that is relevant.

Additional content to read: Cognito Stream – Network metadata with an opinion

Cognito Stream from Vectra delivers scalable, enriched network metadata that empowers security analysts and professional threat hunters to conduct conclusive incident investigations with a comprehensive source of truth.

read Cognito Stream Overview
Cognito just having pulled the attacker out of water is now holding him by the neck on an island

AI-derived metadata enrichments

There’s a consistent set of questions security teams must answer when investigating any given attack scenario. They will test their hypotheses by investigating the data to determine if they are looking in the right place or thinking in the right direction. Having access to the right data and insights can make all the difference in the investigation, both in terms of outcome and in the speed of achieving the outcome.

Yet, with examples like beaconing, it is hard to differentiate between innocuous and malicious behaviors. How do you discover and identify the potentially malicious communication? And if you find that communication is malicious, how do you respond?

The first step is to make sure that the attributes necessary to answer these questions are readily available to the security analyst.  These are best surfaced using metadata that is enriched with insights that can only be derived from machine learning techniques.

Cognito about to grab attacker while he peeks his head out of a floor tile

Additional content to read: The data science behind Cognito AI threat detection models

The Vectra AI approach to threat detection blends human expertise with a broad set of data science and advanced machine learning techniques. This model delivers a continuous cycle of threat intelligence based on cutting-edge research, global and local learning models, deep learning and neural networks.

read White Paper

One machine-learning algorithm cannot solve every problem

There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, we can organize these algorithms into one of three categories: Supervised, unsupervised and reinforcement learning.

Machine learning is the technique, not the objective. This is critically important as more tools leverage and advertise machine learning for threat detection. Unlike Vectra, other vendors use a small subset of machine learning algorithms to solve a problem. Specific attacker behaviors require different applications of machine learning.

The goal of supervised machine learning is to learn a functional mapping between the input space that the data is drawn from to a desired or target space that describes the data.

In contrast, unsupervised machine learning refers to scenarios in which an algorithm or agent must learn from raw data alone, without any feedback or supervision in the form of target values. This often means learning to group together similar examples in the data – a task known as clustering – or learning something about the underlying distributions in the input space from which the data are drawn.

You can read more about supervised and unsupervised machine learning in our dedicated blog post on how algorithms learn and adapt.

Deep learning refers to a family of machine learning algorithms that can be used for supervised, unsupervised and reinforcement learning. A neural network is presented with some input, and activity propagates throughout its series of interconnected neurons until reaching a set of output neurons. These output neurons determine the kind of prediction the network makes.

Image of robot sitting on a pile of books reading

You can read more about deep learning in our dedicated blog post about neural networks and deep learning.

Just like no single algorithm can solve every problem, no single method can find every threat. Vendors who apply a single algorithmic approach run the risk of drowning a few good detections in a massive flood of false positives. Conversely, machine learning is overkill when a simple list of indicators of compromise (IoCs) could suffice, such as detecting known malicious IP or URL addresses.

Additional content to read: IDC Innovators – Artificial intelligence-infused security solutions

"Vectra is focused on core steps in the cyberattack kill chain with high accuracy of detections and the ability to provide a high-fidelity signal," according to the new IDC Innovator assessment.

read idc innovator report

Aggregates individual alerts into incidents with full PCAP on-demand for forensic investigation

Deciding  where to focus an analyst's time and how to respond requires an understanding of the assets impacted and the risk to your business. You want your vendor’s solution to roll up a chain of events into single incidents.

To understand the severity of an attack, analysts need to connect the dots of related attacker behaviors to expose the relationship between hosts across internal detections, external advanced command-and-control detections, and connectivity to common command-and-control infrastructures.

Additional content to read: Vectra blog – Security automation isn't AI security

The automation of security event handling doesn’t require AI – at least not the kind or level of AI that we anticipate will cause a global economic and employment transformation.

read blog post

Tracks cyberattacks across the enterprise and shows all compromised workloads and devices

It is imperative to prioritize the risk level of hosts, including workloads, servers and IoT. This ensures that analysts are responding to the highest risks first to reduce the total cost and risk of a breach.

The goal should be to reduce the workload so an analyst can focus on the events that matter most. Part of that means providing human-readable outputs from machine learning algorithm detections, including PCAP and guidance on what a detection means and what next steps an analyst should take to verify and respond.

As attackers perform reconnaissance and move laterally from host to host in a network, their behaviors need to be correlated across all involved hosts and detections to present a view of the entire attack campaign.

Abstract image of eye made up of 1's and 0's

Includes threat detection models specific to data center and cloud use-cases

Data center and cloud security goes beyond virtualization or perimeter detection and needs to include the underlying infrastructure and low-level tools used to manage workloads. You may want to consider a technology that provides threat detection that extends from the application layer down to the underlying hardware.

For example, a port knocking detection may reveal servers that are compromised by a rootkit, which could reside below the physical operating system itself. In addition, monitoring and detecting the improper use of low-level management protocols such as IPMI and iDRAC are critical.

Normally used by administrators for infrastructure-lights-out management of server hardware, these protocols are increasingly targeted by attackers because they open a persistent backdoor into the virtual environment, yet are not logged and are rarely monitored by security.

Abstract image of icons of clouds, people and padlocks

Additional content to read: Frost & Sullivan Visionary Innovation Leadership Report

“Vectra continues to raise the bar in AI-driven threat detection and is expected to maintain its growth on the strength of its cutting-edge Cognito platform,” according to the new Frost & Sullivan report.

read frost and sullivan visionary report

Integrates with incident response products for timely and thorough threat eradication

Not every attack is the same and not every response should be the same. An AI platform should provide intelligence to existing infrastructure to reduce the time to respond. More importantly, you should expect an AI platform to enable the correct response.

You should expect integration to be simple and straightforward. A complex deployment will erode any benefits you hoped to gain. Integration can occur through APIs, outbound events or automation platforms that provide standardization between products.

Integration flowchart: investigate, respond and enforce

Additional content to read: Vectra integrates with EDR, SIEMs, firewalls, security orchestration and virtualized data center solutions

The Cognito platform from Vectra integrates with an ecosystem of security technologies to fight cyberattacks. Vectra also offers API tools that save time and repetitive work using a Python library that simplifies interaction with the Vectra API, scripts that can be run from the command-line, and additional resources.

See our integration partners

Delivers a complete network-detection and response solution

Vectra delivers a complete platform for network detection and response with Cognito Detect, Cognito Recall and Cognito Stream. Vectra has the longest tenure and greatest investment in the development of AI for detecting attacker behaviors as well as collecting and enriching metadata for threat hunting and incident investigations.

Additional content to read: Cognito platform overview – The right data for network detection and response 

The Cognito platform accelerates customer threat detection and investigation using sophisticated artificial intelligence to collect, store and enrich network metadata with the right context to detect, hunt and investigate known and unknown threats in real time.

download cognito platform overview
Cognito Stream, Recall and Detect are all part of the Cognito Platform

What customers say about Vectra

Read Vectra verified customer reviews on Gartner Peer Insights


January 30, 2019
Reviewer Role
Security and Risk Management
Company Size
Gov't/PS/ED 5,000 - 50,000 Employees

Best detection tool we've had, and we've tried our fair share

Deputy CISO in the Education Industry
Of all the products we've tested in this category, this one is the least prone to false positives. It also focuses on detections that are relevant to our industry and our environment whereas many other products we've seen do not. Seven months in, we're very happy with the performance of the product.
Gartner peer insights logo


April 27, 2018
Reviewer Role
Security and Risk Management
Company Size
10B - 30B USD

Cornerstone Of A Global Cyber Security Incident Detection And Response Platform

Group IT Security Director
Cognito allows for outstanding response times due to the high quality alerts, industry leading user interface and resulting ease of use. Our Analysts love the product!
Gartner peer insights logo


March 22, 2018
Reviewer Role
Security and Risk Management
Company Size
1B - 3B USD

World Class Delivery Team. Exceptional Product, Clarity And Efficiency At The Core.

Head of Information Security Operations
World class sales and delivery team, ensuring the transition from discovery, through POC to implementation and ongoing support is first class. Customer engagement is second to none. UI is simple, clean and easy to use, whilst delivering the pertinent information required. Vectra clearly understands the needs of an analyst and built a product with the analyst in mind...
Gartner peer insights logo

What analysts say about Vectra

No items found.
View all analyst reports