Product - how it works

Cognito AI from Vectra enhances security operations

The Cognito network-detection and response platform captures network metadata, enriches it with machine learning-derived security intelligence, and applies it to your detection and response use-cases.

1. Capture data

Sensors extract relevant metadata traffic or logs in from cloud, SaaS, data center and enterprise environments.

A uniquely efficient software architecture developed from Day 1, along with custom-developed processing engines, enable data capture and processing with unprecedented scale.

2. Normalize data

Traffic flows are deduplicated and a custom flow engine extracts metadata to detect attacker behaviors. 

The characteristics of every flow are recorded, including the ebb and flow, timing, traffic direction, and size of packets. Each flow is then attributed to a host rather than being identified by an IP address.

3. Enrich data

Vectra data scientists and security researchers build and continually tune scores of self-learning behavioral models that enrich the metadata with machine learning-derived security information. 

These models fortify network data with key security attributes, including security patterns (e.g. beacons), normal patterns (e.g. learnings), precursors (e.g.weak signals), attacker behaviors, account scores, host scores, and correlated attack campaigns.

How it works: data from the web is funneled into the Cognito AI Platform where the platform normalizes data, enriches data, detects threats and responds. Shows Cognito eating an attacker at the bottom of the funnel.

4. Detect and respond


  • Scores of custom-built attacker behavior models detect threats automatically and in real time, before they do damage.
  • Detected threats are automatically triaged, prioritized based on risk level, and correlated with compromised host devices.
  • Tier 1 automation condenses weeks or months of work into minutes and reduces the security analyst workload by 37X.


  • Machine learning-derived attributes like host identity and beaconing provide vital context that reveals the broader scale and scope of an attack.
  • Custom-engineered investigative workbench is optimized for security-enriched metadata and enables sub-second searches at scale.
  • Puts the most relevant information at your finger tips by augmenting detections with actionable context to eliminate the endless hunt and search for threats.

The data science behind Cognito AI

How Cognito AI works

Using behavioral detection algorithms to analyze metadata from captured packets, Cognito AI detects hidden and unknown attacks in real time, whether traffic is encrypted or not. Cognito AI only analyzes metadata captured from packets, rather than performing deep-packet inspection, to protect user privacy without prying into sensitive payloads.

Get the white paper The data science behind Cognito AI threat detection models

Pie chart split into three parts, and then two parts within each third. 1) global learning: global data set of threats, threat researchers 2) local learning: local content, user behavior 3) integrated intelligence: progression over time, host and asset context

Global learning

Global learning identifies the fundamental traits that threats share across all enterprise organizations. Global learning begins with the Vectra Threat Labs™, a full-time group of cybersecurity experts and threat researchers who continually analyze malware, attack tools, techniques, and procedures to identify new and shifting trends in the threat landscape.

Their work informs the data science models used by Cognito AI, including supervised machine learning. It is used to analyze very large volumes of attack traffic and distill it down to the key characteristics that make malicious traffic unique.

: Find the hidden traits that all threats share in common.
Why: Fast detection of bad behavior, no local learning required.
How: Supervised machine learning and deep learning.

Local learning

Local learning identifies what's normal and abnormal in an enterprise's network to reveal attack patterns. The key techniques used are unsupervised machine learning and anomaly detection. Cognito uses unsupervised machine learning models to learn about a specific customer environment, with no direct oversight by a data scientist.

Instead of concentrating on finding and reporting anomalies, Vectra looks for indicators of important phases of an attack or attack techniques, including signs that an attacker is exploring the network, evaluating hosts for attack, and using stolen credentials.

What: Learns normal behavior and finds signs of attack.
Why: Reveals attack patterns that are unique to the network.
How: Unsupervised machine-learning, k-means clustering.

Integrated intelligence

Correlate, score, prioritize

Cognito condenses thousands of events and network traits into a single detection. Using techniques such as event correlation and host scoring, Cognito performs the following:

Correlates all detection events to specific hosts that show signs of threat behaviors.

Automatically scores every detection and host in terms of the threat severity and certainty using the Cognito Threat Certainty Index™.

Tracks each event over time and through every phrase of the cyberattack lifecycle.

Cognito puts special focus on events that may jeopardize key assets inside the network or are of strategic value to an attacker. Devices that exhibit behaviors that cover multiple phases of the cyberattack lifecycle are also prioritized, as shown.

What: Automated scoring of hosts to reveal the overall risk to the network.
Why: Quickly boil down many events to reveal the key elements of an attack.
How: Bayesian networks.