Vectra Cognito vs. ExtraHop Reveal(x)
Not all Network Detection and Response solutions are created equal
Show Me Why“Vectra clearly outperformed ExtraHop. Vectra detected red team activity during the proof-of-concept. That was the first time we ever detected a threat.”
Information security architect
Beauty industry retailer
5 Top Mythbusters: Facts and Realities
1
Threat Detection Requires Decryption
YES
correct.
Decryption is not necessary.
Reality: Vectra detects attackers in encrypted SSL/TLS 1.3 traffic without requiring decryption.
Fact: Strong security is possible without decryption. Vectra does not decrypt because it violates privacy laws, slows network performance and increases packet storage costs.
that's a myth.
ExtraHop claims it support SSL/TLS 1.3 decryption while Vectra has no decryption support.
Decryption is not needed to expose attackers.
Reality: Strong security is possible without decryption.
Reality: Vectra detects attackers in encrypted SSL/TLS 1.3 traffic (Hidden HTTPS Tunnel) without requiring decryption.
Fact: Vectra does not decrypt because it violates privacy laws, slows network performance and full decryption is impossible.
YES
NO
Fun Fact
ExtraHop requires an endpoint agent to decrypt TLS 1.3. ~70% of enterprise devices cannot run the agent.
2
Throughput measures security efficacy
YES
correct.
Throughput does not mean efficacy.
Reality: Raw throughput is not the governing factor in determining the scale of monitoring. The primary factor is the maximum number of hosts that are continuously monitored for threats.
Fact: Vectra supports 40 Gbps sensor and 55 Gbps of active threat monitoring with the X80 Cognito appliance.
that's a myth.
ExtraHop claims to support 100 Gbps monitoring while Vectra only supports 20 Gbps.
Throughput does not mean efficacy
Reality: Raw throughput is not the governing factor in determining the scale of monitoring. The primary factor is the maximum number of hosts that are continuously monitored for threats.
Fact: Vectra supports 40 Gbps sensor and 55 Gbps of active threat monitoring with the X80 Cognito appliance.
YES
NO
Fun Fact
- ExtraHop can only monitor 16,000 hosts a time whereas Vectra can monitor up to 300,000 hosts.
- ExtraHop will hit their host cap long before they hit their throughput cap. It’s like having a Formula 1 race car with city traffic laws – just go from red light to red light really fast.
3
The number of protocols monitored is critical
YES
correct.
Threat behavior monitoring and data streams are not synonymous.
Reality: The majority of ExtraHop protocols only collect network performance monitoring metrics and do monitor for hidden attackers.
Fact: Vectra records more than 15 different data streams and monitors for hidden threats in traffic over countless protocols.
that's a myth.
ExtraHop claims to support over 70 protocols while Vectra only supports 10.
Reality: Threat behavior monitoring and data streams are not synonymous.
Reality: The majority of ExtraHop protocols only collect network performance monitoring metrics and do not monitor for hidden attackers.
Fact: Vectra records more than 15 different data streams and monitors for hidden threats in traffic over countless protocols.
YES
NO
Fun Fact
While there are no data streams for FTP, Telnet, Postgres, etc., they are all still monitored for security.
ExtraHop can’t even agree upon how many protocols they support! 70+ in one public collateral and 50 in another.
4
ExtraHop has more effective machine learning
YES
correct.
Reality: Vectra is focused on detecting behaviors related to adversarial tactics, techniques and procedures (TTPs).
Fact: Pure anomaly detection produces overwhelming volumes of false-positive alerts that require examination.
Fact: With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.
that's a myth.
ExtraHop claims it supports full Layer 2-7 behavioral anomaly detection while Vectra has limited behavioral anomaly detection.
Reality: Vectra is focused on detecting behaviors related to adversarial tactics, techniques and procedures (TTPs).
Fact: Pure anomaly detection produces overwhelming volumes of false-positive alerts that require examination.
Fact: With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.
YES
NO
Fun Fact
- Vectra has 15 patents surrounding our application of machine learning to threat detection, and 20 patents pending.
- We use a combination of supervised and unsupervised machine learning based on the type of data. Some threat detection requires local knowledge (such as remote access trojans) while others don’t (such as C2 traffic).
5
ExtraHop has more scalable cloud monitoring
YES
correct.
Reality: ExtraHop is limited by the number of critical hosts it can monitor. Throughput is not the limiting factor.
Fact: Vectra supports 8 Gbps cloud monitoring with an r5n.4xlarge instance type.
that's a myth.
ExtraHop claims it can sustain 25 Gbps cloud monitoring and Vectra only processes 2 Gbps.
Reality: ExtraHop is limited by the number of critical hosts it can monitor. Throughput is not the limiting factor.
Fact: Vectra supports 8 Gbps cloud monitoring with an r5n.4xlarge instance type.
YES
NO
Fun Fact
- ExtraHop can only monitor 16,000 hosts.
- Classification of which hosts are ‘critical’ is a manual process.
Why Vectra
“Vectra detected the threat in minutes and we shut them down.”
Information security architect
Beauty industry retailer
