Vectra Cognito vs. ExtraHop Reveal(x)

Not all Network Detection and Response solutions are created equal

“Vectra clearly outperformed ExtraHop. Vectra detected red team activity during the proof-of-concept. That was the first time we ever detected a threat.”

Information security architect
Beauty industry retailer

Get Case Study

Network security has changed

The new network

Today’s network includes cloud, IoT devices, data centers, and the enterprise network.





More detections =
more work

Solutions that claim to provide more detections are merely making more work for security analysts.





Hiding in plain sight

Attackers create use legitimate credentials and use your existing processes to remain hidden. We focus on attacker behavior, not signature or anomaly-based detections.





5 Top Mythbusters: Facts and Realities

1 Threat Detection Requires Decryption

RESET Myth

YES

correct.

Decryption is not necessary.

‍Reality: Vectra detects attackers in encrypted SSL/TLS 1.3 traffic without requiring decryption.

‍Fact: Strong security is possible without decryption. Vectra does not decrypt because it violates privacy laws, slows network performance and increases packet storage costs.

that's a myth.

ExtraHop claims it support SSL/TLS 1.3 decryption while Vectra has no decryption support.

Decryption is not needed to expose attackers.

‍Reality: Strong security is possible without decryption.
‍
Reality: Vectra detects attackers in encrypted SSL/TLS 1.3 traffic (Hidden HTTPS Tunnel) without requiring decryption.
‍
Fact: Vectra does not decrypt because it violates privacy laws, slows network performance and full decryption is impossible.

YES

NO

Fun Fact

ExtraHop requires an endpoint agent to decrypt TLS 1.3. ~70% of enterprise devices cannot run the agent.

2 Throughput measures security efficacy

RESET myth

YES

correct.

Throughput does not mean efficacy.

Reality: Raw throughput is not the governing factor in determining the scale of monitoring. The primary factor is the maximum number of hosts that are continuously monitored for threats.

Fact: Vectra supports 40 Gbps sensor and 55 Gbps of active threat monitoring with the X80 Cognito appliance.

that's a myth.

ExtraHop claims to support 100 Gbps monitoring while Vectra only supports 20 Gbps.

Throughput does not mean efficacy

Reality: Raw throughput is not the governing factor in determining the scale of monitoring. The primary factor is the maximum number of hosts that are continuously monitored for threats.

Fact: Vectra supports 40 Gbps sensor and 55 Gbps of active threat monitoring with the X80 Cognito appliance.

YES

NO

Fun Fact

ExtraHop can only monitor 16,000 hosts a time whereas Vectra can monitor up to 300,000 hosts.
ExtraHop will hit their host cap long before they hit their throughput cap. It’s like having a Formula 1 race car with city traffic laws – just go from red light to red light really fast.

3 The number of protocols monitored is critical

RESET myth

YES

correct.

Threat behavior monitoring and data streams are not synonymous.

Reality: The majority of ExtraHop protocols only collect network performance monitoring metrics and do monitor for hidden attackers.

Fact: Vectra records more than 15 different data streams and monitors for hidden threats in traffic over countless protocols.

that's a myth.

ExtraHop claims to support over 70 protocols while Vectra only supports 10.

Reality: Threat behavior monitoring and data streams are not synonymous.

Reality: The majority of ExtraHop protocols only collect network performance monitoring metrics and do not monitor for hidden attackers.

Fact: Vectra records more than 15 different data streams and monitors for hidden threats in traffic over countless protocols.

YES

NO

Fun Fact

While there are no data streams for FTP, Telnet, Postgres, etc., they are all still monitored for security.

4 ExtraHop has more effective machine learning

RESET QUESTION

YES

correct.

Reality: Vectra is focused on detecting behaviors related to adversarial tactics, techniques and procedures (TTPs).

Fact: Pure anomaly detection produces overwhelming volumes of false-positive alerts that require examination.

Fact: With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

that's a myth.

ExtraHop claims it supports full Layer 2-7 behavioral anomaly detection while Vectra has limited behavioral anomaly detection.

YES

NO

Fun Fact

Vectra has 15 patents surrounding our application of machine learning to threat detection, and 20 patents pending.
We use a combination of supervised and unsupervised machine learning based on the type of data. Some threat detection requires local knowledge (such as remote access trojans) while others don’t (such as C2 traffic).

5 ExtraHop has more scalable cloud monitoring

RESET myth

YES

correct.

Reality: ExtraHop is limited by the number of critical hosts it can monitor. Throughput is not the limiting factor.

Reality: ExtraHop incorporates network context that you must search for manually, whereas Vectra's security insights automatically surface and label hosts and accounts using network metadata.

Fact: Vectra supports 8 Gbps cloud monitoring with an r5n.4xlarge instance type.