Respond to the earliest signs of an attack


Take action early and often
Gartner-validated approach to identifying behaviors in the early stages of an attack like command-and-control and reconnaissance behaviors found in today’s compromises.

Add efficiency to your security workflow
Vectra customers achieved a 34X workload reduction for Tier-1 SOC analysts in detection, triage, correlation and prioritization of security incidents.This enables security operations teams to focus on compromised devices that pose the highest risk.

“This solution excels at rolling up numerous alerts to create a single incident to investigate that describes a chain of related activities, rather than isolated alerts that an analyst then has to piece together.”
Gartner Research


Protect against the compromise of privileged accounts


Identify privileged accounts, hosts and services
The Cognito platform uses AI to continuously monitor the behaviors of users, hosts and services in your network, cloud or SaaS applications. By observing how access is being used, rather than how privilege is assigned you gain complete visibility into the privileged assets that attackers target in your network, and can detect internal threats such as rouge admins.

Anticipate attacks in progress
Look at interactions between privileged accounts, hosts and services to identify:

  • Attackers who use stolen accounts to access a host
  • Internal users who maliciously access services
  • Unusual accounts that access hosts and services
  • Opportunistic attackers who access hosts
  • Opportunistic attackers who make brute-force attempts to access services

The Cognito network detection and response platform dynamically adjusts risk scores as attacks unfold and automatically integrates privileged analytics into incident rollups.


Identify theft of intellectual property and confidential data


Identifying data access and theft
The Cognito platform implements a suite of detection algorithms that identify hidden attackers who gain access to critical resources. This often indicates that operational disruption or data exfiltration is imminent.

To identify these malicious behaviors, supervised and unsupervised machine detection algorithms identify the early tell-tale signs of attack, including:

  • An internal host acquires large amounts of data from one or more internal servers and subsequently sends it to an external system
  • An internal host communicates with outside IPs using DNS, HTTP or HTTPS. This indicates a hidden tunnel that uses multiple sessions over longer periods of time while mimicking normal traffic
  • A host transmits unusually large volumes of data to destinations that are not considered normal for the network
  • An internal host sends data to another internal host that acts as a relay, which indicates an attempt to obfuscate communication with the external system


Secure cloud workloads and critical assets


Extend AI-driven cyberattacker detection and threat hunting to IaaS workloads.

  • Extend AI-driven cyberattacker detection and threat hunting to multicloud, infrastructure-as-a-service (IaaS) deployments
  • Advanced agentless architecture reduces the complexity and risk of security gaps and blind spots in the cloud
  • Track all stages of an attack and correlate detections between hybrid and multicloud components
  • Dramatically increase threat-hunting efficiency by feeding Zeek-formatted security-enriched metadata to data lakes and SIEMs

Vectra goes cloud native with Amazon Web Services

The network threat detection and response platform from Vectra secures AWS deployments across hybrid and multicloud architectures
Learn more

Cognito goes native with the Azure Virtual TAP

Learn more

Intelligence-driven threat hunting


Hunt using security-enriched network metadata
Whether sourced from an analyst’s daily workflow or open source intelligence, the first step in threat hunting is to make sure that the attributes necessary to answer investigative queries are readily available.

This is precisely why Vectra uses AI engines to extract security insights that are embedded in our metadata. Notable security enrichments include beaconing activity, domain rarity and privilege level of relevant entities.

Security-enriched network metadata is fed directly to data lakes and SIEMs. Or dive deep into the metadata using Cognito Recall, Vectra’s investigative workbench optimized for threat hunting, incident analysis and sub-second searches at scale.


The right data to build effective security models


Build security models on machine-learning building blocks

  • The Cognito platform enables security analysts to build customized models to monitor and detect any type of malicious behavior, including suspicious and emerging threats, compliance violations and internal misuse or industry-specific attack vectors.
  • Security insights and machine-learning building blocks embedded in Cognito metadata combine with other security attributes to create powerful custom models as well as detections that correlate with a specific host and user account.
  • Security-enriched network metadata can be fed directly to data lakes and SIEMs. Or use the Cognito Recall investigative workbench for threat hunting, incident analysis and sub-second searches at scale.


Identify policy violations and meet compliance mandates


Gain visibility into security and compliance gaps

  • Categorize compliance holes to meet requirements for regulations that include National Institute of Standards and Technology (NIST), General Data Protection Regulation (GDPR), MITRE ATT&CK framework and PCI compliance
  • SMB exposed to the internet - SMB has many known vulnerabilities, including exploits that enable the spread of ransomware
  • Identify SMBv1 activity - From anonymous NTLM logins to man-in-the-middle to EternalBlue, SMBv1 opens a broad spectrum of attacker exploits
  • Identify TLS 1.0/1.1 activity - No longer PCI DSS compliant, TLS 1.0/1.1 is being deprecated by major vendors due to security vulnerabilities
  • Telnet and unencrypted FTP - Telnet and FTP are unsecure protocols, can be used to pass credentials in the clear, and are vulnerable to sniffing attacks