What is Network Detection and Response?

Network Detection and Response (NDR) is a burgeoning field of cybersecurity that enables organizations to monitor network traffic for malicious actors and suspicious behavior, and react and respond to the detection of cyber threats to the network. The rise of NDR systems reflects the growing number of systemwide attacks by criminal actors ranging from hackers to nation-states.
Gartner established the NDR solution category in 2020, renaming what it previously called “network traffic analysis.” The evolution of the category underscores the growing importance of response capabilities, which can include automatic responses such as sending commands to a firewall so it drops suspicious traffic, or manual responses such as threat hunting and incident response.

Behavioral analytics for Network Detection and Response

Advanced network detection leverages machine learning, expert analysis, and threat sharing so you can see rated unknown threats faster, accelerating triage and response. See how in one minute.

How did Network Detection and Response evolve?

Monitoring network traffic is not a new practice. In the beginning, network metadata was captured to analyze network performance characteristics. Is our network running okay? But as data volumes soared, many organizations were unable to harness network activity, leaving it as an untapped resource for cyber defense.

Eventually, computing power caught up, giving companies network traffic visibility and behavioral analysis detection methods for computer security – technology first called network traffic analysis (NTA). And while NTA remains a fixture in enterprise security operations centers (SOCs), the market category has evolved and broadened to network detection and response. Organizations increasingly value the response capabilities in NDR solutions to address threats detected by network traffic analysis tools, which focus mainly on detection only and mostly on basic variations of known threats.

Today, increasingly sophisticated behavioral analytics, machine learning, and artificial intelligence (AI) applied to cloud, virtual, and on-premises networks form the backbone of NDR solutions. By harnessing these technologies, NDR vendors have enabled organizations to improve detection capabilities, determine the confidence and risk level of a threat, and increasingly automate manual tasks performed by analysts, such as the acquisition of relevant third-party contextual telemetry information and the application of standardized investigative playbooks to further prioritize threats by risk, thereby enabling analysts to focus strategically on triage and rapid response. By analyzing network behavior using machine learning models, advanced NDR tools can detect threats ranging from sophisticated evasion methods, or “known unknown” cyber threats, to brand-new zero-day threats, or “unknown unknowns.”

To learn more:

See our response to Gartner's shift to Network Detection and Response


Network detection and response tools can detect threats that slip past endpoint detection tools and firewalls.

What network detection means to Thomson Reuters

Richard Puckett, VP of Security Operations, Strategy and Architecture at Thomson Reuters, shares how the move to a cloud-first strategy requires behavioral analytics to detect evolving threats.

Why do I need Network Detection and Response?

One common misconception is that Security Information & Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions sufficiently protect the enterprise. These tools are a good start. But with the widespread adoption of IoT, cloud computing, and digital transformation, networks have become an increasingly valuable target for sophisticated adversaries – making NDR solutions an indispensable tool within the SOC Visibility Triad for threat detection.

Stay ahead of cyber criminals

Attackers now have widespread access to what were previously nation-state level tools designed to evade specific security tools. NDR solutions provide an extra layer of security against both sophisticated network attacks and highly organized threat actors.

The truth is in the traffic

Network traffic is massive and pervasive. The sheer amount of network metadata, protocol logs, and network artifacts makes it extremely difficult, if not nearly impossible, for an adversary to hide their activities across or disable an entire network.

Move beyond logs and endpoint security

SIEMs have blind spots, and endpoint detection capabilities can be evaded or disabled by a determined adversary. Both SIEM and endpoint tools struggle to detect adversary activity that is not specifically malware-based, such as lateral movement using stolen credentials.

Protect your IoT devices

Many IoT devices are too tiny (like your internet-connected thermostat), too many to manage at scale (think every device that has an IP address), or too old (in the case of manufacturing systems) to run endpoint security software or analytics. NDR enables organizations to protect these devices by analyzing their network activity without the overhead of having to manage individual device software.

Get fewer alerts

With NDR systems, after a threat is detected, rules are applied to the analytic result to contextualize it with knowledge of the organization and its threat landscape. This approach further adjusts the initial risk score of an alert by determining whether the alert is indeed a high priority or whether it can be downgraded in severity based on contextual enrichment.

Bolster your overall defense

High-maturity clients use NDR and other network-based technologies as one of the layers in their SOCs, alongside endpoint-, log- and cloud-based technologies for threat visibility. For this reason, NDR solutions have earned a place on Gartner’s SOC Visibility Triad.

How does Network Detection and Response work?

Each NDR solution is unique. But here’s a quick look at common tools and techniques.

Machine learning

Machine learning leverages machine computing power to analyze large sets of data in order to make more accurate predictions. With NDR solutions, machine learning models can detect “unknown unknown” threats to your network using behavioral analytics. Machine learning algorithms can see cyber threats coming around the corner (e.g., ports suddenly being used that have never been used before), in turn enabling more rapid triage and mitigation. Machine learning models are also used to continually reweigh prioritization of potential threats based on real-world outcomes.

Deep learning

Deep learning is a powerful form of machine learning that uses artificial neural networks to enhance NDR capabilities. At IronNet, we use deep learning but constrain its use to only the NDR applications that are well-suited to the training data requirements and interpretability challenges of deep learning models.

Statistical analysis

Statistical analysis is a useful behavioral technique that is sometimes marketed as “AI” by a handful of NDR providers. It can range from simple outlier analysis (e.g., which URL has not been seen in this group of devices) to basic Bayesian analysis of network traffic patterns to other statistical methods. Commonly there is an element of sampling to determine a baseline, which is then used to identify activity that deviates from normal traffic usage, allowing SOCs to model normal network traffic and highlight suspicious traffic that falls outside the normal range.
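The baseline-and-outlier approach described above, followed by the contextual risk-score adjustment described under "Get fewer alerts", as an added example that is not IronNet's code or any vendor's implementation. The flow tuple layout, the score weights, the z-score limit, and all domains and device names are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed baseline sample: (device_group, device, dest_domain, bytes_out).
BASELINE = [("hvac", f"thermo-{i % 3}", "updates.vendor.example", 1000 + 50 * (i % 5))
            for i in range(30)]

def build_baseline(flows):
    """Per device group: domains seen and per-flow outbound byte counts."""
    base = defaultdict(lambda: {"domains": set(), "bytes": []})
    for group, _device, domain, nbytes in flows:
        base[group]["domains"].add(domain)
        base[group]["bytes"].append(nbytes)
    return base

def robust_z(value, sample):
    """Distance from the median in MAD units, so a few large flows do not skew it."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample) or 1.0
    return (value - med) / (1.4826 * mad)

def detect(flow, base, z_limit=6.0):
    """Initial (score, reasons) for one flow; weights and z_limit are assumed values."""
    group, _device, domain, nbytes = flow
    profile = base.get(group)
    if profile is None:
        return 50, ["no baseline for group"]
    score, reasons = 0, []
    if domain not in profile["domains"]:
        score += 40
        reasons.append("domain new to group")
    if robust_z(nbytes, profile["bytes"]) > z_limit:
        score += 40
        reasons.append("outbound volume above baseline")
    return score, reasons

def enrich(score, flow, sanctioned, critical_groups):
    """Contextual rules: downgrade sanctioned destinations, upgrade critical assets."""
    group, _device, domain, _nbytes = flow
    if domain in sanctioned:
        score -= 30
    if group in critical_groups and score > 0:
        score += 20
    return max(0, min(100, score))

if __name__ == "__main__":
    base = build_baseline(BASELINE)
    flow = ("hvac", "thermo-2", "files.unknown.example", 250000)  # constructed flow
    score, reasons = detect(flow, base)
    print(score, reasons, enrich(score, flow, set(), {"hvac"}))
```

The median/MAD score is used instead of mean and standard deviation so that a handful of unusually large flows in the sampling window does not inflate the baseline and mask later outliers.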


Heuristic analysis

Heuristic analysis detects threats by analyzing data for suspicious properties. In NDR solutions, heuristics extend the power of signature-based detection methods to look beyond known threats and spot suspicious characteristics found in unknown threats and modified versions of existing threats. Some network sandbox vendors position analysis of file-based malware as a variation of network behavioral analysis.

Threat Intelligence Feeds

Threat intelligence feeds are data streams containing information on previously identified cyber threats. Threat intelligence, if timely and actionable, can assist NDR solutions in identifying known threats or providing additional contextualization for prioritization of a detected network anomaly by risk. The limitation of threat intel feeds is the need to actively procure, manage, and curate threat intel so that the information is relevant and timely to the enterprise, which can be beyond the scope of all but the most security mature enterprises.


Signature-based detection

Signature-based detection methods use a unique indicator of compromise (IOC) identifier about a known threat to identify that threat in the future. Signatures were effective a generation ago, but the process of using unique identifiers to guard against known threats has become increasingly ineffective in a world where custom malware, malware toolkits, and non-malware-based attacks such as credential replay are the norm. Furthermore, nearly three quarters of all network traffic today is encrypted, part of an upward trend that’s rendering signature-based tools ineffective by preventing the content inspection required to match certain categories of IOCs.

To learn more:

“Signature-based cybersecurity solutions are unlikely to deliver the requisite performance to detect new attack vectors. In fact, our data shows that 61% of organizations acknowledge that they will not be able to identify critical threats without AI.”
See Capgemini Report
White Paper

Does AI strengthen Network Detection and Response? Discover for yourself in our “AI: Hype or High Priority”?

How do I integrate Network Detection and Response?

As with any cutting-edge security tool, NDR solutions are not deployed in isolation and often complement existing solutions already in place. Here’s how NDR solutions integrate with common systems.

With your enterprise network

NDR solutions are engineered to introduce minimal friction into SOCs while still providing network threat detection. NDRs leverage sensors that are deployed off a SPAN or TAP port to passively monitor network traffic.

With your SIEM

Integration with SIEMs allows SOCs to seamlessly add NDR solutions to existing workflows. Why is this useful? Most organizations leverage their SIEMs as the central aggregation point for alerts related to malicious activity. A native integration, delivered as a downloadable app for their preferred SIEM, is often the preferred method for SOC teams to investigate, confirm, and respond to those alerts. This allows the full visibility of the NDR to work within your SOC team’s workflow while allowing them to pivot into the NDR as needed for deeper analysis.

With your SOAR

Many NDR integrations occur within large enterprises with mature SOCs that prefer to leverage their own playbooks and workflows for response. Consequently, the focus of NDR vendors is to provide integrations with market leaders in SOAR tools such as Splunk, Palo Alto XSOAR (Demisto), and Swimlane.

With your workloads in public or private cloud providers

As organizations move data and workloads to the cloud, NDR vendors are integrating with public cloud providers like Google and Amazon Web Services to enable NDR capabilities across cloud and hybrid cloud environments. Cloud integrations or private cloud environments should include the ability to monitor network traffic in their respective domain and not just deploy in a particular cloud or virtual network provider.

To learn more:

Discover IronNet integrations with existing technology tools


See how IronDefense NDR integrates with Splunk and Splunk Phantom

What is IronNet Network Detection and Response?

IronDefense is a leading NDR solution that uses a combination of behavioral detection techniques – including machine learning and deep learning – plus statistical analysis and heuristic techniques to detect suspicious traffic. For response, IronDefense has strong manual hunt capabilities, enabling threat hunters to investigate across network flow data and pull packet capture on any flow. IronDefense’s AI-powered Expert System prioritizes threats and provides contextual information for incident responders.