No need to cover IaaS or SaaS components: Gartner has made this decision for its inaugural Magic Quadrant of Network Detection and Response (NDR) solutions.
Several capabilities were treated as optional rather than required: metadata enrichment, native integration with Endpoint Detection and Response (EDR), the ability to use the vendor's console as an alternative to a Security Information and Event Management (SIEM) system, and keeping false-positive rates low after the initial configuration.
Functionally, providers were expected to offer, in broad strokes:
- Sensors (physical or virtual) that analyze packet data or network flows, deployable in cloud or on-premise, capable of monitoring both north-south traffic (between internal and external networks) and east-west traffic (within internal segments)
- Traditional detection methods (such as IDPS, heuristic analysis, etc.) alongside behavioral detection mechanisms
- Aggregation of alerts into incident reports
- Automation features for incident response, either directly or through integration with other security tools
- Detection capabilities leveraging internal and external threat intelligence feeds
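To make the capability list above concrete, here is a small, constructed illustration (added for this page, not code from Gartner or from any of the vendors named) of how those pieces fit together in an NDR pipeline: flow records are classified as north-south or east-west, checked against a signature rule and a threat-intelligence feed, compared with a per-host behavioural baseline, and the resulting alerts are aggregated into per-host incidents. The address ranges, the indicator in the feed, the flow records and the 3-sigma threshold are all assumptions chosen for the example.

```python
"""Toy NDR pipeline (constructed example, not any vendor's code): flow ingestion,
north-south / east-west classification, signature and threat-intel detection,
a behavioural baseline per host, and aggregation of alerts into incidents."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address space (RFC 1918 private ranges).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed threat-intelligence feed: indicator -> description.
THREAT_INTEL = {"203.0.113.77": "known C2 host (constructed indicator)"}

# Constructed signature: cleartext admin services that should never be
# reached from outside the internal ranges.
SIGNATURE_PORTS = {23: "telnet", 445: "smb"}


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass
class Alert:
    host: str
    kind: str
    detail: str


@dataclass
class Incident:
    host: str
    alerts: list = field(default_factory=list)


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """East-west when both endpoints are internal, otherwise north-south."""
    return "east-west" if is_internal(flow.src) and is_internal(flow.dst) else "north-south"


def detect(flows):
    """Run the intel, signature and behavioural checks over flows in time order."""
    alerts = []
    history = defaultdict(list)  # per-source host, outbound byte counts seen so far
    for f in flows:
        d = direction(f)
        # 1. External threat-intelligence feed: destination matches an indicator.
        if f.dst in THREAT_INTEL:
            alerts.append(Alert(f.src, "threat-intel", f"{f.dst}: {THREAT_INTEL[f.dst]}"))
        # 2. Traditional signature: inbound north-south traffic to a cleartext admin port.
        if d == "north-south" and f.dport in SIGNATURE_PORTS and not is_internal(f.src):
            alerts.append(Alert(f.dst, "signature", f"inbound {SIGNATURE_PORTS[f.dport]} from {f.src}"))
        # 3. Behavioural baseline: volume more than 3 sigma above the host's own history
        #    (needs a few prior flows so the baseline is not a single data point).
        past = history[f.src]
        if len(past) >= 3:
            mu, sigma = mean(past), pstdev(past)
            if f.bytes_out > mu + 3 * max(sigma, 1):
                alerts.append(Alert(f.src, "behavioural",
                                    f"{f.bytes_out} bytes to {f.dst} vs baseline {mu:.0f}"))
        past.append(f.bytes_out)
    return alerts


def aggregate(alerts):
    """Group alerts by affected host into incidents, preserving first-seen order."""
    incidents = {}
    for a in alerts:
        incidents.setdefault(a.host, Incident(a.host)).alerts.append(a)
    return list(incidents.values())


# Constructed flow records: a normal east-west baseline for 10.0.0.5, one inbound
# telnet attempt from the internet, then a small and a very large upload to the
# intel-listed host.
SAMPLE_FLOWS = [
    Flow(1, "10.0.0.5", "10.0.0.9", 443, 1200),
    Flow(2, "10.0.0.5", "10.0.0.9", 443, 1100),
    Flow(3, "10.0.0.5", "10.0.0.9", 443, 1300),
    Flow(4, "10.0.0.5", "10.0.0.9", 443, 1250),
    Flow(5, "198.51.100.4", "10.0.0.9", 23, 300),
    Flow(6, "10.0.0.5", "203.0.113.77", 443, 900),
    Flow(7, "10.0.0.5", "203.0.113.77", 443, 250000),
]

if __name__ == "__main__":
    for inc in aggregate(detect(SAMPLE_FLOWS)):
        print(f"incident on {inc.host}:")
        for a in inc.alerts:
            print(f"  [{a.kind}] {a.detail}")
```

Run on the sample flows, the pipeline produces two incidents: one on 10.0.0.9 (the inbound telnet signature hit) and one on 10.0.0.5, which collects the two threat-intel matches and the behavioural alert for the 250,000-byte upload. The baseline window in `detect` is where a real product spends its tuning effort; a threshold this simple will fire on any host whose traffic is naturally bursty, which is the "ongoing adjustment" cost the evaluation later attributes to some vendors.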
Additionally, vendors had to offer a standalone (“air-gapped”) version of their NDR solution. They also needed to demonstrate at least 30 deployments with the “big three” cloud infrastructure providers (AWS, Azure, GCP). Moreover, the vendors had to meet at least two of the following three financial or operational thresholds:
- 2024 revenue of at least $30 million from the evaluated product
- By October 31, 2024, support for a minimum of 4 million devices under paid subscription
- By the end of 2024, at least 150 customer organizations, each with 5,000 or more employees
11 Vendors, 4 “Leaders”
The “Execution” axis of the Magic Quadrant reflects a provider’s ability to meet market demand, based on customer experience, pre-sales performance, and product quality. The rankings are as follows:
| Rank | Vendor |
|---|---|
| 1 | Vectra AI |
| 2 | Darktrace |
| 3 | ExtraHop |
| 4 | Corelight |
| 5 | Stellar Cyber |
| 6 | Gatewatcher |
| 7 | NetWitness |
| 8 | Trend Micro |
| 9 | ThreatBook |
| 10 | Arista Networks |
| 11 | Trellix |
Regarding the “Vision” axis, which reflects the strategic direction (sector-specific, geographic, commercial, marketing, product, etc.):
| Rank | Vendor |
|---|---|
| 1 | Vectra AI |
| 2 | Darktrace |
| 3 | Corelight |
| 4 | ExtraHop |
| 5 | Gatewatcher |
| 6 | Trend Micro |
| 7 | Stellar Cyber |
| 8 | ThreatBook |
| 9 | Trellix |
| 10 | Arista Networks |
| 11 | NetWitness |
Four vendors are positioned in the “Leaders” quadrant: Corelight, Darktrace, ExtraHop, and Vectra AI (listed alphabetically). The French company Gatewatcher is categorized as a “Visionary”.
Corelight and its “Outdated” User Interface
Gartner credits Corelight positively for its ability to deliver functionality and updates consistently. Overall, the company’s transition from traditional on-premise Intrusion Detection System (IDS) to a hybrid Network Detection and Response (NDR) that can be deployed with major cloud service providers is viewed favorably. The assessment also praises the range of available sensors (up to 100 Gbps capabilities) and the technology used for packet capture and storage.
However, the UI is criticized as outdated and unintuitive, especially for less experienced analysts. Additionally, there is caution regarding Corelight’s strategic focus, which has historically centered on government sectors, and its limited geographic footprint, with few partners outside the United States for sales and deployment efforts.
Darktrace’s Trend Toward Bundling…
Darktrace’s user interface is praised for being intuitive, complemented by a comprehensive library of detection models. Gartner also notes that all contracts include implementation services, and their “air-gapped” version offers comparable functionality to the connected version. Furthermore, the vendor’s ability to collect and incorporate customer feedback is recognized.
However, managing Darktrace’s NDR can be complex. To reduce false positives, it requires initial tuning and ongoing adjustments. Gartner also highlights the lack of service-level agreements outside the European Union and observes a tendency to sell solutions as bundles, which complicates pricing transparency.
Similarly, ExtraHop…
ExtraHop stands out with several features, including advanced search capabilities, packet storage, decryption options, and an Intrusion Detection System engine. It is also well-suited for various network configurations, supporting sensors up to 100 Gbps alongside an AI-powered assistant based on Generative AI (GenAI).
Nevertheless, Gartner urges caution regarding additional turnover within ExtraHop’s teams since the company became private again in 2021. There is also concern about the limited channel presence outside North America, as well as the tendency for bundling, which may hinder accurate pricing of specific components.
Is It Clearly NDR or XDR? – Potential Confusion with Vectra AI
Vectra AI scores highly for its threat detection capabilities powered by artificial intelligence, along with a “solid” and user-friendly interface. Gartner appreciates their migration program from competing products and their educational resources concerning NDR.
However, Vectra AI has the lowest customer retention rate among the vendors in the quadrant and does not sell directly. There is also concern that buyers may get confused, as the company has historically marketed its solutions as Extended Detection and Response (XDR), raising questions about product differentiation.
Gatewatcher’s Limited Impact Beyond NDR
Gatewatcher is noted for its growing customer base, clear R&D investment strategy, and a market-aligned approach to automation. Its strengths include the ability to develop specialized threat intelligence rulesets tailored to specific sectors and targeting the right buyer profiles.
Gartner points out the absence of a wide partner network in the Americas and limited language support for its customer service, which is primarily in English and French, with all teams based in France. The firm also struggles to effectively communicate its broader value proposition beyond the niche of NDR solutions.
According to Gartner, NDR remains a niche product, mainly targeted at large organizations with mature security programs. Expanding offerings could involve integrations with third-party solutions (like EDR, Identity Providers, Security Service Edge), managed NDR services (ranging from incident notification to threat co-detection), and a focus on operational technology (OT) protocols.