Network Detection and Response (NDR)

Network detection and response (NDR) is a category of security tools that monitor network traffic to detect, investigate, and respond to threats, using behavioral analytics and machine learning to surface activity that endpoint and perimeter defenses miss.

What is NDR?

Network detection and response (NDR) tools analyze traffic across a network to find threats that other controls miss. Instead of relying on agents installed on endpoints, NDR watches the network itself: north-south traffic crossing the perimeter and east-west traffic moving between internal systems. It builds a baseline of normal behavior and flags deviations such as lateral movement, command-and-control activity, data exfiltration, and reconnaissance.

How NDR works

Most NDR tools combine several techniques: signature-based detection (often using engines like Suricata), behavioral analytics, machine learning, and full or selective packet capture for forensics. Many are built on or integrate the open-source Zeek and Suricata projects. Detections are typically mapped to the MITRE ATT&CK framework and fed into a SIEM, EDR, or XDR for correlation and response.
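To make the baseline-and-deviation idea concrete, here is an added example (written for this page, not code from the original or from any NDR product) that runs two behavioral checks over constructed Zeek-style conn.log lines: an east-west fan-out check that flags a host contacting far more internal peers than its baseline (lateral movement or internal reconnaissance), and a north-south regularity check that flags low-jitter periodic connections to one external host:port (command-and-control beaconing). The column list, the RFC 1918 definition of "internal", the per-host baseline counts, the thresholds and all addresses are assumptions for the demonstration.

```python
"""Baseline-and-deviation detection over Zeek-style conn.log records.

Added example, not code from the page or from any NDR vendor. The input is
constructed inline: tab-separated fields modelled on Zeek's conn.log. Real
conn.log files carry more columns; this field list is an assumption.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]

# Assumption: "internal" means RFC 1918 space. Adjust to the monitored estate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed baseline: distinct internal peers each host normally talks to.
BASELINE_FANOUT = {"10.0.0.5": 2, "10.0.0.7": 3}


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn_log(text):
    """Parse tab-separated records, skipping Zeek '#' header lines and
    malformed rows instead of failing on them."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def lateral_movement_candidates(records, baseline, factor=3, min_hosts=5):
    """East-west fan-out: a host reaching many more distinct internal peers
    than its baseline is a lateral-movement / internal-recon candidate."""
    fanout = defaultdict(set)
    for r in records:
        if is_internal(r["orig_h"]) and is_internal(r["resp_h"]):
            fanout[r["orig_h"]].add(r["resp_h"])
    alerts = []
    for host, peers in fanout.items():
        base = baseline.get(host, 1)
        if len(peers) >= min_hosts and len(peers) > factor * base:
            alerts.append((host, len(peers), base))
    return sorted(alerts)


def beaconing_candidates(records, min_conns=6, max_cv=0.1):
    """North-south beaconing: repeated connections from one internal host to
    one external host:port whose inter-arrival gaps have a low coefficient
    of variation (std/mean) look machine-driven rather than human."""
    by_pair = defaultdict(list)
    for r in records:
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            by_pair[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r["ts"])
    alerts = []
    for key, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            alerts.append((key, round(avg, 1), round(cv, 3)))
    return alerts


def _line(ts, orig, oport, resp, rport, service="-", state="SF"):
    return "\t".join([f"{ts:.6f}", f"C{int(ts)}", orig, str(oport), resp,
                      str(rport), "tcp", service, "0.5", "120", "340", state])


def build_sample_log():
    """Constructed conn.log: one internal SMB sweep, one regular external
    beacon, plus ordinary traffic from a second host."""
    lines = ["#fields\t" + "\t".join(FIELDS)]
    for i, host in enumerate(range(10, 21)):  # 10.0.0.5 sweeps 11 hosts on 445
        lines.append(_line(900 + i, "10.0.0.5", 51000 + i, f"10.0.0.{host}", 445, state="S0"))
    lines.append(_line(905, "10.0.0.7", 52000, "10.0.0.8", 445))      # normal
    lines.append(_line(906, "10.0.0.7", 52001, "10.0.0.9", 3389))     # normal
    for ts in (1000, 1301, 1599, 1900, 2202, 2500):  # ~300 s beacon, small jitter
        lines.append(_line(ts, "10.0.0.5", 53000, "203.0.113.10", 443, service="ssl"))
    for ts in (1000, 1050, 1400, 1410, 2200, 3000):  # irregular browsing
        lines.append(_line(ts, "10.0.0.7", 54000, "198.51.100.20", 443, service="ssl"))
    return "\n".join(lines)


def run_detections(text=None, baseline=BASELINE_FANOUT):
    records = parse_conn_log(build_sample_log() if text is None else text)
    return {"lateral": lateral_movement_candidates(records, baseline),
            "beacons": beaconing_candidates(records)}


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        for hit in hits:
            print(kind, hit)
```

Running it flags 10.0.0.5 twice: once for touching eleven internal hosts against a baseline of two, and once for the near-perfectly periodic TLS connections to 203.0.113.10. The browsing host 10.0.0.7 stays quiet on both checks, which is the point of a baseline: the same volume of traffic is benign from one host and suspicious from another. Production NDR engines do the same thing with richer features (JA3/JA4, DNS, certificate metadata) and learned rather than hard-coded baselines.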

NDR vs EDR vs XDR

EDR (endpoint detection and response) watches endpoints; NDR watches the network; XDR (extended detection and response) correlates signals across endpoint, network, identity, and cloud. The three are complementary, and many organizations run NDR alongside EDR to cover traffic from unmanaged or agentless devices.

NDR tools to compare

NDR tools and vendors include Corelight, Darktrace, Vectra AI, ExtraHop, Stamus Networks, Arista NDR, and Fidelis. Compare their capabilities, deployment options, and sources in the directory.
