Chief information Security Officers agree that their organizations are under attack from a greater volume of cyber-attacks than ever before. The almost daily reports of security breaches by cyber attackers is evidence that traditional tools and approaches to cyber security are no longer effective against continually evolving cyber-attacks.

One way of attempting to address this fact has been a switch in recent years away from prevention only to a security strategy that also includes detection. As a result, security professionals adopted detection technologies such as Endpoint Detection & Response (EDR) tools, Security Information and Event Management (SIEM) solutions, and Intrusion Detection systems (IDS).

However, in the face of rapidly evolving cyber-attacks, Endpoint Protection (EPP) and EDR have merged into Endpoint Protection, Detection & Response (EPDR) tools for discovering malicious behavior on desktops, laptops, and servers, while SIEM and IDS were forced to evolve into what can be considered next-generation IDS tools, which saw the emergence of Network Detection and Response (NDR) solutions that are aimed at helping security analysts discover evidence of current or past malicious activity on the network and in the cloud environment.

NDR tools are designed to help organizations detect attackers who have breached traditional security defenses with the aim of remaining undetected within corporate networks for long periods of time with the objective of evaluating security systems, stealing intellectual property, and cataloging data assets in preparation for ransomware attacks.

NDR tools should be seen as complementary to EPDR tools because they cover different IT environments and together will provide comprehensive malicious activity detection coverage of the typical modern IT estate across devices, on-prem, cloud, operational technology, industrial control systems, and industrial IoT (internet of things) devices.

Ransomware attacks are currently one of the most dangerous cyber-attacks because of their potential to disrupt normal business operations, but recent attacks have shown that attackers are increasingly gaining access to the networks of targeted organizations months in advance for surveillance purposes.

By establishing a presence on the targeted networks, attackers are able to identify what data assets to target in a ransomware attack, what data assets to copy and potentially threaten to leak to extort a second ransom payment, and to ascertain what kind of a ransom the organization is likely to pay.

A key differentiator for NDR solutions is the use of machine learning (ML) and even deep learning (DL) algorithms to identify anomalous traffic patterns, identify lateral movement and other malicious activity, and encrypted traffic analysis.

KuppingerCole Analysts believe that the future of NDR will be XDR, which is NDR + EPDR + User Behavioral Analysis (UBA) + Distributed Deception Platforms (DDP) + Cloud Workload Protection Platforms (CWPP).

However, this is likely to be only in the next five years. In the meantime, NDR could be a valuable addition to the cyber defender’s arsenal to provide comprehensive malicious activity detection across all data assets, and is also increasingly available as managed service for those organizations unable to deploy and maintain their own NDR capability.

Endpoint Protection Detection & Response (EPDR) agents are a must for every computing device that can run them. However, sometimes they may not catch every piece of malicious code. There are several reasons why NDR is a needed complement to EPDR and other security solutions

— John Tolbert, Lead Analyst at KuppingerCole

Because we understand the importance of network detection and response, and because we are committed to helping your business succeed, KuppingerCole has a wide range of content available in a variety of formats.


For a detailed analysis of NDR capabilities, an overview of the NDR market, and an examination of the innovative approaches to providing NDR solutions, have a look at the newly published Leadership Compass on Network Detection & Response, which will help you to find the solution that best meets your needs.

If you are considering investing in NDR technology, have a look at the Buyer’s Compass for Buyer's Compass Network Detection & Response (NDR).

However, if you are still undecided about whether or not your organization would benefit from an NDR solution, have a look at this Leadership Brief entitled: Do I Need Network Threat Detection & Response?

For a wider perspective on detection technologies and EPDR as a complementary technology set to NDR, have a look at this Market Compass for Endpoint Protection, Detection, and Response.

As mentioned above, the focus of security professionals in recent years has broadened to include detection capabilities. For more on how detection fits in to an effective response capability, have a look at this Leadership brief on Incident response management.

This Leadership Brief on The Information Protection Life Cycle and Framework explains how NDR support the detection phase of the IPLC.


If you would like to listen to what our analysts have to say about NDS in the context of detection and response, listen to the analyst chats on Network (Threat) Detection and Response, Protecting OT and ICS, and What (and why) is XDR?


For more information on XDR, have a look at the blog posts examining What is XDR?, which links NDR to EPDR and XDR and SOAR, and Attack Surface Reduction and XDR.


KuppingerCole analysts have participated in a number of webinars that tough on NDR and related topics. Have a look at the list below and choose the topics that are most relevant to your needs:

Tech Investment

In addition to the Leadership and Market Compass reports mentioned above, organizations investing in technologies to improve their detection and response capabilities can have a look at some of the related technology solutions that we have evaluated: