What is NDR?
Network Detection and Response (NDR) is a security platform that passively monitors network traffic using machine learning and behavioral analysis to detect threats that evade perimeter controls, providing visibility into east-west (internal) traffic and encrypted communications.
Definition
- NDR
- Network Detection and Response (NDR) is a security platform that passively monitors network traffic using machine learning and behavioral analysis to detect threats that evade perimeter controls, providing visibility into east-west (internal) traffic and encrypted communications.
How NDR Works
NDR platforms collect full packet captures or flow records (NetFlow, IPFIX) from network sensors and apply ML models to establish normal communication baselines for every device, user, and application. Anomalies (unexpected protocols, unusual data volumes, new internal connections, connections to rare external destinations) surface as alerts without relying on signatures. This makes NDR effective against novel malware and living-off-the-land attacks that evade endpoint detection.
NDR provides the east-west visibility gap that firewalls miss. Firewalls focus on north-south perimeter traffic. When an attacker moves laterally between internal servers using SMB or WMI, NDR detects the behavioral deviation even without a specific exploit signature. Leading vendors include Darktrace, Vectra AI, ExtraHop, and Cisco Stealthwatch.
NDR integrates with XDR and SIEM to add network context to endpoint and log-based detections. The combination of NDR + EDR + SIEM provides detection coverage across all major attack vectors.
NDR in SOC Operations
NDR is particularly valuable for detecting C2 beaconing and lateral movement, two attack phases that are difficult to catch with signature-based tools alone. You use NDR dashboards to visualize network communication graphs and spot unusual peer-to-peer connections between hosts that should not be talking. NDR's ML-generated device profiles also help you scope incidents quickly by showing all hosts a compromised endpoint communicated with.
Practice NDR in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating ndr scenarios with zero consequences — free forever.
Related Terms
Extended Detection and Response (XDR) is a security platform that unifies telemetry from endpoints, ...
An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious...
Lateral movement is the attack phase where adversaries expand access from an initial foothold to add...
Command and Control (C2) refers to the infrastructure and communication channels adversaries use to ...
Security Information and Event Management (SIEM) is a platform that aggregates, normalizes, and corr...
More Tools Terms
Related SOC Training Resources
SOC Analyst (Tier 1) Career Guide — Salary & Skills
Tier 1 SOC Analysts are the front line. You monitor alert queues, triage incoming detections, classify them as true or f…
Read more Career PathSOC Analyst (Tier 2) Career Guide — Salary & Skills
Tier 2 SOC Analysts handle the investigations that Tier 1 escalates. You dig into multi-stage attacks, coordinate contai…
Read more Career PathSecurity Engineer Career Guide — Salary & Skills
Security Engineers build and maintain the infrastructure that SOC analysts depend on. You deploy SIEMs, configure firewa…
Read more ComparisonSOCSimulator vs LetsDefend — Comparison
SOCSimulator wins on operational realism. You get multi-tool shift simulation with SLA pressure, noise injection, and al…
Read more ComparisonSOCSimulator vs TryHackMe — Comparison
SOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…
Read more ComparisonSOCSimulator vs Hack The Box — Comparison
Different tools for different career paths. SOCSimulator trains defensive analysts. Hack The Box trains offensive securi…
Read more ToolSIEM Training Console — SOCSimulator
The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ToolXDR Training Console — SOCSimulator
The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more TechniqueMITRE ATT&CK Techniques — Detection Training Library
Browse all MITRE ATT&CK techniques with detection strategies and example alerts.
Read more Career PathCybersecurity Career Paths — 2026 Guide
Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.
Read more PlaybookSOC Investigation Playbooks — Step-by-Step Guides
Practitioner investigation playbooks with decision trees and real SIEM queries.
Read more FeatureShift Mode — Real-Time SOC Simulation
Practice alert triage under realistic time pressure with SLA timers and noise injection.
Read more