What is NDR?
Network Detection and Response (NDR) is a security technology that continuously monitors and analyzes network traffic to identify suspicious activity that endpoint or log-based tools may miss. Rather than watching individual devices, it treats the network itself as the source of truth, looking at how systems communicate with each other. The category was formally defined by Gartner in 2020 and has become a core part of modern security operations as networks fill with cloud, remote, and connected devices.
What kinds of threats does NDR catch?
- Lateral movement: Attackers spreading from their first foothold create internal traffic patterns that the network view can see even when individual hosts cannot.
- Command and control: Recurring beaconing to an attacker’s server stands out as an anomaly in network behavior.
- Data exfiltration: Unusual outbound transfers or large volumes going to new destinations are flagged against a normal baseline.
- Reconnaissance and insider activity: Internal scanning and credential abuse are noisy on the network even when they are quiet on the host.
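The beaconing and exfiltration cases above come down to statistics on flow metadata rather than packet payloads. The following is an added example (not from the original page or any NDR product) that runs two such checks over constructed flow records: near-constant inter-connection gaps as the timing signature of command-and-control beaconing, and outbound volume to an unseen destination measured against a learned per-host baseline. The flow tuples, baseline figures, known-destination set and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, src, dst, bytes_out).
# 10.0.0.5 contacts 203.0.113.9 every ~60 s: a beaconing pattern.
# 10.0.0.8 talks to 198.51.100.2 at irregular, human-like intervals.
# 10.0.0.7 pushes 900 MB to a never-seen destination: possible exfiltration.
FLOWS = [(t, "10.0.0.5", "203.0.113.9", 420) for t in (0, 61, 120, 181, 240, 299, 360)]
FLOWS += [(t, "10.0.0.8", "198.51.100.2", 15_000) for t in (5, 70, 800, 1300, 1310, 2400)]
FLOWS += [(100, "10.0.0.7", "192.0.2.44", 900_000_000)]
FLOWS += [(t, "10.0.0.7", "10.0.0.20", 50_000) for t in (20, 150, 400)]

# Per-source daily outbound baseline (bytes) and the destinations each host has
# historically used, as an NDR would learn from past traffic (constructed values).
BASELINE = {"10.0.0.5": 2_000_000, "10.0.0.7": 50_000_000, "10.0.0.8": 80_000_000}
KNOWN_DESTS = {"10.0.0.20", "198.51.100.2"}


def find_beacons(flows, min_count=5, max_cv=0.05):
    """Return (src, dst) pairs whose connection gaps are nearly constant.
    A low coefficient of variation (stdev / mean) of the inter-arrival gaps is
    the timing signature of automated check-ins; user traffic is far burstier."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:  # too few samples to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return hits


def find_exfil(flows, baseline, known_dests, factor=0.5):
    """Return (src, dst, bytes) for new destinations that alone received more
    than `factor` of the source host's daily baseline. A host with no learned
    baseline gets 0, so any volume to a new destination is surfaced."""
    sent = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if dst not in known_dests:
            sent[(src, dst)] += nbytes
    return [(src, dst, n) for (src, dst), n in sent.items()
            if n > factor * baseline.get(src, 0)]


if __name__ == "__main__":
    print("beaconing:", find_beacons(FLOWS))
    print("exfiltration:", find_exfil(FLOWS, BASELINE, KNOWN_DESTS))
```

Real deployments tune `min_count`, `max_cv` and `factor` per environment and add jitter-tolerant variants, since the regular-interval check alone is easy to blunt.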
Why monitor the network and not just devices?
- Covers blind spots: Unmanaged, IoT, and guest devices often cannot run endpoint agents, but they are still visible to NDR because they communicate over the network.
- Resilient to evasion: If an attacker disables an endpoint agent or deletes logs, network traffic still reveals their activity.
- Sees encrypted threats: Modern NDR reads connection behavior and traffic patterns rather than payload content, so it can flag suspicious activity even when the traffic is encrypted.
How does NDR fit with EDR, SIEM, and MDR?
- Complements EDR and SIEM: NDR is the network leg of the visibility triad, working alongside endpoint (EDR) and log (SIEM) data rather than replacing them.
- Feeds XDR and MDR: Its network telemetry is frequently combined with endpoint and log data in an XDR platform or an MDR service to give complete, end-to-end coverage.