How does ExtraHop Reveal(x) security analytics compare to Darktrace Enterprise Immune System?

| Category | Feature | ExtraHop Reveal(x) | Darktrace |
|---|---|---|---|
| Data Sources | Wire Data | | |
| | Packet Headers (L2-L4) | | |
| Protocol Decoders | | 40 | 5 |
| Analytics | Machine Learning | Cloud-Based | On-Prem |
| Decryption | | SSL/TLS | None |
| Behavioral Analytics | | | |
| Critical Asset Prioritization | | | |
| Metrics | | 4000 | 400 |
| Investigation Capabilities | Anomaly Correlation | ML-Driven | Manual |
| Transaction Indexing | | | |
| Forensics | | Continuous Packet Capture | Reactive Packet Capture |
| Scalability | Throughput | 100Gbps Sustained | 6Gbps Unsustained |
| Deployment Options | On Premises (Hardware, Virtual) | | |
| | Cloud | | |
| Extensibility | REST API | | |
| Integration Partners | | 30+ | <5 |
| Custom Metrics | | | |
| Custom Dashboards | | | |
Why These Differences Matter
Analytics At Scale, Immediately
Reveal(x) analyzes data at a sustained 100Gbps per appliance, automatically discovering and classifying all endpoints and transactions in real time so you'll start receiving useful insights as soon as you plug in. Darktrace caps out at 6Gbps per appliance and requires human analysts to build out reports, so the first 3-4 weeks of your deployment delivers zero value.
Limited scalability for Darktrace means that even if you pay for six times more hardware and associated management costs, Darktrace will still provide less timely, less thorough information than you'd get from one Reveal(x) appliance.




See Inside Encrypted Traffic
ExtraHop decrypts SSL/TLS at line rate, including Perfect Forward Secrecy (PFS) implementations. Darktrace offers zero decryption capabilities, leaving the majority of network traffic completely opaque—so insiders and attackers can roam freely and exfiltrate data unseen.
70% of cyber attacks will use encryption in 2019 (Cisco). Encryption helps attackers get through the firewall and then reconnoiter and carry out their attacks within your network. Without decryption capabilities, those attacks will be invisible to your security team.
Better Data Yields Better Analysis
Wire data is to packet headers what the full color spectrum is to black and white. Unlike Darktrace, ExtraHop gives you real-time visibility into 50+ enterprise protocols so you can not only understand which assets are communicating, but also what they're actually saying.
This rich data set permits machine learning to be more focused and precise, taking advantage of the variations in behavior that have the most value and meaning while suppressing false positives.

Cut Effort by 50%
Threat detection can't solve the talent crisis or the rising tide of attackers unless you back it up with robust investigation automation capabilities. Without those additional capabilities, threat detection can even make the problem worse.
Darktrace will alert you to potential threats all over your environment with no prioritization or forensic evidence attached, no correlation between anomalies, and no custom dashboards or response options—and human analysts still need to intervene and weed out false positives.

- Auto-discover, classify, and prioritize assets so critical systems receive deeper analytics (enabling faster response)
- Correlate transactions and packets in real time to automate the investigation process and streamline forensic analysis
- Integrate with popular SIEM platforms out of the box and utilize the Open Data Stream (and the REST API) for remediation and automation
Timeline of a Breach
Reveal(x) tells the whole story. No plot holes.
Reveal(x) vs. Darktrace

| Timeline | Reveal(x) | Darktrace |
|---|---|---|
| Client attempts and fails DB login several times | Rare client attempts and fails DB login several times* | Unusual amount of SQL traffic between a DB and rare client |
| Client successfully logs into DB | Client logs into DB and receives confirmation from the DB | No packet data |
| Client requests info from DB using "select" command | Client requests info from DB using "select" command | No packet data |
| DB responds in the affirmative & begins delivering data | DB responds in the affirmative & begins delivering data | No packet data |
| Client issues "drop" command against DB audit table | Client issues "drop" command against DB audit table | No packet data |
| DB responds in the affirmative | DB responds in the affirmative | No packet data |
| Client initiates large data transfer to external host | Client initiates large data transfer to external host | Unusual volume of data transfer between client and rare external host |
*That first alert from ExtraHop provides enough info to justify quarantining the device in question and launching a full investigation. But if the worst should happen, full attack chain visibility puts you in the best position to eliminate the threat.
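The correlation the timeline describes, as an added example that is not ExtraHop's or Darktrace's code: constructed transaction records walk through the seven steps, `attack_chains` stitches them into one per-client chain using the decoded operation, status and table name, and `flow_only_view` shows what is left to correlate on when only L2-L4 headers are retained. The record layout, the client baseline, the thresholds and all addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample transaction records (hypothetical, not real sensor output):
# one record per decoded transaction, following the seven steps of the timeline.
EVENTS = [
    {"t": 1, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "login", "status": "fail", "bytes": 200},
    {"t": 2, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "login", "status": "fail", "bytes": 200},
    {"t": 3, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "login", "status": "fail", "bytes": 200},
    {"t": 4, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "login", "status": "ok", "bytes": 300},
    {"t": 5, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "SELECT", "status": "ok", "bytes": 5_000_000},
    {"t": 6, "client": "10.1.5.77", "server": "10.1.2.10", "proto": "SQL", "op": "DROP", "detail": "audit_log", "status": "ok", "bytes": 150},
    {"t": 7, "client": "10.1.5.77", "server": "203.0.113.9", "proto": "HTTP", "op": "upload", "status": "ok", "bytes": 800_000_000},
]
# Baseline (assumed): clients normally seen talking to each DB server; anything else is "rare".
KNOWN_DB_CLIENTS = {"10.1.2.10": {"10.1.3.20", "10.1.3.21"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def attack_chains(events, baseline, fail_threshold=3, exfil_bytes=100_000_000):
    """Correlate decoded transactions per client into the staged chain shown in the timeline.
    Returns {client: [(stage, t), ...]} in time order for every client that hit at least one stage."""
    chains, fails = defaultdict(list), defaultdict(int)
    for e in sorted(events, key=lambda e: e["t"]):
        c, s, stages = e["client"], e["server"], chains[e["client"]]
        rare = c not in baseline.get(s, set())
        if e["proto"] == "SQL" and e["op"] == "login":
            if e["status"] == "fail":
                fails[(c, s)] += 1
                if rare and fails[(c, s)] == fail_threshold:  # step 1: rare client, repeated failures
                    stages.append(("rare_client_login_failures", e["t"]))
            elif e["status"] == "ok" and fails[(c, s)] > 0:   # step 2: success right after failures
                stages.append(("login_after_failures", e["t"]))
        elif e["proto"] == "SQL" and e["op"] == "DROP" and "audit" in e.get("detail", "").lower():
            stages.append(("audit_table_dropped", e["t"]))      # step 5: anti-forensic action
        elif is_external(s) and e["bytes"] >= exfil_bytes:
            stages.append(("large_external_transfer", e["t"]))  # step 7: bulk outbound transfer
    return {c: st for c, st in chains.items() if st}


def flow_only_view(events):
    """What header-only (L2-L4) monitoring retains from the same traffic: byte volumes per
    client/server pair, with no operations, status codes or table names to correlate on."""
    volume = defaultdict(int)
    for e in events:
        volume[(e["client"], e["server"])] += e["bytes"]
    return dict(volume)
```

Running `attack_chains(EVENTS, KNOWN_DB_CLIENTS)` yields all four stages for the constructed client in order, while `flow_only_view(EVENTS)` reduces the same seven transactions to two byte counts.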