ExtraHop Reveal(x) vs. Darktrace

It's the Data, Not the Math

How does ExtraHop Reveal(x) network traffic analysis compare to Darktrace Enterprise Immune System?

Get the Datasheet

number 1

Wire Data

number 2

Analytics at Scale

number 3

Decryption Capabilities

number 4

Automated Investigation

ExtraHop Reveal(x) Darktrace
Data Sources Wire Data
Packet Headers (L2-L4)
Protocol Decoders 40 5
Analytics Machine Learning Cloud-Based On-Prem
Decryption SSL/TLS None
Behavioral Analytics
Critical Asset Prioritization
Metrics 4000 400
Investigation Capabilities Anomaly Correlation ML-Driven Manual
Transaction Indexing
Forensics Continuous Packet Capture Reactive Packet Capture
Scalability Throughput 100Gbps Sustained 6Gbps Unsustained
Deployment Options On Premises (Hardware, Virtual)
Extensibility REST API
Integration Partners 30+ <5
Custom Metrics
Custom Dashboards

Why These Differences Matter

Analytics At Scale, Immediately

Reveal(x) analyzes data at a sustained 100Gbps per appliance, automatically discovering and classifying all endpoints and transactions in real time so you'll start receiving useful insights as soon as you plug in. Darktrace caps out at 6Gbps per appliance and requires human analysts to build out reports, so the first 3-4 weeks of your deployment delivers zero value.

Limited scalability for Darktrace means that even if you pay for six times more hardware and associated management costs, Darktrace will still provide less timely, less thorough information than you'd get from one Reveal(x) appliance.

Darktrace throughput comparison
Darktrace decoders comparison
Darktrace decryption comparison
Darktrace workflow comparison

See Inside Encrypted Traffic

ExtraHop decrypts SSL/TLS at line rate, including Perfect Forward Secrecy (PFS) implementations. Darktrace offers zero decryption capabilities, leaving the majority of network traffic completely opaque—so insiders and attackers can roam freely and exfiltrate data unseen.

70% of cyber attacks will use encryption in 2019 (Cisco). Encryption helps them get through the firewall and then reconnoiter and implement their attacks within your network. Without decryption capabilities those attacks will be invisible to your security team.

Better Data Yields Better Analysis

Wire data is to packet headers what the full color spectrum is to black and white. Unlike Darktrace, ExtraHop gives you real-time visibility into 50+ enterprise protocols so you can not only understand which assets are communicating, but also what they're actually saying.

This rich data set permits machine learning to be more focused and precise, taking advantage of the variations in behavior that have the most value and meaning while suppressing false positives.

Live Activity Maps

Cut Effort by

Threat detection can't solve the talent crisis or the rising tide of attackers unless you back it up with robust investigation automation capabilities. Without those additional capabilities, threat detection can even make the problem worse.

Darktrace will alert you to potential threats all over your environment with no prioritization or forensic evidence attached, no correlation between anomalies, and no custom dashboards or response options—and human analysts still need to intervene and weed out false positives.

green checkmark

Auto-discover, classify, and prioritize assets so critical systems receive deeper analytics (enabling faster response)

green checkmark

Correlate transactions and packets in real time to automate the investigation process and streamline forensic analysis

green checkmark

Integrate with popular SIEM platforms out of the box and utilize the Open Data Stream (and the REST API) for rededication and automation

Timeline of a Breach

Reveal(x) tells the whole story. No plot holes.

Reveal(x) vs. Darktrace

Client attempts and fails DB login several times

Rare client attempts and fails DB login several times*

Unusual amount of SQL traffic between a DB and rare client

Client successfully logs into DB

Client logs into DB and receives confirmation from the DB

No packet data

Client requests info from DB using "select" command

Client requests info from DB using "select" command

No packet data

DB responds in the affirmative & begins delivering data

DB responds in the affirmative & begins delivering data

No packet data

Client issues "drop" command against DB audit table

Client issues "drop" command against DB audit table

No packet data

DB responds in the affirmative

DB responds in the affirmative

No packet data

Client initiates large data transfer to external host

Client initiates large data transfer to external host

Unusual volume of data transfer between client and rare extenal host

*That first alert from ExtraHop provides enough info to justify quarantining the device in question and launching a full investigation. But if the worst should happen, full attack chain visibility puts you in the best position to eliminate the threat.

Launch the interactive demo to explore the Reveal(x) workflow for yourself.