2024 Global Cyber Confidence Index

Arrow pointing right
ExtraHop Logo
  • Productschevron right
  • Solutionschevron right
  • Why ExtraHopchevron right
  • Blogchevron right
  • Resourceschevron right

Professional Services Highlights

Credit Bundles

Available in three sizes, designed to fit all your needs. Buy either a starter, standard, or advanced credit bundle and then draw down from that pool of credits for any services you require for up to a year from the purchase.


60 Credits

The starter credit bundle is intended to provide a base level of credits with which you will rapidly implement, and integrate ExtraHop into their existing environment.


100 Credits

The standard credit bundle is intended to provide you with enough credits to integrate and deploy ExtraHop into the environment, drawing from several predefined use cases, training and integration options.


150 Credits

The advanced credit bundle is intended to provide you with ample credits to implement a fully customized solution-optimized to your unique environment and needs.

Quick Starts

Reduce Time-to-Value, Increase the Return on Your ExtraHop Investment

Application Monitoring and Troubleshooting

  • Build three-tier monitoring dashboard for a single application
  • Develop custom metrics as needed
  • Document the metrics being collected and their relationship overall performance

Network-Based Threat Hunting

  • Provide a hands-on, two- to three-hour threat hunting sessions
  • Offer saved queries, permitting the customer to reuse complex queries related to pattern matching and allowing for self-service in the future
  • Demonstrate use-case specific dashboards providing data access and visibility based on saved queries

Cyberattack Surface Reduction

  • Create a dashboard of vulnerable protocols
  • Create a detailed report describing top offenders and key high-risk vulnerabilities within the customer environment

Optimized Network Threat Detection

  • Deliver a hands-on tutorial via a collaborative multi-session engagement with the customer's security analysts to improve detection management, including reducing false positives; eight hours in total
  • Create critical asset groups to prioritize security incident visibility to the most important assets in the customer environment
  • Create specific-use device groups, such as external or internal vulnerability scanning systems, to reduce false positive detections

Asset Discovery and Classification

  • Build device groups
  • Explore up to three possible dashboard use cases
  • Explore opportunities to export data from Reveal(x) into asset management platforms
  • Create asset reports highlighting discovered, unclassified, and unknown assets for customer action
  • Review base sensor configuration
  • Review versioning of appliances
  • Review the data feed and apply specific dashboards related to data feed health and improvement
  • Patch where applicable, log support cases where applicable, and loop in success manager

Data Feed Workshop

  • Review base sensor configuration
  • Review versioning of appliances
  • Review the data feed and apply specific dashboard related to data feed health and improvement
  • Patch where applicable, log support cases where applicable, and loop in success manager

Sensor Upgrades

  • Compatible EDA-to-EDA migration

Sensor Patching

  • Preparation meeting
  • Firmware upgrade

Live Training

Analyze network traffic to reduce risk in your IT environment.

On-site Sessions

Any on-site class requires travel fees for our instructors

Expand all
ExtraHop Fundamentals
2 Days

On-site Fundamental Training utilizes live customer data. It provides a general overview of what ExtraHop is and how it collects, analyses and visualizes data in a network. It covers the layout and navigation of the ExtraHop UI, viewing and interpreting default network and application protocol metrics from different perspectives (such as a single device, a group of devices or an application container). It explains the workflow from high-level overviews to detailed analysis. It reviews the data exposed in the default dashboards, demonstrates other visualization features and provides hands-on experience with creating, using and sharing dashboards.

Advanced Training
1 Day

On-site Advanced Training utilizes live customer data. It provides a deep dive into relevant ExtraHop protocol metrics, including TCP, and covers hands-on creation of multi-tiered application dashboards. It focuses on customizations that extend the platform such as alternative device discovery, trend alerts and multi-criteria triggers (including integrating ExtraHop data with external sources) and demonstrates how to utilize and create solution bundles. Advanced Training includes an overview of best configuration practices, administration and maintenance of the ExtraHop ecosystem.

Remote Sessions

Expand all
Live Data Review
2 Hours

This training provides a data-driven review of your live environment. We explain what ExtraHop is seeing in your environment, what the metrics mean, review correlations between events and protocol data and discuss insights into possible impact and causes.

Protocol Deep Dive
2 Hours

This session provides an in-depth look at one protocol relevant to your environment. Different pivots on the metrics (apps vs Groups). We review the metrics ExtraHop collects and what they mean in the context of your environment. We discuss correlation between metrics and how to diagnose a problem or identify an improvement opportunity based on the data. We pivot on different views into the protocol (groups vs application containers) and create dashboards to show how best to visualize the health and performance of that protocol in your environment.

Creating Successful Dashboards
2 Hours

A dashboard is a fully customizable HTML page that displays both real-time and historic data. In this session we cover the reasons to use one, how to decide what data to include and how to find it in ExtraHop's UI and Metric Catalog. We build a basic dashboard, explore different chart types, and demonstrate the elements that make your dashboards effective. We expand our exploration of chart types and discuss which chart types to use when. We demonstrate different ways to organize and present data and how to provide context so that it is meaningful to your targeted audience. We demonstrate the concepts of a multi-tiered dashboard that visualizes communication across multiple tiers of an application.

Deep Dive into Devices
2 Hours

ExtraHop automatically discovers and classifies devices it sees communicating on the wire. In this session we explain ExtraHop's default device discovery process and the properties associated with a device. We explore which peers a device is communicating with, what protocols are in use, when a device acts as a client or a server and whether the device activity is normal or not. We demonstrate how to interpret the L2-L7 metrics and charts to help you determine if a device is having an issue, or if it is an application or network problem. We view the default device groups ExtraHop creates based on role or L7 protocol, and we create custom device groups based on a narrower scope, such devices that support one business application. We extend the discussion to customizing devices, such as changing device properties, creating custom devices and remote networks, and explain device limits and whitelisting.

Understanding Alerts
2 Hours

Alerts are notifications that can be configured to be sent to various recipient sources when an event of interest occurs. In this session we discuss the different types of alerts, the conditions that can be configured to alert on and how we can determine that an alert has fired. We create a basic threshold alert based on a condition in your environment you want to monitor, examine how we send an alert through email or integrate with other sources through SNMP or syslog. We then focus on trend alerts and their use cases, demonstrate how to configure multiple conditions and to monitor trend utilization and performance.

Using the Record Visual Query Language
1 Hour

Records are structured information about transaction, message, and network flows. This training provides a comprehensive review of accessing and searching records. We demonstrate how to view records, change record types, sort and group information and switch views. We show how to utilize the Visual Query Language to easily scope and filter results.

Creating and Using Record Formats
1 Hour

Record formats are schemas that let you display stored records in a formatted table (or table view) when you run a record query. In this session we explain how Flow and L7 records are populated and examine the formats used by standard record types. We explain how custom records and custom formats can be created.

Getting Started with Application Inspection Triggers
2 Hours

Application Inspection Triggers are the primary way of extending the ExtraHop platform. This session will cover the basics of planning and creating triggers. We will discuss when to write a trigger, view trigger resources and create a basic trigger. We will gradually build on that trigger to illustrate how to build application containers, add multiple criteria and events to the trigger and optimize the performance of the trigger. We will also discuss how to generate a packet capture, populate EXA records and how to use Open Data Stream (ODS) to integrate with third-party systems.

Custom Remote Training Session
1 Hour

This session is customer-driven, based on specific topics they may want a refresher on, or areas where they want more depth or clarity.

Using the Overview pages
1 Hour

Overview pages enable you to quickly evaluate the scope of suspicious activity on your network, learn about protocol activity and device connections, and investigate inbound and outbound traffic on your network. In this training session we focus on high-level visibility into the security detections that have fired in your environment in order to determine which detections or devices to investigate first, and review any relevant threat briefings about industry-wide security events. We explore common network health and security hygiene metrics which might signal weaknesses or issues in network performance or potentially suspicious activity. We view total active devices and common protocols in use, and traffic entering and leaving your network through connections with external endpoints.

Detection Overview
1 Hour

When anomalous behavior is identified, the ExtraHop system generates a detection and displays the available data and investigative options. This session uses examples of security and operations detections to discuss the common elements within detection cards, such as the cause of the detection, the detection category and risk score, when the detection occurred, and the victim and offender participants. We expand our focus to the types of data provided on the detection detail page that are valuable for understanding, validating, and investigating a detection- related detections, activity maps, comparative behaviors and investigative data and links.

Detecting Tuning
1 Hour

Detection tuning enables you to better control which detections are visible or generated for your network. In this session we focus on the use cases and prerequisites for creating detection rules to hide detections based on the specific victim or offender or both, after the behavior has been investigated. We discuss how to manage detection rules and view hidden detections. We review the use of configuration settings and custom parameters- such as network localites, trusted domains, approved DNS and HTTP communications and more- to further scope and refine the detections that get generated. In addition we illustrate the use of the acknowledgement feature as part of detection investigation workflows. (NOTE: full write permission is required for this session).

Getting started with the REST API
1 Hour

The ExtraHop REST API enables you to automate administration and configuration tasks on your ExtraHop system. This session will first focus on configuring API access permission and key generation, and cross-origin resource sharing (CORS). We will introduce the REST API Explorer web-based tool and use it to view resources, methods, parameters, properties, and error codes. We will demonstrate locating object IDs, and performing operations directly through the tool. We will view the available code samples in Python, cURL, and Ruby.

Reviewing the Extrahop System Health
1 Hour

The System Health page provides a large collection of charts that enable you to make sure that your system is running as expected, to troubleshoot issues, and to assess areas that are affecting performance. We will discuss data for ingest rate, device count observations, monitor Trigger load and exceptions, follow Open Data Stream and Recordstore transmissions, view historical lookback estimates and any indicators of a sub-optimal feed. We will review system health features on the administration page and demonstrate how to alert on system health data and monitor specific metrics of interest in custom dashboards (NOTE: system admin permission is required for portions of this training).


Reduce Tools Complexity, Increase Productivity and Efficiency With Integrations



CrowdStrike Enterprise

Carbon Black

Microsoft Defender


Splunk for SOAR



QRadar Enterprise

Cortex for SOAR

Sumo Logic




Microsoft 365


Palo Alto Networks


Cisco Meraki


Microsoft Decryption






Splunk Enterprise

Red Hat Ansible Tower


Deploy Your ExtraHop Investment With Confidence

Project Kickoff

  • The ExtraHop delivery coordinator will schedule a kickoff call with all relevant stakeholders and . technical personnel to initiate this service, define the full project team, review timelines, review the bill of materials, and review scope.
  • ExtraHop will create an architecture design review and coordinate with the project team to review data center architecture, ExtraHop appliance placement, and packet acquisition methods to ensure the data feed will align with visibility goals.

Application Installation

  • The client team will perform necessary tasks to ensure appliances are powered on and accessible remotely, via IP, for configuration by ExtraHop.
  • The ExtraHop team will provide the customer with guidance and best practices around appliance installation, virtual resource requirements (if applicable), and packet acquisition.

Initial Configuration

  • The ExtraHop delivery coordinator will schedule a working session to ensure that appliance installation, initial setup, and administration tasks are completed within the Reveal(x) user interface (UI) of all deployed appliances.
  • An ExtraHop solutions architect will run through a post-installation checklist to ensure the proper functioning and setup of the appliance.

Data Feed Validation

  • An ExtraHop solutions architect will conduct a data feed review to confirm data fidelity, review data feed health, and confirm that visibility goals have been achieved. The solutions architect will review the following and troubleshoot as necessary:

Project Acceptance

  • Upon completion of the data feed validation, the ExtraHop delivery coordinator will confirm with the client team that the project has been completed according to the agreed upon scope and that the ExtraHop appliances are operational and have been successfully deployed.