Network Detection and Response (NDR) has been the Rodney Dangerfield of security tools over the past few years – “it don’t get no respect.” Conceivably, this state of disrepute came from all the marketing money thrown at Endpoint Detection and Response (EDR) and eXtended Detection and Response (XDR). It could also be related to growth of encrypted traffic and the associated misguided belief that encrypted traffic all but blinded NDR technology (note: It didn’t).
Whatever the reason for NDR’s demotion in the security tools pecking order, I’m here to tell you that these insolent tales about NDR are not only untrue but may also introduce unnecessary risk to organizations that adhere to these falsehoods. In my humble opinion, NDR is a security operations necessity today, and its value will only increase moving forward.
Allow me to elaborate. There’s an old cybersecurity saying, “the network doesn’t lie,” meaning that network telemetry is critical to monitor all activities – which traffic is mission critical, what traffic and protocols are traversing the wire, how the network is performing, and which traffic is being used for malicious activity. From a security perspective, NDR is essential as a complement to technologies like EDR, XDR, SIEM, and others, specifically for:
- Protecting and defending “agentless” assets. Oodles of IT assets like routers, network appliances, and IoT/OT devices don’t run EDR agents, making EDR blind to related attacks. Oh, and there have been a ton of them, like the 2017 Triton / Trisis attack (OT safety controllers), the 2021 Verkada camera hack, and of course, the granddaddy of them all, Stuxnet (2010). Effective NDR can monitor these devices, flag anomalous traffic patterns, and facilitate rapid response.
- Lateral movement detection. When adversaries do compromise an asset (for example, by disabling an EDR agent), NDR is crucial for sleuthing anomalous network traffic that may indicate lateral movement used as part of privilege escalation or critical data discovery. This is especially important for defending against “living off the land” attacks that closely emulate ‘normal’ network traffic activity.
- Data exfiltration. NDR is especially adept at detecting large or unusual data transfers, often tunneled to external servers via the DNS protocol. For example, the 2023 Decoy Dog malware toolkit exfiltrated sensitive data by slicing it into small chunks, encrypting or encoding the fragments, and then appending them as subdomains to attacker-controlled domains. The attacker's server then captured these inbound requests, stripped away the domain packaging, and reassembled the payload while remaining invisible to traditional firewalls. Again, leading NDR tools would have detected these stealthy and anomalous traffic patterns and then generated an alert.
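One way an NDR pipeline can surface the chunked DNS exfiltration pattern described above, as an added example that is not code from the original post or from any vendor’s product: it parses constructed DNS query log lines, groups them by client and zone, and flags zones that receive many unique, long, high-entropy subdomains from a single client. The log line format and the attacker-placeholder.net zone are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, "<timestamp> <client-ip> <qtype> <qname>" per line;
# attacker-placeholder.net stands in for a tunnelling zone and is not a real indicator.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 A www.example.com
2024-05-01T09:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T09:00:04Z 10.0.0.7 TXT a1b2c3d4e5f6g7h8.attacker-placeholder.net
2024-05-01T09:00:05Z 10.0.0.7 TXT k9m0n1p2q3r4s5t6.attacker-placeholder.net
2024-05-01T09:00:06Z 10.0.0.7 TXT u7v8w9x0y1z2a3b4.attacker-placeholder.net
2024-05-01T09:00:07Z 10.0.0.7 TXT c5d6e7f8g9h0i1j2.attacker-placeholder.net
2024-05-01T09:00:08Z 10.0.0.7 TXT l3m4n5o6p7q8r9s0.attacker-placeholder.net
"""

def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_name(qname, zone_labels=2):
    """Split a query name into (zone, subdomain). Simplification: the zone is the last
    two labels; production code would consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= zone_labels:
        return None
    return ".".join(labels[-zone_labels:]), ".".join(labels[:-zone_labels])

def find_tunnel_suspects(log_text, min_unique=5, min_len=12, min_entropy=3.0):
    """Flag (client, zone) pairs that see many unique, long, high-entropy subdomains:
    the footprint left when data is chunked, encoded and carried out as DNS labels."""
    per_zone = defaultdict(set)  # (client, zone) -> set of distinct subdomains seen
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, _qtype, qname = parts
        zone_sub = split_name(qname)
        if zone_sub:
            per_zone[(client, zone_sub[0])].add(zone_sub[1])
    suspects = []
    for (client, zone), subs in per_zone.items():
        avg_len = sum(map(len, subs)) / len(subs)
        avg_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            suspects.append({"client": client, "zone": zone, "unique_subdomains": len(subs),
                             "avg_entropy": round(avg_ent, 2), "approx_bytes_out": sum(map(len, subs))})
    return suspects
```

The thresholds are starting points to tune against a baseline of each environment’s normal DNS traffic, since CDNs and some security products also generate long machine-looking labels.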
- Supplemental and critical telemetry. AI models are only as good as the data they are built on. Network telemetry complements logs, EDR alerts, and other data sources with telemetry about risky protocols, anomalous traffic patterns, lateral movement indicating “low and slow” attacks, and encrypted traffic analysis (ETA). For example, network telemetry can help autonomous security agents validate or dispute potentially compromised endpoint alerts by cross-referencing internal system logs against actual external traffic patterns. Ultimately, network telemetry strips away an attacker's invisibility cloak by correlating malicious lateral movement with other data sources in real time.
- Better models for IoT/OT coverage. Industries like manufacturing, health care, and logistics continue to add new types of IoT and OT devices. For example, IDC's 2026 Worldwide Semiannual IoT Spending Guide projects that global spending on IoT/OT will cross the $1.1 trillion mark by the end of 2026. Despite this growth, McKinsey & Company research indicates a “visibility gap,” where the average industrial enterprise still cannot identify 30% of the devices connected to its primary production network. NDR can discover assets and monitor traffic patterns and unique protocols, which can then be used for AI model development and agentic functionality. This could mean the difference between noisy alerts and accurate and succinct IoT/OT threat detection.
- A first line of defense response. Along with threat intelligence, NDR telemetry can help organizations predict attacks, visualize attack paths, and reinforce defenses. Armed with network and other telemetry, AI agents could trigger workflows to automatically isolate a compromised VLAN or update firewall rules in real time if they identify behavior indicating high-confidence ransomware TTPs.
Okay, NDR makes sense on its own AND as part of an agentic SOC. So, how should organizations proceed? While the largest enterprises may have the budgets and skills to maintain an independent NDR tool, resource-constrained small enterprises and SMBs may benefit from an agentic SOC ‘platform’ that integrates NDR telemetry with other data sources like EDR, cloud logs, identity logs, and so on. In this way, an integrated platform produces a single source of truth data graph which can be used to create more accurate, consolidated, and customized AI models and agents tailored to each organization’s industry, location, and threat profile.
By doing so, CISOs can reduce TCO, rationalize security operations tools, and get the entire security team “singing from the same hymn book.” In other words, they can eliminate custom integration and coding while the entire security (and perhaps IT) team can share a common security operations interface, while learning and optimizing a single agentic SOC platform.
With all due respect to Rodney Dangerfield, NDR should get lots of respect – especially as organizations migrate from disparate security operations tools to an intelligent agentic SOC. Oh, and did I mention that the network doesn’t lie?