Arista NDR vs. ExtraHop

This ExtraHop comparison illustrates why Arista NDR's advanced network traffic analysis outperforms simplistic unsupervised learning. Technologies that use basic anomaly detection tend to create noise for the security team in the form of false positives. Additionally, technologies like ExtraHop Reveal(x) miss threats that are already in the environment before the unsupervised training period begins. Most organizations change constantly and for legitimate reasons and thus not every anomalous activity is malicious. This leads to the need for retraining, which increases operational overheads beyond "just" the false positives and negatives.

Analyst firm EMA conducted an independent competitive review of network traffic analysis solutions including ExtraHop and named Arista NDR the "Value Leader", ranking it #1 for time to value because of its frictionless approach that delivers answers rather than alerts. ExtraHop requires customers to upload "wire data" to a cloud service hosted on Amazon Web Services. In contrast, Arista NDR is able to deliver value without uploading any customer data to a third party location.

Download a comprehensive breakdown in the Extrahop Reveal(x) vs. Arista NDR Security guide.

Data Arista NDR ExtraHop
. Richness of Data Sources L2 - L7 network data Wire Data
. Visibility Devices, Users, Applications,
External Networks, Organizations & Domains
Limited to network parameters
. Organizational Data Privacy Yes No
Data Science Arista NDR ExtraHop
. Automated Entity Correlation . Yes . Limited
. Extracted Detection Features ~1200 security specific features ~4700 network performance metrics
. Security Knowledge Graph Yes No
. Behavioral Analytics . Yes . Limited
. Machine Learning . Yes . Limited
. Explainability . Yes . Limited
. Training Period Hours 4+ Weeks
Use Cases Arista NDR ExtraHop
. User Experience & Workflows . Yes . Limited
. Detect Known Attacker TTPs . Yes No
. Retrospective Detection Yes . Limited
. Encrypted Traffic Visibility Network Based Encrypted Traffic Analysis . Endpoint Agent Based .
. Automated Campaign Analysis . Yes Limited
. Query Language & Threat Hunting . Yes . Limited
. Free Text Search No Yes
. Full Digital Forensics . Yes . Yes
Deployment & Extensibility Arista NDR ExtraHop
. Deployment Considerations . Yes . Limited
. Integrations with other Security Tools . Yes Yes
. Supported Deployments Sensors: Physical, Virtual, and Cloud
Analytics: Physical, Cloud
Sensors: Physical, Virtual, and Cloud
Analytics: Cloud
. Threat Intelligence Integration Yes Yes
Corporate Background Arista NDR ExtraHop
. Expertise & Security DNA Yes Limited


Customers looking for ExtraHop alternatives, or a replacement, would do well to consider a solution that has been built from the ground up to focus on security. ExtraHop Reveal(x) is built as a layer above a network performance monitoring and diagnostics (NPMD) platform. This clearly manifests itself in the Reveal(x) user experience and workflows that rely more on network metrics and less on parameters relevant to security professionals. In contrast, Arista NDR was built for security professionals, by security professionals and has the benefit of input from hundreds of security teams.

Additionally, from a data science perspective ExtraHop primarily uses unsupervised learning to ascertain a device's normal behavior. This approach is noisy since "normal behaviors" change often for very legitimate business purposes–e.g. new software deployments, etc. In addition, this approach also fails when devices are already compromised before the baseline is established. Arista NDR's ensemble approach to machine learning compares against past behaviors, but also to similar entities and across the rest of the organization. This helps eliminate both the false positives and negatives that are rampant with solutions like ExtraHop.

The anomaly detection approach has another significant drawback. ExtraHop delivers detections with very little context and explainability, which presents a challenge for a security analyst to then understand why something is being detected or what to do about it. The Reveal(x) product also does not provide the ability for the security analyst to tweak the detection model. Arista NDR offers every customer the ability to create their own detection models as well as view and modify Arista NDR's models.

Arista NDR customers also have access to a deeper set of use cases in comparison to ExtraHop. For instance, while ExtraHop does classify detections by stage of the kill chain, it still treats every detection as an individual alert, leaving it to the security analyst to triage, connect the dots and stitch together the larger attack campaign manually. Arista NDR's entity tracking and query capability allows the platform to automatically correlate complex attacker activities, identifying all of the devices, protocols, and threats that are a part of the overall campaign. This, in turn, helps reduce alert fatigue and makes the information more actionable and easily consumable for the security team.

All product names, logos, and brands are the property of their respective owners. All company, product, and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.