NDR
A network detection and response system that analyses packets and flows to identify anomalies and known attack patterns in network traffic.
What is NDR?
NDR (Network Detection and Response) is a security solution that analyses network traffic to detect threats that are not visible at the endpoint level. An NDR system captures and analyses a copy of network traffic (typically from SPAN ports or TAPs), identifying anomalies, C2 server communication, lateral movement and data exfiltration.
NDR operates passively - it does not require agents to be installed on devices, which makes it particularly useful in environments where software installation is difficult or impossible: OT systems, IoT devices, legacy operating systems and network appliances.
Modern NDR platforms use behavioural analysis and machine learning to build a model of normal network activity and detect deviations from that baseline. They can decode application-layer protocols, identify encrypted tunnels and detect communication with attacker infrastructure even in encrypted traffic (based on TLS metadata).
Why does it matter?
An attacker who has gained access to a network must communicate - with a C2 server, with subsequent targets in the network, with exfiltration infrastructure. NDR sees this communication regardless of whether an EDR agent is running on the endpoint. This is a complementary layer of visibility, particularly important in OT networks.
In industrial environments, NDR is often the only way to monitor security without interfering with control systems. Passive analysis of network traffic does not affect process operations while still enabling detection of unauthorised changes in communication between controllers.
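As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not SEQRED's or any NDR product's own), the following flow-record detector learns normal peers and outbound volumes from a constructed learning window, then flags a new internal SMB peer, a bulk upload, and low-jitter periodic connections to an unknown host. All addresses, ports, timings and thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Flow:
    """One flow record, as an NDR sensor would export from a SPAN/TAP copy of traffic."""
    ts: float        # flow start time, seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst

def build_baseline(flows):
    """Learn normal activity: known (src, dst, dport) triples and per-source volume stats."""
    pairs, volume = set(), defaultdict(list)
    for f in flows:
        pairs.add((f.src, f.dst, f.dport))
        volume[f.src].append(f.bytes_out)
    return {"pairs": pairs,
            "volume": {s: (mean(v), pstdev(v)) for s, v in volume.items()}}

def detect(baseline, flows, min_beacons=4, max_jitter=0.1):
    """Flag deviations: unknown peers (lateral movement), outbound volume above
    mean + 3 sigma (exfiltration) and regular intervals to an unknown host (C2 beaconing)."""
    alerts, by_pair = [], defaultdict(list)
    for f in flows:
        key = (f.src, f.dst, f.dport)
        by_pair[key].append(f.ts)
        if key not in baseline["pairs"]:
            alerts.append(("new-peer",) + key)
        mu, sd = baseline["volume"].get(f.src, (0.0, 0.0))
        if sd and f.bytes_out > mu + 3 * sd:
            alerts.append(("volume",) + key)
    for key, ts in by_pair.items():
        if key in baseline["pairs"]:   # periodic traffic to a known peer is normal
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        if len(gaps) + 1 >= min_beacons and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) < max_jitter:
            alerts.append(("beacon",) + key)
    return list(dict.fromkeys(alerts))   # de-duplicate, keep first-seen order

# Constructed sample data (not real traffic): a learning window, then a suspicious window.
BASELINE = [Flow(t, "10.0.1.20", "10.0.0.5", 443, b)
            for t, b in zip((0, 600, 1200, 1800), (2000, 3000, 4000, 5000))]
SUSPECT = ([Flow(7200 + 60 * i + (i % 2), "10.0.1.20", "203.0.113.9", 443, 400) for i in range(6)]
           + [Flow(7500, "10.0.1.20", "10.0.1.21", 445, 1200),            # new internal SMB peer
              Flow(7800, "10.0.1.20", "198.51.100.7", 443, 50_000_000)])  # bulk upload

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), SUSPECT):
        print(alert)
```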