Hard2bit

What NDR is

NDR (Network Detection and Response) is a category of security platform that analyzes east-west and north-south network traffic in real time to detect anomalous behavior, communication with command-and-control (C2) infrastructure, lateral movement between internal assets and data exfiltration. Unlike classic IDS, it doesn't just match traffic against signatures: it combines deep inspection, machine-learning behavior models and threat intelligence enrichment.

Why it matters

Many modern attacks bypass endpoint defenses through "living off the land" techniques, legitimate use of admin tools and abuse of valid credentials — scenarios where EDR has blind spots. NDR provides the missing view: it sees the whole network, which assets talk to which, and detects traffic to suspicious domains, periodic C2 beacons, DNS tunnels and exfiltration disguised as normal traffic. In cloud and OT/IoT environments, where deploying agents on every asset isn't always possible, NDR is one of the few viable forms of defensive coverage. For NIS2, DORA or ISO 27001 compliance, NDR provides the technical evidence of continuous monitoring that auditors expect to see.

Key points

NDR works with traffic mirrored via SPAN/TAP or with network metadata (NetFlow, Zeek/Suricata). The metadata approach scales better than full-packet capture but loses inspection depth.

The key difference vs classic IDS/IPS is the behavior layer: NDR learns a baseline of normal traffic and detects deviations, not just known signatures.

It detects attacker indicators that are hard to see on endpoints: C2 beacons with subtle timing patterns, large incremental transfers to a single destination, internal scanning from an asset that normally doesn't scan.

NDR + EDR + SIEM is the triangle many analysts consider the operational baseline of a modern SOC. XDR is an architecture that tries to bring them together.

Example: hidden C2 over HTTPS detected by NDR

An internal server starts establishing short, very regular HTTPS connections (every 60 seconds) to a recently registered domain in a region with no business relevance. EDR detects nothing because the connection is initiated by a legitimate, signed binary, but NDR identifies the beacon pattern: temporal regularity, domain with low reputation, uncommon JA3 fingerprint and small constant payload size. It raises a "possible HTTPS C2" alert, the SOC validates with packet capture and confirms it's an implant. The asset is segmented, the domain is blocked at WAF and firewall, and incident response kicks off.
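The beacon-pattern logic described above, as an added example that is not part of the original page: it groups constructed Zeek-style connection metadata by source/destination pair and flags pairs whose inter-connection timing and client payload size are both near-constant, then enriches the alert with a (constructed) newly-registered-domain list. Thresholds, hostnames and addresses are illustrative assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample connection metadata (conn.log-like), not real traffic.
# Fields: timestamp (s), source host, destination SNI/host, client bytes.
SAMPLE_FLOWS = [
    # internal server: one connection every 60 s, constant 512-byte payload
    *[(1000 + 60 * i, "10.0.5.12", "cdn-update.example-new.net", 512) for i in range(20)],
    # workstation browsing: irregular timing and varied sizes (benign)
    *[(ts, "10.0.7.3", "www.example.org", sz) for ts, sz in zip(
        [1000, 1017, 1250, 1330, 1800, 2650, 2700, 3900, 4100, 4105],
        [1200, 9800, 400, 22000, 3100, 760, 5400, 150, 8800, 2300])],
]

# Constructed threat-intel enrichment: domains registered in the last days.
NEW_DOMAINS = {"cdn-update.example-new.net"}


def beacon_score(timestamps, sizes, min_conns=8, max_cv=0.1):
    """Return (is_beacon, interval_cv, size_cv) for one src->dst pair.

    cv = coefficient of variation (stdev / mean). Near-zero cv on both
    the inter-connection interval and the payload size is the regularity
    an NDR baseline flags; real tuning tolerates some jitter (raise max_cv).
    """
    if len(timestamps) < min_conns:
        return False, None, None
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    interval_cv = statistics.pstdev(intervals) / statistics.mean(intervals)
    size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
    return interval_cv < max_cv and size_cv < max_cv, interval_cv, size_cv


def find_beacons(flows, min_conns=8):
    """Group flows per (src, dst) and return alert dicts for beacon-like pairs."""
    pairs = defaultdict(lambda: ([], []))
    for ts, src, dst, size in flows:
        pairs[(src, dst)][0].append(ts)
        pairs[(src, dst)][1].append(size)
    alerts = []
    for (src, dst), (tss, sizes) in pairs.items():
        is_beacon, icv, scv = beacon_score(tss, sizes, min_conns)
        if is_beacon:
            alerts.append({"src": src, "dst": dst, "count": len(tss),
                           "interval_cv": round(icv, 3), "size_cv": round(scv, 3),
                           "new_domain": dst in NEW_DOMAINS})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(SAMPLE_FLOWS):
        print("possible HTTPS C2:", alert)
```

An alert here is a triage lead, not a verdict: as in the scenario above, the SOC confirms with packet capture before segmenting the asset.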

Common mistakes

  • Deploying NDR without a real baseline. It needs at least 2-4 weeks observing traffic to distinguish normal from anomalous. Switching to block mode on day one produces noise and disrupts legitimate traffic.
  • Ignoring encryption. Much modern traffic is TLS 1.3, and NDR sees metadata (JA3, SNI, length, timing) but not content. If you expect payload inspection, combine NDR with controlled decryption at a proxy.
  • Not integrating NDR with threat intelligence. Cross-referencing IPs and domains against feeds of active campaigns multiplies precision.
  • Applying NDR only to north-south traffic. East-west lateral movement is where it adds the most value. Internal VLANs, cloud segments and inter-DC links must be covered.

Frequently asked questions

Does NDR replace traditional IDS/IPS?

It doesn't replace them; it complements them — and in many modern designs operationally supersedes them. IDS/IPS works by signature and inline blocking; NDR adds behavior analysis, machine learning and orchestrated response. New architectures prioritize NDR; legacy environments often run both side by side.

What's the difference between NDR and XDR?

NDR covers the network layer. XDR is an architecture that correlates telemetry from multiple sources (endpoint, network, cloud, identity, email) in one platform. A good XDR usually includes or integrates NDR-like capabilities.

Can NDR see encrypted traffic?

It sees metadata of encrypted traffic (JA3 fingerprint, SNI, timing patterns, volumes) but not the content. With that metadata it can detect a lot of anomalous behavior. If payload inspection is required, combine NDR with controlled decryption at a proxy or firewall.