NDR Sensor Deployment: Network Detection and Response in Practice

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Endpoint detection and response covers servers, laptops, and the subset of cloud workloads where an agent will install. It does not cover printers, cameras, badge readers, building management systems, medical devices, OT equipment, contractor laptops, or the ESXi hosts that an agent will void support on. In most enterprises 30 to 50 percent of network-attached devices fall into the no-agent category, and that is where attackers increasingly land first.
Network detection and response fills that gap by analyzing traffic regardless of endpoint instrumentation. A well-deployed NDR catches lateral movement, command-and-control beaconing, data staging, and anomalous protocol usage that never touches an EDR-instrumented host. It also catches the attacker who turned off the EDR agent on the box they compromised; the network does not lie.
This guide is vendor-agnostic. The principles apply to Corelight, ExtraHop, Vectra, Darktrace, Arista Awake, the open-source Zeek and Suricata stack, and the network analytics modules inside XDR platforms. The hard problems are placement, tuning, and integration, not the choice of vendor.
Sensor Placement: Where to Tap and Where to Listen
Placement decisions follow two axes: inline versus out-of-band, and north-south versus east-west. Out-of-band sensors receive a copy of traffic via a network TAP or a SPAN/mirror port on a switch; they cannot block, but they cannot fail open either, which matters for high-availability requirements. Inline sensors sit in the traffic path and can block, but introduce a failure domain. For most enterprise deployments, out-of-band is the right starting point; revisit inline only for specific high-trust segments where automatic blocking is justified. North-south placement at the internet egress and DMZ catches C2 beaconing, data exfiltration, and inbound exploitation. East-west placement at the data center core or between security zones catches lateral movement, which is where the high-value detections live. For VLANs that aggregate at a single core switch, SPAN the uplink trunk; for spine-leaf data center fabrics, deploy sensors at each spine or use a packet broker (Gigamon, Garland, Niagara) to aggregate and filter before delivery to the sensor. Plan sensor capacity at 2x peak observed throughput so you do not drop packets during incident bursts; dropped packets are the first thing a sophisticated attacker probes for.
Coverage Gaps That EDR Cannot Close
Enumerate the device classes the NDR is meant to cover. IoT and OT: building HVAC, badge readers, cameras (notoriously vulnerable to default credentials), VoIP phones, conference room hardware. Medical devices in healthcare environments: infusion pumps, imaging workstations, EHR endpoints with proprietary OS. Printers and MFPs: often unpatched, frequently used as a foothold for credential capture via fake SMB shares. Embedded Linux appliances: load balancers, storage arrays, NAS devices, network equipment management interfaces. Contractor and BYOD: laptops that connect to a guest or contractor VLAN without your EDR. Hypervisor management: ESXi, Hyper-V, KVM hosts where agent installation is unsupported. ESXi in particular has become a primary ransomware target because attackers know it is unmonitored; an NDR sensor at the management VLAN that watches for outbound traffic from ESXi hosts to the internet or for unusual SSH activity catches the prelude to a hypervisor encryption event. Map each device class to a specific network segment and confirm the segment is in coverage; coverage gaps in the device class to sensor placement map are the gaps an attacker will find first.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Tuning to Avoid Alert Storm
Out of the box, an NDR will alert on roughly 10 to 50 times more events than your SOC can triage. The tuning phase is non-optional and typically takes 60 to 90 days before the alert rate is sustainable. The framework: baseline normal first, then suppress, then alert. Baseline normal by running the sensor in observe-only mode for 14 days and exporting the top 100 source-destination-port tuples by volume; verify each is expected business traffic and add to the allowlist with an owner and a review date. Suppress expected scans: vulnerability scanner traffic, monitoring system SNMP polls, backup agents, configuration management agents (Ansible, Puppet, Chef). Whitelist by source IP, not by signature, so a compromised scanner host still alerts. Tune the protocol anomaly thresholds; the defaults for SMB write volume, DNS query rate, and HTTP request rate are usually set for a small office and will fire constantly in a data center. Document every suppression in source control with a justification, an owner, and a 90 day review date; suppression rules without expiration accumulate into a security gap nobody remembers creating.
Encrypted Traffic Analysis: JA3, JA4, and Certificate Anomalies
TLS 1.3 plus encrypted SNI removes most of the content-based detection options that worked in the TLS 1.2 era, but it does not remove metadata-based detection. JA3 (and the newer JA4, JA4S, JA4H, JA4L family from FoxIO) fingerprint the TLS client hello and server hello based on the ordered cipher suites, extensions, and elliptic curves; the fingerprint is stable per TLS library version and effectively identifies the client software regardless of the user agent string. Malware families have distinct JA4 fingerprints, and an unfamiliar JA4 from an internal host to an internet destination is high-fidelity signal. Certificate anomalies are equally valuable: self-signed certificates outbound from a workstation, certificates with very short validity windows from non-Let's-Encrypt issuers, certificates with mismatched SNI versus subject CN, certificates from issuers not normally seen by your environment. TLS timing patterns matter too: C2 beaconing produces regular intervals (every 60 seconds plus jitter) that stand out from human-driven web traffic. Build detections that combine multiple weak signals (uncommon JA4 plus regular timing plus low-reputation destination IP) rather than relying on any single one; this is where the NDR product's analytics engine earns its license cost.
SIEM Integration Without the Alert Storm
The integration anti-pattern is to forward every NDR detection to the SIEM as a separate alert, which creates noise and duplication. The correct pattern is two-tier: the NDR maintains its own console for first-line triage and the SIEM receives only correlated, multi-signal detections plus a stream of context events for retrospective hunting. Forward NDR detections to SIEM at three priority levels: high (immediate triage, paged), medium (queued for next-shift review), low (suppressed from alert queue, available in the data lake for hunting). Pipe Zeek-style connection logs and protocol metadata into the SIEM at low priority so analysts can pivot from an EDR or identity alert into network context without context-switching to the NDR console; this is more valuable than the alerts themselves. For SOAR enrichment, build playbooks that take an NDR alert with a suspicious internal IP and automatically pull the asset inventory, EDR detection history, and recent identity events for the user assigned to the host. Avoid forwarding raw packet capture metadata into the SIEM at scale; the volume will wreck your ingestion budget and the SIEM is the wrong tool for pcap analysis.
Cloud Network Visibility Options
On-premises NDR sensors do not see cloud traffic. The options for cloud network visibility, in increasing order of fidelity and cost: flow logs (VPC Flow Logs in AWS, NSG Flow Logs in Azure, VPC Flow Logs in GCP) give 5-tuple data and byte counts but no payload, sufficient for connection-level anomaly detection and lateral movement scoping but not for protocol analysis; cloud-provider IDS services (AWS Network Firewall with managed rule groups, Azure Firewall Premium IDPS, GCP Cloud IDS) give signature-based detection inline; traffic mirroring (VPC Traffic Mirroring in AWS, vTAP in Azure, Packet Mirroring in GCP) sends a copy of full packet streams to an NDR sensor running in a cloud VM or appliance, giving full protocol visibility at substantial cost. For most workloads, flow logs plus a managed IDS service is the right starting point; reserve traffic mirroring for the highest-value subnets (DMZ, PCI scope, sensitive data tiers). Tag the cloud visibility coverage gap in your asset inventory so you know which workloads have only flow-log-level visibility versus full protocol inspection.
The bottom line
NDR is not a replacement for EDR; it is the visibility layer for everything EDR cannot reach. Deploy out-of-band first at internet egress and at the east-west choke points where lateral movement crosses zones, tune aggressively for the first 90 days, and integrate with the SIEM as correlated alerts plus context-only metadata.
Measure coverage as the percentage of network segments that have an active sensor with verified packet flow, not as the count of deployed sensors. Sensors that are silently missing traffic are worse than no sensor, because they create the false impression of coverage during an incident.
Frequently asked questions
Open-source Zeek and Suricata or a commercial NDR?
Both have a place. Zeek plus Suricata plus Elastic or OpenSearch is the most flexible option and the underlying engine of several commercial NDRs (Corelight is essentially a hardened Zeek distribution). The trade-off is operational: open-source requires you to write and tune detections, manage sensor health, and build the analytics yourself, which is a team commitment of 2 to 4 engineers minimum. Commercial NDR ships with curated detections, anomaly models trained on cross-customer data, and managed updates, at a license cost of $100k to $1M+ annually depending on traffic volume. Choose open-source if you have the team and want maximum control; choose commercial if you need time-to-value in months rather than years.
Do we need NDR if we already have a next-gen firewall with IDS/IPS?
NGFW IDS gives you north-south signature-based detection at the perimeter; NDR adds east-west visibility, behavioral and ML-based detection, and protocol metadata at depth. The two are complementary, not duplicative. Most organizations find that the NGFW IDS catches commodity threats at the perimeter while NDR catches post-compromise behavior internally. If budget forces a choice and you have a mature NGFW already, prioritize east-west NDR sensors in the data center and at user-to-server boundaries; that is where NGFW typically has no visibility.
How does NDR handle encrypted east-west traffic?
TLS-encrypted east-west traffic is analyzable by metadata (JA4 fingerprints, certificate attributes, connection timing) but not by content unless you terminate TLS at a network device. TLS interception introduces operational complexity (certificate distribution, application breakage, regulatory concerns for PII traffic) and is generally not worth it for east-west; metadata-based detection is sufficient for most lateral movement and C2 use cases. For specific high-value segments (DMZ ingress, payment processing zones) where you need content inspection, deploy a forward proxy with TLS termination and feed the decrypted traffic to the NDR sensor; otherwise, accept the metadata-only visibility.
What is the right ratio of NDR sensors to network throughput?
Plan sensor capacity at 2x sustained peak throughput, measured over a 30 day baseline at 5 minute granularity. A 10 Gbps sensor handles roughly 5 Gbps of sustained traffic comfortably; bursts above sustained will cause packet drops, and dropped packets create silent detection gaps. For 40 Gbps and 100 Gbps backbones, use a packet broker to load-balance across multiple sensor instances rather than buying a single large appliance, because the load-balanced design handles sensor failures gracefully. Monitor packet drop rate as a primary sensor health metric and alert at >0.1% sustained.
How do we measure NDR detection value over time?
Track three metrics. First, true positive rate per detection rule per quarter; rules with persistent false positive rate above 10% need tuning or retirement. Second, mean time to detection for confirmed incidents where NDR was the first-detecting source, compared to the same metric for EDR and identity-driven detections; this surfaces the coverage areas where NDR is uniquely valuable. Third, ATT&CK technique coverage attributable to NDR, especially Lateral Movement (TA0008), Command and Control (TA0011), and Exfiltration (TA0010); these are the tactics where NDR should be the primary detection layer. Report these metrics quarterly to make the renewal case.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
