NDR (Network Detection and Response) analyzes network traffic for threats — using ML, behavioral analysis, and protocol inspection. Complements EDR (endpoint visibility) with network visibility.
NDR sees: lateral movement (east-west traffic), C2 beaconing, data exfiltration, network scanning. Captures: full PCAP, NetFlow, or Zeek logs. Tools: Darktrace, Vectra, or an open-source stack (Zeek + Suricata + Arkime, formerly Moloch). NDR covers devices without EDR agents (network printers, IoT, legacy systems).
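As an added example (not part of the original note), a minimal C2-beacon detector over constructed Zeek conn.log records in Zeek's JSON output format: it groups connections by source, destination and port and flags flows whose connection interval and request size are unusually regular. The sample addresses, byte counts and thresholds are assumptions.

```python
import json
import statistics
from collections import defaultdict

# Constructed Zeek conn.log records (JSON format, LogAscii::use_json=T), reduced to the
# fields the detector needs. Timestamps are epoch seconds; addresses are documentation ranges.
SAMPLE_CONN_LOG = "\n".join(
    # 10.0.0.5 -> 203.0.113.7:443 roughly every 60s with near-constant request size (beacon-like)
    [json.dumps({"ts": 1700000000 + 60 * i + (i % 3) - 1, "id.orig_h": "10.0.0.5",
                 "id.resp_h": "203.0.113.7", "id.resp_p": 443, "orig_bytes": 312 + (i % 2)})
     for i in range(12)]
    # Same host browsing 198.51.100.9:443 at irregular intervals with varied sizes (benign-like)
    + [json.dumps({"ts": 1700000000 + t, "id.orig_h": "10.0.0.5",
                   "id.resp_h": "198.51.100.9", "id.resp_p": 443, "orig_bytes": b})
       for t, b in [(3, 1500), (7, 980), (150, 4200), (151, 230),
                    (400, 8800), (990, 640), (1005, 2200), (1300, 300)]]
)

def parse_conn_log(text):
    """Yield one dict per non-empty JSON line of a Zeek conn.log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)

def find_beacons(records, min_conns=8, max_jitter=0.15, max_size_cv=0.25):
    """Flag (orig_h, resp_h, resp_p) flows with regular timing and regular request size.
    jitter   = stdev/mean of the gaps between consecutive connections
    size_cv  = stdev/mean of orig_bytes per connection
    Returns a list of (orig_h, resp_h, resp_p, mean_gap_seconds)."""
    flows = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        flows[key].append((float(r["ts"]), r.get("orig_bytes") or 0))  # JSON omits unset fields
    hits = []
    for key, conns in flows.items():
        if len(conns) < min_conns:          # too few samples to judge periodicity
            continue
        conns.sort()
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [c[1] for c in conns]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size if mean_size else 0.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            hits.append((key[0], key[1], key[2], round(mean_gap, 1)))
    return hits

if __name__ == "__main__":
    for orig, resp, port, gap in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"beacon-like: {orig} -> {resp}:{port} every ~{gap}s")
```

Real beacons add randomized sleep jitter, so in production this check is one signal alongside destination reputation, TLS fingerprinting and data-volume baselines rather than a verdict on its own.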