Overview

What MetaDefender NDR Does

MetaDefender NDR is a network detection and response (NDR) platform that turns mirrored network traffic into searchable security telemetry and actionable alerts. It continuously observes traffic across monitored network segments, parses protocols and reconstructs sessions, enriches extracted metadata with threat intelligence and file analysis verdicts, and applies signature-based, behavioral, and machine-learning (ML) detections to identify malicious activity, policy violations, and suspicious communications. Operators work with the resulting alerts and enriched event history through a centralized web interface, and downstream systems receive the same data through syslog and integration APIs.

The platform is designed for security operations center (SOC) teams, network security engineers, and threat hunters who need deep visibility into east-west and north-south traffic, context-rich alerts, and a single place to pivot between flows, files, and entities during an investigation.

High-Level Architecture

MetaDefender NDR follows a distributed architecture built around a central Manager and one or more network Sensors.

  • Manager. The Manager is the central control and visibility plane. It hosts the web user interface, aggregates telemetry and alerts from all connected sensors, stores enriched events, applies detection policy, manages users and role-based access control (RBAC), and owns integrations with external systems. Administrators configure global and per-sensor policy from the Manager; analysts triage alerts, hunt, and investigate from the Manager.
  • Sensors. Sensors are the traffic-inspection points deployed at network vantage locations. Each sensor connects to a network tap, switched port analyzer (SPAN) port, or virtual network interface; receives mirrored traffic; performs protocol parsing, session reconstruction, and file extraction; and publishes extracted metadata and carved files to the Manager for enrichment, correlation, and storage. Sensors scale horizontally: additional sensors can be deployed close to critical segments without restructuring the Manager.

A single deployment can range from one Manager with one co-located sensor (small site or evaluation) to one Manager with many geographically distributed sensors (enterprise or MSSP deployment).

Traffic Monitoring Pipeline

Each network event travels through a multi-stage pipeline that transforms raw packets into enriched, searchable records.

  1. Capture and parse. A sensor receives mirrored traffic, reconstructs sessions, decodes application protocols (HTTP, TLS, DNS, SMB, and others), and extracts per-transaction metadata and, where applicable, carved files.
  2. Enrichment. The platform augments extracted metadata with additional context: command-and-control (C2) indicator matches, InSights Threat Intelligence DB (TIDB) and Reputation DB (REPDB) hits, Autonomous System Number (ASN) and GeoIP lookups, and — for carved files — MetaDefender Core scan results.
  3. Aggregation. Per-event enrichments are stitched back onto the originating event so downstream consumers see a single, fully-enriched record rather than a stream of fragments.
  4. Detection and storage. The enriched record is evaluated against Suricata signatures, behavioral detections, ML anomaly models, and alert rules. Events and any resulting alerts are persisted to long-term storage and made available for search, drill-down, and export.
  5. Presentation. The Manager surfaces live and historical data through the Dashboard (overview and trending), the Hunt page (search, pivot, drill-down), and detail panes that link alerts back to the underlying flow, file, and entity context.

The pipeline runs in near real time: alerts typically appear in the Manager within seconds of the triggering traffic being observed.
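To make stages 2 through 4 concrete, here is a small added model of the enrichment, aggregation and detection steps in Python. It is illustrative code written for this page, not MetaDefender NDR's own implementation; the event field names, the in-memory lookup tables standing in for TIDB/REPDB, GeoIP/ASN and MetaDefender Core, and the two alert rules are all constructed assumptions.

```python
"""Constructed model of the NDR enrich -> aggregate -> detect stages (not product code)."""

# Constructed sensor event: one HTTP transaction with a carved file, roughly as a
# sensor would publish it to the Manager. Field names are hypothetical.
SENSOR_EVENT = {
    "event_id": "evt-0001", "protocol": "http",
    "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10",
    "host": "download.example.invalid",
    "file_sha256": "constructed-sha256-placeholder",
}

# Constructed lookup tables standing in for the real enrichment sources.
TIDB = {"203.0.113.10": {"category": "c2", "confidence": 90}}       # threat intel hit
GEO = {"203.0.113.10": {"asn": 64496, "country": "ZZ"}}              # ASN / GeoIP
SCAN = {"constructed-sha256-placeholder": {"verdict": "infected", "engines_flagged": 7}}

def enrich(event):
    """Stage 2: each enricher emits an independent fragment keyed by its source."""
    frags = []
    if event["dst_ip"] in TIDB:
        frags.append(("tidb", TIDB[event["dst_ip"]]))
    if event["dst_ip"] in GEO:
        frags.append(("geo", GEO[event["dst_ip"]]))
    sha = event.get("file_sha256")
    if sha in SCAN:
        frags.append(("file_scan", SCAN[sha]))
    return frags

def aggregate(event, frags):
    """Stage 3: stitch the fragments back onto a copy of the originating event."""
    record = dict(event)
    record["enrichment"] = {source: data for source, data in frags}
    return record

# Stage 4 rules run against the fully enriched record, never against bare fragments.
RULES = [
    ("c2-indicator-match", lambda r: r["enrichment"].get("tidb", {}).get("category") == "c2"),
    ("file-scan-infected", lambda r: r["enrichment"].get("file_scan", {}).get("verdict") == "infected"),
]

def detect(record):
    """Stage 4: every matching rule yields one alert linked back to the event."""
    return [{"rule": name, "event_id": record["event_id"]} for name, pred in RULES if pred(record)]

def process(event):
    """Run one event through stages 2-4; returns (enriched record, alerts)."""
    record = aggregate(event, enrich(event))
    return record, detect(record)
```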

Deployment Models

MetaDefender NDR supports several deployment models so operators can align the platform with existing infrastructure, data-residency requirements, and operational preferences.

  • On-premises appliance. Manager and sensors install on dedicated physical hardware for production deployments with strict data-residency, performance, or isolation requirements.
  • Virtual appliance. Manager and sensors install as virtual machines in an on-premises hypervisor environment. This model suits evaluation, lab use, smaller sites, and deployments that prefer consolidated virtual infrastructure.
  • Cloud-hosted and hybrid. Sensors deploy in cloud environments (monitoring cloud network traffic) while connecting back to a centrally managed Manager. Hybrid deployments combine on-premises sensors and cloud-resident sensors under a single Manager to monitor distributed sites from one console.

Integration Points

MetaDefender NDR is designed to fit into existing security operations tooling rather than replace it. The platform exposes the following integration points:

  • SIEM via syslog. The platform forwards alerts and selected events to one or more security information and event management (SIEM) systems over syslog. Destinations are configurable, and group-level filtering allows operators to route only the relevant subset of alerts to a given SIEM.
  • MetaDefender Core. For deep file analysis on traffic-carved files, the platform integrates with MetaDefender Core for multiscanning and verdict enrichment. Scan results are stitched back onto the originating event and drive the MetaDefender file-scanning detection family.
  • MetaDefender Sandbox. Selected files can be submitted for dynamic analysis to identify evasive or previously unknown threats, with results returned as additional context on the associated event.
  • Directory services. The platform integrates with enterprise identity stores, Lightweight Directory Access Protocol (LDAP) or Active Directory (AD), for centralized authentication and RBAC mapping, allowing administrators to reuse existing group membership to drive platform access.
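As an added illustration of the SIEM-via-syslog integration point, the following Python models how an alert could be formatted as an RFC 5424 syslog message and routed only to the destinations whose group filter admits it. This is example code for this page, not the product's forwarder: the destination list, the alert fields, the `ndrAlert@32473` structured-data ID (32473 is the RFC 5424 example enterprise number) and the local0 facility are constructed assumptions.

```python
"""Constructed model of syslog forwarding with per-destination group filtering (not product code)."""
from datetime import datetime, timezone

# Constructed SIEM destinations; each only receives alerts from its allowed groups.
DESTINATIONS = [
    {"name": "siem-soc", "host": "siem.example.invalid", "port": 514, "groups": {"malware", "c2"}},
    {"name": "siem-netops", "host": "netops.example.invalid", "port": 514, "groups": {"policy"}},
]

# Constructed alert as the Manager might hand it to the forwarder (hypothetical fields).
SAMPLE_ALERT = {
    "id": "alt-0001", "group": "c2", "severity": "high",
    "ts": datetime(2024, 1, 2, 3, 4, 5, 123000, tzinfo=timezone.utc),
    "fields": {"srcIp": "10.0.0.5", "dstIp": "203.0.113.10", "rule": "c2-indicator-match"},
    "msg": "C2 indicator match",
}

def sd_escape(value):
    """Escape an SD-PARAM value as RFC 5424 section 6.3.3 requires: backslash, quote, ']'."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def format_rfc5424(alert, hostname="ndr-manager", app="mdndr"):
    """Build one RFC 5424 line. PRI is facility*8 + severity (local0 = 16)."""
    severity = {"critical": 2, "high": 3, "medium": 4, "low": 6}[alert["severity"]]
    pri = 16 * 8 + severity
    ts = alert["ts"].strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"   # millisecond UTC timestamp
    params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in alert["fields"].items())
    sd = f"[ndrAlert@32473 {params}]"
    # PROCID is "-" (nil); MSGID carries the alert id so the SIEM can correlate.
    return f"<{pri}>1 {ts} {hostname} {app} - {alert['id']} {sd} {alert['msg']}"

def route(alert, destinations=DESTINATIONS):
    """Return (destination name, message) for every destination whose filter admits the group."""
    return [(d["name"], format_rfc5424(alert)) for d in destinations if alert["group"] in d["groups"]]
```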

Further Reading

  • Overview — expanded treatment of concepts, capabilities, and architecture.
  • Dashboard — the analyst home surface.
  • Hunt Page — search, pivot, and drill-down across enriched telemetry.