Alibaba Cloud Agentic NDR is a cloud-native Network Detection and Response (NDR) product built for the public cloud. Activate it in minutes with no deployment required, and start detecting threats immediately.
Cloud-native Agentic NDR vs. traditional and open source
| Feature | Alibaba Cloud Agentic NDR | Traditional commercial Agentic NDR | Open source Agentic NDR |
|---|---|---|---|
| Deployment speed | Fast — up to speed in minutes | Time-consuming — requires provisioning underlying resources | Relatively fast — but requires complex configuration |
| Cost-effectiveness | High — SaaS subscription, low Capital Expenditure (CAPEX) | Medium — high CAPEX and Operational Expenditure (OPEX) | Additional infrastructure costs, high OPEX |
| Operational efficiency | High — native integration, no extra IT resources | Medium — requires separate purchase, consumes IT resources | Low — requires custom development |
| Maintenance and updates | Real-time, in minutes | Automatic, dependent on vendor | Manual — dependent on community |
| Flexibility and scalability | Elastic Pay-As-You-Go (PAYG) | Low — requires purchasing an additional license | Manual — self-managed |
Get up and running in minutes
Zero-deployment, one-click access: No traffic forwarding configuration needed. Activate the service on demand and start protecting your environment without operational overhead, while accommodating diverse access requirements.
Non-intrusive out-of-band deployment: Automatically discovers and syncs all your cloud assets regardless of network architecture, with zero impact on your business operations.
East-west traffic detection: Monitors private network traffic to detect lateral movement and unauthorized transfers of sensitive data, helping you quickly identify compromised assets.
Retain and retrieve attack traffic at low cost
Automated attack traffic retention: Automatically captures traffic before and after each attack event. The retained footprint is 1/10,000th the size of full traffic logs, sharply reducing storage costs while meeting data retention requirements.
Customized retention for core assets: Define custom filtering rules to retain traffic only for the assets that matter most, reducing costs while meeting compliance and audit requirements. Retained traffic provides forensic evidence to accelerate incident response.
High-performance traffic search: Search 300 million logs in under 10 seconds using the advanced BPF-based search engine. Analyze attack payloads online and generate PCAP files directly from the console — no repetitive downloads needed.
Detect more threats and cut false positives
Bidirectional and asynchronous threat detection: Analyzes both request and response traffic to confirm attacks such as Remote Code Execution (RCE), SQL injection (SQLi), and Local File Inclusion (LFI). Covering both directions eliminates blind spots and significantly reduces false positives, lightening the load on your security operations team.
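The following is an added illustration, not code from Alibaba Cloud or the NDR product, of why correlating the response with the request cuts false positives. The request signatures, the response evidence patterns and the HTTP exchanges are all constructed for the example; a request-only detector raises an alert for every matching request (including ones the server rejected), while the bidirectional detector only raises a confirmed alert when the reply shows the attack actually succeeded.

```python
import re
from dataclasses import dataclass


@dataclass
class Exchange:
    """One request/response pair reconstructed from traffic (constructed sample)."""
    src_ip: str
    request: str    # request line plus body as seen on the wire
    status: int     # HTTP status code of the response
    response: str   # response body


# Request-side signatures: what an *attempt* looks like (illustrative patterns only).
REQUEST_SIGNATURES = {
    "LFI": re.compile(r"(\.\./){2,}|/etc/passwd", re.I),
    "SQLi": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "RCE": re.compile(r"[;&|`]\s*(id|whoami|cat|wget|curl)\b", re.I),
}

# Response-side evidence: what a *successful* attack leaves in the reply.
RESPONSE_EVIDENCE = {
    "LFI": re.compile(r"^root:x?:0:0:", re.M),                       # passwd file contents
    "SQLi": re.compile(r"(you have an error in your sql syntax|ora-\d{5}|"
                       r"syntax error at or near|unclosed quotation mark)", re.I),
    "RCE": re.compile(r"\buid=\d+\([\w-]+\)\s+gid=\d+"),              # output of `id`
}


def classify_request(ex):
    """Return the attack classes whose request signature matches this exchange."""
    return [name for name, pat in REQUEST_SIGNATURES.items() if pat.search(ex.request)]


def detect_unidirectional(exchanges):
    """Request-only detection: every matching request becomes an alert."""
    return [(ex.src_ip, name, "attempt")
            for ex in exchanges for name in classify_request(ex)]


def detect_bidirectional(exchanges):
    """Correlate request and response: alert only when the reply shows the attack worked."""
    alerts = []
    for ex in exchanges:
        for name in classify_request(ex):
            if RESPONSE_EVIDENCE[name].search(ex.response):
                alerts.append((ex.src_ip, name, "confirmed"))
    return alerts


# Constructed sample traffic: two blocked/ineffective attempts, two successful ones, one benign request.
SAMPLE_EXCHANGES = [
    Exchange("203.0.113.5", "GET /view?file=../../../etc/passwd HTTP/1.1", 403, "Forbidden"),
    Exchange("203.0.113.7", "GET /view?file=../../../etc/passwd HTTP/1.1", 200,
             "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"),
    Exchange("203.0.113.8", "GET /product?id=1' OR 1=1-- HTTP/1.1", 200, "<html>Widget 1 - $9.99</html>"),
    Exchange("203.0.113.9", "GET /ping?host=127.0.0.1;id HTTP/1.1", 200,
             "uid=33(www-data) gid=33(www-data) groups=33(www-data)"),
    Exchange("198.51.100.2", "GET /search?q=cat+videos HTTP/1.1", 200, "<html>2 results</html>"),
]

if __name__ == "__main__":
    print("request-only alerts :", detect_unidirectional(SAMPLE_EXCHANGES))
    print("confirmed alerts    :", detect_bidirectional(SAMPLE_EXCHANGES))
```

On the sample, request-only detection produces four alerts, two of which are attempts the server never honoured; response correlation leaves the two confirmed compromises, which is the triage reduction the paragraph above describes.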
Multi-engine correlation analysis: Combines insights from signature-based rules, threat intelligence, file sandbox, behavior analysis, and exposure analysis. Alerts are displayed on a timeline, so your team can quickly identify anomalies and trace related threat events across a broader range of attack types.
ATT&CK framework mapping: Maps detected activity to attacker techniques and tools in the MITRE ATT&CK framework to identify intrusion paths and attack objectives. Security teams can use this mapping to prioritize patching, optimize firewall policies, shut down exposed services, and build evidence for legal action.
Uncover asset exposure and sensitive data risks
Context-aware asset exposure analysis: Automatically identifies the business services running on your cloud assets and maps their external exposure to uncover blind spots. Continuously surfaces daily risks such as vulnerable port exposure and weak password usage before they result in exploitation or regulatory penalties.
Sensitive data exposure risk management: Uses traffic analysis to detect sensitive data exposure within your services, identifies at-risk assets, and assesses potential data breach impact — streamlining risk management for business-critical workloads.
Retrieve, filter, and deliver protocol logs on demand
Protocol log retrieval: Retrieves Layer 7 protocol logs — including HTTP, DNS, and TLS — as well as 5-tuple logs. Detailed fields and payload information are extracted from raw traffic without installing any analysis software, supporting compliance and regulatory requirements.
Protocol log filtering: Filter and retain protocol logs on demand to focus data collection on core business services. Choose from a wide range of log types and apply 5-tuple filter conditions to reduce log analysis and storage costs.
Protocol log delivery: Deliver logs in near real time. Customize which log fields are included and define the data retention period to match your operational and compliance needs.
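As an added example covering the filtering and delivery points above (not code from Alibaba Cloud or the NDR console, whose rule syntax is not shown on this page), the following applies 5-tuple retention rules to constructed protocol log records and projects only the fields selected for delivery, carrying the rule's retention period alongside each kept record. The `Rule` shape, the record field names and the sample records are all assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    """A 5-tuple retention rule: which records to keep, which fields to deliver, for how long."""
    name: str
    proto: str                         # "tcp" or "udp"
    src: str = "0.0.0.0/0"             # source CIDR, any by default
    dst: str = "0.0.0.0/0"             # destination CIDR, any by default
    src_port: Optional[int] = None     # None means any port
    dst_port: Optional[int] = None
    fields: Tuple[str, ...] = ("ts", "src_ip", "dst_ip", "dst_port")  # fields kept on delivery
    retain_days: int = 30

    def matches(self, rec) -> bool:
        return (rec["proto"] == self.proto
                and ipaddress.ip_address(rec["src_ip"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(rec["dst_ip"]) in ipaddress.ip_network(self.dst)
                and self.src_port in (None, rec["src_port"])
                and self.dst_port in (None, rec["dst_port"]))


def apply_rules(records, rules):
    """Keep records matching the first applicable rule, projected to that rule's fields."""
    kept = []
    for rec in records:
        for rule in rules:
            if rule.matches(rec):
                out = {k: rec[k] for k in rule.fields if k in rec}
                out["rule"] = rule.name
                out["retain_days"] = rule.retain_days
                kept.append(out)
                break  # first matching rule wins; unmatched records are dropped
    return kept


# Constructed protocol log records (field names are assumed for the example).
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T10:00:01Z", "proto": "tcp", "src_ip": "198.51.100.4", "src_port": 51000,
     "dst_ip": "10.0.1.10", "dst_port": 80, "host": "shop.example", "uri": "/cart", "status": 200,
     "payload": "<large body not needed for audit>"},
    {"ts": "2024-05-01T10:00:02Z", "proto": "udp", "src_ip": "10.0.2.5", "src_port": 41000,
     "dst_ip": "10.0.0.53", "dst_port": 53, "query": "api.example.internal", "rcode": "NOERROR"},
    {"ts": "2024-05-01T10:00:03Z", "proto": "tcp", "src_ip": "198.51.100.9", "src_port": 52000,
     "dst_ip": "10.0.5.9", "dst_port": 443, "sni": "cdn.example"},
    {"ts": "2024-05-01T10:00:04Z", "proto": "tcp", "src_ip": "10.0.2.5", "src_port": 43000,
     "dst_ip": "10.0.1.10", "dst_port": 22},
]

# Retain web-tier HTTP for 180 days with only the audit-relevant fields, and resolver DNS for 90 days.
RULES = [
    Rule("web-tier-http", "tcp", dst="10.0.1.0/24", dst_port=80,
         fields=("ts", "src_ip", "dst_ip", "host", "uri", "status"), retain_days=180),
    Rule("resolver-dns", "udp", dst="10.0.0.53/32", dst_port=53,
         fields=("ts", "src_ip", "query"), retain_days=90),
]

if __name__ == "__main__":
    for rec in apply_rules(SAMPLE_RECORDS, RULES):
        print(rec)
```

Of the four records, only the web-tier HTTP and resolver DNS entries are kept, and the HTTP record's payload is dropped before delivery, which is where the storage and analysis savings come from.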