This page answers common questions from teams evaluating Agentic NDR (Network Detection and Response). Questions are grouped by topic.
Deployment and traffic collection
Does connecting asset traffic affect business operations?
No. Agentic NDR uses a non-intrusive, out-of-band deployment mode. It captures traffic through mirroring — the original data path is never touched — so your services experience no added latency or jitter. Because mirroring is passive, there is no inline processing that could introduce risk to production traffic.
Does the traffic collection time refer to when collection starts or when the traffic occurs?
It refers to when the collection operation starts, not when the underlying traffic occurred. Agentic NDR supports three collection modes: immediate, scheduled, and recurring. Choose the mode that fits your operational schedule.
Asset management
Do I need to manually configure the asset list?
No. The asset list is populated and kept up to date automatically. No manual configuration is required.
If I have assets in multiple regions — such as Shanghai, Hangzhou, and Beijing — is the analysis combined or handled separately?
Agentic NDR analyzes each region independently. It is deployed on a per-region basis, so threats are detected and analyzed separately for each region's assets. To view threat analysis for a specific region, switch to that region in the console. Agentic NDR will then analyze the mirrored traffic from the assets in that region.
Storage and log management
Is manual storage or import required before analysis?
No. Asset traffic is analyzed directly within the product, so no additional storage configuration or data import is required. If needed, you can also retain original messages and download PCAP (Packet Capture) packages.
If protocol logs are not delivered to SLS (Simple Log Service), where are they stored?
The Agentic NDR platform stores the protocol logs internally. You can filter and search them in the log analysis module. Storage costs will apply after the service launches commercially.
Message viewing and payload analysis
Can I only view original messages by downloading them locally?
No. In addition to local downloads, the threat analysis feature lets you view message payloads directly in the console. It also highlights the fields that triggered a rule hit, so you can pinpoint the exact content without downloading a file.
Is response data included in the payload?
Yes. Agentic NDR performs bidirectional analysis, capturing both request and response data.
Can I see which part of the data triggered a rule hit?
Yes. Rule hit information appears on the alert card and in the alert details. The relevant payload section in the alert list is also highlighted, so you can identify exactly what triggered the alert without having to manually review the full payload.
Alerts and detection
Does the product distinguish between successful attacks and attack attempts?
Yes. Each alert includes an attack result field that indicates whether an asset has been compromised. Agentic NDR determines the outcome by correlating the original attack traffic with its full context.
Are protocol log filtering and message retention filtering logically the same?
No. The two filters operate on different dimensions:
| Filter type | Basis |
|---|---|
| Protocol log filtering | Protocol |
| Message retention filtering | 5-tuple (source IP, destination IP, source port, destination port, and protocol type) |
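
The sketch below is an added example, not Agentic NDR code or its API. It applies a protocol-based filter and a 5-tuple filter to the same constructed flow records to show that the two dimensions select different sets. The `Flow` fields, `TupleRule`, both filter functions, and the reading of "protocol" as the parsed application protocol are assumptions made for illustration.

```python
# Added illustration, not Agentic NDR code. Names and sample records are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    transport: str  # protocol type in the 5-tuple, e.g. "tcp"
    app_proto: str  # protocol the log record was parsed as (assumed field)

@dataclass(frozen=True)
class TupleRule:
    """5-tuple match; None is a wildcard for that element."""
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    transport: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (
            (self.src_net is None or ip_address(f.src_ip) in ip_network(self.src_net))
            and (self.dst_net is None or ip_address(f.dst_ip) in ip_network(self.dst_net))
            and (self.src_port is None or f.src_port == self.src_port)
            and (self.dst_port is None or f.dst_port == self.dst_port)
            and (self.transport is None or f.transport == self.transport)
        )

def filter_protocol_logs(flows, protocols):
    """Protocol dimension: select by parsed protocol, ignoring endpoints."""
    wanted = {p.lower() for p in protocols}
    return [f for f in flows if f.app_proto.lower() in wanted]

def filter_retention(flows, rules):
    """5-tuple dimension: select flows whose endpoints match any rule."""
    return [f for f in flows if any(r.matches(f) for r in rules)]

# Constructed sample flows (documentation and private address ranges).
FLOWS = [
    Flow("198.51.100.7", "10.0.1.20", 51544, 8080, "tcp", "http"),
    Flow("10.0.1.20", "10.0.2.53", 40000, 53, "udp", "dns"),
    Flow("203.0.113.9", "10.0.1.20", 44321, 8080, "tcp", "tls"),
    Flow("10.0.3.5", "10.0.9.9", 50123, 80, "tcp", "http"),
]
```

On the sample data, a protocol filter for HTTP selects the first and last records, while a 5-tuple rule for TCP port 8080 on 10.0.1.0/24 selects the HTTP and TLS flows to that service.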
Performance and customization
How quickly can Agentic NDR retrieve messages?
Agentic NDR can retrieve 300 million streams in under 10 seconds. The platform also monitors the interface in real time and applies optimizations automatically when timeouts are detected.
Can I customize the detection fields?
No, not in the current version. The Agentic NDR detection engine uses a standardized, clustered deployment shared across all users, so detection fields cannot be configured for individual users. If you have specific detection requirements, contact the pre-sales team.