06 March 2025

Bill Munroe, Head of Partner Success and Product Marketing Owner, WatchGuard
In the evolving landscape of cybersecurity, Extended Detection and Response (XDR) has emerged as a powerful approach to consolidating security tools, improving visibility, and automating threat response. Yet, for all its advantages, many XDR solutions lack a crucial element: Network Detection and Response (NDR). Without NDR, XDR platforms fail to detect and respond to attacks that have bypassed endpoint or identity defenses and are operating undetected inside the network.
NDR is unique in that it is the only effective method to monitor activity occurring inside the network (on-premise, cloud or hybrid) to uncover and surface attacks that are in the command and control, lateral movement, privilege escalation, internal network reconnaissance, data staging, and data exfiltration stages. As threat actors refine their tactics, leveraging AI and encrypted traffic, an effective security posture must include NDR to provide true extended detection and response.
Only NDR can detect vulnerability and credential compromises inside the network
Endpoint Detection and Response (EDR), Identity and Access Management (IAM), Cloud Security Management (CSM), and email security are all critical components of an XDR solution.
Attackers increasingly use living-off-the-land (LotL) techniques, where they exploit legitimate credentials or misconfigurations rather than deploying traditional malware. NDR fills this gap by continuously monitoring north-south and east-west network traffic, the dataflows inside the environment and across firewalls, to identify suspicious behaviours, policy violations, and expansion techniques utilised by attackers.
Attacks often bypass traditional defenses by using compromised credentials or exploiting misconfigured services. Since these activities do not trigger endpoint-based alerts, an XDR solution built around an EDR core will be blind to these attacks. For example, if an attacker gains access to an internal system using stolen credentials, IAM and EDR solutions may not immediately flag this activity. However, an NDR platform would recognise anomalous access patterns, unusual privilege escalation attempts, or lateral movement attempts toward high-value assets.
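To make the network-side detection described above concrete, here is an added example (not WatchGuard code) of a toy NDR-style analysis over NetFlow-like records: it baselines which internal peers talk to each other, then flags a host that fans out to new internal hosts on remote-admin ports (lateral movement or internal reconnaissance) and a host that pushes an unusually large volume to an external address (staging or exfiltration). The internal ranges, admin-port list, thresholds and all flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed assumptions: internal ranges and the admin-port list are not WatchGuard's.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}  # remote-admin services commonly abused for lateral movement
def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)
def build_baseline(flows):
    """Internal (src, dst) peer pairs observed during a known-good period."""
    return {(f["src"], f["dst"]) for f in flows if is_internal(f["src"]) and is_internal(f["dst"])}
def analyze(flows, baseline, new_peer_threshold=3, exfil_bytes=50_000_000):
    """Flag new-admin-peer fan-out (lateral movement/recon) and bulk internal->external transfers."""
    new_admin_peers = defaultdict(set)
    egress_bytes = defaultdict(int)
    for f in flows:
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if src_int and dst_int:
            if f["dport"] in ADMIN_PORTS and (f["src"], f["dst"]) not in baseline:
                new_admin_peers[f["src"]].add(f["dst"])
        elif src_int:  # internal -> external: count egress volume per source host
            egress_bytes[f["src"]] += f["bytes"]
    alerts = []
    for src, peers in new_admin_peers.items():
        if len(peers) >= new_peer_threshold:
            alerts.append(("lateral_movement", src, sorted(peers)))
    for src, total in egress_bytes.items():
        if total >= exfil_bytes:
            alerts.append(("exfiltration", src, total))
    return alerts
# Constructed flow records (src, dst, dst port, bytes); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
BASELINE_FLOWS = [
    {"src": "10.0.5.20", "dst": "10.0.1.10", "dport": 445, "bytes": 4000},
    {"src": "10.0.5.20", "dst": "10.0.1.53", "dport": 53, "bytes": 200},
    {"src": "10.0.5.21", "dst": "10.0.1.10", "dport": 445, "bytes": 3000},
]
WINDOW_FLOWS = [
    {"src": "10.0.5.20", "dst": "10.0.1.10", "dport": 445, "bytes": 5000},  # known file-server peer
    {"src": "10.0.5.20", "dst": "10.0.1.11", "dport": 445, "bytes": 1200},  # new SMB peers...
    {"src": "10.0.5.20", "dst": "10.0.1.12", "dport": 445, "bytes": 1100},
    {"src": "10.0.5.20", "dst": "10.0.2.30", "dport": 3389, "bytes": 900},  # ...and a new RDP target
    {"src": "10.0.5.20", "dst": "203.0.113.7", "dport": 443, "bytes": 120_000_000},  # bulk upload
    {"src": "10.0.5.21", "dst": "10.0.1.10", "dport": 445, "bytes": 2500},
    {"src": "10.0.5.21", "dst": "198.51.100.9", "dport": 443, "bytes": 80_000},  # normal egress
]
def run_demo():
    """Return the alerts raised for the observation window against the learned baseline."""
    return analyze(WINDOW_FLOWS, build_baseline(BASELINE_FLOWS))
```

Host 10.0.5.20 raises both alerts even though no endpoint agent was involved; host 10.0.5.21, whose traffic matches the baseline, raises none.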
Cloud and on-premise coverage
The modern enterprise operates in a hybrid world, with applications, data, and users spread across on-premise, cloud, and multi-cloud environments. Attackers take advantage of this complexity, exploiting misconfigured cloud permissions, API vulnerabilities, and unmonitored network segments to infiltrate organisations.
Many security solutions focus on either on-premise or cloud environments, but NDR is uniquely positioned to provide unified visibility across both. By analyzing network traffic via netflows and packets and complementing that data with log data from SaaS applications and cloud environments along with logs from identity platforms, NDR can identify indicators of compromise (IoCs) regardless of where they originate.
NDR enhances security across each of these environments:
- Cloud workloads: Monitors east-west traffic within cloud environments, identifying anomalous API calls, unusual user behavior, unauthorised data transfers, and misconfigured storage access.
- Hybrid networks: Detects unusual connections between on-premise and cloud infrastructure, flagging data exfiltration or compromised VPN credentials.
- Zero Trust environments: Supports Zero Trust implementations by continuously providing overwatch and analyzing all network traffic for policy violations and unauthorised access attempts.
Since XDR without NDR lacks deep network visibility, it creates dangerous blind spots, especially in hybrid environments where attackers can pivot between cloud and on-prem networks undetected.
Many XDR solutions omit NDR
Despite the rise of XDR as a preferred cybersecurity solution, many vendors do not integrate NDR capabilities natively. Instead, they rely primarily on EDR with agents deployed to as many different types of devices as possible.
The risks of XDR without NDR include:
- Missed insider threats: Malicious insiders and compromised accounts remain undetected without network-based behaviour analytics.
- Ineffective lateral movement detection: Attackers can move between systems undetected if no network-level visibility exists.
- Incomplete cloud security: API abuse and cloud misconfigurations go unnoticed without traffic analysis at the network layer.
- Ineffective supply chain attack detection: Vulnerability-based attacks are the single most devastating attack method in the adversary toolkit and will continue to be until NDR is widely deployed.
- Slow incident response: Without NDR insights, XDR platforms may only detect threats after damage has occurred, leaving mean time to respond (MTTR) at weeks or months and allowing ransomware to continue its successful exploitation of companies around the globe.
Many organisations assume that their EDR-based XDR solutions are comprehensive, but the absence of NDR creates a major detection gap.
An operational revolution
Historically, NDR solutions required expensive hardware appliances and significant on-premise deployment efforts. This barrier made adoption difficult for many organisations, leading them to rely solely on endpoint and log-based security solutions.
Today’s modern NDR platforms leverage cloud scalability, AI-driven analytics, and machine learning to provide real-time detection without the need for costly hardware appliances.
Benefits of cloud-based NDR include:
- Affordable and Scalable: No need for costly on-prem hardware, with pricing models that scale with usage.
- Faster Deployment: Can be deployed quickly across hybrid and multi-cloud environments.
- AI-Driven Detection: Machine learning enhances anomaly detection, reducing false positives and increasing accuracy.
- Seamless XDR Integration: Cloud-based NDR solutions can integrate with existing XDR platforms, providing the missing visibility layer.
This shift makes NDR accessible to organizations of all sizes, ensuring that network-level threat detection is no longer limited to enterprises with massive security budgets.
NDR is no longer optional
As cyber threats evolve, XDR solutions must move beyond just endpoints to incorporate full network visibility. NDR provides the only effective way to detect compromised credentials, lateral movement, and insider threats within hybrid cloud and on-prem environments.
Organisations relying on XDR without NDR are exposed to significant risk as attackers increasingly evade traditional detection mechanisms. With the rise of affordable, cloud-based NDR solutions, integrating network detection into XDR is no longer a luxury; it’s a necessity.
For a truly comprehensive security strategy, NDR is the missing piece that XDR cannot afford to ignore.