
Compare Network Traffic Analysis Solutions

Learn how Cisco Stealthwatch compares with other Network Traffic Analysis (NTA) products. The solution is agentless and scales easily, giving you visibility across the entire network and cloud, and even into encrypted traffic. Stealthwatch uses multiple analytical techniques like behavioral modeling and machine learning to find advanced threats lurking in the organization, reducing the time to detect and respond.

Cisco Stealthwatch

Darktrace

Vectra AI

Plixer

Detection

Malware analysis and detection in encrypted traffic - without decryption
  Cisco Stealthwatch: Can perform analytics on encrypted traffic to detect malware and to ensure cryptographic compliance, without decryption, using Encrypted Traffic Analytics.
  Darktrace: Probes usually require traffic in the clear to do their work. Engineers must be aware of encrypted links and ensure that their probes obtain the data prior to or after encryption, or they must have a decryption capability, either offboard or built in. Onboard decryption is very difficult to maintain in a large environment, and newer protocols are less likely to be decrypted.
  Vectra AI: Same as Darktrace.

Data hoarding detection
  Cisco Stealthwatch: Events accumulate in the Data Hoarding Index, which is metered either by an absolute limit or by the learned behavior of the host or its groups.
  Darktrace (Limited): Can detect an anomaly but not a specific data hoarding event.

Lateral movement detection
  Cisco Stealthwatch: Provides worm detection and visual tracking of malware across the network.
  Darktrace (Limited): May detect an anomaly but has no published ability to specifically call out lateral movement.
  Vectra AI: Many specific detections focused on lateral movement.

Complete network audit trail
  Cisco Stealthwatch: Can log every conversation on the network using Flow Collectors and Flow Sensors.
  Darktrace (Limited): Uses sensors only, so is likely to miss some traffic.
  Vectra AI (Limited): Same as Darktrace.
  Plixer: Flow traffic stored on box.

Reconnaissance detection
  Cisco Stealthwatch: Can detect fast and slow scanning using a unique algorithm that is highly sensitive to very low scan-rate events.
  Darktrace (Limited): Can detect reconnaissance, but not likely to be as sensitive as Stealthwatch's scan algorithm.
  Vectra AI (Limited): Same as Darktrace.
  Plixer: With optional Flow Analytics.

Machine learning
  Cisco Stealthwatch: Uses multilayer machine learning to provide high-fidelity detection.
  Vectra AI: Via graph analysis.
  Plixer (Limited): Has limited baselining capabilities based on broad traffic counts.

Exfiltration detection
  Cisco Stealthwatch: Generates a "suspect data loss" alarm for hosts exfiltrating more data (including encrypted data) than normal.
  Darktrace (Limited): Uses only sensors rather than telemetry from network hardware, and detection is limited to sensor-placement locations.
  Vectra AI: Same as Darktrace.

Command-and-control detection
  Cisco Stealthwatch: Can detect multiple security events using analytics and threat intelligence to detect C&C peers.
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations.
  Vectra AI: Same as Darktrace.
  Plixer (Limited): No specific algorithms for C&C.

Anomaly detection
  Cisco Stealthwatch: Has a mature and proven anomaly detection system with more than 150 algorithms.
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations.
  Vectra AI (Limited): More focused on known bad behaviors; detects some anomalous behavior via graph analysis.
  Plixer (Limited): With optional Flow Analytics.

Malware detection
  Cisco Stealthwatch: Can provide zero-day exploit detection.
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations.
  Vectra AI: Same as Darktrace.
  Plixer (Limited): With optional Flow Analytics.

DDoS attack detection
  Cisco Stealthwatch: Capable of detecting DDoS and DoS threats by identifying both the victims and the attackers.
  Plixer (Limited): With optional Flow Analytics.

Zero-day/unknown exploit detection
  Cisco Stealthwatch: Can detect new or unique malware for which signatures do not yet exist, using a behavioral method with more than 90 parameters.
  Darktrace: Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations.
  Vectra AI: Same as Darktrace.
  Plixer (Limited): Has limited baselining capabilities based on broad traffic counts.

Exploitation detection
  Cisco Stealthwatch: Can detect insider threats like data exfiltration and command-and-control communications, plus long and slow attacks. Security events feed the indexes to trigger alarms by means of behavioral algorithms and absolute limits that can be set by the operator.
  Darktrace: Detection of a number of exploits is called out, but the scope is unknown.
  Vectra AI (Limited): Detection of a number of exploits is called out, with the ability to identify particular exploit behaviors and associate them with known malware. Limited to Windows; the scope does not cover other operating systems, IoT, etc.
  Plixer: No concern index or anything similar to it.
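The data hoarding and exfiltration rows above both describe the same mechanism: a per-host counter that is compared against an operator-set absolute limit and against the host's own learned behavior, with points accumulating into an index that alarms once it crosses a threshold. The script below is an added illustration of that idea, not Cisco code and not how Stealthwatch actually scores; the daily byte totals, thresholds, point values and the mean-plus-three-standard-deviations baseline are all assumptions chosen for the example.

```python
"""Behavioral index fed by an absolute limit and a learned baseline.

Constructed example (not Stealthwatch code): per-host daily byte totals
are scored against an operator-set absolute limit and against the
host's own learned behavior, and the points accumulate into an index
that raises an alarm once it crosses a threshold. All thresholds,
point values and traffic figures below are assumptions.
"""
from statistics import mean, pstdev

# Constructed learning data: seven daily byte totals per host (bytes moved
# toward the host for hoarding, away from it for data loss), then today's total.
HISTORY = {
    "10.1.1.20": [2.1e9, 1.9e9, 2.3e9, 2.0e9, 2.2e9, 1.8e9, 2.1e9],  # steady file server
    "10.1.1.21": [0.4e9, 0.5e9, 0.4e9, 0.6e9, 0.5e9, 0.4e9, 0.5e9],  # workstation
}
TODAY = {"10.1.1.20": 2.2e9, "10.1.1.21": 6.0e9}

ABSOLUTE_LIMIT = 4e9     # assumed operator-set ceiling, bytes per day
SIGMA_MULTIPLIER = 3.0   # assumed: baseline breached above mean + 3 std devs
ALARM_THRESHOLD = 100    # assumed index value at which an alarm fires
POINTS_PER_BREACH = 50   # assumed points per breach, scaled by the overrun


def learned_threshold(history):
    """Baseline from the host's own past: mean plus k population std devs."""
    return mean(history) + SIGMA_MULTIPLIER * pstdev(history)


def score_host(history, today):
    """Return (points, reasons) for one host's day.

    A breach of the learned baseline and a breach of the absolute limit each
    add points proportional to the overrun, so a small excess accumulates
    slowly over several days while a large one alarms immediately.
    """
    points = 0
    reasons = []
    baseline = learned_threshold(history)
    if today > baseline:
        points += int(POINTS_PER_BREACH * today / baseline)
        reasons.append(f"{today / baseline:.1f}x learned baseline")
    if today > ABSOLUTE_LIMIT:
        points += int(POINTS_PER_BREACH * today / ABSOLUTE_LIMIT)
        reasons.append(f"{today / ABSOLUTE_LIMIT:.1f}x absolute limit")
    return points, reasons


def evaluate(history=HISTORY, today=TODAY):
    """Build the index for every host; return (index, alarms)."""
    index = {}
    alarms = []
    for host, past in history.items():
        points, reasons = score_host(past, today[host])
        index[host] = points
        if points >= ALARM_THRESHOLD:
            alarms.append((host, points, reasons))
    return index, alarms


if __name__ == "__main__":
    index, alarms = evaluate()
    for host, points in index.items():
        print(f"{host}: index={points}")
    for host, points, reasons in alarms:
        print(f"ALARM {host} ({points} points): {'; '.join(reasons)}")
```

The file server moves 2.2 GB on a 2 GB-per-day baseline and scores nothing, while the workstation's 6 GB is both far above its own history and above the absolute ceiling, so it alarms on both grounds. A group baseline (learning from all hosts in the same host group rather than from one host) plugs into `learned_threshold` by passing the group's history instead of the host's.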

Deployment

Scalability
  Cisco Stealthwatch: Can scale to 6 million flows per second, handle 100 Mbps to 10 Gbps interface connections and spikes in traffic above rated levels, and can collect telemetry from thousands of sensors.
  Darktrace (Limited): Uses only sensors rather than telemetry from the network.
  Vectra AI (Limited): Depends upon probes rather than flow from network hardware.
  Plixer (Limited): Significant configuration and customization is required to support consolidated reporting and flow maps across multiple Plixer collectors.

Data storage
  Cisco Stealthwatch: On average, the system can store 30-45 days' worth of flow data, and often much more, for deeper forensic investigation.
  Darktrace (Limited): No reported data to confirm storage capabilities.
  Vectra AI (Limited): Not a touted capability, but the large amount of storage on probes may provide such support. Timeframes not published.

Data compression
  Cisco Stealthwatch: As flows are received by the collector, they are synthesized into bidirectional, memory-resident flows. This reduces false positives and allows efficient data storage and accurate host-level reporting.
  Darktrace (Not applicable): Uses only sensors rather than telemetry from the network.
  Vectra AI (Not applicable): Same as Darktrace.
  Plixer (Limited): Some information is discarded.

Deployment model (see notes)
  Cisco Stealthwatch: Does not require deployment of sensors or expensive probes. Telemetry can simply be turned on from network devices to analyze the network traffic.
  Darktrace: Customers must purchase sensors and choose links to monitor rather than simply enabling telemetry from network devices and getting all conversations; the model is expensive and difficult to scale.
  Vectra AI: Same as Darktrace.
  Plixer: Can consume most flow-based telemetry sources.

Endpoint visibility
  Cisco Stealthwatch: With Cisco AnyConnect 4.2 and later, the Endpoint Data License collects endpoint telemetry using the Cisco Network Visibility Flow (nvzFlow) protocol.
  Darktrace: Lacks features such as enable password, configuration presets for NAD types, and TACACS+ proxy.

Cloud visibility
  Cisco Stealthwatch: Can monitor all major public cloud environments, such as AWS, Microsoft Azure, and Google Cloud Platform, agentlessly without any probes or sensors, as well as private cloud environments, Kubernetes, and serverless, through the SaaS-based Stealthwatch Cloud solution.
  Darktrace (Limited): Not agentless; uses sensors to monitor the cloud network and a Cloud Connector for particular apps.
  Vectra AI (Limited): Partially agentless; uses sensors and AWS VPC logs to monitor the cloud network.
  Plixer (Limited): Consumes AWS VPC logs, which are similar to flows.

Data export (see notes)
  Cisco Stealthwatch: Has integrations with security information systems and offers APIs for custom integration; also supports SOAP and REST APIs.
  Darktrace: Has a Splunk connector that takes JSON syslog input from a Darktrace appliance and displays security incidents in Splunk; also links them to reports in the Darktrace Threat Visualizer.
  Vectra AI: Data export and integrations supported with third-party tools.
  Plixer: Supports REST API and log outputs.

Alarm notifications (see notes)
  Cisco Stealthwatch: Provides email or syslog export to the SIEM system, Netcool, Remedy ticketing system, etc., with email, SNMP, and syslog notifications.
  Darktrace: Provides formatted syslog output.
  Vectra AI: Same as Darktrace.
  Plixer: Provides outbound logging and alerting.
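The data compression row describes synthesizing the unidirectional records a flow exporter emits into bidirectional flows. The script below is an added example of that stitching step, written for this page and not taken from Stealthwatch or any of the compared products: it pairs each NetFlow-style record with its reverse 5-tuple, orients the pair as client-to-server, and then produces the kind of per-host sent/received report that is only accurate once both directions sit in one record. The record fields, the lower-port-is-the-server heuristic and the sample records are assumptions.

```python
"""Stitching unidirectional flow records into bidirectional flows.

Constructed example, not Stealthwatch code. NetFlow/IPFIX exporters emit one
record per direction, so a single client-to-server session reaches the
collector as two records. Pairing a record with its reverse (same 5-tuple
with source and destination swapped) yields one bidirectional flow with
bytes counted per direction, which halves the stored records and lets a
host report give "sent" and "received" separately instead of double
counting. Record fields, the server-side heuristic and all sample values
are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class FlowRecord:
    """One unidirectional record as an exporter would emit it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    bytes: int
    packets: int
    start: float   # seconds; used only to process records in arrival order


@dataclass
class BiFlow:
    """Both directions of one conversation, oriented client -> server."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    client_bytes: int = 0
    server_bytes: int = 0
    client_packets: int = 0
    server_packets: int = 0

    def key(self):
        return (self.client, self.client_port, self.server, self.server_port, self.proto)


def stitch(records):
    """Merge unidirectional records into BiFlows keyed by the client->server 5-tuple."""
    flows = {}
    for rec in sorted(records, key=lambda r: r.start):
        fwd = (rec.src, rec.sport, rec.dst, rec.dport, rec.proto)
        rev = (rec.dst, rec.dport, rec.src, rec.sport, rec.proto)
        if fwd in flows:
            flow, client_to_server = flows[fwd], True
        elif rev in flows:
            flow, client_to_server = flows[rev], False
        else:
            # New conversation. Assumed heuristic: the side with the lower port
            # is the server; on a tie the first record seen is client->server.
            client_to_server = rec.sport >= rec.dport
            if client_to_server:
                flow = BiFlow(rec.src, rec.sport, rec.dst, rec.dport, rec.proto)
            else:
                flow = BiFlow(rec.dst, rec.dport, rec.src, rec.sport, rec.proto)
            flows[flow.key()] = flow
        if client_to_server:
            flow.client_bytes += rec.bytes
            flow.client_packets += rec.packets
        else:
            flow.server_bytes += rec.bytes
            flow.server_packets += rec.packets
    return list(flows.values())


def host_report(flows):
    """Per-host sent/received bytes and conversation count from stitched flows."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0, "conversations": 0})
    for f in flows:
        totals[f.client]["sent"] += f.client_bytes
        totals[f.client]["received"] += f.server_bytes
        totals[f.client]["conversations"] += 1
        totals[f.server]["sent"] += f.server_bytes
        totals[f.server]["received"] += f.client_bytes
        totals[f.server]["conversations"] += 1
    return dict(totals)


# Constructed sample: a DNS lookup, an HTTPS session, and an SSH attempt for
# which the exporter only saw one direction.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", 51000, "198.51.100.10", 443, "tcp", 1200, 10, 100.0),
    FlowRecord("198.51.100.10", 443, "10.0.0.5", 51000, "tcp", 48000, 40, 100.1),
    FlowRecord("10.0.0.5", 51001, "10.0.0.53", 53, "udp", 70, 1, 99.5),
    FlowRecord("10.0.0.53", 53, "10.0.0.5", 51001, "udp", 150, 1, 99.6),
    FlowRecord("10.0.0.7", 40000, "10.0.0.5", 22, "tcp", 3000, 25, 101.0),
]

if __name__ == "__main__":
    flows = stitch(SAMPLE_RECORDS)
    for f in flows:
        print(f"{f.client}:{f.client_port} -> {f.server}:{f.server_port}/{f.proto} "
              f"client {f.client_bytes} B, server {f.server_bytes} B")
    for host, t in sorted(host_report(flows).items()):
        print(f"{host}: sent {t['sent']} B, received {t['received']} B, "
              f"{t['conversations']} conversations")
```

Five records become three conversations, and the one-sided SSH record survives as a flow with zero server bytes, which is exactly the shape a "suspect" unanswered connection takes in a host report. Real collectors also have to expire idle flows and handle exporters that split a long session into several records per direction; the same reverse-key lookup applies, with the flow's byte counters simply continuing to accumulate.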

Investigation

Full-scope investigative workflows
  Cisco Stealthwatch: Can investigate long-running security events. Generates context-based and custom alarms, ties username to IP address, monitors interface use, performs deep packet inspection, and logs every network conversation.
  Darktrace (Limited): Classifies the threats it detects and visualizes them on the Threat Visualizer interface.
  Vectra AI (Limited): Has a set of dashboards focused on threats, entities, trends, groups, and history.
  Plixer (Limited): Lacks customizable interfaces, rapid historical trending, automated remediation capabilities, and root cause analysis tools.

Effectiveness for enterprise customers
  Cisco Stealthwatch: Simplifies segmentation by logical host-group modeling to organize users by location, IP address, function, etc.; provides customized notification details and formats with alarm acknowledgment.
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, so scaling to enterprises is difficult.
  Vectra AI (Limited): Same as Darktrace.
  Plixer (Limited): Significant configuration and customization is required to support consolidated reporting and flow maps across multiple Plixer collectors.

Flexible query and filtering system
  Cisco Stealthwatch: Can query on all captured fields. Advanced search is available for encrypted traffic: encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc.
  Darktrace (Not applicable): No comparison information available in published materials.
  Vectra AI (Limited): Investigation is far more directed and not as open-ended or flexible.
  Plixer (Limited): Lacks customizable interfaces, rapid historical trending, automated remediation capabilities, and root cause analysis tools.

Cyberthreats dashboard (see notes)
  Cisco Stealthwatch: Provides pertinent information for SecOps personnel, such as which indices are populated with alerts, which alarms are active, which hosts have the most alarms associated with them, etc. Also provides the ability to obtain more details and associated telemetry.
  Darktrace: Primarily a security tool; the workspace is focused on SecOps.
  Vectra AI: Same as Darktrace.
  Plixer: Dashboard-based for security and network monitoring.

Visualization and mapping (see notes)
  Cisco Stealthwatch: Generates automatic maps such as worm propagation paths and custom relationship maps, allowing the visualization of any set of hosts and how they communicate with any other set.
  Darktrace: Heavily graphics oriented.
  Vectra AI: Same as Darktrace.
  Plixer: Simple graphs and charts.

Incident investigation (see notes)
  Cisco Stealthwatch: The UI is organized around persona-based workflows, leading administrators immediately to the root causes and supporting information.
  Darktrace: Has a Threat Visualizer that enables visibility and the handling of threats.
  Vectra AI: Has a specific dashboard for security incidents and investigations.
  Plixer: Investigative workflows are provided.

Context

Contextual data richness
  Cisco Stealthwatch: Integrated with Cisco Identity Services Engine (ISE). Enables host information look-up such as user ID, MAC address, device type, and switch port information; does not require a separate query to look up the associated user, because the user ID can be written into Stealthwatch's database. Integration with Cisco Threat Response and the SecureX platform greatly extends this contextual capability.
  Darktrace (Limited): Integrated with Active Directory for user data.
  Vectra AI (Limited): Offers integrations such as Active Directory and ISE, as well as others.
  Plixer (Limited): Offers sensors focused on a variety of data, including app performance and DNS deep dives.

Identity data
  Cisco Stealthwatch: Integrated with Cisco ISE, Cisco ASA products (NSEL), DHCP/RADIUS servers, and Active Directory authentication servers for identity-to-telemetry correlation.
  Darktrace (Limited): Integrated with Active Directory for user data.
  Vectra AI (Limited): Integrated with Active Directory and ISE for user data.
  Plixer (Limited): Same as Vectra AI.

Routing and switching vendor integration
  Cisco Stealthwatch: Routers, switches, firewalls, and wireless controllers are the primary data source. Can natively parse many versions of telemetry and NetFlow from multiple vendors, such as IPFIX and sFlow, plus other Layer 7 protocols.
  Darktrace: Uses only sensors rather than telemetry from the network. Requires a SPAN or TAP for each monitored link and is limited to what's on the link.
  Vectra AI: Same as Darktrace.

URL data capture (see notes)
  Cisco Stealthwatch: Flow Sensors can extract URL data used by the Flow Collectors and Management Center. URL data can be queried based on operators. Also integrated with Cisco Security Packet Analyzer, which can download the exact datagrams that the flow represents in PCAP format.
  Darktrace: Completely sensor-based and has visibility into packet data.
  Vectra AI: Same as Darktrace.
  Plixer: Can capture URL data using sensors.

NetFlow generation for VMware environments
  Cisco Stealthwatch: Uses the virtual switch NetFlow export feature or a virtual Flow Sensor.
  Darktrace (Not applicable): Uses sensors to log traffic.
  Vectra AI (Not applicable): Same as Darktrace.
  Plixer: Can consume NetFlow telemetry from VMware.

Collection of application and L7 flow data
  Cisco Stealthwatch: Maintains flow state (active, inactive, or ongoing); generates NetFlow based on SPAN port monitoring or TAPs; has proxy integration; provides application identity for multiple vendors such as Palo Alto Networks and L7 Defense; and uses NBAR and NBAR2 with the Flow Sensor.
  Darktrace: Uses probes that parse this data directly from raw packets.
  Vectra AI: Same as Darktrace.
  Plixer (Limited): Can receive firewall data, flow from a SPAN with a sensor, and app ID from a sensor or firewall. No NBAR support or proxy integration.

Packet capture
  Cisco Stealthwatch: The Stealthwatch Flow Sensor can provide basic packet capture. To facilitate longer-term storage of raw packet data, Stealthwatch can integrate with third-party packet capture solutions, through which both full packet capture and event-triggered packet capture are possible via specialized APIs. Can perform on-demand capture.
  Darktrace: No ability for full packet capture.
  Vectra AI: Same as Darktrace.

Encrypted traffic analysis
  Cisco Stealthwatch: Uses Encrypted Traffic Analytics, or enhanced telemetry from the Cisco network, to detect malware and to help ensure crypto compliance. Stealthwatch analyzes encrypted traffic using advanced machine learning and global threat intelligence, without any decryption.
  Darktrace (Limited): Might be able to detect some anomalous behavior in encrypted traffic.
  Vectra AI (Limited): Same as Darktrace.
  Plixer: No ability to analyze encrypted traffic.

Enterprisewide reputation scoring
  Cisco Stealthwatch: Creates index-based scoring for every host that tallies the host's unusual activity.
  Darktrace (Unknown): The anomaly detection model might be using a global scoring mechanism.
  Vectra AI (Limited): Scoring is two-part, by threat and certainty; lacks the flexibility that index-based scoring offers.
  Plixer: No concept of security indexes; triggers only raw alerts and alarms.

Threat Intelligence

Threat intelligence feed
  Cisco Stealthwatch: Updated hourly by threat research from Cisco Talos – which has over 300 researchers, analysts, and engineers, and is one of the largest commercial threat intelligence teams in the world.
  Darktrace (Limited): Although a multi-source threat feed is available, there is no concept of user-defined host groups, so user-defined custom threat feeds are not supported.
  Vectra AI (Limited): Same as Darktrace.
  Plixer: None, although Plixer has a DNS-focused appliance for detecting DNS issues.

Threat intelligence sharing
  Cisco Stealthwatch: Stealthwatch threat intelligence data is used by Cisco Talos, and vice versa. Cisco shares data with hundreds of partners, customers, and providers through the Aegis, Crete, and Aspis programs, and is a founding member of the Cyber Threat Alliance.

Response

Response
  Cisco Stealthwatch: The Response Management feature can be configured to automatically respond to an alarm through a variety of integration options with both Cisco and third-party products, and allows users to configure actions associated with rules that can be triggered by alarms, security events, or custom security policies. Also integrated with Cisco Identity Services Engine (ISE): upon detection of a threat, it can automatically invoke ISE to change the access policy of a user or device, which can deny or limit access to the network and its services. Additionally, Stealthwatch is integrated with Cisco Threat Response (CTR) and the Cisco SecureX platform to extend investigation and response capabilities across endpoint, firewall, web, and more.
  Darktrace (Limited): Uses a proprietary tool called Antigena for response. However, this is no more than a simple TCP reset; it would have no effect on attacks based on UDP or ICMP.