Vectra Threat Labs™

Vectra artificial intelligence augments security operations

Vectra AI meets today’s cybersecurity challenges by blending human expertise with a broad set of data science, machine learning techniques and deep learning to automate the manual, time-consuming work associated with security analysts.

By automating cyberattacker detection, analysis and incident response, Vectra AI condenses days or weeks of work into minutes, reducing the threat investigation workload by up to 29X.

Vectra is the sole visionary in the Gartner Magic Quadrant for IDPS

How Vectra AI works

Using behavioral detection algorithms to analyze metadata from captured packets, Vectra AI detects hidden and unknown attacks in real time, whether traffic is encrypted or not. Vectra AI only analyzes metadata captured from packets, rather than performing deep-packet inspection, to protect user privacy without prying into sensitive payloads.

Global learning

Global learning identifies the fundamental traits that threats share across all enterprise organizations. Global learning begins with Vectra Threat Labs, a full-time group of cybersecurity experts and threat researchers who continually analyze malware, attack tools, techniques, and procedures to identify new and shifting trends in the threat landscape.

Their work informs the data science models used by Vectra AI, including supervised machine learning. Supervised learning is used to analyze very large volumes of malicious and attack traffic and distill it down to the key characteristics that make malicious traffic unique.

Local learning

Local learning identifies what’s normal and abnormal in an enterprise’s network to reveal attack patterns. The key techniques used are unsupervised machine learning and anomaly detection. Vectra uses unsupervised machine learning models to learn about a specific customer environment, with no direct oversight by a data scientist.

Instead of concentrating on finding and reporting anomalies, Vectra looks for indicators of important phases of an attack or attack techniques, including signs that an attacker is exploring the network, evaluating hosts for attack, and using stolen credentials.

Integrated intelligence

Vectra condenses thousands of events and network traits to a single detection. Using techniques such as event correlation and host scoring, Vectra performs the following:

  • Correlates all detection events to specific hosts that show signs of threat behaviors.
  • Automatically scores every detection and host in terms of the threat severity and certainty using the Vectra Threat Certainty Index™.
  • Tracks each event over time and through every phase of the cyberattack kill chain.

Vectra puts special focus on events that may jeopardize key assets inside the network or are of strategic value to an attacker. Devices that exhibit behaviors spanning multiple phases of the cyberattack kill chain are also prioritized.

Learn about AI in cybersecurity

Defeating and abusing machine learning threat-detection technologies

CTO Oliver Tavakoli explains the fundamentals of supervised and unsupervised machine learning techniques, how adversaries might use them, and most importantly, how to be prepared.

White Papers

The data science behind Cognito AI threat detection models

Cognito AI blends human expertise with a broad set of data science and machine learning techniques. It delivers a continuous cycle of intelligence based on threat research, global/local learning models, deep learning, and neural networks.


How to augment security operations centers with AI

This paper examines obstacles in the fight against cyberattacks and how AI speeds up detection and response in the SOC. AI augments the work of SOC teams to make operations more efficient and mitigates cyberthreats before damage is done.


  • Fighting the ransomware pandemic

    15 May 2017

    A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

  • Moonlight: Targeted attacks in the Middle East

    26 October 2016

    Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

  • Triggering MS16-030 via Targeted Fuzzing

    11 October 2016

    The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.

  • Reverse engineering the Shadow Brokers dump: A close look at NOPEN

    12 September 2016

    While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

  • In-depth technical analysis: Own a printer, own a network with point and print drive-by

    12 July 2016

    Printers present an interesting IoT example because they are more powerful than most other IoT devices but are not always considered real computers by most network administrators. This dichotomy is at the forefront of the printer watering-hole vulnerabilities CVE-2016-3238 (MS16-087) and CVE-2016-3239 discovered by Vectra Threat Labs.

  • How to interpret network-based malware detection

    23 May 2016

    This research paper by Vectra CSO Günter Ollmann examines the ecosystem nuances of network-based malware detection and the limits imposed on intelligence extraction of captured malware samples. It also explains the impact on organizations that strive to mitigate malware threats using network-based detection systems.

  • Insights from inside the kill chain

    20 April 2016

    The Spring 2016 Post-Intrusion Report from Vectra reveals that cyber attackers know they're being watched and are responding by blending in with users and hiding in normal network traffic. The report analyzed data from 120 Vectra customer networks comprised of more than 1.3 million hosts over the first quarter of 2016. All organizations showed signs of targeted attacks, including internal reconnaissance, lateral movement or data exfiltration.

  • Turning a webcam into a backdoor

    12 January 2016

    Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). The devices in question generally don't provide much value to a botnet owner, as they tend to have access to lots of bandwidth but very little in terms of CPU and RAM.

  • Critical vulnerabilities in Adobe Reader and Internet Explorer

    14 October 2015

    Today, Vectra researchers discovered critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer. The vulnerability in Adobe Reader (CVE-2015-6687) is a use-after-free bug that could lead to arbitrary code execution. An analysis of this and other recently patched Adobe vulnerabilities can be found here. Researchers also found critical vulnerabilities (MS15-106 and MS15-108) that allow attackers to bypass Address Space Layout Randomization (ASLR) protections. These vulnerabilities are particularly significant because ASLR protects against memory corruption attacks by making the layout of memory unpredictable. As a result, any vulnerability that bypasses ASLR is highly valuable to attackers.

  • Belkin F9K1111 V1.04.10 firmware analysis

    18 August 2015

    Researchers in the Vectra Threat Labs recently analyzed vulnerabilities in the Belkin F9K1111 wireless repeater. This analysis includes a close inspection of the vulnerabilities, how they could be exploited, as well as fixes from the vendor.

  • Zero-day vulnerability discovered in Internet Explorer 11

    14 July 2015

    Researchers in the Vectra Threat Labs recently discovered a high-severity vulnerability in the Internet Explorer 11 web browser. It's an exploitable use-after-free vulnerability that occurs within a custom heap in JSCRIPT9.

  • Post-Intrusion Report

    23 June 2015

    We observed spikes in reconnaissance and lateral movement, changes in command-and-control attack techniques, and a penchant for using hidden tunnels to conceal communication within HTTPS traffic. Check out the infographic.

  • A technical analysis of Hola

    1 June 2015

    Lab researchers found that user machines that are loaded with the Hola privacy and unblocker application can enable a targeted, human-driven cyber-attack on the network they're connected to.

  • Post-Breach Industry Report

    5 November 2014

    This groundbreaking inaugural report reveals what cyber-attackers do inside your network after they evade perimeter defenses. Ironically, once inside, their actions create opportunities to stop them.


Analysis of industry threats

  • An analysis of the Shamoon 2 malware attack

    By Greg Linares, Vectra Threat Researcher, 7 February 2017

    During a recent analysis, Vectra came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents. These documents use PowerShell to download and execute the reconnaissance tool to start their foothold in the victim’s network.

  • Shamoon 2: Same or better than the original?

    27 January 2017

    Shamoon 2 is similar to what we are seeing with ransomware attacks. For example, sometimes there is no command-and-control (C&C) activity to trigger a detection. That's because C&C is often disabled when the goal is to destroy, not steal. This enables Shamoon to evade perimeter defenses.

  • Canary in the ransomware mine

    30 March 2016

    The use of ransomware canary file shares, like canary accounts in Active Directory and email, can be a cheap and effective threat-mitigation approach. Sometimes the simplest methods can be the most effective.

  • Duqu threat actor stars in sequel

    12 June 2015

    Duqu is back with a vengeance. The latest strain, dubbed Duqu 2.0, performs recon, spreads laterally using Kerberos pass-the-hash, and elevates domain admin privileges to deliver MSI packages that infect hosts.

  • Dyre malware

    7 May 2015

    The latest Dyre malware techniques are the tip of the iceberg in an ongoing cat-and-mouse game between malware authors and security researchers. Among other things, it now knows when it's being run in a malware sandbox.

  • Superfish

    4 March 2015

    Adware. Bloatware. Crapware. Whatever you call it, Superfish software vulnerabilities are a sobering reminder that devices can be compromised even before they come out of the box. It's like starting a baseball game from second base.

  • Carbanak advanced persistent threat (APT)

    19 February 2015

    The notorious banking malware infiltrated over 100 financial institutions, where attackers stole upwards of $1 billion. It's a stark reminder of the importance of tracking any and all forms of remote access tunnels in the network.

  • Regin malware

    3 December 2014

    Purpose-built for state-sponsored espionage, highly sophisticated Regin malware has the ability to quietly infect, spread and persist within a targeted network for extended periods of time.

  • Shellshock vulnerability

    29 September 2014

    Predicting when new vulnerabilities will appear and figuring out the creative ways attackers will exploit them might seem like a losing battle. But there are ways you can catch these attackers in the act.

  • Heartbleed vulnerability detection

    22 August 2014

    The Heartbleed brute-force cyber-attack is quite unusual in terms of the network pattern it leaves behind in its wake. The good news is that it can be recognized if you use the right analytics tools.

  • Heartbleed vulnerability on the inside

    1 May 2014

    It's only a matter of time before the world sees more targeted attacks leverage Heartbleed to acquire key account credentials and use those hijacked credentials to get to your crown jewels.


Data science

  • Alan Turing and the birth of machine intelligence

    By Sohrob Kazerounian, 15 March 2018

    For Turing, whether we refer to a machine as thinking or intelligent was irrelevant. All that could be determined was how well the machine could imitate the behavior of a human, and that could best be measured by how well the machine could fool an observer into believing that it too was human.

  • A sinuous journey through tensor_forest

    By Sophia Lu, 11 December 2017

    The random forest (RF) model is a subclass of ensemble learning methods that is applied to classification and regression. An ensemble method constructs a set of classifiers – a group of decision trees, in the case of RF – and determines the label for each data instance by taking the weighted average of each classifier’s output.

  • Election 2016: The bungling of big data

    17 November 2016

    We live in an age in which big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

  • Cybersecurity and machine learning: The right features can lead to success

    15 September 2015

    Is the need for lots of data justified? It depends on the problem machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should be associated with the choice of features.

  • Cybersecurity, data science and machine learning

    9 March 2015

    Data models that can distinguish normal benign network traffic from abnormal traffic can be used to build classifiers that provide a binary response, good or bad, to the traffic that's being analyzed.

  • Creating cybersecurity that thinks

    9 March 2015

    Malware-infected machines can be identified by observing their abnormal, post-infection behavior. Recognizing this behavior requires identifying what's normal and using rigorous analytical methods to detect anomalies.

  • How to detect insider threats

    10 January 2015

    There's usually not enough information available to determine an insider's intention or psychology in real time. But many more cues can reveal themselves as the volume of collected behavior data increases.

  • Insider threats to critical infrastructure

    7 December 2014

    Remote access is a primary entry point for attacks due to the poor choice and design of remote access protocols. VPN tunnels and a restricted security zone (DMZ) for connections can minimize risk.