The Extrahop Visibility Platform
for Uncompromising Performance Analysis
As organizations scale to support a seamless digital experience despite unprecedented complexity, IT must identify network and application issues, diagnose them, and take action faster than ever before. The ExtraHop Performance Platform gives you comprehensive visibility on all OSI layer levels and helps you to uncover the cause of performance problems in a matter of seconds, thus reducing application downtime enormously.
With an analytics first workflow based on machine learning and robust integrations for investigation automation, ExtraHop Performance helps you deliver a best-in-class customer experience from the core to the edge to the cloud.
ExtraHop Performance provides real-time visibility into everything from database to cloud traffic through reliable decoding and decryption of over 50 enterprise protocols, including SSL/TLS-encrypted sessions, at 100 Gbps line rate. With the help of stream processing, ExtraHop converts your network data into structured line data in real time, while machine learning additionally helps you uncover and respond to hidden problems and opportunities without compromising your application performance.
- Automatic detection and classification of all network devices from the data center to the cloud.
- Recognize performancenomalities with machine learning trained on 4600+ line data metrics.
- Move from contextualized insights to forensic evidence in seconds.
Rise Above the Competition
With a dynamic real-time view of all transactions in your environment, any team from NetOps to SecOps can quickly identify and resolve problems.
ExtraHop decrypts SSL/TLS (including TLS 1.3) in real time so you can ensure both security compliance and complete visibility into troubleshooting.
From a high-level map of all assets in your organization to specific package payloads for incident resolution, ExtraHop provides context and precision in a single central user interface.
Machine Learning, which is based on the most objective, complete data source, provides high fidelity analysis that reduces the mass of false alarms.
ExtraHop learns how a device should behave based on empirical, observed activity, and then shows unusual behavior in the full context of what will be affected and why.
Integration with other analysis tools and orchestration platforms to automate response processes and easily scale limited resources.
Stream Processing
The backbone of Extrahop’s technology is the real-time stream processor, which converts unstructured network packets at up to 100 Gbps into ordered line data. Designed for parallel processing, the Stream Processor distributes processing tasks across multiple cores – and scales as new generations of server processors are expanded with more cores – giving you deeper insight at a fraction of the cost per Gbit/s analysis compared to other real-time analysis platforms.
Once the real-time stream processor receives a copy of the network traffic, ideally from a network tap, packet broker, or mirror port, it continues under the hood:
The stream processor decrypts SSL/TLS-encrypted traffic, including encryption suites such as Perfect Forward Secrecy (PFS), at line speed with native hardware acceleration. This bulk decryption can scale up to 64,000 SSL-TPS with 2048-bit keys that no other real-time analysis can achieve in a single unified appliance. Read this quick technical guide for details on Extrahop’s decryption method.
Starting from the most basic level, the stream processor creates the TCP state machines for each sender and receiver communicating on the network. As a prerequisite for deeper application protocol and universal payload analysis, this allows the platform to understand all TCP mechanisms and their effects. Since TCP is the meeting point of network and application, this approach helps you to clearly identify whether problems are a network or application problem from the start.
The real-time stream processor decodes IP-based protocols to understand, define, and implement the unique application boundaries of this protocol. This enables the processor to create complete operations, sessions and transactions for a fluid application, which in turn enables higher order content analysis through a complete recombination into line data (derived from the line network itself).
While in a perfect world all of this would run pretty smoothly from start to finish, traffic patterns such as microbursts can actually lead to packet loss through a switch or SPAN; in these cases, the processor is automatically resynchronized and restored.
After compiling packets into full streams, the stream processor analyzes the payload and content of layers 2-7 and automatically detects and classifies all devices or clients communicating on the network. The processor also continuously maps the relationships between all clients, applications and infrastructure communicating on the network, measuring and recording over 4,700 metrics.
Full Content Analysis supports dozens of protocols and provides key indicators such as database methods used and their processing time, user file access, memory access time and error, DNS response time and error, Web URI processing time and status codes, SSL Certificates with expiration date, and load balancer and firewall latency. The stream processor also collects sophisticated network metrics such as window size, retransmission timeouts, and nagle delays.
We find that not everyone is interested in knowing every detail about every level of their environment, but don’t worry – while you always have the full analysis capabilities at your fingertips, it’s also easy to customize your view of the data so you only see the exact metrics and insights you need.
Once the stream processor has done its job and started delivering line data metrics, it’s time to take control of what you see and in what depth.
ExtraHop uses an event-driven programmable interface called Application Inspection Triggers to connect you to the stream processor and all stream transactions. Triggers allow you to programmatically extract line data events and correlated metrics that are specific to your business, infrastructure, network, clients and applications.
With Application Inspection Triggers, you can be as surgical or verbose as you want, and extract almost anything from a header to full application payload. For HTTP payloads, for example, this data can include sales, order IDs, unique user IDs in cookies or URIs, and even web page titles or error descriptions embedded by a developer in a 500 status code. And it doesn’t matter what HTTP goes through – it could be SOAP/XML, REST, JSON, AJAX, JavaScript or HTML5.
The same principle and functionality applies to all Extrahop natively decoded protocols. You can also use triggers to extract, measure and visualize data from defined fields or to decode proprietary protocols based on TCP and UDP.
Machine Learning
The cloud-based Machine Learning Service tracks detections in eight categories in your environment:
- Authentication, authorization and access control
- network file system
- network infrastructure
- database
- email server
- web server
- Remote access server and method
- Internet communication and telephony
Within each of these categories, Machine Learning evaluates multiple protocols and hundreds of ExtraHop metrics, all with user-defined logic, to find and correlate active problems.
Unlike typical SaaS solutions, Extrahop’s Machine Learning Service only transfers de-identified metadata into the cloud. This means that no payloads, file names, strings, or other categories of data that could contain sensitive data leave your organization. ExtraHop has received SOC 2, Type 1 Conformity Certification for its Machine Learning Technology, which you can read more about here.
ExtraHop uses the following combination of local technology and cloud services to support the entire machine learning process:
- An on-site device, fully controlled by you, analyzes network traffic to extract and store more than 4,700 metrics, including IP addresses, URIs, database queries, CIFS file names, VoIP phone numbers, and other potentially sensitive data; you can configure this device to collect custom metrics according to your needs.
- When the Machine Learning service is enabled, a subset of these on-premise metrics are de-identified and sent to a custom cloud computing instance in Amazon Web Services operated by ExtraHop.
- ExtraHop Machine Learning then creates predictive models for the behavior of devices and applications and detects significant deviations from these predictions as anomalies.
- Anomaly events are sent back to your local device, but you can also choose to receive e-mail notifications (which do not contain sensitive data). Once events are back in your environment, you can use your private key to reidentify and decrypt them for alerts and investigations.
On the performance side, Extrahop detects problems such as VoIP quality problems associated with increased latency and errors, or system startup and logon delays associated with DHCP server errors.

Data Indexing and Storage
ExtraHop uses three complementary formats to index and store your line data:
The streaming datastore, optimized for time-sequenced telemetry, enables user-definable dashboards that can be filled with more than 4,700 possible metrics in real time. This allows you to easily view all communications in your entire environment or focus on specific data sets.
Since the metrics are indexed in the data store, newly discovered devices are automatically classified based on heuristic analysis of machine information and behavior, and ExtraHop begins building baselines for all systems, applications, and networks.
You can use your existing NAS infrastructure to expand the streaming data repository for long-term visibility, which is useful for capacity planning, demonstrating compliance efforts or continuous improvement, and analyzing business activity over time. By default, your data memory stores fast (30 seconds), medium (5 minutes) and slow (1 hour) key figures locally. However, you can store 5-minute, 1-hour and 24-hour key figures externally.
The data store also allows you to create alerts based on current or past behavior and events such as unusual payload size or expiring SSL Certificates.
ExtraHop allows you to perform a multidimensional analysis of your line data, even if you do not know any query languages. Think of this as the search capabilities you would find in a log analytics platform, except that you search and analyze line data – a much richer, more consistent, and more reliable source of information than machine logs can provide.
There are two basic types of records in the ExtraHop user interface: flow and transaction. Flow Records show the communication between two devices on the network layer over an (L3) IP protocol, while L7 Records show details of individual messages or transactions over one of the three supported L7 protocols (transaction-based, message-based, and session-based). ExtraHop allows you to search and filter only for L7 traffic or query both Flow and L7 entries.
How ExtraHop collects and stores built-in records and more details about record types and formats can be found in ExtraHop’s documentation.
Your transaction, message, and flow records are all stored in a robust cluster based on scalable Elasticsearch technology, so you can easily add nodes as your data grows.
You can either start with individual metrics, users, devices, or packages associated with a particular transaction, or simply access that information from a parent view. ExtraHop delivers packages that offer the full payload, which you can download and further analyze as needed.
ExtraHop provides an advanced forensic review at a much lower price than any other real-time analytics platform, considering that you can add up to 1920TB of extended storage units per deployment to Extrahop with no data charges.
Data Visualization and Exploration
One of the most demanding aspects of real-time analytics in business is, well, the size itself. ExtraHop does its best to make it as easy as possible for you as a user to analyze the immense wealth of information and gain meaningful insights, no matter from which perspective you come.
We start with a simple, intuitive user interface that automatically includes completed role-based dashboards for teams in your organization. These dashboards work on a drag-and-drop model, so you can further customize them with unique widgets; if you want to create your own widget, all you have to do is select the desired data source and metrics, select a visualization type, and save it to your dashboard of choice. Export charts and background data points quickly and easily to PDF, Excel or CSV.
Extrahop’s visual search language gives you the ability to refine or change your search queries by clicking interface elements that control everything from grouping to filtering to time domain selection. Whether you adhere to the hundreds of built-in record attributes or define your own, this functionality means that any user can quickly respond to performance and security questions without having to learn a query language.
For example, if you experience poor audio quality compared to VoIP, you can search VoIP traffic for accelerated forwarding tags and quickly determine which packets might lag behind less time-sensitive traffic due to an incorrectly configured tag.
In addition to traditional methods of data visualization such as charts and graphs, ExtraHop uses live activity maps to provide a dynamic and intuitive view of your environment. Instead of manually creating and updating network diagrams when your IT environment changes, you can use live activity maps to visualize protocol-based connections between devices and applications in real time.
By allowing you to filter by time intervals and expand or limit your scope as needed, Activity Cards make it easier to answer multipart questions such as “How do devices interact within a given level and how have these devices interacted across the network in the last hour”? Anomalous behavioral detections also appear on live activity maps, so you can see the context of the detection before you click into the transaction or even into the exact packages directly from the map.
This blog post goes into much more detail about the latest features of live activity maps and offers some more ideas on how you can use them in your everyday life.
While extensive query and research workflows are provided within the ExtraHop interface, Extrahop also makes it easy for you to integrate line data metrics with the other data stores, query tools and analysis platforms in your stack. Open Data Stream allows you to merge data from multiple sources into a single, comprehensive set that can be queried and visualized using the tools your team prefers.
Visit the Extrahop Technology Partners page to learn more about specific integrations such as Extrahop’s partnerships with AppDynamics, the FireEye Threat Analytics Platform, Elastic, MongoDB and many more.
Protocols Decoded by Extrahop
ExtraHop decodes the following enterprise protocols in real time at the application level. Protocol modules provide different levels of analysis, starting with L7 classification, and application inspection triggers can be used to create a custom metric.
AAA: RADIUS*
AAA: DIAMETER*
CIFS*
Citrix ICA*
DHCP
DNS
Database: DB2*
Database: Informix*
Database: Microsoft SQL*
Database: MongoDB*
Database: MySQL
Database: Oracle*
Database: Postgres
Database: Sybase*
Database: Sybase IQ*
FIX*
FTP
ActiveMQ*
AJP
DICOM*
HL7*
LLDP
MSMQ*
Telnet
SMTP
VoIP: SIP*
VoIP: RTCP XR*
Redis*
NFS*
LDAP
VNC
ICMP
STP
HTTP/S
HTTP-AMF
DSCP
iSCSI*
MS-RPC
WebSocket
SSL
SSH
SMPP*
VoIP: RTP*
VoIP: RTCP*
POP3
Memcache*
Kerberos
Syslog
IBM MQ*
SNMP
RDP
ARP
GRE
ICMP6
IEEE 802.1X
IKE
IMAP
IPSEC
IPX
IRC
ISAKMP
LACP
L2TP
MPLS
NTP
OpenVPN
RCoIP
ModBus
*Add-on modules (not included in base license)
Reveal(x) - Network Detection and Response
for a Secure Company
Complete transparency. Real-time threat detection. Intelligent Defense.
Cloud adoption, cluttered tools and increasingly complex encryption methods present resource-poor security teams with the tricky challenge of how to leave outdated solutions and workflows behind and accelerate operations in their hybrid enterprises.
ExtraHop Reveal(x) is an industry-leading solution for Network Detection and Response (NDR) that provides complete visibility, real-time threat detection within the network perimeter, and options for intelligent response at any scale. Reveal(x) outperforms Darktrace, Vectra and other security tools:
ExtraHop | Darktrace | NetWitness | Stealthwatch | Vectra | |
---|---|---|---|---|---|
Throughput | 100 Gbps | 6 Gbps | 10 Gbps | (Flow data only) | 20 Gbps |
Enterprise Application Protocols | 70+ | 5 | 8 | None | 10 Gbps |
Decryption (on premise and in the cloud) | SSL/TLS 1.3 | SSL | Limited | No | No |
Prioritization of critical assets | Yes | No | No | No | Server/Clients |
Investigation automation | Detection, Correlation | No | Limited detection | Limited detection | Limited detection |
Indexation of transactions | Yes | No | No | Limited | Price according to volume |
Forensics | Continuous Packet Capture | Minimum Packet Capture | Continuous Packet Capture | No PCAP, only data enrichment | Minimum Packet Capture |
Integration partners | 30+ | 14+ | 30 | Under 5 | Approx. 14 |
Extensibility (customized dashboards, universal payload analysis) | Yes | No | Only prefabricated | Limited | Yes |
AMI deployment | Yes | No | No | No | No |
Cloud scale | 25 Gbps sustainable | 5 Gbps | Not published | (Flow data only) | 2 Gbps |
Cloud integrations (Azure, AWS, GCP) | Yes | Yes | Yes | Yes | Yes |
Cloud-native security | Yes | No | No | Yes | No |
PCAP | Yes | Yes | Yes | No | Yes |
Threat detection. Nothing is left in the dark.
ExtraHop Reveal(x) analyses data streams to automatically capture and classify all transactions, sessions, devices and resources in your company at up to 100 Gbps. The tool also decodes over seventy company logs and extracts more than 4,800 characteristics for accurate and precise evaluation using machine learning. Take advantage of our NDR solution for the hybrid cloud with Reveal(x) Cloud and Reveal(x) for Azure.
- New, suspicious and unmanaged devices on the network are automatically detected, so you always have an overview of all active resources.
- Advanced attacks are fully detected thanks to ML-based behavioral analysis, rules and user-defined mechanisms.
- Relevant contextual information and evidence is evaluated with just a few clicks, enabling analysts to resolve incidents effectively and reliably.
Insight instead of data trash
- Automated Inventory: Reveal(x) maintains an up-to-date inventory by automatically recording and classifying all network activity without the need for manual intervention.
- Matching with peer groups: By automatically dividing devices into precise peer groups, Reveal(x) detects abnormal behavior with only a few false positives.
- PFS Decryption: Reveal(x) passively decrypts SSL and TLS 1.3 in real time, enabling you to meet compliance requirements and fully disclose encrypted threats.
- Advanced Machine Learning: Machine Learning and over 5,000 extracted characteristics allow Reveal(x) to identify, prioritize, and highlight threats to your critical assets.
- Automated examinations: Reveal(x) adds valuable contextual information about the nature and severity of the risk to identified threats based on the entire transaction, allowing you to better coordinate your response.
- Convincing orchestration of your response: Reveal(x) takes care of threat detection and investigation, while powerful integration with solutions such as Phantom and Palo Alto Networks enables automated countermeasures
Threat detection and response
Tracking active threats may be the first thing people think of when they imagine the SOC at work, but there are few fully trained threat hunters. This is not due to a lack of talent. It’s because many SecOps teams rely on a combination of firewall logs, server logs and signature-driven alerts that lead to a flood of false positives rather than actionable intelligence.
By combining rule-based and behavioral analysis, ExtraHop Reveal(x) can help your SOC stand out from the noise to identify real threats faster – and automate data collection and correlation for radically more efficient investigation. Reveal(x) is the industry leader in Network Detection and Response (NDR) with enterprise-class network traffic analysis that helps you identify suspicious behavior, prioritize investigations of the most risky threats, and automate response.
- Complete Visibility: Reveal(x) eliminates dark space in your network by converting raw network traffic (including SSL/TLS encrypted traffic) into line data with up to 100 Gbps sustained throughput This gives you real-time visibility into every device, user and asset in your enterprise.
- Real-time detection: With full-spectrum detection based on a blend of machine learning and rule-based analysis, Reveal(x) intercepts threats that signature-based detection alone is likely to overlook, such as insiders, rogue and low-and-slow attacks
- Intelligent Response: In addition to one-click exams for each detection, Reveal(x) automatically prioritizes your most important assets so you can easily focus your time and energy. Integration with Phantom, Palo Alto Networks, Nessus, Anomali, Splunk, and others enables lean security teams to respond quickly and confidently to the most important threats.
Turn Tier 1 analysts into Tier 3 experts
Reveal(x) automatically detects and classifies every device on the network and then analyzes every transaction. Even SSL/TLS encrypted traffic is no match for the 70+ enterprise protocols that Reveal(x) can decrypt at up to 100Gbps. In addition to dramatically accelerating detection so that you can reduce the time threats stay in your environment from the current 101-day average to none at all, Reveal(x) offers one-click scanning for every detection.
SecOps teams can click directly into transaction details and even complete packages from anywhere in the Reveal(x) interface. Quick insights help you act quickly and with confidence where human intelligence is needed, while deep integrations with partners such as Phantom, Azure, ServiceNow, Splunk and Palo Alto Networks allow you to automate response workflows such as blocking malicious IP addresses. To the point? Reveal(x) helps you make faster decisions based on more comprehensive knowledge, with far less effort.
Service level discovery and detection for IoT
The incredible proliferation of IoT devices has greatly increased the attack surface for businesses, but discovering, managing and protecting these devices by traditional means is a labor-intensive nightmare. At the same time, with the proliferation of applications and the exploding number and variety of devices on the network, security teams have the task of doing the near impossible: Prevent attackers from using these devices as entry points and attack vectors for lateral movement, on a large scale.
ExtraHop Reveal(x) provides a passive, scalable enterprise IoT solution that you can deploy right out of the box to identify and profile IoT devices, discover and detect the service level. With advanced machine learning that automatically profiles all devices, derives which services they belong to, and identifies violations and threats for rapid remediation, Reveal(x) makes it easy for security and IT teams to support and secure the technologies that drive business growth.
- Complete visibility: ExtraHop Reveal(x) automatically identifies and profiles all assets on the network, including enterprise IoT devices such as printers, VoIP phones, smart TVs and more, and groups them based on observed behavior. In addition to providing a comprehensive and dynamic view of all IoT devices and services without agents or operational impact, Reveal(x) applies machine learning techniques such as peer group clustering to infer service levels and privilege levels without manual configuration.
- Real-time detection: Monitoring and detection with Reveal(x) is passive and hands-free. When Reveal(x) detects threats and anomalous behavior, such as attackers attempting to gain access to IoT devices or moving sideways, Reveal(x) detects threats and anomalous behavior and alerts your team, providing full context, what device may have been compromised and why, what other assets are affected, and what the potential risk is. Because Reveal(x) extracts rich L2-L7 data from network traffic, it enables deeper analysis and continuous behavior monitoring and detection for IoT devices such as VoIP phones, printers, IP cameras, wearables and smartboards.
- Intelligent Response: In addition to automatically correlating detections across the attack chain so that you can quickly and easily understand the extent of an ongoing attack, and providing recommended next steps for your investigation, Reveal(x) enables automatic policy enforcement based on derived device groups. For example, by integrating enforcement with your existing firewalls and NAC solutions, Reveal(x) allows you to immediately and automatically interrupt network communications following segmentation violations.
Automated audits, faster investigations, easier reporting
As environments become more complex and compliance and encryption regulations become stricter, SecOps is finding it increasingly difficult to answer questions such as “What hardware and software assets use weak encryption methods” or “Is the new device doing something malicious on our network and if so, what? Perimeter and endpoint monitoring can only answer these questions, and neither of them will help you proactively maintain hygiene and compliance on a large scale.
ExtraHop Reveal(x) provides the complete visibility, automated auditing and guided investigation capabilities that help SecOps teams keep a close eye on all the tools and systems at work in their hybrid infrastructures on a large scale. As the industry leader in Network Detection and Response (NDR), Reveal(x) gives you instant answers to complex questions without impacting performance and with far greater accuracy than protocols or humans combined.
- Complete Visibility: Reveal(x) converts raw network traffic (including SSL/TLS encrypted traffic) into line data analysis with sustained throughput of up to 100 Gbps and automatically detects, classifies, and assigns each asset, device, and user in your environment in real time: no more visibility gaps.
- Real-time detection: With machine learning trained on more than 5,000 line data metrics, there is no faster or more accurate source of information about what is really going on in your organization – and because Reveal(x) performs network traffic analysis out-of-band, there is no risk of network latency because Reveal(x) detects problems and threats.
- Smart Response: Because Reveal(x) takes the heavy work out of security hygiene and compliance audits for you, it’s easy to answer questions about encryption strength, data security, and potential vulnerabilities as quickly as you can ask them. When a threat penetrates your security, you get not only the real-time insight you need to stop it quickly, but one-click investigation workflows that simplify and accelerate compliance reporting.
Analysis and automation for a more efficient SOC
The Internet Security Centre calls for various standards or controls for SecOps to keep their environments secure. Number one and two? Inventory and control of hardware and software assets. Reveal(x) does the first part for you by automatically detecting and classifying every device communicating over the network and analyzing over 70 enterprise protocols at up to 100Gbps.
On the control side, Reveal(x) goes all the way to parsing transactions at the application layer (L7) and automatically detects any weak ciphers used in your organization. Reveal(x) also alerts you when certificates are about to expire (or have already expired) and can automate audits for all types of compliance requests. You’ll know what’s on your network, what each device says, when new devices are connected, and exactly where you need to use human expertise.
Not only does Reveal(x) provide unmatched visibility into your environment, it’s also the only NDR solution that provides role-based, on-demand decryption for SSL/TLS 1.3 encrypted traffic: Decrypt only the exact packets you need to investigate a threat, while respecting data protection requirements.
