Network Detection and Response (NDR) is a glorious tool for spotting the stuff that slips past the velvet ropes. The weird lateral movement. The "why is Finance talking to a printer in Moldova" moment. The internal reconnaissance that looks harmless until it's suddenly not.
What can't NDR do? Trick question. It can't walk the dog, run a marathon, or explain to leadership why "just block Russia" isn't a complete strategy. NDR is your truth serum. It shows what actually traversed the network, who talked to whom, what was said, and when. It won't fix bad decisions, but it will absolutely document them.
And yet, like any powerful tool, NDR comes with a special set of self-inflicted injuries. These sins aren't always "technology problems" as much as "people, process, and architecture" problems. But fear not weary travelers! Below are the seven deadly sins, and why most of them collapse under the same cure: investigation-ready telemetry, clean pivots, and hard evidence with less interpretive dancing.
Sin #1: The "we have logs" delusion
"We already have firewall logs and EDR"
That's like saying you have a smoke detector, so door locks are unnecessary. EDR only works where you can install it. Your switches, CCTV, printers, badge readers, and mystery IoT gremlins aren't lining up for agent enrollment. If one of those devices gets compromised, how would you know? The network is the one place where the truth is unavoidable.
Firewall logs, while useful, are basically the network's receipt tape: IPs, ports, protocols, timestamps. They are great for proving a conversation happened, but terrible for telling you whether it was a friendly chat, a shady back-alley deal, or an attacker rehearsing their signature coup de grâce (that's French for "killing blow", mind you). Without richer context—who, what service, what behavior, what "normal" looks like you end up treating every connection like a crime scene, which is exhausting and mostly unproductive.
And then the real pain shows up: you can't pivot cleanly from behavior to ownership and intent. Investigations slow down because the "what" and the "why" are missing, leaving your analysts stuck doing network forensics with vibes and caffeine.
The antidote: Cover the un-agentable
The cure is network evidence that doesn't require agent permission slips. Corelight sits off to the side on a TAP/SPAN/packet broker, observing traffic. No installers. No "sorry, that printer can't run EDR." No IoT gremlin negotiating terms. If it talks on the wire, Corelight sees it, turns it into Zeek-grade telemetry, and hands your SOC the one thing it actually needs: clean pivots and hard evidence instead of vibes and caffeine.
Sin #2: The encryption excuse
"It's all TLS, so network detection is pointless"
This is usually followed by everyone giving up and going home early for the wrong reason. It's the security equivalent of seeing a locked suitcase and concluding, "Welp, guess we'll never know what's inside," while the suitcase is loudly beeping and rolling itself toward the exit.
Encryption hides payloads, not behavior. You still have timing, destinations, handshakes, certificates, and traffic geometry. If you ignore that, you miss the classics: low-and-slow beaconing, brand-new domains, destination rarity, certificate oddities, protocol mismatches, and those "this host has never spoken to that service in its life" moments.
Attackers love TLS because it lets them blend in with normal web traffic—and because it makes defenders feel helpless. Do not grant them that second benefit for free. Sure, you could aim for full line-rate decryption—in the same way you could tow a yacht with a bicycle. The compute and cost curve is brutal, so the practical answer is encrypted-traffic visibility: fingerprints, certs, handshake patterns, and behaviors that still tell the story.
The antidote: Hunt the shape, not the payload
The cure is treating TLS like a mask, not a cloak of invisibility. Using Corelight's encrypted traffic collection does not need to crack payloads to catch badness. Instead, It leans on what TLS cannot hide: handshakes, certs, SNI, and JA3/JA4 fingerprints, and behavioral patterns that scream "C2" even when the content is zipped up tight. Translation: you still get actionable pivots and evidence, not a helpless shrug just because the attacker wrapped it in HTTPS.
And Post Quantum Cryptography (PQC) is the next excuse waiting in the wings. As "post-quantum" encryption rolls out, the math gets fancier, the handshakes get chunkier, and someone will inevitably say, "welp, encryption got stronger—guess we're blind now." We're not. You still cannot hide the fact that you connected, who you connected to, how often, and how weird it looks compared to normal. Keep collecting encrypted-traffic metadata and fingerprints, and PQC becomes just another wardrobe change for TLS—not an invisibility cloak.
Sin #3: "Trust me bro" AI black-box detections
"It's industry leading, so I trust it"
This is when an NDR tool throws an alert like "Suspicious Behavior Detected" and offers no explanation, no evidence, and no breadcrumb trail. It is basically a smoke alarm that refuses to tell you which room in the building is on fire because it's "proprietary."
Black boxes have their place—like magic shows, certain kitchen appliances, and escape rooms (where confusion is literally the product). But in security operations, black-box detections turn your SOC into a courtroom where the witness keeps answering, "I can't disclose that."
Here's the part where your SOC starts aging in dog years: If you cannot explain a detection, you cannot operationalize it, tune it, reproduce it, or convert it into a hunting query. You cannot defend it to leadership when they ask why you isolated the CEO's laptop. And you definitely can't teach a new analyst how to handle it without resorting to ancient tribal knowledge and a ceremonial Slack thread from 2021.
The antidote: Pics or it didn't happen
The cure is AI with receipts, because AI is only as useful as the data you feed it. If the alert cannot show the network facts behind the verdict, it is not "intelligent," it is just confidently anxious. Corelight's Zeek-grade telemetry is the gold-standard diet here: dense, structured, investigation-ready evidence that lets detections (AI or otherwise) explain themselves. That's how you turn "trust me" into "here's why," and turn your SOC from guessing into proving.
And when it's time to turn that evidence into action, Corelight's Agentic Triage turns alert confetti into entity-centric investigations, so you get one case file instead of 400 little panic notifications. And it doesn't do "trust me bro" AI, it does show your work AI: every step exposes the playbook logic and the exact queries it ran. The verdict is defensible, the reasoning is explicit, and compliance can audit it without anyone performing interpretive dance in a conference room.
Sin #4: PCAP hoarding disorder
"Just record the entire internet"
This hoarding usually happens until budgets implode and someone disables capture "temporarily" which in corporate speak means "forever." It starts as an innocent idea. "What if we just keep everything?" Then your storage bill shows up wearing brass knuckles, and suddenly retention becomes a spiritual concept instead of a measurable number.
This is the network equivalent of deciding you're going to record every second of your life in 8K video. It feels responsible—right up until you realize you now need a data center to store the annual pilgrimage to the DMV.
Full PCAP at scale is not just expensive; it is operationally heavy. Costs explode, performance drops, and retention collapses. Worse, the "keep everything" strategy often ends with "keep nothing" because teams panic, and turn it off when the platform starts gasping for air. Now you have the worst of both worlds: a giant spend with no usable lookback, and investigations that still end in "we wish we had packets."
The real goal is not "infinite packets." The goal is fast, provable incident response. PCAP should be a scalpel, not a dump truck.
The antidote: packets on purpose
The cure is PCAP that behaves like a scalpel, not a lifestyle choice. "Full PCAP solutions" love saying it's full capture right up until the nightly backup window shows up like a firehose of low-value pain. Even packet vendors know nobody wants to forensically relive last night's backup job in 8K. The Corelight-shaped answer is: keep high-fidelity network metadata broadly (long retention, high utility), and pull PCAP surgically when a detection or investigation needs it. That gets you a longer lookback, faster proof, and fewer budget meetings that end with someone suggesting "maybe we just turn it off for a bit."
For federal folks, M-21-31 is not asking you to build a "packet landfill for a year." Even the memo's technical details carve out full packet capture as a short window (72 hours), because the point is investigative capability, not bankrupting yourself into compliance. And the CISA implementation guidance is blunt about the reality of encrypted traffic: if you are not doing full inspection/decryption, you should log the metadata available rather than pretending "no plaintext" means "no visibility."
Sin #5: Shiny dashboards, starved telemetry
"As long as it exports to PowerPoint…"
If your dashboard has more gradients than your logs have fields, you're not doing detection—you're doing interior design.
This sin shows up when a vendor optimizes for demo day instead of incident day. The UI is gorgeous. The charts are animated. The executive summary practically writes itself. Then an alert fires and your analyst does the thing analysts always do: clicks for the "why."
…And finds a conclusion looking for evidence.
Maybe you get a severity score, an IP address,or a graph that looks important. But what you do not get is the information that helps you make a decision: what protocol behavior triggered it, what the host actually did, who owned it, what it normally talks to, what changed, and what evidence supports the claim. It's like being handed a beautifully framed diagnosis that just says "bad feelings."
You bounce from NDR to firewall to DNS to endpoint to a wiki page from 2018 and back again, hoping the story assembles itself out of sheer determination.
The bigger problem is operational: pretty dashboards without evidence create false confidence. They make leadership feel like the environment is "covered" because the visuals are reassuring. Meanwhile, the SOC is stuck with low-quality evidence and high-stakes decisions. That mismatch is how teams end up either escalating everything (burnout) or trusting nothing (blindness).
The antidote: click to proof
The cure is telemetry first, dashboards second. With Corelight's gold-standard network data, your analyst does not click into a "risk score." They click into a story with timestamps, pivots, and receipts that hold up in daylight.
Sin #6: alert waterboarding
"If the SOC isn't suffering, are we even secure?"
You turn on NDR detections and immediately feel productive because the console is full of motion: beaconing, scanning suspicious TLS, "possible lateral movement", and "potential exfiltration." It is a firehose of "interesting"—which is a polite way of saying your tool just learned what a packet is and got emotionally attached.
Then the flood hits.
At first, the SOC tries to be heroic. Analysts click alerts the way people sing song lyrics they don't actually know—confidently, loudly, and incorrectly. One person escalates anything that moves because they would rather be wrong than blamed. Another closes anything that moves because they would rather be fast than buried. Both think they are right. The only consistent output is burnout. Real attacker behavior gets buried under a pile of vulnerability scanners, backup jobs, and the monthly patch cycle doing its best impression of an APT.
What you want is not fewer alerts—you want fewer useless decisions. A detection is not an outcome; It is a question. If your SOC answers the same question differently depending on who is on shift, you are running a choose-your-own-adventure SOC, and the "adventure" starts whenever a useless detection decides to notify you at 3 a.m.
The Antidote: Turn the flood into a funnel
The cure is fewer useless decisions, not necessarily fewer alerts. Corelight helps by giving analysts a way to follow the plot instead of chasing pop-ups—it assigns a UID per log record, so you can stitch events into a coherent session story. What kicked it off, what it talked to, what changed midstream, and how it ended, all tied together instead of scattered across forty alerts and yearning for simpler times. Once you can pivot by UID and build a timeline, you can suppress the known-good noise with confidence and keep the real attacker behavior from getting washed away in the alert flood.
And here's the part that keeps the funnel from turning back into a firehose: Corelight's behavioral detections give you the same "signatures won't catch this" coverage that people buy ML for—but without the confidence-score roulette. They analyze protocol semantics deterministically, which is a fancy way of saying fewer false positives and fewer "why is this critical" debates at 2 a.m. Corelight runs 100+ behavioral detection models alongside supervised and unsupervised ML, ensuring the system surfaces threats worth your time—not an avalanche that trains your SOC to ignore the word "Critical."
Sin #7: The great east-west blind spot
"Ownership politics"
It usually starts like this: one sensor at the internet edge, but none for east-west. SPAN ports oversubscribed. Capture loss labeled "normal," as if it's a personality trait. Everyone feels safe because the dashboard says "Internet Traffic: Monitored"—which is like hiring a bouncer for the front entrance while propping open the fire exit with a folding chair.
And yes, this is usually political, not technical. East-west visibility requires across team buy-in s=, and "monitoring" is the word that suddenly makes every department discover its boundaries. Then the budget discussion shows up, and everyone becomes an accountant: Security thinks it as shared infrastructure, app teams think Security should "just handle it," and Finance hopes it can be powered by sheer optimism. The result? East-west visibility becomes the compromise no one celebrates: "We'll do it later," which is corporate-speak for "we'll do it right after the breach postmortem."
Here's why that hurts: intrusions are rarely a single dramatic leap over the firewall. They are a slow internal tour. Initial access is the ticket stub. The main event is lateral movement, recon, privilege escalation, and quiet staging. Without east-west visibility, you are left excelling at one thing: detecting attacks that are already leaving.
The antidote: Put eyes where breaches spread
The cure is treating east-west like the main stage, not an optional bonus track. With Corelight, you can tap the internal lanes and turn lateral movement into hard evidence and clean pivots, at real data-center scale. One sensor can run at 100G-class speeds, and the platform is designed to scale out across multiple sensors and packet-broker feeds into hundreds of gigabits and beyond, so terabit-per-second networks stop being an excuse and start being observable.
Conclusion
NDR works best when it produces evidence you can pivot on, not just opinions you can screenshot. Avoid these sins, and your network becomes faster to triage, easier to tune, and far more defensible when it matters.
The theme is simple: stop buying vibes. Buy a case file. When your detections are anchored to investigation-ready telemetry, you stop arguing about whether something is "probably fine" and start answering the only question that matters: what actually happened. TLS stops being an excuse, AI stops being a black box, PCAP stops eating your budget, and east-west stops being "phase two" right up until the breach.
Plant your NDR flag atop of the castle of packet reality and proclaim victory. Then go home early—for the right reasons.