East-west traffic coverage
NDR sees what crossed the wire between servers and segments. EDR sees endpoints; SIEM sees logs; NDR sees the network. Programs running EDR plus SIEM without NDR have a visibility gap.
OpenText • Security operations
Network Detection and Response covers east-west traffic, behavioral detection, and packet capture so SOCs see the network layer that EDR and SIEM cannot see, with native correlation into Core Threat Detection and Response and the rest of the OpenText SecOps line.
A Merito NDR engagement maps sensor placement across cloud and on-prem, tunes behavioral baselines against the customer's actual traffic patterns, and integrates the signal into Core TDR so east-west visibility joins the existing SOC operating model rather than running as a standalone telemetry feed.
What it is
Network Detection and Response is the network-layer SOC product inside the OpenText SecOps line. It analyzes east-west traffic (server-to-server inside the network), runs behavioral detection on traffic patterns, and captures packets for forensic-grade investigation. Where EDR sees what happens on the endpoint and SIEM sees what was logged, NDR sees what crossed the wire. Programs running EDR plus SIEM without NDR have a visibility gap that lateral-movement attacks exploit.
Behavioral detection is the load-bearing capability. Signature-only NDR is detection theater on modern threats; lateral movement, beaconing, and data exfiltration patterns rarely match a static signature. Behavioral detection looks at traffic shape (volume, periodicity, destination patterns, protocol anomalies, encrypted-traffic-pattern analysis) and flags deviations from baseline. Programs running NDR without behavioral detection miss the patterns NDR exists to catch.
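The periodicity signal described above can be sketched as follows. This is an added example, not OpenText's or Merito's detection logic. The flow records, addresses, and the `max_cv` and `min_flows` thresholds are constructed assumptions. Because it uses timing only, the same check applies to encrypted flows without decryption.

```python
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed east-west flow records: (epoch_s, src, dst, bytes_out)."""
    flows = []
    # Workstation reaching one internal server about every 60 s (beacon-like).
    for i, jitter in enumerate([0, 2, -1, 3, -2, 1, 0, -3, 2, 1]):
        flows.append((1000 + 60 * i + jitter, "10.0.1.15", "10.0.2.40", 320))
    # User-driven file-server access at irregular times.
    for ts in [1003, 1010, 1190, 1205, 1490, 1497, 1502, 1900]:
        flows.append((ts, "10.0.1.22", "10.0.3.7", 48000))
    # Too few connections to judge either way.
    for ts in [1000, 1060, 1120]:
        flows.append((ts, "10.0.1.30", "10.0.2.40", 300))
    return flows


def periodicity_scores(flows, min_flows=6):
    """Map (src, dst) -> (mean_gap_s, cv) for pairs with enough flows.

    cv is the coefficient of variation of inter-connection gaps; a value
    near 0 means the pair talks on a fixed timer regardless of payload.
    """
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, _bytes in flows:
        stamps_by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue  # a short history gives a meaningless cv
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0:
            scores[pair] = (avg, pstdev(gaps) / avg)
    return scores


def flag_periodic(flows, max_cv=0.15, min_flows=6):
    """Return pairs whose timing is regular enough to hand to an analyst."""
    scores = periodicity_scores(flows, min_flows)
    return sorted(pair for pair, (_avg, cv) in scores.items() if cv <= max_cv)


if __name__ == "__main__":
    for pair in flag_periodic(build_sample_flows()):
        print("periodic east-west pair:", pair)
```

A low score is a lead for an analyst, not a verdict: scheduled jobs and health checks are also periodic, which is why the baseline has to be tuned against the environment's own traffic.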
Packet capture for forensics is the depth advantage. When the SOC investigates an incident, the question is usually what was actually transferred. Behavioral detection and flow data show patterns; packet capture shows content. Programs subject to regulated breach investigations or operating in environments where adversary attribution matters need packet-level forensic data, and NDR without packet capture is a partial answer.
What undermines NDR adoption is sensor placement. The product needs network telemetry from the right places (north-south at the perimeter, east-west between segments, internal-to-internal across critical infrastructure) and programs that deploy sensors only at the perimeter miss the lateral-movement attacks NDR is supposed to catch. Merito's engagement maps the network for sensor placement before deploying anything, and validates the coverage against the lateral-movement scenarios the SOC is responsible for catching.
Ideal use cases
What it is best at
Traffic-shape analysis, protocol anomaly detection, and encrypted-traffic-pattern analysis. Signature-only NDR misses modern lateral movement.
Beyond flow data and behavior into packet content. Programs subject to regulated breach investigations need this depth.
NDR signal flows into Core Threat Detection and Response, Core Behavioral Signals, and Threat Intelligence inside the SecOps line. Programs running the full line get unified SOC operations.
Cloud, on-prem, and hybrid sensor architectures. Programs running mixed environments get one product across the network.
Core capabilities
What NDR actually does on the network layer.
Behavioral traffic analysis
Traffic-shape, periodicity, destination-pattern, and protocol-anomaly analysis. Catches lateral movement and beaconing patterns signatures miss.
Encrypted-traffic-pattern analysis
Behavioral detection on encrypted flows without decryption, surfacing C2 patterns inside TLS.
Protocol coverage
Standard protocols (HTTP, HTTPS, DNS, SSH, RDP, SMB) plus industrial and OT protocols where applicable.
Threat-intel enrichment
Native enrichment with OpenText Threat Intelligence for IOC matching on traffic.
Network depth for SOC investigation and IR.
Packet capture
Selective and continuous packet capture for forensic-grade investigation.
Flow records and metadata
Long-retention flow data and metadata for post-incident hunt and timeline reconstruction.
Investigation workflow
Integration into Core Threat Detection and Response case management for unified investigation.
Where NDR sees the traffic.
Cloud sensors
AWS VPC traffic mirroring, Azure vTAP, GCP Packet Mirroring. Cloud-native east-west visibility.
On-prem sensors
SPAN-port and TAP-based deployment in on-prem networks with high-throughput coverage.
Hybrid orchestration
Unified policy and visibility across cloud and on-prem sensors.
Licensing and packaging
OpenText NDR cloud sensors
Cloud-deployed sensors for AWS, Azure, and GCP east-west visibility.
Best for: Cloud-native programs with limited on-prem footprint.
OpenText NDR hybrid
Cloud plus on-prem sensors with unified management.
Best for: Programs running mixed cloud and on-prem environments.
OpenText NDR with packet capture
Includes continuous packet capture for forensic-grade investigation.
Best for: Programs with regulated breach-investigation requirements.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Sensor-placement design, deployment, behavioral-baseline tuning, Core TDR integration.
SOC program scoping for OpenText NDR alongside ExtraHop, Vectra, and Darktrace.
NDR signal integration into SOC operations and IR workflows.
Named engineer, priority SLAs, and release-time coverage for OpenText NDR.
Long-term run support including sensor-architecture maintenance, behavioral-baseline evolution, and integration upkeep.
Role-based training for SOC analysts, network security architects, and IR teams.
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
OpenText NDR licensing
OpenText NDR pricing arrives with sensor-placement design, deployment, behavioral-baseline tuning, and Core TDR integration that turn NDR into east-west visibility the SOC actually uses rather than a perimeter-only feed.
Merito point of view
Merito has audited SOCs running rigorous EDR (CrowdStrike, SentinelOne) and SIEM (Splunk, Sentinel) and missing every lateral-movement attack because nothing was watching east-west traffic. EDR shows what happened on the endpoint; SIEM shows what was logged; NDR shows what crossed the wire. Programs running EDR plus SIEM without NDR have a visibility gap that modern attackers exploit.
Merito recommends OpenText NDR specifically for programs already running OpenText Cybersecurity or modernizing onto Core Threat Detection and Response, when network-layer visibility is the gap, and when packet capture for forensic investigation matters. For programs picking specialist NDR breadth, ExtraHop, Vectra, or Darktrace are competitive depending on the program shape. Merito surfaces those alternatives honestly.
Sensor placement is the operational point of failure. Programs that deploy sensors only at the perimeter (north-south) and skip east-west see only what crosses the boundary, which is the easy half. Lateral-movement attacks live east-west and need east-west visibility. Merito treats sensor-placement design as central work in the implementation rather than a checkbox.
East-west visibility
Behavioral detection and packet capture across cloud and on-prem. Programs running EDR plus SIEM alone have a visibility gap.
Native SecOps integration
NDR signal flows into Core Threat Detection and Response, UEBA, threat intel, and long-retention logging.
Next step
A Merito OpenText NDR engagement starts with sensor-placement design and behavioral-baseline tuning. Perimeter-only NDR misses the lateral-movement attacks NDR is supposed to catch.