Product overview

PT Network Attack Discovery is a network detection and response (NDR/NTA) system for detecting attacks on the perimeter and inside your network. The system makes hidden threats visible, detects suspicious activity even in encrypted traffic, and helps investigate incidents.
  • Provides network visibility

    PT NAD identifies over 85 protocols and parses the 30 most common ones up to and including the L7 level. Get a full picture of what is going on in the infrastructure to identify the security flaws that enable attacks.
  • Detects hidden threats

    The system automatically detects attacker attempts to penetrate the network and identifies hacker presence on infrastructure based on a wide range of indicators, including use of hacker tools and transmission of data to attacker servers.
  • Makes SOCs more effective

    PT NAD provides security operations centers with full network visibility: know whether an attack was successful, reconstruct the kill chain, and gather evidence. To do this, PT NAD stores metadata and raw traffic, helps quickly find sessions and identify suspicious ones, and supports traffic export and import.

PT NAD users can see threat data in a single feed

With the new version of PT NAD, you can detect attacks using new analytics modules, collect up-to-date information about network hosts, and centrally learn about detected threats in a single feed.
Read more

Detects malicious activities in east/west traffic


PT NAD analyzes both north/south and east/west traffic and detects lateral movement, attempts to exploit vulnerabilities, and attacks against end users on the domain and internal services.

PT NAD detects

  • Threats in encrypted traffic

    Thanks to advanced analytics, PT NAD pinpoints malware hidden by TLS or custom protocols.
  • Lateral movement

    PT NAD detects attacker attempts to expand their presence by observing as they engage in reconnaissance, remote command execution, and Active Directory and Kerberos attacks.
  • Use of hacker tools

    The PT Expert Security Center (PT ESC) investigates complex attacks, constantly explores new threats, and monitors hacker activity. Armed with this knowledge, experts create PT NAD rules for detecting all popular hacking tools in action.
  • Exploitation of vulnerabilities

    Our unique vulnerability database is constantly updated with data about new vulnerabilities, including ones that have not yet been included in the CVE database. The result: PT NAD detects exploitation attempts in record time.

    Positive Technologies is a MAPP member. We receive information about zero-day vulnerabilities in Microsoft’s products. That’s why PT NAD’s customers get protection faster.

  • Malware activity

    PT NAD detects activity of malware on the network. Hackers can easily hide malware from antivirus scanners, but hiding their network footprint is much more difficult. By analyzing network activity, PT NAD helps localize threats.
  • Past attacks

    Every time the PT NAD database is updated to fight new cyberthreats, the system checks traffic retrospectively. Even previously unknown threats don’t slip through the cracks.
  • Malicious evasion from security tools

    PT NAD detects DNS, HTTP, SMTP, and ICMP tunnels used by attackers to steal data, communicate with C&C servers, and hide their activity from security tools.
  • Connection to automatically generated domains

    Machine learning in PT NAD identifies connection with domain names that have been created with the help of domain generation algorithms (DGA). This helps detect malware that uses DGA to maintain connection with the attacker’s C&C server.
  • Non-compliance with IS policies

    PT NAD detects weak passwords, transmission of unencrypted data, VPN tunnels, TOR, remote access utilities, proxies, and messengers usually prohibited by security policies at major companies.


Learn how the network detection and response system PT Network Attack Detection can identify 117 adversary techniques described in MITRE ATT&CK.
Check it out

Detects even modified malware


PT NAD alerts about all dangerous threats and detects even modified versions of malware. To describe the full range of cyberthreats, our experts constantly explore the latest malware samples and hacker tools, techniques, and procedures. Each rule they create covers an entire malware family.


How it works

PT NAD captures and analyzes traffic on the perimeter and inside infrastructure. This allows for the detection of hacker activity at the earliest stages of network penetration, as well as during attempts to gain a foothold on the network and develop the attack.

Keeps attacks private


PT NAD is an on-premise solution. All data is stored on client infrastructure, never leaving the corporate perimeter. Information on attacks and damage is not transmitted to the outside, minimizing reputational risks.

Use cases


Security policy compliance

PT NAD detects IT configuration flaws and cases of non-compliance with security policies, which otherwise can offer attackers a way in. Filters help to quickly identify credentials stored in cleartext, weak passwords, remote access utilities, and tools that hide network activity. Pin filters of interest in a separate widget for quick reference. Here is a widget displaying all non-encrypted passwords:

Security policy compliance

Detection of attacks on the perimeter and inside the network

Thanks to embedded machine learning technologies, advanced analytics, unique threat detection rules, indicators of compromise, and retrospective analysis, PT NAD detects attacks both at the earliest stages and after attackers have already burrowed into infrastructure.

The PT Expert Security Center updates rules and indicators of compromise twice a week. Updating the database does not require a constant connection to the Positive Technologies cloud.

Advanced analytics modules enable identification of complex threats and network anomalies. They take into account many parameters of the attacker’s behavior and are not tied to the analysis of individual sessions, unlike the rules for attack detection.

Detection of attacks on the perimeter and inside the network

Investigation of attacks

Because PT NAD saves copies of raw traffic and session data, forensic investigators can:

  • Localize attacks.
  • Reconstruct kill chains.
  • Detect vulnerabilities in infrastructure.
  • Take measures to prevent similar attacks.
  • Gather evidence of malicious activity.
Investigation of attacks

Threat hunting

PT NAD is ideal for threat hunting and detecting hidden threats that standard cybersecurity tools miss. A security analyst, possessing the necessary skills and infrastructure-specific knowledge, can empirically test hypotheses. So PT NAD makes it possible to determine whether a hacker group, insider threat, or data breach is truly present, and if the hypothesis is confirmed, take proactive measures accordingly.

Threat hunting


Key features

Attack detection
The system informs of incidents and automatically assesses how dangerous they are. The dashboard provides key information about all attacks: how many, which types, the degree of danger, and when they occurred. Click to view details for any attack.
Response at a glance
Information for each attack shows the affected hosts, event time, session data, and hacker tools, techniques, and procedures (TTPs) per the MITRE ATT&CK classification. With attack staging information, you can take the right surgical measures to get the job done.
Learn about new attacks and threats in a single feed
Activity feed collects a list of identified threats in one place, combines messages about similar activities into one, and allows you to manage them. You can mark the issue as resolved or no longer track such activity.
Monitor network hosts
PT NAD users now have up-to-date information about network hosts. Changes in the hosts are also tracked. PT NAD users will know if a new host has appeared on the network, an application protocol has changed, or the OS has changed. Such data can also help identify suspicious activity.
Session filtering
Filtering sessions offers a way to look for malicious activity, indicators of compromise, and configuration errors. PT NAD can quickly sort through sessions by any of 1,200 parameters and display detailed information for each.

Integrates with SIEM and sandbox solutions


By taking advantage of powerful integration support, users can manage incidents and detect malicious content in file traffic.


Extra materials

Key Product info

Get in touch

Fill in the form and our specialists
will contact you shortly