Richard Bejtlich, a cybersecurity veteran and author of numerous SOC operations publications, describes the current era as the "Mythos Era"—a period where organizations collect vast telemetry from endpoints, cloud, and SIEM tools, yet still cannot answer fundamental investigation questions: where did the attacker come from, where did they go, and what did they exfiltrate. For B2B companies building or expanding security operations centers, his case for Network Detection and Response (NDR) is particularly timely.
The Problem of Alert Overload Without Context
A typical SOC in 2026 receives thousands of daily alerts from EDR, firewalls, IAM systems, and cloud platforms. Analysts spend most time triaging false positives and closing tickets rather than conducting deep investigations. Bejtlich notes that EDR sees what happens on the host—but not the full network traffic picture: lateral movement between segments, DNS tunnels, non-standard protocols, and C2 communication masked as HTTPS traffic.
NDR fills this gap through real-time network traffic analysis—at packet, flow, and behavioral levels. These solutions use machine learning and behavioral rules to detect anomalies invisible or deliberately hidden on the endpoint by attackers.
What NDR Answers That EDR Cannot See
- Lateral movement – traffic between servers in the same subnet without endpoint login events.
- Data exfiltration – patterns of sending large data volumes to external IP addresses.
- DNS tunneling – hiding C2 channels in DNS queries.
- Shadow IT – unauthorized devices and services on the corporate network.
NDR-Based SOC Architecture
Bejtlich recommends treating NDR as a complementary layer, not an EDR and SIEM replacement. Integration involves correlating network alerts with endpoint events—for example, an NDR alert on unusual HTTPS traffic from a database server triggers automatic artifact collection from the host via EDR. This model reduces investigation time from hours to minutes.
Organizations without internal SOCs can use MDR services based on NDR, where the provider supplies both network sensors and analyst teams. In the context of IT infrastructure, we design monitoring architectures combining NDR with existing SIEM and EDR investments without cost duplication.
NDR Implementation in Practice
The first step is mapping network traffic in the organization—baseline normal behavior. NDR requires tap points (SPAN ports, TAPs, virtual cloud sensors) and data retention policies compliant with GDPR. Teams should define playbooks linking NDR alerts to network segment isolation procedures and IR escalation.
For hybrid infrastructure (on-premise + cloud) companies, NDR must cover east-west data center traffic and SaaS-bound traffic. Cloud solutions offer virtual sensors but require conscious configuration—default settings often lack full visibility.
The Mythos Era and CISO Accountability
Bejtlich uses "Mythos" deliberately—referring to the myth that owning security tools guarantees protection. A CISO reporting installed EDR agent counts and SIEM rule counts to the board but unable to answer within an hour "did customer data leak" operates in that very illusion. NDR provides language and data for board conversations based on facts, not tool metrics.
Polish organizations subject to NIS2 and national cybersecurity law should treat network visibility as required to demonstrate technical measure effectiveness. Auditors increasingly ask not just "do you have EDR" but "can you trace the full attack path through the network."
NDR and Existing SIEM Investments
Organizations that invested in SIEM often ask whether NDR duplicates functionality. Bejtlich's answer is clear: SIEM aggregates logs from many sources but does not see traffic generating no logs—such as lateral movement via non-standard protocols. NDR provides data endpoint logs cannot capture. NDR → SIEM integration (alert enrichment) maximizes both investment values without platform replacement.
For mid-size B2B companies without full SOC budgets, NDR-as-a-Service from MDR providers can be an entry point—lower cost than building internal network analyst teams, with significant visibility improvement over EDR alone.
NDR solution selection should consider organization scale: small companies can start with cloud-delivered NDR, mid-size with hybrid (on-premise sensors + cloud analytics), large with full deployment and dedicated network security team. A 30-day proof of concept on one network segment assesses false positive rate before full deployment—a key parameter affecting SOC workload.
Conclusion
Bejtlich's case for NDR is a call for SOC operational maturity—from alert response to full network traffic understanding. B2B companies should assess visibility gaps in their architecture and plan NDR deployment as EDR complement. We offer support designing and implementing monitoring solutions through our AI and security solutions and IT services for businesses.
Source: The Hacker News – Surviving the Mythos Era: Richard Bejtlich on the Case for NDR