SoraYazılım
Custom software solutions from Türkiye

Deep Discovery (Network Detection)

Network analytics platform for targeted-attack and APT detection.

Quick answer

Trend Deep Discovery is an NDR (Network Detection and Response) solution that analyzes corporate network traffic in real time. It detects targeted attacks (APTs), lateral movement and data exfiltration via custom sandbox and deep protocol analysis.

Deep Discovery Inspector (DDI) is an NDR appliance attached out-of-band to the corporate network via SPAN/TAP. It deeply analyzes 100+ protocols and detects both known and unknown threats.

The Custom Sandbox component runs the corporate gold image (Windows 10/11 + corporate software) in the sandbox to detect targeted attacks tailored to the customer's environment. APTs may evade generic cloud sandboxes when they recognize the host; a customer-specific image closes that evasion.

It feeds Vision One XDR as the NDR sensor — network events correlate with endpoint + email + identity events. It is a critical component for lateral-movement detection.

Key features

What it offers

  • Custom sandboxing
  • Lateral movement and C&C detection
  • 100+ protocol deep inspection
  • SIEM and SOAR integration
  • Vision One NDR component
  • Out-of-band (SPAN/TAP) operation
  • Threat intelligence feeds
  • Annual IDS signature update

Tech Summary

Important technical data

Form factor: 1U/2U physical + virtual option
Throughput: 100 Mbps to 10 Gbps models
Sandbox: On-board custom + Cloud Sandbox
Connection mode: SPAN port or TAP
Protocols: 100+ (HTTP/S, SMTP, DNS, SMB, RDP, etc.)
SIEM forwarding: syslog CEF, REST API

Use Cases

When would you choose this product?

Government

APT detection on a ministry network

Using Deep Discovery, a ministry detected state-sponsored actors exfiltrating data via DNS tunneling and blocked them.

Banking

SWIFT network monitoring

A bank places Deep Discovery on the SWIFT segment and monitors known SWIFT-targeting TTPs (tactics, techniques and procedures) in real time.

Energy

OT lateral-movement detection

An energy producer detects lateral-movement attempts at the IT-OT boundary within hours with Deep Discovery.

Healthcare

Patient-data exfiltration prevention

A hospital chain configures Deep Discovery to alarm on large-volume data exfiltration patterns and escalate them to the SOC team.
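The kind of detection the ministry and hospital cases above rely on (DNS-tunneling exfiltration, unusual outbound data patterns) can be sketched as a per-client heuristic over DNS query records. The following is an added example written for this page, not Trend Micro's detection code: it aggregates constructed query records per (client, zone) and flags pairs whose subdomain labels are long, high-entropy and almost never repeated. The records, zone names and thresholds are constructed assumptions.

```python
"""Heuristic detector for DNS-tunnelling style exfiltration over DNS query
records.  Added illustration for this page, not Trend Micro's detection logic;
the records below are constructed, and the thresholds are starting points that
a SOC would tune against its own baseline.
"""
import math
from collections import Counter, defaultdict

HEX = "0123456789abcdef"

# Starting thresholds (assumed, not vendor values).  A (client, zone) pair is
# flagged only when all of them hold, which keeps a chatty client that keeps
# resolving the same API hostname from alerting.
THRESHOLDS = {
    "min_queries": 5,         # enough samples to judge the pattern
    "min_mean_entropy": 3.0,  # bits/char; ordinary hostnames sit well below
    "min_mean_sub_len": 20,   # encoded payload makes long subdomains
    "min_unique_ratio": 0.8,  # almost every query carries a fresh label
}


def _fake_chunk(i):
    """Constructed 32-char hex-looking label; every hex digit appears exactly
    twice, so its Shannon entropy is exactly 4.0 bits per character."""
    rotated = HEX[i:] + HEX[:i]
    return rotated + rotated[::-1]


def build_sample_log():
    """Constructed (epoch, client_ip, qname) records; not real traffic."""
    records = [
        (1700000000, "10.0.1.15", "www.example.com"),
        (1700000001, "10.0.1.15", "mail.example.com"),
        (1700000002, "10.0.1.15", "login.example.com"),
        (1700000003, "10.0.1.15", "cdn.example.net"),
    ]
    # Chatty but benign: many queries, always the same short name.
    records += [(1700000010 + i, "10.0.1.20", "api.example.com") for i in range(8)]
    # Tunnelling-like: each query carries a new long, high-entropy label.
    records += [(1700000020 + i, "10.0.2.77", f"{_fake_chunk(i)}.exfil-example.test")
                for i in range(6)]
    return records


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname, zone_labels=2):
    """Return (zone, subdomain_labels); the zone is the last zone_labels labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-zone_labels:]), labels[:-zone_labels]


def detect_dns_tunnelling(records, zone_labels=2, thresholds=None):
    """Aggregate per (client, zone) and return an alert dict for every pair
    that exceeds all thresholds."""
    th = {**THRESHOLDS, **(thresholds or {})}
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "entropy": 0.0, "sub_len": 0})
    for _ts, client, qname in records:
        zone, sub = split_qname(qname, zone_labels)
        sub_str = "".join(sub)          # payload-bearing part of the name
        s = stats[(client, zone)]
        s["queries"] += 1
        s["subs"].add(sub_str)
        s["entropy"] += shannon_entropy(sub_str)
        s["sub_len"] += len(sub_str)

    alerts = []
    for (client, zone), s in sorted(stats.items()):
        n = s["queries"]
        if n < th["min_queries"]:
            continue
        mean_entropy = s["entropy"] / n
        mean_sub_len = s["sub_len"] / n
        unique_ratio = len(s["subs"]) / n
        if (mean_entropy >= th["min_mean_entropy"]
                and mean_sub_len >= th["min_mean_sub_len"]
                and unique_ratio >= th["min_unique_ratio"]):
            alerts.append({
                "client": client, "zone": zone, "queries": n,
                "mean_entropy": round(mean_entropy, 2),
                "mean_sub_len": round(mean_sub_len, 1),
                "unique_ratio": round(unique_ratio, 2),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_dns_tunnelling(build_sample_log()):
        print(f"ALERT {a['client']} -> {a['zone']}: {a['queries']} queries, "
              f"entropy {a['mean_entropy']} bits/char, mean label {a['mean_sub_len']} chars")
```

Run as a script, the block reports only the 10.0.2.77 client against exfil-example.test; the client hammering api.example.com is not flagged because its labels repeat. On a real network, CDN hostnames, reputation-lookup services that encode hashes in DNS names and some cloud SDKs also produce long unique labels, so the thresholds need a per-environment baseline before the alert is wired to the SOC queue.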

Who is it for?

Critical infrastructure, government, banking and large enterprises with mature SOC teams.

Frequently Asked Questions


Does it run inline or out-of-band?
Out-of-band. Traffic is observed via SPAN port or TAP; the network flow is not interrupted. It is therefore detection-focused; for blocking it is used together with TippingPoint or an NGFW.
How does the custom sandbox work?
We load your Windows 10/11 golden image and the applications you use (e.g., SAP GUI, Citrix) into the sandbox image. Suspicious files are detonated against this image; APTs that recognize the environment cannot evade as easily.
Does traffic leave the data center?
No — the on-board sandbox runs locally. If Cloud Sandbox is added, suspicious samples are sent to the cloud (optional). KVKK-sensitive organizations remain in local-only mode.
Which protocols are analyzed?
HTTP/HTTPS, SMTP, FTP, SMB, DNS, RDP, Kerberos, LDAP, IMAP, POP3, SNMP, SSH, Telnet, TFTP, VoIP (SIP/RTP), IRC, P2P and more — 100+ protocol catalog.
What is the performance impact?
Out-of-band, so zero impact on network traffic. Only SPAN port and appliance CPU/RAM are consumed; a typical 2 Gbps Deep Discovery appliance occupies 2U.
Does it run in cloud environments?
Yes — Virtual Deep Discovery (DDvI) runs on AWS, Azure and VMware ESXi. Traffic comes via VPC Mirroring on AWS and vTAP on Azure.
How is it integrated with SIEM?
It sends event data to Splunk, Sentinel, QRadar and Elastic SIEM via syslog CEF, REST API and webhook. Native integration into Vision One is available.
How does it differ from TippingPoint?
TippingPoint is inline IPS (blocking). Deep Discovery is out-of-band NDR (detection). Different layers; deployed together.
What is the licensing model?
Hardware one-time + annual threat intelligence and sandbox subscription. Payment is one-time CAPEX + annual OPEX.
Is there MITRE ATT&CK mapping?
Yes. Detected events are tagged with MITRE ATT&CK tactic/technique IDs. The Vision One interface visualizes the kill chain.
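The SIEM forwarding described in the Tech Summary and in the integration answer above (syslog CEF) and the MITRE ATT&CK tagging from the previous answer meet in the SIEM ingest pipeline. The following added example, written for this page and not Trend Micro code, parses CEF-over-syslog records and normalises them into queue-routed events. The sample lines are constructed; the vendor/product/version strings, signature IDs and the cs1/cs1Label convention used to carry the ATT&CK technique are placeholders and assumptions, not the appliance's documented schema.

```python
"""Parse CEF-over-syslog events of the kind an NDR sensor forwards to a SIEM
and normalise them into SOC-queue events.  Added illustration for this page,
not Trend Micro code.  Sample lines are constructed; vendor/product/version
strings, signature IDs and the cs1/cs1Label convention carrying the MITRE
ATT&CK technique are placeholders and assumptions, not a documented schema."""
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# An extension key is a word directly followed by '=' and preceded by whitespace
# (or the start of the extension), so an '=' inside a value is not a new key.
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")
_SEVERITY_WORDS = {"low": 1, "medium": 4, "high": 7, "very-high": 9}

# Constructed sample records; not real appliance output.
SAMPLE_SYSLOG = [
    "<134>Nov 14 10:22:01 ddi-01 CEF:0|Trend Micro|Deep Discovery Inspector|x.y|100|"
    "Suspicious DNS tunneling|8|src=10.0.2.77 dst=203.0.113.10 dpt=53 proto=UDP "
    "cs1Label=ATT&CK Technique cs1=T1071.004 "
    "msg=Long high-entropy subdomains to exfil-example.test",
    "<134>Nov 14 10:22:05 ddi-01 CEF:0|Trend Micro|Deep Discovery Inspector|x.y|101|"
    "Lateral movement: RDP from unexpected host|6|src=10.0.5.4 dst=10.0.7.9 dpt=3389 "
    "proto=TCP cs1Label=ATT&CK Technique cs1=T1021.001 msg=note\\=value pair kept intact",
    "<134>Nov 14 10:22:09 ddi-01 CEF:0|Trend Micro|Deep Discovery Inspector|x.y|102|"
    "Policy \\| violation|Low|src=10.0.9.3 dst=192.0.2.8 dpt=443 proto=TCP",
]


def _split_header(cef):
    """Split the seven '|'-delimited header fields ('\\|' and '\\\\' are
    escapes) and return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # escaped character
            cur.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return fields, cef[i:]


def _parse_extension(ext):
    """Turn 'key=value key2=value with spaces' into a dict, unescaping
    '\\=', '\\n', '\\r' and '\\\\' inside values."""
    ext = ext.strip()
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = (value.replace("\\=", "=").replace("\\n", "\n")
                           .replace("\\r", "\r").replace("\\\\", "\\"))
    return out


def parse_severity(raw):
    """CEF severity is 0-10 or Low/Medium/High/Very-High; clamp to 0-10."""
    raw = raw.strip().lower()
    if raw in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[raw]
    return max(0, min(10, int(raw)))


def parse_cef(line):
    """Parse one syslog line; the syslog PRI/timestamp/host prefix is optional."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header in line")
    header, ext = _split_header(line[pos:])
    rec = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    rec["severity"] = parse_severity(rec["severity"])
    rec["ext"] = _parse_extension(ext)
    return rec


def normalise(rec):
    """Flatten a parsed record into the event shape a SIEM rule or SOAR
    playbook would consume, with a queue chosen from the CEF severity."""
    ext = rec["ext"]
    label = ext.get("cs1Label", "").lower()
    technique = ext.get("cs1") if label.startswith("att&ck") else None  # assumed convention
    sev = rec["severity"]
    queue = "soc-urgent" if sev >= 7 else "soc-triage" if sev >= 4 else "log-only"
    return {
        "vendor": rec["device_vendor"], "product": rec["device_product"],
        "rule_id": rec["signature_id"], "rule": rec["name"], "severity": sev,
        "src": ext.get("src"), "dst": ext.get("dst"),
        "dst_port": int(ext["dpt"]) if ext.get("dpt", "").isdigit() else None,
        "technique": technique, "message": ext.get("msg"), "queue": queue,
    }


def process(lines):
    """Parse and normalise a batch of syslog lines."""
    return [normalise(parse_cef(line)) for line in lines]
```

Calling `process(SAMPLE_SYSLOG)` yields three events: the DNS-tunneling record lands in the urgent queue with its technique tag, the RDP record goes to triage, and the low-severity policy record is logged only. The parser is deliberately strict about the seven header fields and about the escape sequences, because a SIEM that silently mis-splits a `\|` in a rule name or a `\=` in a message ends up correlating on the wrong fields.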
Related Services

Services we deliver alongside this product

Deep Discovery (Network Detection) licensing + deployment + support

Sora Yazılım handles licensing, deployment, training and ongoing management — all from a single team.