Empowering SOC Teams
Enhance NDR, XDR, EDR, SIEM and SOAR with always-on packet capture.
Endace recently had a team working in the Security Operations Center (SOC) at both RSAC 2026 and Cisco Live 2026. The team’s experience in both SOCs yet again reinforced the value of having access to always-on, full packet capture in the SOC, and of having that PCAP data tightly integrated into the entire tool stack.
You can read the blog posts from Cisco Live below:
That prompted us to pen this article – which outlines why PCAP data has such value when used in a SOC and why integrating PCAP data into the tools that the SOC team uses multiplies the value it delivers.
Before we proceed, it's worth taking a quick look at what the focus of each of these different tools is: NDR, EDR, XDR, SIEM and SOAR.
If you are already familiar with these tools, skip ahead to the main part of this article.

- Contents
- What do NDR solutions do?
- What do EDR Solutions do?
- What do XDR Solutions do?
- What do SIEM Solutions do?
- What do SOAR Solutions do?
- Why is Packet Capture an Ideal Complement to NDR, EDR, XDR, SIEM and SOAR tools?
- What Extra Visibility Does Full Packet Capture Enable?
- What are Benefits of Combining Packet Capture with NDR, EDR, XDR, SIEM and SOAR Tools?
- What Are the Challenges of Integrating Packet Capture with Other Security Tools?
- Final Words
What do NDR solutions do?
NDR (Network Detection and Response) tools are security tools used to detect and investigate malicious activity on the network. NDR tools continuously monitor network activity, analyzing network traffic and/or network metadata to look for anomalous behavior - often using behavioral analytics and machine learning - that might indicate security threats.
NDR typically combines network telemetry (packets or flow metadata) with information from other sources such as threat intelligence feeds, vulnerability information, and user identity and access management systems.
Alerts raised by NDR tools are often fed to SIEM and SOAR tools (see below) which then correlate alerts with other telemetry sources to give security operations center teams an integrated view of network-based threat activity and enable some investigation and response activities to be automated.
NDR tools may also provide some level of automated response capability - such as isolating devices that are suspected of being compromised, and working with firewalls to block traffic to or from suspect hosts.
What do EDR Solutions do?
EDR (Endpoint Detection and Response) tools focus on detecting threats on endpoint devices such as desktops, laptops, servers, mobile devices such as phones or tablets, printers and other connected devices. Endpoint devices may also include IoT (Internet of Things) devices like security cameras, thermostats and medical monitoring devices, as well as OT (Operational Technology) devices in industrial control systems (ICS) networks such as programmable logic controllers (PLCs), Human-Machine Interfaces (HMIs), and Supervisory Control and Data Acquisition (SCADA) systems.
EDR tools typically deploy agents onto endpoint devices to monitor for anomalous changes in behavior - such as suspicious file activity, unusual processes, privilege escalations, unusual login behavior, or unauthorized program installations.
One of the limitations of EDR tools when it comes to monitoring IoT and OT devices is that many of these devices were never designed to be able to host endpoint agents - which means network monitoring is often the best or only option for detecting IoT and OT threats.
As with NDR tools, EDR tools often provide automated investigation and response capabilities - such as isolating compromised hosts, collecting and archiving evidence, and prioritizing alerts - and can also feed alert and telemetry data to SIEM and SOAR tools.
What do XDR Solutions do?
XDR (eXtended Detection and Response) is the term used to describe tools that expand on the traditional scope of NDR and EDR tools and the telemetry they use. XDR tools typically analyze both endpoint and network data as well as application and cloud telemetry to provide a broader and more unified view of possible threat activity.
XDR tools often provide the ability to automate aspects of threat investigation and response. And, similar to NDR and EDR tools, XDR tools are often used together with SIEM and SOAR solutions to provide SOC teams with integrated threat visibility and enable SOAR tools to automate investigation and response activities.
What do SIEM Solutions do?
Security Information and Event Management (SIEM) tools collect, aggregate, collate and analyze telemetry data from a wide range of sources – event and application logs, server logs, identity and access management data, vulnerability data, threat intelligence feeds, network metadata, alerts from monitoring tools (including firewalls, IDS, NDR, XDR and EDR solutions) and more.
This data is then aggregated and correlated to provide a holistic view of related events, so that SOC or NOC analysts investigating an incident can identify how events are related and what they show. SIEM tools can also generate alerts themselves when they identify correlated events that together constitute an indicator of compromise or signal that a potential issue has arisen. Some SIEM tools may also offer some level of automated response, or the alerts they raise may trigger a response in a separate SOAR tool.
What do SOAR Solutions do?
Security Orchestration, Automation and Response (SOAR) tools are designed to automate workflows to reduce the amount of manual work that SOC (and NOC) teams need to do before they can respond to an incident. Ideally, they can also completely automate simpler, repetitive (and predictable) processes, freeing analysts up to deal with the more complex incidents.
For example, a SOAR tool might automate the process of isolating a suspicious host and removing it from the network until it can be checked by a SOC analyst. Or it may automate the collection of evidence from a range of telemetry sources and make it available on an “evidence board” – thereby reducing the amount of work an analyst needs to do before jumping in to investigate the incident.
SOAR tools typically enable “playbooks” of actions to be assembled into workflows, which can then be automatically triggered when specific conditions are met. Playbooks can be chained together to form quite complex workflows – and can include prompting for human intervention at specific points before continuing, for example to confirm an intended automated action before it is taken.
Why is Packet Capture an Ideal Complement to NDR, EDR, XDR, SIEM and SOAR tools?
Put simply, packet capture's value lies in being a complete and accurate record of exactly what happens on the network. Packet capture provides unparalleled visibility into network traffic by recording the raw data packets that traverse a network. This granular level of detail gives security operations teams a deeper understanding of network activity, which significantly enhances their ability to detect, investigate, and respond to security threats. Since most security attacks involve the network at some stage, this complete record of network activity gives SOC teams a definitive and tamper-resistant source of evidence that they can correlate with other telemetry sources to establish an accurate timeline for, and complete picture of, attacker activity: before, during and after detected events.
Packet capture offers comprehensive network visibility beyond what other security tools provide. While XDR, NDR, and EDR tools aggregate alerts and telemetry from endpoints, networks, and cloud environments, they often rely on metadata, logs, or summarized information. In contrast, packet capture (PCAP) data is a complete record of the full content of network communications, including payloads, headers, and the protocols used. This means SOC (Security Operations Center) teams can analyze every byte of data transmitted, uncovering hidden or subtle malicious activities such as unauthorized data exfiltration, command-and-control communications, or attempts at lateral movement across on-prem enterprise networks, cloud infrastructure and industrial OT environments.
PCAP data enhances accurate threat detection by providing the raw evidence needed to identify complex or emerging threats that may evade detection by automated systems. For example, sophisticated cyber threats often use encrypted or obfuscated traffic patterns that can be challenging to detect through standard network security monitoring alone. With access to the actual packet data, security analysts can apply deep packet inspection (DPI), advanced analytics, behavioral analysis, and threat intelligence to identify anomalies and uncover malicious files that would otherwise remain hidden.
Lastly, packet capture is invaluable for incident investigation and forensic analysis. When a security incident is detected, having access to historical packet data allows SOC teams to reconstruct the entire chain of events leading to the compromise. This, combined with analyzing log data, network traffic flows, and security events provides the full context necessary to understand attacker tactics, techniques, and procedures (TTPs). This detailed investigation capability supports accurate threat response and helps in preventing future attacks by identifying vulnerabilities exploited during the incident.
What Extra Visibility Does Full Packet Capture Enable?
With access to full packet data, SOC teams can accurately reconstruct threat actor activity in ways that simply are not possible with log files or metadata alone, such as:
- Data exfiltration via covert channels: Attackers may hide data exfiltration inside seemingly benign traffic or obscure protocols. Packet capture lets analysts reconstruct the actual content of these communications, enabling detection of these subtle leaks.
- Man-in-the-middle (MITM) attacks: By analyzing packet sequences and content, SOC teams can detect alterations or interceptions in communications that indicate MITM attacks.
- Zero-day exploits using unusual protocol behavior: Packet capture can expose abnormal protocol usage or malformed packets that are indicators of exploitation attempts, which signature-based tools might not recognize. For example, analysis of DNS packet data enabled many organizations with access to recorded packets to accurately determine whether or not they had fallen victim to SolarFlare attacks.
- Internal reconnaissance and lateral movement: Packet capture helps identify unauthorized scanning, credential theft, or suspicious internal communications that often precede larger attacks - enabling attackers to be thwarted earlier in the kill chain before they can escalate attacks.
- Suspicious payloads: Transferred files can be reconstructed from packet data - enabling suspect files to be extracted from PCAP data and sent for sandbox analysis to check if they are malicious. Even when recorded data is encrypted, metadata and the pattern of packets captured can help enable teams to infer malicious activity, guiding deeper inspection or decryption efforts. Many of our customers use solutions from our partners – such as Gigamon, Keysight, Palo Alto Networks and others – to decrypt traffic before it’s recorded by their EndaceProbes.
What are Benefits of Combining Packet Capture with NDR, EDR, XDR, SIEM and SOAR Tools?
One of the chief benefits of packet capture for SOC teams is that it supports faster and more effective incident response. With precise context about the nature and scope of an attack, SOC teams can reduce false positives, prioritize security alerts more efficiently and conclusively identify the root cause of security threats. This lets them contain threats quickly, isolate infected endpoints or network segments, and apply remediation measures with confidence. Integrating packet capture data with security automation tools further accelerates response times by enabling security operations workflows to be automated.
Additionally, packet capture enriches the contextual intelligence available to security teams by integrating with other security solutions and threat intelligence platforms. This unified approach allows for correlation of threat data across multiple sources, improving proactive threat detection and enhancing the overall security posture. It also helps operations teams monitor network resources more effectively, identify suspicious network traffic early, and enforce security rules with greater precision.
What Are the Challenges of Integrating Packet Capture with Other Security Tools?
In order for packet capture data to be useful for SOC teams it must be:
- Complete: when packet capture solutions only capture some of the packets - such as with "triggered capture" solutions - SOC teams can't rely on having the forensic data that they need to investigate issues. Always-on packet capture ensures teams always have access to all the packets - because it's difficult or impossible to determine before an event takes place what packet data might be crucial to investigating it.
- Easy to Use: it must be quick and easy for SOC analysts to find the packets of interest that are relevant to the investigation they are engaged in. Being able to go directly from a specific incident investigation or threat hunt within whatever security tool they're using - SIEM, NDR, XDR etc. - to analyzing the related packets dramatically accelerates investigations, reduces mean-time-to-resolution (MTTR) and lets analysts complete investigations without context-switching between incidents while they wait for searches to complete.
- Ubiquitous: it's essential that packet data is available from the entire network - not just on-premises networks but also cloud environments and OT networks. That way, SOC teams have deep visibility into all network activity and can follow tried-and-true investigation processes and workflows regardless of where incidents take place.
- Scalable: packet capture solutions need to scale to keep pace with increasing network speeds and loads. Look for solutions that let you seamlessly scale storage capacity and capture speeds without replacing your existing infrastructure. Storage capacity needs to be large enough to retain sufficient recorded traffic to give security teams the historical look-back they need. This may be several days, or even weeks to months, depending on the organization's specific needs.
Final Words
Endace's recent experience as part of the SOC teams at RSAC 2025 and Cisco Live 2025 once again reinforced the value of PCAP data in the SOC. This value is expertly described in this great post from Cisco's Steve Nowell, who was in the SOC at Cisco Live:
https://blogs.cisco.com/security/the-value-of-pcap-in-firewall-investigations
With access to full PCAP data, SOC team analysts were able to more quickly triage and investigate security alerts, proactively hunt for vulnerabilities and notify affected users, and automate activities such as reconstructing files for malware analysis.
These two blogs show just two of the many use cases that the Cisco Live 2025 SOC team found PCAP data indispensable for:
Case Study: Hunting Cleartext Passwords in HTTP POST Requests
Case Study: Malware Upatre! (Encrypted visibility Engine Event)
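The file reconstruction described under "Suspicious payloads" above and the cleartext-password hunt in the first case study both come down to the same workflow: pull the packets of interest out of the recorder, reassemble the TCP conversation, and then inspect the application payload. The following is an added example of that workflow written for this article; it is not Endace's, Cisco's or the Cisco Live SOC's code. It assumes a plain libpcap file (not pcapng) carrying IPv4/TCP over Ethernet, and it builds its own constructed sample capture in memory so it runs offline: an HTTP POST whose two segments are recorded out of order, followed by a response that delivers a small constructed file (not real malware). The credential check reports only the offending field names, never the values, which is the right output for an alert that will be stored in a SIEM.

```python
"""Parse libpcap bytes, reassemble TCP, flag cleartext POST credentials, carve HTTP response bodies (stdlib only)."""
import hashlib
import socket
import struct
from collections import defaultdict
from urllib.parse import parse_qs

PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}  # form fields that should never travel in clear

# Constructed sample traffic: not a real capture, and the "file" is not real malware.
SAMPLE_FILE_BYTES = b"MZ" + b"constructed sample file, not real malware " * 4
_CLIENT, _SERVER, _BODY = "10.0.0.5", "10.0.0.80", b"user=alice&password=Winter2024!"
_POST = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n" % len(_BODY)) + _BODY
_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
         b"Content-Length: %d\r\n\r\n" % len(SAMPLE_FILE_BYTES)) + SAMPLE_FILE_BYTES

def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser below ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip

def build_sample_pcap():
    """libpcap bytes: the POST split over two segments written out of order, then the response."""
    first, second, seq0 = _POST[:40], _POST[40:], 1000
    frames = [_frame(_CLIENT, 51000, _SERVER, 80, seq0 + len(first), second),  # second half recorded first
              _frame(_CLIENT, 51000, _SERVER, 80, seq0, first),
              _frame(_SERVER, 80, _CLIENT, 51000, 5000, _RESP)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # magic, v2.4, tz, sigfigs, snaplen, Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield raw Ethernet frames from a little-endian, microsecond-resolution libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic or byte order")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]  # captured length of this record
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total_len = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[tcp + doff:14 + total_len]  # IP length, not frame padding

def reassemble_streams(frames):
    """Per direction, order segments by sequence number and join payloads (no overlap/retransmit handling)."""
    segments = defaultdict(list)
    for frame in frames:
        d = decode_tcp(frame)
        if d and d[5]:
            segments[d[:4]].append((d[4], d[5]))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in segments.items()}

def _split_http(stream):
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (line.partition(":") for line in lines[1:])}
    return lines[0], headers, body

def find_cleartext_credentials(streams):
    """Report form-encoded POSTs carrying password-like fields; the secret values are never kept."""
    hits = []
    for (src, _sport, dst, _dport), stream in streams.items():
        if not stream.startswith(b"POST "):
            continue
        request_line, headers, body = _split_http(stream)
        if "x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        exposed = sorted(f for f in parse_qs(body.decode("latin-1")) if f.lower() in PASSWORD_FIELDS)
        if exposed:
            hits.append({"client": src, "server": dst, "path": request_line.split()[1], "fields": exposed})
    return hits

def carve_http_responses(streams):
    """Extract HTTP response bodies (honouring Content-Length) with a SHA-256 for sandbox or IoC lookup."""
    files = []
    for (src, _sport, dst, _dport), stream in streams.items():
        if not stream.startswith(b"HTTP/"):
            continue
        _status, headers, body = _split_http(stream)
        blob = body[:int(headers.get("content-length", len(body)))]
        files.append({"server": src, "client": dst, "content_type": headers.get("content-type", ""),
                      "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
    return files
```

Running `reassemble_streams(parse_pcap(build_sample_pcap()))` and passing the result to the two detection functions yields one credential finding for `/login` (field `password`) and one carved file ready for sandbox submission. In a real SOC the bytes fed to `parse_pcap` would be the narrow 5-tuple and time-window slice exported from the recorder for the alert under investigation, not the whole capture; the reassembler here deliberately ignores retransmissions and overlapping segments, which a production tool such as Wireshark or Zeek handles and which an attacker-controlled sender can abuse, so treat it as a teaching model of the workflow rather than a replacement for those tools.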
Packet capture is a truly valuable component of the SOC that complements XDR, NDR, EDR, SIEM and SOAR tools by delivering (in-context) detailed, real-time and historical insight into network activity. It empowers security analysts and SOC teams with the data they need for proactive threat detection, comprehensive and accurate investigations, and rapid incident response.
By leveraging packet capture alongside their other security tools, SOCs can strengthen their defenses against cybersecurity threats, safeguard sensitive data, and maintain robust network security in an ever-evolving threat landscape.

Who is Endace?
Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of the world’s biggest organizations on some of the fastest networks on the planet.
If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.