Vectra AI President and CEO Hitesh Sheth has put network telemetry back at the center of the Windows security conversation. In a July 2026 interview with BankInfoSecurity, he argued that network data remains "the most useful common source of truth" for making security operations predictive—and for Windows-heavy enterprises, ignoring it leaves a critical blind spot.

This isn't a product launch or a software update; it's a strategic pivot that could reshape how Windows administrators and security teams think about detection. With attacks growing more sophisticated and often sidestepping endpoint defenses, Sheth's message is clear: your Windows security stack needs to hear what the network is saying.

The Elevator Pitch: Network Data as the Common Denominator

Sheth's case is built on a simple observation. Endpoint tools, identity systems, cloud platforms, and SaaS applications all generate valuable security signals. But they tell fragmented stories. Network data records how systems actually communicate—and that makes it uniquely suited to spot behavior that falls outside normal patterns.

"Even when adversaries use valid credentials, living-off-the-land tools, or encrypted traffic, they still have to move data and communicate with systems," Sheth noted. That means lateral movement, command-and-control traffic, credential abuse, and unexpected connections between cloud workloads all leave traces in network flows. For Windows environments where Active Directory is the authentication backbone and remote management tools are part of daily ops, these traces are often the only consistent thread connecting a multiphase attack.

Why Windows Enterprises Can't Rely on Endpoint Alone

Windows endpoints are heavily defended these days—Microsoft Defender, EDR agents, application control, and credential guards. But the evidence of an intrusion is rarely confined to a single device. An attacker might authenticate through Active Directory, use legitimate RDP or PowerShell remoting to pivot, then exfiltrate data to a cloud service without ever triggering a malware alert. Endpoint logs may show normal admin activity; identity logs may show valid logins. The network, however, will record that a workstation suddenly started talking to a server it never touches, or that a domain controller is making outbound connections to an unfamiliar IP.

Network-level visibility ties those events together. It adds the context that endpoint and identity logs lack on their own. For Windows shops, this is especially critical because so many "living-off-the-land" techniques abuse built-in Windows tools—tools that endpoint monitoring often trusts by default.

From Alerts to Attack Signals: The Vectra Play

Vectra AI sells network detection and response (NDR) technology, so the interview is also a product narrative. The company's pitch: security teams need systems that reduce large volumes of raw telemetry into prioritized "attack signals," not another flood of alerts for an already overwhelmed SOC.

The distinction between an alert and a signal matters. Traditional monitoring leaves analysts to correlate endpoint detections, authentication events, DNS lookups, firewall logs, and cloud audit records by hand. A predictive model, Sheth argues, is only useful if it surfaces meaningful changes early enough to investigate or contain them. Network data, because it is harder for attackers to avoid entirely, can serve as the backbone of that model.

The catch? The quality of the insight depends heavily on where sensors are deployed, how encrypted traffic is handled, and whether the platform has enough baseline data to distinguish routine activity from genuinely suspicious behavior. A hospital, for instance, may see large volumes of medical imaging data moving between systems every night; a tool that flags any heavy transfer as anomalous will create noise, not signals.

How We Got Here: The Return of Network-Centric Detection

Network-based detection isn't new. Intrusion detection systems (IDS) and network security monitoring (NSM) have been around for decades. But the industry's shift to endpoint-first security—fueled by the rise of EDR and later XDR—pushed network telemetry to the background. Many organizations came to view the network as a dumb pipe, assuming that if endpoints were locked down, the rest would take care of itself.

Recent attack trends have forced a rethink. Ransomware operators, state-sponsored groups, and supply-chain attackers all use techniques that blend into normal traffic. Encrypted threats have spiked; attackers increasingly use HTTPS, DNS tunneling, and VPNs to hide command-and-control. At the same time, cloud adoption has stretched enterprise networks far beyond the traditional perimeter, making it impossible to rely on castle-and-moat defenses.

Vectra's 2025 acquisition of Netography, a network visibility startup, signaled its intent to double down on this space. The combination aims to give security teams the ability to see and analyze east-west traffic in data centers and cloud environments—not just north-south traffic at the perimeter. For Windows administrators, this means the network conversation is coming back to the table, and it's bringing new expectations for integration with the Microsoft security stack.

What This Means for You—By Audience

For everyday Windows users and small businesses: The immediate impact is minimal. This is an enterprise-grade discussion. But it underscores a broader truth: no single security tool catches everything. If you run a small network with Windows devices, make sure your router or firewall logs are turned on and retained for at least a week. They're your simplest form of network telemetry.

For Windows system administrators: Network telemetry should be treated as a core detection data source, right alongside Microsoft Defender, Active Directory logs, identity provider events, and cloud audit trails. Review your current collection: Are you ingesting NetFlow, sFlow, or IPFIX data from your switches, routers, and firewalls into your SIEM? Are you capturing DNS query logs from your Windows DNS servers? If not, you're missing a critical layer.

For security operations (SOC) analysts: The shift from alerts to signals could change your workflow. An NDR platform that correlates network anomalies with Windows event logs and Azure AD sign-ins can reduce the manual correlation you do today. But the platform's real value depends on integration—look for direct connectors to Microsoft Sentinel, Defender for Endpoint, and your ticketing system.

For IT decision-makers: The market is pushing behavior-driven analytics. Before buying into any "predictive security" claims, ensure your network is instrumented well enough to provide meaningful data. Garbage in, garbage out applies.

The Validation Checklist: What to Ask Before You Buy

If your team is evaluating network detection and response tools, Sheth's insights translate into a concrete list of requirements:

  • Ensure visibility across all key segments: Core server VLANs, remote access paths, data center east-west traffic, and cloud network flows must all be covered. Blind spots are where attackers hide.
  • Confirm correlation with Windows identity data: The tool must tie network events to specific users, devices, and Active Directory objects. A detection that says "192.168.1.50 talked to a suspicious IP" is useless without knowing what machine that is and who was logged on.
  • Test encrypted traffic handling: How does the platform handle TLS 1.3? Does it rely on decryption, or does it use metadata analysis (JA3/JARM fingerprints, timing patterns, packet lengths)? Decryption adds complexity and potential privacy issues; metadata-based detection avoids those but may be less accurate.
  • Measure analyst workload in a trial: A "high-fidelity" signal that still requires 15 minutes of manual enrichment will not solve alert fatigue. Run a proof-of-concept and track mean time to acknowledge, investigate, and resolve for samples of network-derived incidents.
  • Require integrations with your existing stack: The tool should push detections to your SIEM (Microsoft Sentinel, Splunk, etc.), enrich alerts in your XDR platform, and create tickets in ServiceNow or Jira automatically. If it's an island, you'll end up swivel-chairing between consoles.

The Bottom Line

Vectra's message is less about buying a specific product and more about a mindset shift. Network data isn't a nice-to-have; it's the connective tissue that can make your existing Windows security tools smarter. Attackers can't avoid traversing the network, which means they can't avoid leaving traces there. For Windows enterprises, the immediate task is to make sure those traces are collected, retained, and correlated before you rely on any tool to predict the next attack.

What to Watch Next

Vectra is likely to integrate Netography's capabilities deeper into its platform throughout 2026, bringing more cloud-native network visibility to its NDR line. On the Microsoft side, watch for closer integrations between network telemetry sources and Microsoft Sentinel, particularly as Azure Virtual Network flow logs and DNS analytics become more accessible. The broader industry trend toward unified security operations platforms will continue to blur the lines between network, endpoint, and identity detection—making Sheth's argument about network data as a common source of truth even more relevant.