Find out what your peers are saying about Arctic Wolf AWN CyberSOC vs. Netsurion Managed Threat Protection and other solutions. Updated: January 2022.
563,148 professionals have used our research since 2012.

Read reviews of Arctic Wolf AWN CyberSOC alternatives and competitors

CISO at a hospitality company with 1,001-5,000 employees
Real User
Top 10
They take care of all first-line alerts, with eyes on glass, fingers on keyboard; they're doing the work, allowing me to focus elsewhere
Pros and Cons
  • "I also use their mobile app. It's very easy to use and very convenient to be able to respond to alerts wherever you are. I love the app. You can respond and communicate, per ticket, with their SOC in near real-time. The response is very quick."
  • "The updated UI is actually pretty bad. Regarding the intuitiveness, it is fairly easy to use, but the responsiveness, on a scale of one to 10, is a one. It's really poor performance."

What is our primary use case?

We needed a SOC operation, and we weren't going to build it in-house, so we were looking for exactly what they offer. They're an MDR service, and we were looking for somebody that would manage the SIEM tool as well as the endpoint management tool and have the ability to take action, when necessary, on endpoints and function as a full, hands-on SOC. That is why we selected them.

The service doesn't require us to make use of any hardware. The software required is Splunk, as a SIEM tool, which provides options as to how it's managed. We opted to have CRITICALSTART fully manage it, so we're hands-off with the SIEM tool, and it's hosted in AWS. Then you have to have an endpoint detection tool that CRITICALSTART has approved. I don't know what their current selection is, but a year-and-a-half ago it was either Cylance or Carbon Black. We're using Cylance.

Our use of the service covers 100 percent of our endpoints. We're covering 1,100 endpoints.

How has it helped my organization?

We didn't have a security team before. If I were to say the service had improved our organization, it might lead you to think we were doing security a certain way before, but we weren't. I came into the company as the first security professional for them.

The service has increased efficiency for me to the point that I can focus on other areas of the business. Again, as a department of one, and not having to attempt a one-person SOC operation, I'm able to focus on the strategic security posture, the architecture, for the company, and focus on where our keys to the kingdom are. I can also pay attention to compliance, which is part of my role. I'm able to do my job because I have this outsourced SOC.

What is most valuable?

The most valuable part of the service is that they are 100 percent taking care of all first-line alerts. With eyes on glass, fingers on keyboard, they're doing the work. If they have a question, or they haven't seen something in our environment before, then they will escalate it to me. The service takes care of Tier-1 and Tier-2 triage. They actually provide a report that gives details on how much that saves us. I looked at it when we first started, and it was multiple FTEs, on an annual basis, that they're saving us.

I also use their mobile app. It's very easy to use and very convenient to be able to respond to alerts wherever you are. I love the app. You can respond and communicate, per ticket, with their SOC in near real-time. The response is very quick. I can close tickets, I can escalate them. I have very close to all of the capabilities that I have on my desktop. All the things that I need to do in a ticket, I can typically do them from the app. I am a one-man show. I'm the only security analyst for our organization. I couldn't really do my job without the app. I can't sit in front of a computer all the time, so it's critical for us.

I communicate with CRITICALSTART's security analysts. I haven't spoken with them over the phone, except for one time, in a year-and-a-half, but their accessibility is very high. I always receive quick responses to my escalated tickets. When I'm commenting, they're following up, and they're very fast.

I feel I have full transparency to their SOC. Anything I want to go look at, I can do so. I can see all of the comments and discussions that the SOC team has on behalf of us. I have full transparency.

In terms of CRITICALSTART contractually committing to paying a penalty if it misses a one-hour SLA to resolve an escalated alert, I honestly haven't looked at the contract in a year and a half, so I don't remember if it's monetary. I believe that it is. They're very proud of their SLA and not missing it, so I've not ever had an issue or concern or had to think about it. This high commitment to SLAs was our CIO's primary concern when we were looking at CRITICALSTART. After seeing their record, 18 months ago, of not missing a single SLA, it became a moot point. It was a concern at the time but they satisfied that concern.

What needs improvement?

The updated UI is actually pretty bad. Regarding the intuitiveness, it is fairly easy to use, but the responsiveness, on a scale of one to 10, is a one. It's really poor performance.

I have shared this next point with them already, but I would like to see a monthly report to talk about advancements or new alerts, anything to do with what we call IOCs — indicators of compromise. When there is anything that they have changed on behalf of their customers on the backend, they should say, "Hey, we have made these modifications. We're now looking at these types of alerts." It would give the customer a sense that they're actively looking for new IOCs. So I would like a monthly recap of what they have done, not specifically for me, but what they've done for all of their customers. That would be good.

For how long have I used the solution?

I have been using CRITICALSTART for a year and a half.

How are customer service and technical support?

I would rate the customer support, post-deployment, as highly as it can be rated. Their focus on doing the right thing for the customer is how you would hope that every company you deal with would respond to customers. They are 100 percent focused on doing the right thing for the customer, and they back it up. I've seen that multiple times.

In terms of project management, in the lifespan of managed detection and response companies, I'm an old customer now, at 18 months. Back then, the project management was poor and that was part of the reason our roll-out was delayed. CRITICALSTART took all of the necessary steps to revamp that department and correct their mistakes, and that's why we were compensated monetarily, as well. It was poor then, and I haven't had the experience of working with the revamped project management team, because I'm already established.

In terms of delivering services on time, on budget, and on spec, we're a little bit of a unique customer. I know that because we had some early growing pains. They did miss the scoping of our network, which did impact the budget. I brought it to their attention and they stepped up. From a monetary standpoint, they made it right, with no fight. They just recognized it. They have a great ability to put themselves in the customer's shoes and do the right thing on behalf of the customer without any friction.

Which solution did I use previously and why did I switch?

Prior to CRITICALSTART, we were a customer of Arctic Wolf.

It's really not even fair to compare the two companies, because Arctic Wolf was not a 24/7 SOC operation, even though they sold themselves as that. It was more like a managed SIEM service. They used a proprietary SIEM. I cannot say anything positive about that company. Not a single thing. Right from the time for migration and sending the SIEM tools back to them, it was a very bad experience. They don't do what CRITICALSTART does. Even though they try to market themselves as an MDR, they're really not an MDR. They don't manage the endpoint tool, so it was really apples and oranges.

How was the initial setup?

There wasn't really an initial setup required at our end to use this service. The implementation of the endpoint tool, in this case Cylance, was a requirement for us. That involved some GPOs and the Splunk forwarders that we implemented in our environment. But as far as man-hours on our side to do the setup, it was very low.

It was straightforward. Pushing out software is something we do. Creating GPOs to make sure that the correct data from servers was being pushed and directed to the Splunk forwarders was all typical, sysadmin-type work. Nothing was complicated.

There were no data sources that this service wasn't able to integrate with.

From the time we entered into an agreement to use them, it was about four to five months until we started using it, but a lot of that was dependent on our ability to get the product rolled out, and our activity for baselining the system, or our environment. Some of that time span was us, and some of it was them, but they made monetary compensations for the delay that we had. While it didn't go as fast as we wanted, the end result was positive.

What was our ROI?

We are absolutely seeing return on our investment from CRITICALSTART's services. They're doing the job of a 24/7 SOC at a fraction of the price that it would cost me to run it myself.

What's my experience with pricing, setup cost, and licensing?

You get what you pay for.

Which other solutions did I evaluate?

Compared to the competitors that we looked at, CRITICALSTART had a longer history, even though they were a young company. I liked that they were not using proprietary tools in the environment. That allowed us the freedom to move, if we wanted to, to another provider. They were just ahead of everybody else in terms of maturity.

What other advice do I have?

In terms of advice, I don't feel that implementing this service is any different than implementing any other system into your environment. A lot relies on your project management skills.

I would attempt to test your MDR choices against a framework. The framework that comes to mind is the MITRE ATT&CK framework, which everybody is familiar with. Have realistic expectations about what vulnerabilities your MDR partner is really going to mitigate. That's the lesson I have learned.

In terms of CRITICALSTART's Trusted Behavior Registry and the way it resolves things that are known as trusted, so that the focus is on resolving unknown alerts, I'm obviously not looking at all of the alerts that they work on. But based on what they escalate to me — only the alerts that I'm seeing, which is a small percentage — if I were to rate them on a scale of one to 10, I'd rate this aspect at eight. There are a few things that slip through, things that they'll escalate that I know should not have been escalated, but it's a very small percentage of what they actually escalate. It's a very small percentage where I'll have to just say, "Hey, did you mean to do this one, because we've been through this before," or VirusTotal shows that it's 100 percent clean, so why did it get escalated? It's not common but it does happen.

The service missed a pen test, but I still have a high level of confidence with the data and the actions they take. We had hired a red team, so the situation was a red team test. Red teams are generally 100 percent successful, or very close to it. With them, you always expect to uncover the unknown. But I do have confidence in the tool and the data that they are looking at.

The number of escalated alerts we receive, compared to the number the service's Trusted Behavior Registry resolves, is probably less than 5 percent of the total.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.

Cyber Security Specialist at a financial services firm with 11-50 employees
Real User
Top 20 Leaderboard
Allowed us to consolidate cybersecurity technology but there's a steep learning curve for onboarding and deployment
Pros and Cons
  • "I think Netsurion scales well. We've gone from a small number of agents up to thousands. So I would imagine that it would continue to scale. I don't see any issue with that."
  • "The agents on the endpoints seem to fail quite a bit, requiring manual involvement from the local administrators. I would like to see their product be much more ad hoc and update automatically."

What is our primary use case?

I manage 13 companies that have 300 to 400 companies underneath them altogether. We're a private equity company, so we manage one company, and they control 10 to 20 companies themselves. Our operations are decentralized, so there aren't many existing products suitable for our use cases. 

When we initially deployed, Netsurion didn't seem like a particularly robust solution. We had the reporting, and if I told them to look for something specific, they could look for it and report on it. We haven't given them anything outside of the box to look at. It tells us everything that you see. We haven't whittled it down to specific events yet.

Netsurion is on the endpoints. You install it, and it speaks to a web server. We have it on workstations and servers on AWS, Google Cloud Platform, Azure, and everything else. We're using it as a decentralized SIEM product, and it's one of the only ones out there. We use Netsurion for things like log forwarding, and we deploy it on every workstation. It's a manual process. There is an installed agent, and as long as it has internet connectivity, it goes and talks to the centralized server, and Netsurion's SOC monitors the logs for all those devices.

Because we don't have a centralized enterprise network, there are a lot of different companies involved, and they could be anywhere. They could be working from home, or there could be several employees in a coworking space. The Netsurion agent has to be installed on every endpoint and allowed to communicate directly to the internet.

How has it helped my organization?

We don't have the security staff needed to monitor log data constantly. It's too much data. You have to send it to a third party like Netsurion that specializes in that, and they have a 24/7 security operation center. We don't have the in-house staffing or the time, so we offloaded the task to a third party, and they only report on critical incidents. Then they have reporting criteria, so if it's urgent, they call us. If it's not so critical, then they email us. We don't have the capacity to do that ourselves.

Netsurion has allowed us to consolidate cybersecurity technology, including SIEM and network traffic analysis. It's not a decisive factor, but it's important. Having multiple tools keeps it centralized.

What is most valuable?

Netsurion's security operations center is critical for us because they provide 24/7 monitoring. We've never had another company meet the same need in the past. It's a valuable tool to have. Netsurion provides us with a lot of actionable threat intelligence. Their security people don't come in, but they know who to call. We tell them specifically who to call for a specific event or certain companies and they're good at that.

What needs improvement?

The product is based on an agent initially intended to talk internally, and they've simply tweaked it to talk externally. It's inside of a network versus talking on the internet. If they redeveloped the product to use internet options that are part of the operating system, it would add more security. Netsurion would keep pace with the computer as it updates and the technologies change. 

If it were to talk using the internet options inherent in the operating system, the communication would be better and more frequent. It would be part of the operating system. It would work like opening a browser and hitting the internet rather than being a standalone solution. I've suggested redeveloping the application to work more fluidly with current technology instead of working as an old solution in a new application.

For how long have I used the solution?

We've been using Netsurion for about a year or so now.

What do I think about the stability of the solution?

Netsurion is highly stable. I haven't had any issues. However, the agents on the endpoints seem to fail quite a bit, requiring manual involvement from the local administrators. I would like to see their product be much more ad hoc and update automatically. I'd like to know if it has errors or issues to support that. Otherwise, local people need to uninstall and reinstall, and it's very time-consuming to maintain the installed product. This should be automatic. We shouldn't have to deal with that on a routine basis.

What do I think about the scalability of the solution?

I think Netsurion scales well. We've gone from a small number of agents up to thousands. I would imagine that it would continue to scale. I don't see any issue with that.

How are customer service and support?

Our SLA with Netsurion doesn't require them to respond immediately. But I haven't had any issues with them from a communication perspective. They've been very good at communicating. If we're talking about the entire process from onboarding to scaling operations, I will give their support a six out of 10, and I'm only giving them a six because they're one of the only companies that provide this service. The installation and customer care at the beginning of the process have a lot of room for improvement.

The fact that Netsurion's SOC is outside the United States hasn't been an issue for us. Most IT labor is offshored, but the communication server and the information are warehoused within the United States on Azure, I believe. I can't recall exactly what they have, but I know it is located in the US. The data itself is still housed domestically, and the third party monitors it. So I don't have a concern with it, and I think over the last 10 or 15 years, the IT industry has pretty much gone that way for the labor component.

How was the initial setup?

The onboarding process was complex. There was quite a learning curve, and few of our technical staff knew what they were talking about on the Netsurion side. But we were expected to do all the work. There were issues with the installers and the availability of people who could work through the code. I had a lot of concerns about what was being installed and how it was communicating online. It was not communicating securely.

I was hoping Netsurion could meet my expectations and have their developers fix the application to work more smoothly. Unfortunately, it took quite a bit longer than it should have to onboard. I have five companies that have a bunch of subsidiaries. Those five are using this product on probably a thousand endpoints total. We started with the first one about this time last year, and we've only just finished onboarding. The onboarding should have taken less than a month or two, but it ended up taking a year. That was a problem that we had with them, and it could potentially impact future business.

After we onboarded the first company, the learning curve went down. I found most of the cybersecurity issues in the initial deployment and would not move forward until we resolved them. That took a few months of our time. Netsurion showed some organization from a project management perspective, but there should have been more of a technical push from their side. 

As the customer, we had to provide many technical solutions, and I believe the onboarding would have gone faster if Netsurion had provided more technical resources, not just project people. The project people would push things to the next week instead of scheduling a technical person to fix that issue specifically. They were just logging hours rather than helping us move forward.

We expected that we would be fully deployed on all the discovered devices discussed before the start of the project within 90 days after we signed the contract. Things happen, so I wouldn't expect it all to get done in 90 days, but it should've been mostly done. You need to be at 80 to 90 percent before going to the SOC level and getting reports. That should've happened in under 90 days. Regardless of how many endpoints there are, there should be a real push to bring everything in within the first 90 days.

I think that's a short deadline. At 90 days, I would expect to have the devices onboarded at a minimum. At between 90 and 120 days, I expect to start seeing reports, even if they're very generalized. I expect to see what's talking and what's not. And if we're talking about the total maintenance, it's split. I would hope that Netsurion would be managing their web server, which is the receiving server that takes all the logs in. I'm doing some sorting that allows the agent that's installed to talk back.

What was our ROI?

It saves us from hiring someone to do the same thing. IT is a cost center, so we don't make money. We spend it. But in terms of a return on investment, it's cheaper than hiring an employee and it's providing actionable results about threats like ransomware that could be costly if we don't catch them in time. That's a kind of savings, but it's theoretical. It's not something that was accrued. It's a potential for loss. I would say that there's a return in that sense. 

I don't have a hard number because there wasn't a pre-existing solution to compare it to. But to manage the logs the same way that Netsurion does, we would need someone working at least 40 hours a week. To hire someone at the SOC analyst level, you would have to pay an annual salary of between $70,000 and $100,000. However, paying a full-time analyst 40 hours a week still wouldn't give us 24/7 service like Netsurion.

What's my experience with pricing, setup cost, and licensing?

Netsurion's pricing is competitive. At the same time, they're the only ones who do what we want to do the way we want it. I can't say we would've paid more, but we would've had to have come up with our own solution if they weren't providing that. I believe they have a good niche where they're the only ones providing this type of service that we specifically need in our business model. 

Which other solutions did I evaluate?

We tried out a couple of competing solutions, including Comodo and Arctic Wolf.

What other advice do I have?

I'd rate Netsurion six out of 10. I'm only going above the five because there aren't a lot of other products in that niche for a decentralized SIEM product. To anyone skeptical about the need for managed security services, I would say that they need to look at whether they have the resources to provide the service themselves. I think most don't, and I believe that the cost of hiring even temporary personnel to provide that function doesn't make business sense compared to bringing in a third party like Netsurion. Cost savings, management, and 24/7 monitoring — you can't get all that for the same price.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.