Network Security Monitoring (NSM): The Three Pillars of Modern Network Defense
Network Security Monitoring (NSM) is the continuous collection and analysis of network traffic, logs, and device telemetry to detect, investigate, and respond to cyber threats in real time. Unlike network performance monitoring, which focuses on availability, latency, and throughput, NSM specifically targets malicious activity — intrusions, unauthorized access attempts, data exfiltration, lateral movement, and the anomalies that indicate active or attempted compromise.
NSM is built on a simple assumption: highly skilled attackers will eventually breach perimeter defenses. The discipline exists to provide the continuous internal visibility, baselining, and historical forensic record needed to detect breaches in progress, contain them quickly, and reconstruct what happened afterward.
This article covers what NSM is, the three pillars of NSM data, how the discipline works in modern environments, how it differs from related disciplines like NPM, SIEM, NDR, and IDS/IPS, the leading tools and tool categories, and where Kentik fits as the network intelligence platform contributing the flow analytics layer.
At a Glance
- Network Security Monitoring (NSM) is the continuous collection and analysis of network traffic, logs, and device data to detect, investigate, and respond to cyber threats.
- NSM rests on three pillars of data: full packet captures (PCAP), transaction and flow data, and logs and alerts.
- NSM is distinct from NPM: NPM watches for performance and availability problems; NSM watches for malicious activity.
- Modern NSM operates on an “assume breach” philosophy — attackers will get past perimeter defenses, so continuous internal visibility is essential.
- No single tool covers all of NSM. Most enterprises combine a SIEM, an NDR or packet capture platform, a flow analytics platform, DDoS-specific defenses, and often one or more open-source NSM stacks.
- Kentik provides the flow analytics pillar at scale, with real-time anomaly detection, DDoS detection and mitigation via Adaptive FlowSpec, BGP route hijack monitoring, internet-path visibility, and long-retention forensic flow data across hybrid and multicloud environments.
What is Network Security Monitoring?
Network Security Monitoring (NSM) is the practice of continuously collecting, analyzing, and acting on network traffic, telemetry, and logs to detect and respond to cyber threats. The discipline was formalized in the early 2000s by security practitioner Richard Bejtlich, whose book The Tao of Network Security Monitoring (2004) established the foundational principle that defenders need continuous network visibility because perimeter defenses alone will fail.
In modern practice, NSM has converged on a simpler framing than Bejtlich’s original four data types (full content, session, statistical, and alert data). Today most NSM practitioners and platform vendors describe NSM in terms of three data pillars: packet captures, flow data, and logs and alerts. Together, these three sources provide the breadth and depth needed to detect threats, investigate incidents, and produce forensic evidence after the fact.
NSM is not a single product category. It is a discipline that spans multiple tool categories — SIEMs, network detection and response (NDR), packet capture and forensics, flow analytics, DDoS-specific defenses, and open-source NSM stacks. Most enterprises run several of these in combination, with each contributing a different layer of visibility.
Kentik in brief: Kentik is a network intelligence platform that contributes the flow analytics pillar of Network Security Monitoring. It ingests NetFlow, sFlow, IPFIX, VPC flow logs, and streaming telemetry from on-prem, cloud, WAN, peering, and internet edges; baselines normal traffic patterns at scale; detects anomalies and DDoS attacks in real time; and retains full-fidelity flow data for forensic investigation. Kentik also provides BGP route monitoring for detecting route hijacks and origin anomalies, and Adaptive FlowSpec for automated DDoS mitigation. Kentik integrates with SIEMs, ticketing systems, and SOAR platforms so flow-based detections feed directly into existing security workflows.

The Three Pillars of Network Security Monitoring Data
NSM rests on three complementary data types. Each pillar answers different questions, has different storage and analysis economics, and is best provided by different tool categories.

Pillar 1: Packet Captures (PCAP)
Packet capture records the actual data moving across the network: every header, every byte. PCAP provides the highest possible fidelity and is often described as the “ground truth” of network traffic. For forensic investigation and incident response, packet captures are the strongest evidence available, with two practical conditions: the capture point must actually have seen the traffic (a SPAN port that drops frames under load, or a tap on the wrong side of a NAT or TLS terminator, does not), and the capture files need trusted timestamps and integrity hashes if they are to hold up as evidence. With those in place, they show exactly what crossed the wire and when.
The trade-off is storage. Full PCAP at line rate on a modern enterprise network can produce terabytes per day, which makes indefinite retention impractical. Most teams keep packet captures for a short window — hours to days — or use selective capture, recording only traffic of interest such as flows involving sensitive servers, suspect endpoints, or already-flagged threats.
Tools in the PCAP and packet forensics category include Corelight (built on the open-source Zeek/Bro framework), ExtraHop Reveal(x), Gigamon ThreatINSIGHT, NetWitness Platform, and the open-source Arkime project (formerly Moloch).
Pillar 2: Transaction and Flow Data
Flow data summarizes network conversations: who connected to what, on which ports, when, for how long, and how much data was transferred. Instead of recording every packet, flow data records metadata about every conversation — making it dramatically more compact than PCAP while still providing the visibility needed to answer most security questions.
Four characteristics make flow data uniquely valuable for NSM:
- Scale and economics. Flow data is typically one to two orders of magnitude smaller in volume than full packet captures, which makes it practical to retain for months or years rather than hours or days. That long retention window is essential for incident response, where investigators often need to look back weeks or months to trace an attacker’s activity from initial compromise to data exfiltration.
- Encrypted traffic visibility. As network traffic moves to TLS and other encrypted protocols, payload inspection becomes less informative. Flow metadata (source, destination, ports, byte counts, durations, timing) remains visible and useful regardless of encryption. Lateral movement, data exfiltration, command-and-control beaconing, and DDoS attacks all leave clear flow signatures even when payloads cannot be inspected. The caveat is encapsulation: traffic inside a VPN, IPsec, or overlay tunnel collapses into a single flow between the tunnel endpoints unless the exporter sits where it sees the inner headers, so exporter placement matters as much as the export protocol.
- Comprehensive coverage. Flow telemetry can be collected from routers, switches, firewalls, load balancers, cloud VPCs, and Kubernetes pods without requiring inline taps or SPAN ports. That makes it the most practical way to achieve ubiquitous visibility across hybrid, multicloud, and internet-edge environments. The caveat is sampling: sFlow or sampled NetFlow at 1:1000 or coarser keeps that coverage affordable but can miss short, low-volume connections, so detections that depend on seeing every session (beaconing, single-packet scans) need unsampled export or a low sampling rate at the relevant choke points.
- Baseline and anomaly detection. Because flow data is collected continuously across the entire network, it is the natural foundation for traffic baselining and anomaly detection. Sudden changes in connection patterns, traffic volumes, or peer relationships are visible in flow data long before they appear in PCAP analysis or log correlation.
Flow data is typically collected using NetFlow (a Cisco protocol whose version 9 format was standardized by the IETF as IPFIX, RFC 7011), sFlow (which exports sampled packet headers and interface counters rather than aggregated flow records), or cloud-native flow log formats such as AWS VPC Flow Logs, Azure NSG Flow Logs, and Google Cloud VPC Flow Logs. Streaming telemetry from devices supporting gNMI and OpenConfig is increasingly used to complement flow data with sub-second device state.
Tools in the flow analytics category include Kentik, ElastiFlow, FlowMon by Progress, and ManageEngine NetFlow Analyzer. Kentik is purpose-built for large-scale, multi-source flow analytics across hybrid and multicloud environments, with native security features including DDoS detection, BGP route monitoring, and Adaptive FlowSpec for automated mitigation.

Pillar 3: Logs and Alerts
The third pillar consists of logs and alerts from security tools (firewalls, IDS/IPS, endpoint detection and response, VPNs, identity providers) and core infrastructure systems (operating systems, applications, cloud control planes). These records describe events that the systems themselves recognized as worth recording — successful and failed authentications, policy denials, configuration changes, detection alerts.
Logs and alerts are essential for understanding what the systems on the network think is happening. They are the dominant data type for SIEM platforms, which aggregate logs from across the environment, normalize them, correlate them, and apply detection rules to identify patterns that suggest threats.
Tools in this category include Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, Sumo Logic Cloud SIEM, and Elastic Security.
How the three pillars work together
No single pillar is sufficient on its own. PCAP provides forensic fidelity but cannot scale to comprehensive long-term retention. Flow data provides scale and visibility but lacks payload detail. Logs provide system-level context but only describe what the systems chose to record.
Mature NSM programs use all three pillars together: flow data for continuous monitoring and baseline anomaly detection, selective PCAP for deep investigation of flagged events, and logs and alerts integrated into a SIEM for correlation and case management. Each pillar complements the others; none replaces them.
How Network Security Monitoring Works
Modern NSM operational workflows generally follow three steps: establish baselines, detect anomalies, and integrate the findings into broader security operations.
1. Establish baselines
Effective NSM begins by characterizing normal network behavior across many dimensions — which hosts talk to which hosts, on which ports, at which volumes, at which times of day. Baselines may be statistical (average, percentile, standard deviation), behavioral (machine-learned models of normal), or peer-based (comparing one host or subnet to similar peers).
Baselining requires sufficient telemetry volume and history. Networks that collect only sparse samples or short retention windows cannot reliably distinguish normal variation from anomalous behavior. This is one of the reasons flow data — which can be collected ubiquitously and retained cost-effectively for months or years — is the natural foundation for baselining.
2. Detect anomalies
Once baselines exist, the detection layer continuously compares current traffic to expected patterns and flags significant deviations. Anomalies that often indicate possible threats include:
- Sudden traffic spikes that may indicate DDoS attacks
- New or unexpected peer connections that may indicate lateral movement
- Unusual data egress volumes that may indicate exfiltration
- Beaconing patterns — regular small connections at fixed intervals — that may indicate command-and-control activity
- Unexpected BGP origin changes that may indicate route hijacks
- Connections to known-bad IP ranges or unusual geographies
The anomaly detection layer typically combines rule-based detection (write a rule, fire on match), statistical detection (deviation from baseline), and machine learning (behavioral pattern recognition). Strong implementations also incorporate threat intelligence feeds to enrich raw detections with context about known-bad actors and indicators.
3. Integrate with SIEM and security operations
Detections from NSM platforms feed into broader security operations workflows — typically a SIEM for correlation and case management, a SOAR platform for automated response actions, and a ticketing or incident response system for investigator hand-off. Effective NSM platforms expose detections through APIs, webhooks, and direct SIEM integrations rather than acting as isolated dashboards.
For network-layer threats like DDoS attacks, the integration layer may also include automated mitigation, for example programmatically advertising BGP FlowSpec rules (RFC 8955) that match the attack’s destination prefix, protocol, and ports and instruct edge routers to discard or rate-limit that traffic before it reaches its target. A FlowSpec rule is a filter installed in the router’s data plane, so its match criteria deserve the same care as a firewall rule: an overly broad match drops legitimate traffic along with the attack, and routers are expected to accept a FlowSpec route only when it comes from the same originator as the best unicast route for the destination prefix (the validation procedure in RFC 8955 section 6), which keeps one peer from injecting filters for prefixes it does not own.
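The three steps above, run end to end over constructed flow records. This is an added illustration written for this article, not Kentik’s implementation: the record schema (timestamp, source, destination, destination port, bytes), the sample hosts, and the thresholds (a 3-sigma egress limit, at least six flows with under 10% interval jitter for beaconing) are all assumptions chosen for the example.

```python
"""NSM workflow over flow records: baseline, detect, hand off to the SIEM.
Added illustration, not Kentik code. Records are (epoch_seconds, src_ip,
dst_ip, dst_port, bytes) tuples; sample data is constructed and the
thresholds are assumed starting points, not any product's defaults."""
from __future__ import annotations

import json
from collections import defaultdict
from statistics import mean, pstdev

Flow = tuple[int, str, str, int, int]


def build_baseline(flows: list[Flow]) -> dict:
    """Step 1: per source host, learn its peer set and hourly egress profile."""
    peers: dict[str, set] = defaultdict(set)
    hourly: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, dport, nbytes in flows:
        peers[src].add((dst, dport))
        hourly[src][ts // 3600] += nbytes
    egress = {src: (mean(b.values()), pstdev(b.values())) for src, b in hourly.items()}
    return {"peers": dict(peers), "egress": egress}


def detect(window: list[Flow], baseline: dict, z: float = 3.0,
           min_beacons: int = 6, max_jitter: float = 0.1) -> list[dict]:
    """Step 2: compare one hour of flows with the baseline and return alerts
    for new peers, egress above mean + z*sigma, and beaconing (near-constant
    inter-arrival gaps) toward a peer the host never talked to before."""
    alerts: list[dict] = []
    egress_bytes: dict[str, int] = defaultdict(int)
    times: dict[tuple, list[int]] = defaultdict(list)
    new_peers: set[tuple] = set()

    for ts, src, dst, dport, nbytes in window:
        egress_bytes[src] += nbytes
        times[(src, dst, dport)].append(ts)
        if (dst, dport) not in baseline["peers"].get(src, set()):
            new_peers.add((src, dst, dport))

    for src, dst, dport in sorted(new_peers):
        alerts.append({"type": "new_peer", "src": src, "dst": dst, "dport": dport})

    for src, total in egress_bytes.items():
        if src not in baseline["egress"]:
            continue  # no profile yet; the new_peer alerts already cover it
        mu, sigma = baseline["egress"][src]
        # Floor sigma at 10% of the mean so a flat history does not alert on every wobble.
        limit = mu + z * max(sigma, 0.1 * mu)
        if total > limit:
            alerts.append({"type": "egress_spike", "src": src, "bytes": total, "limit": round(limit)})

    # Periodic traffic to an established peer (polling, health checks) is normal,
    # so only unknown peers are scored for beaconing.
    for key in sorted(new_peers):
        ts_list = sorted(times[key])
        if len(ts_list) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:  # coefficient of variation
            alerts.append({"type": "beaconing", "src": key[0], "dst": key[1], "dport": key[2],
                           "count": len(ts_list), "interval_s": round(avg)})
    return alerts


def to_siem_events(alerts: list[dict]) -> list[str]:
    """Step 3: serialize alerts as JSON lines for a SIEM or SOAR webhook."""
    return [json.dumps({"source": "flow-nsm-example", **a}, sort_keys=True) for a in alerts]


# Constructed history: 24 hours in which 10.0.1.20 polls an internal API over
# HTTPS every 5 minutes and 10.0.1.21 touches an SMB share every 10 minutes.
TRAINING: list[Flow] = (
    [(h * 3600 + m * 60, "10.0.1.20", "10.0.2.5", 443, 20_000 + (h % 5) * 500)
     for h in range(24) for m in range(0, 60, 5)]
    + [(h * 3600 + m * 60, "10.0.1.21", "10.0.2.6", 445, 4_000)
       for h in range(24) for m in range(0, 60, 10)]
)
# Hour 25: the same routine traffic, plus a 5 MB upload to a never-seen
# external host and a 60-second beacon from the SMB client.
H = 24 * 3600
WINDOW: list[Flow] = (
    [(H + m * 60, "10.0.1.20", "10.0.2.5", 443, 20_000) for m in range(0, 60, 5)]
    + [(H + m * 60, "10.0.1.21", "10.0.2.6", 445, 4_000) for m in range(0, 60, 10)]
    + [(H + 1_800, "10.0.1.20", "203.0.113.50", 443, 5_000_000)]
    + [(H + s, "10.0.1.21", "198.51.100.9", 8443, 100) for s in range(0, 1_800, 60)]
)


def run_example() -> list[dict]:
    return detect(WINDOW, build_baseline(TRAINING))


if __name__ == "__main__":
    for line in to_siem_events(run_example()):
        print(line)
```

Running the script prints one JSON line per alert, the shape a SIEM webhook or SOAR playbook would consume: two new-peer alerts, an egress spike for 10.0.1.20, and a beaconing alert for the 60-second pattern from 10.0.1.21. The beaconing check deliberately scores only peers outside the baseline; the host’s own five-minute API polling is exactly as regular as a beacon, and scoring it would page the SOC every hour. Tune z, min_beacons and max_jitter against a week of your own history before trusting the output.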

NSM vs. NPM: Two Different Disciplines on the Same Telemetry
Network Security Monitoring and Network Performance Monitoring (NPM) share much of the same underlying telemetry — flow data, device metrics, packet captures — but ask different questions and serve different teams.
| Dimension | Network Performance Monitoring (NPM) | Network Security Monitoring (NSM) |
|---|---|---|
| Primary question | Is the network healthy and performant? | Is anything malicious happening? |
| Primary user | Network operations, NetOps, infrastructure teams | Security operations, SOC, incident response |
| Key signals | Latency, jitter, packet loss, throughput, availability | Anomalies, baselines, IOCs, attack patterns |
| Time horizon | Real-time monitoring, capacity planning | Real-time detection plus long-retention forensics |
| Tooling overlap | Both rely on flow data, SNMP, streaming telemetry, synthetic tests | NSM adds packet capture, SIEM integration, threat intelligence |
| Response model | Operational remediation (routing, capacity, configuration) | Containment, mitigation, investigation, attribution |
The two disciplines overlap meaningfully in practice. A traffic anomaly might first be detected by a NetOps team as a capacity issue, then reclassified as a DDoS attack and handed to the SOC. A flow analytics platform like Kentik supports both disciplines from the same telemetry, which is why mature operations increasingly treat NPM and NSM as adjacent capabilities sharing a common data plane rather than fully siloed practices.
NSM vs. SIEM, NDR, IDS/IPS, and EDR
NSM as a discipline interacts with — and is sometimes confused with — several adjacent security tool categories. The distinctions matter for tool selection and integration.
- SIEM (Security Information and Event Management). SIEMs aggregate, normalize, and correlate logs and alerts from across the environment. They are the dominant tool for security operations case management and compliance reporting. SIEMs are part of NSM workflows but cover the logs-and-alerts pillar specifically — not flow data or packet capture.
- NDR (Network Detection and Response). NDR platforms specialize in detecting threats from network traffic, typically combining packet inspection with machine-learning anomaly detection. NDR is one tool category within NSM, focused on the PCAP and traffic-analysis pillars.
- IDS/IPS (Intrusion Detection / Prevention Systems). Signature-based and rule-based systems that detect known attack patterns in network traffic. Modern open-source IDS/IPS implementations like Suricata and Snort are often used as components within broader NSM stacks.
- EDR (Endpoint Detection and Response). Focused on endpoints — laptops, servers, workloads — not the network. EDR is complementary to NSM rather than a substitute. Many attacks are visible from both perspectives, and correlating endpoint signals with network signals often produces stronger detections than either alone.
In practice, most enterprise security programs use NSM as the network visibility layer that feeds the SIEM, complements the EDR, integrates with the SOAR, and provides forensic depth that signature-based IDS/IPS cannot match on its own.
Why Network Security Monitoring Matters in the Cloud Era
NSM was originally formulated for a world of on-premises networks with clearly defined perimeters. That world has largely dissolved. Today’s networks span public cloud regions, SaaS dependencies, branch offices, remote workers, and partner connections — and most internal traffic is encrypted. Each of these shifts has made NSM more important, not less.
- The perimeter is no longer a reliable line of defense. Attackers compromise SaaS accounts, exploit cloud misconfigurations, and use legitimate-looking traffic patterns to blend in. Internal visibility is the only reliable detection layer.
- Encrypted traffic limits payload inspection. As TLS adoption approaches universality, deep packet inspection becomes less informative. Handshake metadata such as the SNI, certificate details, and JA3/JA4 client fingerprints still survives in packet data, but TLS 1.3 encrypts the server certificate and Encrypted Client Hello hides the SNI, so even that window is narrowing. Flow metadata, by contrast, remains visible regardless of what the payload carries, making flow analytics increasingly central to modern NSM.
- Hybrid and multicloud environments break traditional tool architectures. Physical packet-capture appliances cannot be racked inside a public cloud VPC; packet-level visibility there depends on provider mirroring features such as AWS VPC Traffic Mirroring or Google Cloud Packet Mirroring feeding virtual sensors, at extra cost and with per-provider configuration. Cloud-native telemetry (VPC flow logs, security group logs, cloud audit logs) must be ingested alongside on-prem telemetry to produce unified visibility.
- Ephemeral workloads change the asset model. Container, serverless, and short-lived cloud workloads break asset-centric models that assume long-lived hosts. NSM has to baseline behavior on traffic patterns rather than fixed identities.
- Internet-edge threats have grown in scale and frequency. DDoS attacks, BGP hijacks, and supply-chain compromises operate at the internet layer — outside any single organization’s perimeter. NSM programs increasingly need internet-path visibility and BGP context to detect and respond to these threats.
For modern enterprises, NSM is no longer optional or aspirational. It is one of the few defensive disciplines that scales with cloud adoption and pervasive encryption rather than being undermined by them.

Categories of Network Security Monitoring Tools
NSM is a multi-tool discipline. Most enterprises run at least one tool from several of the following categories, with each tool contributing a different layer of detection, visibility, or response. There is no single “best NSM tool” — the right composition depends on threat model, environment complexity, regulatory requirements, and team size.
SIEM platforms
SIEMs aggregate logs and alerts from across the environment, normalize them, and apply correlation rules and detection content. They are typically the operational center of gravity for security operations teams. Leading SIEM platforms include Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, Sumo Logic Cloud SIEM, and Elastic Security.
Network Detection and Response (NDR)
NDR platforms specialize in detecting threats from network traffic using a mix of packet inspection, behavioral analytics, and machine learning. They are typically the dedicated network-threat-detection layer of an NSM program. Leading NDR platforms include Corelight (built on Zeek), Vectra AI, Darktrace, ExtraHop Reveal(x), and Cisco Secure Network Analytics (formerly Stealthwatch).
Packet capture and forensics
Packet capture platforms provide full-fidelity recording of network traffic for forensic investigation. They are essential for deep incident response but expensive to scale to comprehensive long-term retention. Leading PCAP and forensics platforms include Corelight, ExtraHop, Gigamon ThreatINSIGHT, NetWitness Platform, and the open-source Arkime project.
Flow analytics for security
Flow analytics platforms provide scalable network visibility based on flow telemetry — NetFlow, sFlow, IPFIX, and cloud VPC flow logs. They are the practical foundation for ubiquitous baselining, anomaly detection, DDoS detection, and long-retention forensic flow data. Leading flow analytics platforms include Kentik, ElastiFlow, FlowMon by Progress, and ManageEngine NetFlow Analyzer. Kentik is purpose-built for large-scale, multi-source flow analytics across hybrid and multicloud environments, with native security features including DDoS detection, BGP route monitoring, and Adaptive FlowSpec for automated mitigation.
DDoS-specific defenses
DDoS defenses are purpose-built for detecting and mitigating volumetric, protocol-based, and application-layer denial-of-service attacks. They are typically deployed alongside broader NSM and may include both detection (often based on flow analytics) and mitigation (scrubbing centers, BGP FlowSpec, RTBH). Leading DDoS defense platforms include Kentik, NETSCOUT Arbor, Radware DefensePro, Cloudflare, and Akamai Prolexic. Kentik provides DDoS detection and Adaptive FlowSpec-based mitigation as part of its flow analytics platform — see NETSCOUT Arbor alternatives and Deepfield Alternatives for a deeper comparison.
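What a mitigation system actually sends when it “pushes a FlowSpec rule”, as an added example rather than Kentik’s Adaptive FlowSpec code: the RFC 8955 NLRI encoding for an IPv4 filter and the traffic-rate extended community that tells the router to discard or rate-limit matching packets. The victim prefix, the SSDP reflection scenario (UDP from source port 1900) and the rate values are constructed for the example; advertising the result to a router needs a BGP speaker session (ExaBGP or GoBGP, for instance), which is outside this snippet.

```python
"""Encode a BGP FlowSpec (RFC 8955) filter as a mitigation system hands it to routers.
Added illustration, not Kentik's Adaptive FlowSpec code. Covers the IPv4 NLRI
(destination prefix, IP protocol, destination and source port components) and
the traffic-rate extended community; prefixes, ports and rates are constructed."""
from __future__ import annotations

import ipaddress
import struct

# Component types (RFC 8955 section 4.2.2); an NLRI lists them in ascending type order.
DEST_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 3, 5, 6
OP_EQ, OP_END = 0x01, 0x80               # numeric-operator bits: eq, end-of-list
LEN_BITS = {1: 0x00, 2: 0x10, 4: 0x20}   # operator length field for 1/2/4-byte values


def _prefix_component(ctype: int, cidr: str) -> bytes:
    """<type><prefix length in bits><minimum prefix octets>, as in RFC 4271."""
    net = ipaddress.IPv4Network(cidr)
    octets = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:octets]


def _numeric_eq(ctype: int, values: list[int]) -> bytes:
    """'<field> == v1 OR v2 ...' as an operator/value list; only the last operator has the end bit."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        size = 1 if v < 0x100 else 2 if v < 0x10000 else 4
        op = OP_EQ | LEN_BITS[size] | (OP_END if i == len(values) - 1 else 0)
        out.append(op)
        out += v.to_bytes(size, "big")
    return bytes(out)


def flowspec_nlri(dst: str, proto: int | None = None,
                  dst_ports: list[int] | None = None,
                  src_ports: list[int] | None = None) -> bytes:
    """Build the NLRI; the length is 1 octet below 240, else 2 octets with a 0xF high nibble."""
    body = _prefix_component(DEST_PREFIX, dst)
    if proto is not None:
        body += _numeric_eq(IP_PROTO, [proto])
    if dst_ports:
        body += _numeric_eq(DST_PORT, dst_ports)
    if src_ports:
        body += _numeric_eq(SRC_PORT, src_ports)
    if len(body) >= 240:
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body


def traffic_rate(bytes_per_second: float, asn: int = 0) -> bytes:
    """Traffic-rate extended community (type 0x80, sub-type 0x06): 2-byte AS, IEEE float rate.
    A rate of 0 bytes per second means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)


def ssdp_reflection_block(victim: str) -> dict[str, str]:
    """Discard UDP from source port 1900 toward the victim: a classic reflection-attack filter."""
    return {
        "nlri": flowspec_nlri(victim, proto=17, src_ports=[1900]).hex(),
        "ext_community": traffic_rate(0.0).hex(),
    }


if __name__ == "__main__":
    print(ssdp_reflection_block("203.0.113.10/32"))
```

The component order (destination prefix, protocol, then ports) is mandatory, and every numeric operator except the last in a list has its end-of-list bit clear; getting either wrong yields an NLRI that peers reject. A traffic-rate of 0 is the standard way to express “discard”; a positive rate rate-limits instead, which is often the safer first action when the match criteria might catch legitimate traffic as well.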
Open-source NSM stacks
Open-source tools remain widely used in NSM, both as standalone stacks for organizations with the skills to operate them and as foundational components inside commercial platforms. Leading open-source NSM tools include Zeek (formerly Bro), Suricata, Snort, and the integrated Security Onion distribution.
Choosing across categories
Most enterprises run a SIEM for log correlation and case management, an NDR or packet capture platform for deep network threat detection, a flow analytics platform for scalable ubiquitous visibility and baseline anomaly detection, and dedicated DDoS defenses where exposure warrants. Smaller organizations may consolidate fewer tools or rely more heavily on open-source stacks. The right composition depends on threat model, environment complexity, regulatory requirements, and team size.
Where Kentik Fits in Network Security Monitoring
Kentik contributes the flow analytics pillar of NSM at enterprise scale. The platform ingests NetFlow, sFlow, IPFIX, VPC flow logs, and streaming telemetry from across hybrid and multicloud environments, baselines normal traffic patterns, and detects anomalies in real time. Several capabilities make Kentik particularly well-suited to NSM workflows:

- Scale and retention. Kentik is built on a horizontally scalable big-data architecture that supports continuous ingestion of high-volume flow telemetry and long retention of full-fidelity flow records. Long retention is critical for incident response, where investigators often need to look back weeks or months to trace an attacker’s activity.
- Real-time DDoS detection and mitigation. Kentik provides flow-based DDoS detection and integrates Adaptive FlowSpec for automated mitigation, programmatically pushing BGP FlowSpec rules to routers to drop attack traffic at the network edge. See How to Detect DDoS Attacks Using Flow Analytics for the workflow in detail.
- BGP route monitoring. Kentik monitors BGP for route hijacks, route leaks, and origin anomalies — a domain that flow data alone cannot cover but that is increasingly central to internet-edge security.
- Internet path visibility. Kentik’s combination of flow data, BGP context, and synthetic testing provides hop-by-hop visibility into how traffic traverses the internet, helping detect and investigate threats that operate at the internet path layer.
- Encrypted traffic visibility. Because Kentik analyzes flow metadata rather than payloads, encryption does not blind the platform. Lateral movement, exfiltration, beaconing, and DDoS attacks all leave clear flow signatures regardless of TLS adoption.
- Hybrid and multicloud coverage. Kentik ingests cloud-native flow logs — AWS VPC, Azure NSG, Google Cloud VPC, Oracle Cloud — alongside on-prem flow telemetry, providing unified visibility across environments where traditional appliance-based tools cannot reach.
- SIEM and SOAR integration. Kentik exposes detections and alerts through APIs, webhooks, and direct integrations so flow-based findings feed into existing security operations workflows rather than living in a separate dashboard.

Kentik is not a SIEM, NDR, packet-capture platform, or endpoint detection system. It is the network intelligence platform that contributes the flow analytics layer of NSM and complements the other tools in a security stack. Many Kentik customers run Kentik alongside a SIEM (such as Splunk or Elastic), often an NDR or packet capture platform, and dedicated security operations tooling.
For deeper coverage of Kentik’s security capabilities, see Kentik for Network Security and Compliance, Detect and Mitigate DDoS, Investigate Security Incidents, and Harden Network Policy Management.
Related Articles
- DDoS Detection
- DDoS Protection
- How to Detect DDoS Attacks Using Flow Analytics
- Cloud DDoS Detection and Protection
- How to Prevent DDoS Attacks
- NETSCOUT Arbor Alternatives: Modern DDoS Defense and Network Analytics
- BGP Hijacking
- BGP Route Leaks
- What Is BGP (Border Gateway Protocol)?
- NetFlow Analysis
- What Are VPC Flow Logs?
- Network Performance Monitoring (NPM)
- Network Monitoring Architecture: Three Pillars of Modern Network Monitoring
- Best Network Monitoring Tools for 2026
FAQs about Network Security Monitoring
What is Network Security Monitoring (NSM)?
Network Security Monitoring is the continuous collection and analysis of network traffic, logs, and device telemetry to detect, investigate, and respond to cyber threats in real time. It is built on the assumption that perimeter defenses will eventually fail and that continuous internal visibility is necessary to detect breaches in progress and reconstruct what happened afterward. Kentik supports NSM by providing the flow analytics layer — ingesting NetFlow, sFlow, IPFIX, and cloud VPC flow logs at scale, baselining normal traffic, and detecting anomalies and DDoS attacks across hybrid and multicloud environments.
What are the three pillars of network security monitoring data?
The three pillars of NSM data are packet captures (PCAP), transaction and flow data, and logs and alerts. PCAP provides the highest-fidelity ground truth of network traffic but is expensive to retain at scale. Flow data summarizes network conversations (who connected to what, when, for how long, how much data was transferred) and provides scalable visibility with long retention. Logs and alerts describe events that security tools and infrastructure systems chose to record. Mature NSM programs use all three pillars together; Kentik provides the flow data pillar at enterprise scale.
How does Network Security Monitoring differ from Network Performance Monitoring?
Network Security Monitoring and Network Performance Monitoring often use the same underlying telemetry but ask different questions and serve different teams. NPM answers “Is the network healthy and performant?” and is owned by NetOps. NSM answers “Is anything malicious happening?” and is owned by security operations. The two disciplines overlap meaningfully in practice — for example, a traffic anomaly may be triaged first by NetOps as a capacity issue, then reclassified as a DDoS attack and handed to the SOC. Kentik supports both disciplines from the same flow telemetry data plane.
How does Network Security Monitoring work?
NSM workflows generally follow three steps: establish baselines of normal network behavior, detect anomalies by comparing current traffic to those baselines, and integrate detections into broader security operations through a SIEM, SOAR, or ticketing system. Effective baselines require sufficient telemetry volume and history; anomaly detection typically combines rules, statistics, machine learning, and threat intelligence; integration ensures detections feed existing workflows rather than living in isolated dashboards. Kentik supports this workflow with baselining and anomaly detection at scale, plus APIs and SIEM integrations for downstream handoff.
What is the role of flow data in network security monitoring?
Flow data is the most scalable and broadly applicable source of network visibility for security purposes. It summarizes every network conversation with metadata (source, destination, ports, byte counts, durations, timing) without recording payloads — making it dramatically more compact than packet capture and practical to retain for months or years. Flow data is also unaffected by encryption, which makes it increasingly valuable as TLS adoption approaches universality. Kentik specializes in large-scale flow analytics and uses flow data as the foundation for baselining, anomaly detection, DDoS detection, and forensic investigation.
How does NSM differ from SIEM, IDS/IPS, NDR, and EDR?
NSM is a discipline that incorporates several adjacent tool categories. SIEMs (like Splunk Enterprise Security or Microsoft Sentinel) aggregate logs and alerts and cover the logs-and-alerts pillar of NSM. IDS/IPS (like Suricata or Snort) detect known attack patterns in network traffic. NDR platforms (like Corelight or Vectra AI) detect threats from network traffic using packet inspection and behavioral analytics. EDR (like CrowdStrike Falcon or SentinelOne) focuses on endpoints rather than the network. NSM as a discipline combines several of these to provide layered detection. Kentik supports NSM as the flow analytics layer and complements — rather than replaces — these other categories.
What are the best tools for network security monitoring?
NSM is a multi-tool discipline, so the “best tool” depends on which pillar and category you need. Leading SIEMs include Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, and Elastic Security. Leading NDR platforms include Corelight, Vectra AI, Darktrace, ExtraHop Reveal(x), and Cisco Secure Network Analytics. Leading packet capture platforms include Corelight, ExtraHop, Gigamon ThreatINSIGHT, NetWitness Platform, and the open-source Arkime project. Leading flow analytics platforms for security include Kentik, ElastiFlow, FlowMon by Progress, and ManageEngine NetFlow Analyzer. Leading DDoS defenses include NETSCOUT Arbor, Radware DefensePro, Cloudflare, and Akamai Prolexic. Most enterprises combine tools from several categories; Kentik provides the flow analytics and DDoS layers and integrates with the others.
How does Network Security Monitoring work in cloud and multicloud environments?
Cloud and multicloud NSM is harder than traditional on-prem NSM because physical packet-capture appliances cannot be placed inside a public cloud VPC (packet-level visibility there depends on provider mirroring features feeding virtual sensors) and because cloud-native telemetry is fragmented across providers. Effective cloud NSM relies heavily on cloud-native flow logs (AWS VPC Flow Logs, Azure NSG Flow Logs, Google Cloud VPC Flow Logs), cloud audit and control-plane logs, and any available cloud-native security telemetry (such as AWS GuardDuty or Microsoft Defender for Cloud findings). Kentik supports multicloud NSM by ingesting flow logs from all major cloud providers alongside on-prem flow telemetry and providing unified baselining, anomaly detection, and forensic flow retention across the entire environment.
What is the role of BGP monitoring in network security?
BGP — the protocol that determines how internet traffic is routed between autonomous systems — has become an important attack surface. BGP hijacks, route leaks, and origin anomalies can be used to redirect, intercept, or disrupt traffic at scale, and they have been observed in attacks targeting cryptocurrency services, DNS infrastructure, and critical SaaS providers. Effective BGP monitoring detects unexpected origin changes, AS-path anomalies, and other indicators of routing-layer compromise. Kentik provides continuous BGP monitoring as part of its flow analytics platform, correlating routing events with the traffic flow data needed to understand impact.
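The origin check described in this answer, as an added worked example that is not Kentik’s BGP monitoring: Route Origin Validation per RFC 6811 against a set of ROAs, combined with a baseline of each prefix’s previously observed origin so that a change is flagged even where no ROA exists. The ROAs, expected origins and announcements are constructed from documentation prefixes and private-use ASNs.

```python
"""Route Origin Validation (RFC 6811) plus an origin-change check over BGP
announcements. Added example, not Kentik's BGP monitoring; the ROAs, expected
origins and announcements are constructed from documentation prefixes and
private-use ASNs."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # authorized prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the ROA permits
    asn: int         # authorized origin AS


def covering_roas(prefix: str, roas: list[Roa]) -> list[Roa]:
    """ROAs whose prefix contains the announced prefix (same address family)."""
    net = ipaddress.ip_network(prefix)
    out = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            out.append(roa)
    return out


def rov_state(prefix: str, origin: int, roas: list[Roa]) -> str:
    """RFC 6811 section 2: 'valid', 'invalid' or 'not_found'."""
    covering = covering_roas(prefix, roas)
    if not covering:
        return "not_found"
    plen = ipaddress.ip_network(prefix).prefixlen
    if any(r.asn == origin and plen <= r.max_length for r in covering):
        return "valid"
    return "invalid"


def triage(announcements: list[tuple[str, int]], roas: list[Roa],
           expected_origin: dict[str, int]) -> list[dict]:
    """Score each (prefix, origin) announcement with ROV and the origin baseline."""
    findings = []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        reasons = []
        if state == "invalid":
            if any(r.asn == origin for r in covering_roas(prefix, roas)):
                reasons.append("exceeds_max_length")     # authorized AS, too-specific prefix
            else:
                reasons.append("origin_not_authorized")  # the classic hijack signature
        expected = expected_origin.get(prefix)
        if expected is not None and expected != origin:
            reasons.append(f"origin_changed_from_AS{expected}")
        if state == "not_found" and expected is None:
            reasons.append("unseen_prefix_without_roa")
        findings.append({"prefix": prefix, "origin": origin, "rov": state, "reasons": reasons})
    return findings


# Constructed inputs.
ROAS = [Roa("203.0.113.0/24", 24, 64496), Roa("2001:db8::/32", 48, 64496)]
EXPECTED_ORIGIN = {"203.0.113.0/24": 64496, "2001:db8:1::/48": 64496, "192.0.2.0/24": 64497}
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # the legitimate route
    ("203.0.113.0/25", 64496),   # owner announces a /25 the ROA does not allow
    ("203.0.113.0/24", 64500),   # another AS claims the prefix
    ("192.0.2.0/24", 64500),     # no ROA, but the origin differs from history
    ("198.51.100.0/24", 64500),  # no ROA and never seen before
    ("2001:db8:1::/48", 64496),  # IPv6 within the ROA's maxLength
]


def run_example() -> list[dict]:
    return triage(ANNOUNCEMENTS, ROAS, EXPECTED_ORIGIN)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

An invalid result splits into two cases that deserve different responses: a more-specific announced by the authorized AS beyond its maxLength is often the owner’s own misconfiguration, while a covering prefix from an unauthorized AS is the classic hijack signature. not_found is the normal state for prefixes without ROAs, which is why the origin baseline matters: it catches a change for the part of the routing table RPKI does not cover.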
What are the best open-source tools for network security monitoring?
The leading open-source NSM tools are Zeek (formerly Bro) for protocol-aware traffic analysis and session reconstruction, Suricata and Snort for signature-based intrusion detection, and Arkime (formerly Moloch) for full packet capture and search. The Security Onion distribution integrates Zeek, Suricata, and several other tools into a deployable NSM stack and is widely used by organizations building NSM capability without commercial licensing. Open-source NSM stacks require skilled in-house operators and meaningful infrastructure investment, but offer flexibility and avoid commercial licensing costs.
How does Kentik fit into a network security monitoring stack?
Kentik is the network intelligence platform that contributes the flow analytics layer of NSM. It ingests NetFlow, sFlow, IPFIX, VPC flow logs, and streaming telemetry from across hybrid and multicloud environments; baselines normal traffic patterns; detects anomalies and DDoS attacks in real time; provides BGP route monitoring for internet-edge security; and retains full-fidelity flow data for long-term forensic investigation. Kentik integrates with SIEMs (Splunk, Sentinel, QRadar, and others) and SOAR platforms so flow-based detections feed directly into existing security workflows. Most Kentik customers run Kentik alongside a SIEM, an NDR or packet capture platform, and dedicated DDoS defenses — Kentik is the network visibility layer in that stack, not a replacement for the other tools.
Strengthen Your NSM Stack with Kentik
Kentik is the network intelligence platform that contributes the flow analytics layer of network security monitoring — providing real-time anomaly detection, DDoS defense, BGP monitoring, and long-retention forensic visibility across hybrid and multicloud environments.
- Request a personalized demo to see Kentik’s flow analytics and security capabilities in action
- Start a free trial and connect your own flow telemetry and cloud flow logs
- Explore Kentik for Network Security and Compliance
- Learn how Kentik powers DDoS detection and mitigation, security incident investigation, and network policy hardening
- See how Kentik compares to legacy DDoS appliances in NETSCOUT Arbor Alternatives