This blog post details how Clear NDR drastically reduces Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by providing comprehensive evidence and detection logic with just two clicks. It emphasizes the importance of high-fidelity threat detection, eliminating false positives, and offering immediate access to PCAP, logs, and detection algorithms. Clear NDR's Declarations of Compromise (DoCs) and integrated GUI/API enable security teams to quickly validate threats and conduct efficient incident response, enhancing overall security posture.
One of the major challenges during Incident Response (IR) operations is quickly and definitively confirming whether an escalated detection event is:
- a) NOT a False Positive (FP)
- b) Supported by all the necessary evidence
Security teams don’t want to deal with black-box alerts that simply declare “this is bad” without logs, detection logic, or reviewable and sharable evidence. Ideally, these confirmations should happen the moment an incident is raised, minimizing detection and response times and reducing the time required for automation or security analysts to validate and investigate threats.
If you are concerned about the related KPIs, MTTD and MTTR, this article is for you.
This week’s blog takes a hands-on approach to Clear NDR detection and response routines that can significantly reduce an organization’s Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
By providing automatic threat detection, incident timelines, and extensive context, Clear NDR eliminates guesswork and ensures security teams have the clarity they need to act fast. Many organizations take this even further, leveraging Clear NDR’s advanced threat hunting and automated response capabilities to adopt a more proactive security posture.
High-Fidelity Threat Detection
Reliable threat detection is one of the most important ways to reduce the time to detect and respond to an incident. If Security Operations Center (SOC) personnel are spending all day sifting through a pile of false positives, this dramatically impacts both detection and response.
Clear NDR addresses this by escalating the most serious and imminent threats via a mechanism we call Declarations of Compromise™ (DoC). These are ultra-high-confidence security events raised by Clear NDR. You can read more about DoCs in our Feature Spotlight blog.
Gathering Evidence for Incident Response
One of the most important steps in any incident response is evidence collection and analysis. Clear NDR supports this work from both its built-in graphical user interface and through its integration with other incident investigation tools such as a SIEM.
Using the Clear NDR Graphical User Interface (GUI)
With just 2 clicks in the GUI, Security Operations Center (SOC) personnel are able to view three important sets of evidence on the same screen:
- All associated file transactions, anomalies, network protocol transactions, and flow logs
- Packet capture (PCAP) of the session surrounding the event and all extracted files
- Details about the detection algorithm that triggered the DoC event
Importantly, every detection event produced by Clear NDR includes these critical evidence characteristics—by default.
Using a SIEM or Pulling Data via the REST API
Because the Clear NDR interface is fully REST API-enabled, all information that is available to users via the GUI can also be accessed via API calls. This means Clear NDR integrates with existing SIEM deployments, providing a solution that enhances, rather than disrupts, your current workflows.
2 Clicks to Evidence
Doing most of the work for you, Clear NDR’s Declarations of Compromise™ feature definitively identifies serious and imminent threats. Because no system can automatically detect everything, Clear NDR logs every possible indicator of attack – otherwise known as “detection events”.
These detection events can be used to create a powerful trail of evidence in an incident investigation. Additionally – as seen in other blog articles in the Uncovered series – they can also be used to inform a guided hunt for specific threat types or other unwanted activity.
Let’s take a look at the current activity from a live network segment of a specific deployment.
In the past 24 hours, the system has escalated 6 threats to DoCs impacting 3 assets and has generated approximately 193K detection events along with protocol, anomaly, flow, and file transaction logs as well as Host Insights for nearly 10,000 network endpoints/hosts. See the screenshot below.
You can see on the screenshot above that 3 DoCs are noted in the Data Visualization part of the screen.
Whenever this situation arises, one must ask two questions:
- Which assets are impacted and what is the scope of any affected users?
- Do I have all the accompanying evidence, including PCAP and detection logic for that incident?
Ideally, all of this should be available the moment an incident is raised—eliminating the need to log into other systems just to confirm whether something actually happened or why it was escalated.
The detection logic is just as crucial, as it provides the fastest way—alongside the evidence—to determine if an alert is a false positive. With Clear NDR, this verification can be done in just two clicks in the GUI or a single REST API call.
Let me walk you through those two clicks.
Click One
Let’s use the escalated “DNS Tunneling” DoC event as an example.
The Domain Name System (DNS) is the protocol that resolves human-readable domain names to IP addresses. Attackers can use DNS tunneling to establish command-and-control (C2) callbacks, exfiltrate data, and evade detection.
So, first, we click on the threat “DNS Tunneling” (see below).
This click takes us to the “impacted assets” page, and here we view the condensed information to answer two simple questions:
- 1. What is the blast radius, i.e. the impacted assets, their cyber footprint and characteristics, and which users are logged into those assets?
- 2. Where is the supporting evidence: full logs, PCAPs, extracted files, and detection logic?
See the screenshot below.
If needed, you can access an even more in-depth and detailed view of the impacted assets by pivoting to Host Insights, a very powerful feature included with Clear NDR. Host Insights tracks over 60 security-related network transactions and communication attributes for every host it observes on the network, both internal and external. This provides a single place to view many aspects of the network activity relative to a given host, such as network services, anomalies, users, or TLS fingerprinting forensic evidence.
Once we know the impacted assets/hosts (their use and cyber footprint), users, and which part of the network the threat originated from, we need to see and add the evidence logs/PCAPs and detection logic for our Incident Response review case.
Click Two
Next, from the previous view, we click “Investigate Events” in the upper right corner.
This brings us directly into our Hunting and Evidence interface for that particular DoC event.
As highlighted on the screenshot below, we have:
- All associated (or other needed) file transactions, anomalies, network protocol transactions, and flow logs
- Packet capture files (PCAPs) and extracted files
- The detection logic/method associated with the algorithm that escalated the threat to a DoC event
For verification purposes, we also have – in this case – all the DNS logs accompanying the tunnel detection event as displayed on the screenshot below.
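As an added illustration (not Clear NDR’s own detection logic, which this post does not reproduce), here is the kind of check an analyst can replay over exported DNS logs to validate a DNS tunneling escalation: queries are grouped by registered domain and flagged when the subdomain labels are numerous, long, high-entropy, or dominated by bulk-data record types. The log line format, the sample lines and the thresholds are assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample DNS log lines (not a real capture): "src_ip qtype qname"
SAMPLE_DNS_LOGS = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a7f9c2e1b3d8e6f0a1c2d3e4f5a6b7c.tunnel.example.net
10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.net
10.0.0.7 TXT f1e2d3c4b5a69788a9b0c1d2e3f4a5b6.tunnel.example.net
10.0.0.7 NULL 0123456789abcdef0123456789abcdef.tunnel.example.net
10.0.0.7 TXT ffeeddccbbaa99887766554433221100.tunnel.example.net
"""

def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score well above plain words."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname):
    """Crude two-label suffix (no public-suffix list); an assumption of this example."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_logs(text, min_unique=4, min_label_len=24, min_entropy=3.0):
    """Return {domain: [reasons]} for domains whose query pattern looks like tunnelling."""
    per_domain = defaultdict(lambda: {"labels": set(), "bulk": 0, "total": 0})
    for line in text.splitlines():
        _src, qtype, qname = line.split()
        d = per_domain[registered_domain(qname)]
        d["total"] += 1
        d["labels"].add(qname.split(".")[0])  # leading label carries the payload
        if qtype in ("TXT", "NULL"):            # record types that carry bulk data
            d["bulk"] += 1
    findings = {}
    for domain, d in per_domain.items():
        labels = d["labels"]
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        reasons = []
        if len(labels) >= min_unique and avg_len >= min_label_len:
            reasons.append("many long unique subdomains")
        if avg_ent >= min_entropy:
            reasons.append("high-entropy labels")
        if d["bulk"] / d["total"] > 0.5:
            reasons.append("TXT/NULL-heavy")
        if reasons:
            findings[domain] = reasons
    return findings
```

Running `score_dns_logs(SAMPLE_DNS_LOGS)` flags only `example.net`; the reasons list is the part to compare against the detection logic shown in the DoC view and against the accompanying PCAP.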
Conclusion
Having all the evidence—PCAP, correlated data, and exposed detection logic—immediately available during an Incident Response dramatically reduces Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). With Clear NDR, everything is provided and correlated, eliminating the need for security analysts or engineers to manually gather and verify critical details.
This is a key differentiator of Clear NDR. While many NDR systems offer only partial evidence—and rarely expose the detection logic behind a detection event—Clear NDR delivers full transparency, empowering teams to act with confidence.
To see Clear NDR in action and explore the enriched hunting interface, click the button below to schedule a live demo.