Vectra AI EU Alternative 2026: CLOUD Act Risk in NDR-Based Identity Threat Detection

Post #1274 in the sota.io EU Cyber Compliance Series

Network Detection and Response (NDR) platforms occupy a uniquely privileged position in your infrastructure: to detect lateral movement, they must observe every network packet crossing your environment. Every Kerberos authentication ticket. Every SMB file access. Every DNS resolution that reveals which user went where. Every LDAP query that maps your organizational structure. This total network visibility — the defining feature that makes NDR effective — is also what makes NDR-based Identity Threat Detection a category-one concern under the US CLOUD Act.

Vectra AI has built one of the most sophisticated NDR-based ITDR platforms in the market. Its Attack Signal Intelligence processes north-south traffic at the perimeter and east-west traffic between internal systems — the lateral movement plane where identity-based attacks live. This architectural completeness is precisely the source of its largest compliance exposure: a US government order served on Vectra AI's Delaware entity yields a near-complete map of your organization's identity and network behaviour.

This is post #2 in our EU Identity Threat Detection and Response (EU-ITDR) series. We examine Vectra AI, CrowdStrike Falcon Identity, SentinelOne Identity, and Semperis against the CLOUD Act, NIS2, GDPR Art. 44–49, and the EU-US Data Privacy Framework.

What Is Vectra AI?

Vectra AI was founded in 2012 in San Jose, California. The company offers an AI-driven Network Detection and Response (NDR) platform with expanding ITDR capabilities built on top of network telemetry.

Core Products:

• Vectra AI Platform: Integrated NDR + CDR (Cloud Detection & Response) + ITDR, unified under a single console.
• Attack Signal Intelligence (ASI): Vectra's proprietary AI engine that correlates network metadata into attack narratives. ASI ingests raw network telemetry and surfaces prioritised alerts with host and account attribution.
• Cognito Detect: The NDR component that processes network traffic for threat patterns — including Kerberos abuse, SMB lateral movement, C2 beacons, and credential harvesting.
• Cognito Recall: A queryable data lake of network metadata, enabling retrospective investigation of past traffic.

What Vectra AI Processes:

Vectra operates as a passive network sensor that receives full or sampled network traffic from span ports, TAPs, or cloud flow logs. The platform extracts and analyses:

• Kerberos TGT and TGS request patterns (Kerberoasting, AS-REP Roasting detection)
• NTLM authentication flows and relay patterns (Pass-the-Hash, Pass-the-Ticket)
• LDAP queries revealing organisational structure, group memberships, and admin account enumeration
• SMB session metadata (lateral movement, remote service creation, file share access)
• DNS resolution patterns (which hosts query which domains, C2 channel detection)
• RDP and SSH session metadata (remote access patterns, brute-force detection)
• HTTP/HTTPS metadata with JA3/JA4 TLS fingerprinting
• Cloud API calls (Azure AD sign-in logs, AWS CloudTrail events via cloud integrations)

This data set — the complete network metadata fabric of your organisation — constitutes an identity map far exceeding what a traditional SIEM captures.

Funding and Corporate Structure:

• Series A–C: Khosla Ventures, Accel Partners, Atlantic Bridge Capital (2012–2016)
• Series D: $36M — Khosla Ventures lead (2018)
• Series E: $100M — TCV (Technology Crossover Ventures), Khosla, Atlantic Bridge (2019)
• Series F: $130M — Silver Lake (US PE, $100B+ AUM), TCV, Khosla (2021)
• Total raised: ~$350M+

Legal Entity: Vectra AI, Inc. — incorporated in Delaware, USA, headquartered at 550 S. Winchester Blvd, San Jose, CA 95128.

Silver Lake — a US private equity firm with deep ties to enterprise technology and government contracts — holds a significant stake following the 2021 Series F. Khosla Ventures and TCV are both Sand Hill Road VC firms subject to US jurisdiction.

CLOUD Act Analysis: Vectra AI Scores 19/25

We apply the five-dimension CLOUD Act risk matrix used throughout this series.

D1 — Corporate Jurisdiction (5/5)

Vectra AI, Inc. is incorporated in Delaware, USA, and headquartered in San Jose, California. This is the definitive trigger for US CLOUD Act jurisdiction under 18 U.S.C. § 2713. The statute compels US-incorporated entities to disclose data held "outside the United States" when served with a qualifying government order — regardless of where data physically resides.

No corporate restructuring, EU data residency commitment, or contractual DPA removes this obligation. The Delaware entity can be compelled to act.

CLOUD Act D1 Score: 5/5 — Delaware C-Corp, San Jose HQ, definitive US jurisdiction.

D2 — Intelligence Partnerships (4/5)

Vectra AI has disclosed US government and defence sector customers including US federal agencies. Several structural factors elevate D2 significantly:

1. Silver Lake PE Exposure: Silver Lake Equity is one of the largest private equity firms focused on technology businesses with government exposure. Its portfolio includes companies deeply embedded in US DoD and intelligence contracting. Silver Lake's Delaware-based funds are subject to US jurisdiction, and its board representation in portfolio companies has been cited in national security reviews.

2. US Federal Customer Base: Vectra has publicly referenced US government customers in sales materials and case studies. Vendors with active US government contracts are subject to enhanced cooperation requirements under existing procurement frameworks.

3. FedRAMP Positioning: Vectra AI's platform architecture and US government customer base position it on the FedRAMP trajectory. Vendors pursuing FedRAMP authorisation establish formal channels with CISA and NIST that create structured (and auditable) government access pathways.

4. CISA Attestation: As a cybersecurity vendor providing capabilities to US critical infrastructure operators, Vectra is subject to CISA secure-by-design attestation requirements — creating ongoing regulatory touchpoints with US government cybersecurity structures.

CLOUD Act D2 Score: 4/5 — Silver Lake PE + US federal customer base + FedRAMP trajectory + CISA touchpoints.

D3 — Data Sensitivity (5/5)

Vectra AI's NDR-based ITDR creates the highest possible D3 exposure in this series. The platform's core function requires comprehensive network metadata — the aggregate of which constitutes a complete organisational identity map.

The Network-Identity Overlap:

Traditional ITDR tools (like Silverfort) operate at the identity plane — observing authentication requests. Vectra operates at the network plane, which is simultaneously more and differently exposing:

• Kerberoasting detection requires observing all TGS requests for service accounts — revealing every service principal, their requestors, and access patterns across the organisation.
• Lateral movement detection requires baselining normal SMB, RDP, and WMI communication patterns for every host pair in the network — creating a complete internal communication graph.
• DNS exfiltration detection requires inspecting every DNS query — revealing every external domain accessed by every internal host, mapped to machine identity.
• LDAP reconnaissance detection requires monitoring all LDAP queries — exposing the full Active Directory enumeration surface including group memberships, OU structure, and privileged account locations.

The union of these data streams produces something more sensitive than any single source: a temporal map of your organisation's identity and access behaviour, enriched with the network layer that reveals how identities move through your infrastructure.

Cognito Recall — The Retention Amplifier:

Vectra's Cognito Recall feature stores enriched network metadata in a queryable data lake for retrospective investigation. Retention periods vary by deployment but commonly extend to 30–90 days or longer. This means a US government order for Vectra's data yields not just real-time intelligence but a historical archive of organisational network behaviour.

CLOUD Act D3 Score: 5/5 — Full network metadata fabric including identity-layer flows, retained in Cognito Recall.

D4 — Infrastructure and Data Residency (3/5)

Vectra AI offers cloud-hosted deployment on AWS and Azure, with EU region availability for some deployments. However, several infrastructure factors reduce the effectiveness of EU residency commitments:

Multi-cloud US-controlled routing: Vectra's cloud infrastructure uses AWS and Azure regions. Both are US-incorporated entities subject to CLOUD Act jurisdiction regardless of the physical data centre location. AWS EMEA SARL (Luxembourg) does not negate the CLOUD Act obligations of its US parent Amazon.com, Inc.

On-premises sensor architecture: Many Vectra deployments include on-premises sensors (hardware or virtual appliances) that ship enriched metadata to the cloud back-end for AI processing. The cloud back-end — where Attack Signal Intelligence runs — is the US-jurisdiction component regardless of where the sensors are deployed.

EU region partial availability: Vectra offers EU-region cloud deployments for some product tiers, but the Attack Signal Intelligence engine and Cognito Recall back-end processing occurs on US-controlled infrastructure even in EU-region configurations (per Vectra's published architecture documentation as of 2025).

CLOUD Act D4 Score: 3/5 — AWS/Azure hosting (both US entities), EU region partially available but AI processing US-controlled.

D5 — Contractual Protections (2/5)

Vectra AI offers standard GDPR DPA (Data Processing Agreement) and references the EU-US Data Privacy Framework. However:

DPF Limitation: The EU-US DPF (established July 2023) covers commercial data transfers but explicitly does not override US national security law. The CLOUD Act's government access mechanism is outside the DPF's scope. A DPF-compliant DPA does not prevent US government compelled disclosure.

No Technical Sovereignty Controls: Vectra does not offer customer-managed encryption key schemes, EU-only data processing guarantees with hardware security module (HSM) key custody, or technical controls that would render US government orders technically unenforceable.

Sub-processor Exposure: Vectra's sub-processor list includes AWS and Microsoft Azure — both US entities subject to their own CLOUD Act obligations for data processed on their infrastructure.

CLOUD Act D5 Score: 2/5 — Standard DPF/DPA, no technical sovereignty controls, US cloud sub-processors.

CLOUD Act Score Summary: Vectra AI 19/25

Three CLOUD Act Paradoxes

Paradox 1: The AI-SOC Sovereignty Paradox

Vectra's core value proposition is that its AI — Attack Signal Intelligence — surfaces the high-fidelity threats that overwhelm human analysts. This AI is trained continuously on the telemetry of Vectra's customer base, including EU organisations.

The paradox: the same AI capability that makes Vectra effective requires that your EU network telemetry flow to Vectra's US-jurisdiction AI processing infrastructure. An EU organisation cannot benefit from Vectra's AI without its network behaviour becoming part of a US-controlled data corpus.

Under NIS2 Art. 21(2)(d) — supply chain security requirements — organisations must assess the security practices of their technology suppliers. A supplier whose AI infrastructure is subject to US government compelled access does not meet the spirit of NIS2's supply chain risk framework, regardless of contractual DPA coverage.

Paradox 2: The NDR-ITDR Network Envelope Paradox

Vectra markets its ITDR capabilities as "Identity-based attack detection." But unlike dedicated ITDR tools that operate at the authentication plane, Vectra's ITDR capabilities are derived from network telemetry — the Kerberos packets, SMB flows, and LDAP queries that traverse the network.

This creates a compounded exposure: Vectra processes not just identity events (like Silverfort), but the full network metadata envelope that contains identity events. Under the CLOUD Act, a single order for Vectra's data yields:

1. The identity events themselves (who authenticated to what)
2. The network context of those events (from which source IP, to which destination, at what time, via which protocol)
3. The behavioural baseline that makes anomalies detectable (the normal pattern of your organisation's identity and access behaviour)

The network envelope data is more sensitive than the identity events alone — it enables a forensic reconstruction of organisational activity that no authentication log can provide.

GDPR Art. 9 relevance: Network behaviour baselines can reveal health conditions (hospital access patterns), union membership (labour negotiations research patterns), political affiliation (advocacy group communications), and religious practice (timing patterns of religious observance). The Article 9 exposure of aggregated network metadata is systematically underestimated in current DPIAs.

Paradox 3: The Retrospective Investigation Paradox

Vectra's Cognito Recall stores enriched network metadata for retrospective investigation. This is a genuine security capability — incident responders need historical data to trace how an attacker moved through the network weeks before detection.

The paradox emerges at the CLOUD Act layer: the same historical data store that enables EU incident response is the asset that a US government order would seize. A retrospective investigation capability is, by definition, a surveillance archive. Under the CLOUD Act, Vectra's retention of 30–90 days of EU network metadata creates a ready-made historical intelligence asset available to US authorities.

GDPR Art. 5(1)(e) — Storage Limitation: EU organisations relying on Vectra's retrospective investigation capability must weigh this against the storage limitation principle. Extended retention for legitimate security purposes creates extended CLOUD Act exposure.

Regulatory Framework: Where Vectra AI Creates Friction

NIS2 Art. 21 — Technical Security Measures

NIS2 Art. 21(2)(a–j) requires "essential entities" (critical infrastructure operators, cloud providers, digital service providers) to implement "appropriate and proportionate technical and organisational measures." Subsection (d) specifically addresses supply chain security — the security practices of vendors in the supply chain.

An NDR platform that:

• Processes full network telemetry for the entire organisation
• Stores that telemetry in a US-jurisdiction data lake
• Runs its AI detection engine on US-controlled infrastructure

...creates a supply chain risk that NIS2 Art. 21 frameworks must document and assess. Under the NIS2 implementing guidance, high-risk vendor relationships require enhanced due diligence, contractual controls, and — for critical infrastructure operators — technical measures that limit vendor access to sensitive data.

The challenge: Vectra's core capability requires full network visibility. You cannot deploy Vectra and limit its access to network metadata — the detection capability is the network metadata analysis.

GDPR Art. 44–49 — International Transfers

Every network metadata event processed by Vectra's US infrastructure constitutes a transfer of personal data to a third country (the USA). The legal basis for this transfer is currently the EU-US DPF (in place since July 2023). Vectra's DPA references DPF adequacy for US transfers.

However, the DPF has a documented survival risk: the framework was challenged (Schrems I, Schrems II) twice in the past decade, and a third challenge is pending before the CJEU (noyb filed challenge 2023). If the DPF is invalidated again, organisations relying on DPF-based transfers for their core security infrastructure face an acute compliance crisis with no short-term alternative.

For critical infrastructure operators (banks, hospitals, energy companies) deploying Vectra as their primary NDR/ITDR platform, a DPF invalidation creates an immediate choice: either cease transfers (disabling Vectra's cloud AI capabilities) or operate without a valid transfer mechanism.

DORA Art. 28 — ICT Third-Party Risk (Financial Sector)

Financial entities subject to DORA (EU banks, insurance companies, asset managers, payment processors) must maintain a Register of ICT Third-Party Providers and perform risk assessments against regulatory requirements. DORA specifically requires:

• Assessment of concentration risk from US-headquartered ICT providers
• Exit strategy documentation for critical ICT providers
• Contractual clauses ensuring regulatory audit access

For DORA-regulated entities, Vectra AI's US corporate structure triggers mandatory risk assessment documentation. The Silver Lake PE ownership creates a beneficial ownership transparency requirement under DORA's third-party risk framework — financial regulators (ECB, national competent authorities) may request visibility into Vectra's ultimate beneficial owners.

EU Alternatives to Vectra AI

The EU NDR/ITDR market is smaller than the US market, but credible alternatives exist with full EU jurisdiction and no CLOUD Act exposure.

SEKOIA.IO — Paris, France (EU-native, recommended)

SEKOIA.IO is a French cybersecurity company offering an integrated Cyber Threat Intelligence (CTI) + XDR + NDR platform. Founded 2016, HQ in Paris.

• Legal structure: SAS (Société par Actions Simplifiée) — French company law, no US entity.
• Funding: French investors (Elaia Partners, CEA Investissement) + Bpifrance (French public investment bank) — no US PE exposure.
• NDR capability: SEKOIA.IO's XDR platform includes network detection based on Suricata IDS and custom ML detection rules, with CTI integration.
• CLOUD Act score: 0/25 — French SAS, EU cloud (OVHcloud, Scaleway), Bpifrance-funded.
• NIS2 alignment: SEKOIA.IO is an ANSSI-qualified solution under the French national cybersecurity framework, directly aligned with NIS2 transposition requirements.

Stamus Networks — Paris, France (NDR specialist)

Stamus Networks is a Paris-based company offering open-source-based NDR built on Suricata — the EU-native open-source IDS/IPS engine (developed by OISF, a US non-profit, but the open-source engine is jurisdiction-neutral).

• Legal structure: French SARL — no US entity.
• Key product: Stamus Security Platform (SSP) — enterprise Suricata deployment with Scirius threat hunting front-end.
• CLOUD Act score: 0/25 — French entity, open-source engine, EU cloud deployable.
• Differentiation: Open-source core = full auditability of detection logic. No vendor lock-in on detection intelligence.

EclecticIQ — Amsterdam, Netherlands (Threat Intelligence + Detection)

EclecticIQ is a Dutch threat intelligence platform company offering detection engineering and hunt capability.

• Legal structure: B.V. (Besloten Vennootschap) — Dutch company law.
• Funding: European VC (including NX Technology Capital) + Invest-NL.
• Capability: Strong on CTI integration for detection, less focused on raw NDR packet analysis.
• CLOUD Act score: 0/25 — Dutch entity, EU infrastructure.

Darktrace — Cambridge, UK (Post-Brexit Risk)

Darktrace (DARK.L, LSE-listed) is a Cambridge, UK AI cybersecurity company with strong NDR/ITDR capability. Post-Brexit caution applies:

• IPA 2016: The UK Investigatory Powers Act grants UK authorities bulk data collection rights broadly comparable to US CLOUD Act reach, plus GCHQ capabilities under UKUSA (Five Eyes).
• US-UK CLOUD Act Bilateral: The August 2022 US-UK bilateral agreement under the CLOUD Act allows direct US government requests to UK companies, bypassing UK government intermediation.
• Darktrace US Operations: Darktrace operates a US subsidiary (Darktrace Inc., Delaware) for its North American business, creating dual US-UK jurisdiction exposure.

For EU organisations, Darktrace's post-Brexit UK jurisdiction makes it a higher-risk choice than SEKOIA.IO or Stamus Networks.

EU-Native NDR/ITDR Stack (0/25 CLOUD Act Exposure)

For organisations requiring zero CLOUD Act exposure in their network detection infrastructure:

This stack provides NIS2 Art. 21-compliant network detection without any US-jurisdiction data flows. All components are deployable on EU cloud infrastructure (OVHcloud, Hetzner, Scaleway) with no US sub-processors.

Implementation note: EU-native NDR stacks require more integration work than commercial platforms like Vectra. The operational overhead is the legitimate trade-off for sovereignty. EU organisations should assess this trade-off against their NIS2 classification (essential vs. important entity) and their specific threat model.

Decision Framework: Vectra AI vs. EU Alternatives

Procurement Checklist for EU Organisations

Before deploying Vectra AI (or any US-headquartered NDR/ITDR platform), EU compliance teams should assess:

Legal Basis for Transfers (GDPR Art. 44–49):

• Document transfer mechanism (currently DPF adequacy)
• Assess DPF survival risk — include contingency clause in vendor contract
• Confirm sub-processor list and transfer mechanisms for AWS/Azure

NIS2 Supply Chain Assessment (Art. 21(2)(d)):

• Classify Vectra as "critical ICT provider" under NIS2 framework
• Document CLOUD Act exposure in supply chain risk register
• Define acceptable risk threshold for network metadata in US jurisdiction

DORA Compliance (Financial Sector — Art. 28):

• Add Vectra to ICT Third-Party Provider Register
• Document Silver Lake PE ownership in beneficial ownership section
• Include exit strategy in contract (Art. 28(5)(g))

DPIA (GDPR Art. 35):

• Assess D3 data sensitivity — network metadata as Article 9 adjacent data
• Document Cognito Recall retention against storage limitation principle
• Evaluate residual risk of US government access

Conclusion

Vectra AI is a genuinely capable platform — its AI-driven attack signal intelligence represents serious engineering effort, and its NDR-based ITDR capability closes detection gaps that identity-plane-only tools miss. For US organisations, or EU organisations that have made an informed risk decision to accept CLOUD Act exposure, Vectra is a credible choice.

For EU organisations operating under NIS2 essential entity classification, DORA financial sector requirements, or any situation where network telemetry confidentiality is a compliance requirement, the 19/25 CLOUD Act score reflects a structural risk that cannot be contractually mitigated.

The AI-SOC Sovereignty Paradox is the sharpest edge: Vectra's AI capability is what makes it effective, and that AI capability is what places your network metadata in US jurisdiction. You cannot have the detection without the exposure.

EU alternatives exist. SEKOIA.IO and Stamus Networks both provide credible NDR/ITDR coverage from EU-native companies with no CLOUD Act exposure. The trade-off is integration effort and less mature AI capability — a legitimate engineering challenge, not an insurmountable barrier.

This analysis is part of the sota.io EU Cyber Compliance Series, examining major US SaaS and security vendors against CLOUD Act, NIS2, GDPR, and DORA requirements. Next in the EU-ITDR series: CrowdStrike Falcon Identity Protection — the endpoint telemetry ITDR paradox.

sota.io helps EU companies deploy cloud infrastructure that stays within EU jurisdiction — no US parent, no CLOUD Act exposure. Explore sota.io →