
Garda NDR

Product
Developers: Garda Technology
Last Release Date: 2025/11/20
Branches: Information security
Technology: Information Security - Antiviruses,  Information Security - Firewalls


2025

Integration with F6 Malware Detonation Platform module

F6 and the Garda group of companies on November 20, 2025 announced the technological integration of the F6 Malware Detonation Platform module with the Garda NDR network threat detection and response system.

The Malware Detonation Platform module of the F6 Managed XDR solution is an advanced sandbox that forcibly opens ("detonates") and then checks potentially dangerous files and links in an isolated virtual environment. Thanks to this, MDP protects the company's corporate mail, servers, workstations and network traffic from all types of modern cyber threats and malware (stealers, keyloggers, viruses and ransomware) and minimizes the risk of data leaks.

The Garda NDR system analyzes network traffic and telemetry, uses AI to detect bypassing of perimeter defenses, compromise of accounts and other threats, and also provides the ability to respond actively to incidents.

Integrating the two solutions creates a proactive protection loop. Garda NDR detects anomalies in traffic and deviations from normal behavior and automatically hands the artifacts to F6 MDP for "forced detonation" and detailed examination. The sandbox simulates the actions of a real user, forcing the malware to reveal itself. If the file is found to be malicious, it is blocked and the information security team receives a detailed report. Together the products not only detect malicious objects but also prevent their spread, significantly raising the level of business security.

"For us, this partnership is a strategic step in ensuring user freedom. We do not limit the ability to automatically analyze files to solutions from closed monovendor ecosystems, but give our users the ability to work with solutions from various suppliers. Integration with the F6 Malware Detonation Platform allows us to create a holistic defense loop in which solutions strengthen each other by closing the key vectors of modern attacks, from the covert movement of an attacker within the network to the delivery of the final malicious payload," commented Stanislav Gribanov, head of the Garda NDR product.

"Organizations protected by Garda NDR, thanks to the integration of the system with F6 MDP, will receive an additional level of protection against current cyber threats and complex targeted attacks that are not recognized by antiviruses. Our sandbox integrates flexibly via API with other systems and works both with Windows and with Russian operating systems based on Linux. Technical cooperation between F6 and Garda will increase user protection by combining the advantages of the solutions," said Dmitry Chernikov, head of the threat detection and prevention business (MXDR) at F6.

The Malware Detonation Platform module is part of F6 Managed XDR, a comprehensive solution that enables the full cycle of cyber defense, combining the capabilities of classic SOC - from threat monitoring and analysis to prompt incident response.

MITRE ATT&CK Matrix Filtering

A Garda NDR update has been released that helps Russian companies identify and eliminate cyber threats faster, reduces the load on analysts and increases the efficiency of security operations centers. Additional automation and visualization tools improve control over network security, shorten attack response time and increase business resilience to cyber risks. Garda Technology reported this on November 11, 2025.

Proactive protection in Garda NDR has become more accessible thanks to filtering on the MITRE ATT&CK matrix. The system allows searching for attacks by tactics, techniques and sub-techniques, as well as by IP addresses and logical groups. This helps security operations center (SOC) teams formulate hypotheses more precisely and quickly identify signs of complex attacks such as lateral movement. The added filters make it easier to find threats, reduce analyst effort and shorten response time.

Investigation speed and analysis quality are increased by the added export of user activity logs and system messages to a SIEM. Specialists can now analyze events and build a complete attack chain in a single interface without switching between systems.

Advanced retrospective payload search lets analysts quickly find the relevant pieces of traffic. Support for control sequences and for working with characters directly in the traffic dump makes investigations flexible and visual. Analysts can immediately export data to Wireshark for further analysis, which speeds up finding the root cause of an incident and generating a report.

Protection of Active Directory environments has been enhanced with a tool for detecting sophisticated attacks that could previously stay out of sight. The added decoding of Kerberos protocol messages closes a blind spot through which attacks ranging from password brute force to Kerberoasting could previously pass unnoticed. Garda NDR now analyzes Kerberos traffic over both TCP and UDP (the KDC accepts both on port 88), allowing widgets and filters to be built on protocol parameters.
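The Kerberos blind spot described above is easiest to see with detection logic run over decoded Kerberos metadata. The following Python is an added example written for this page, not Garda NDR's own code: it consumes a constructed stream of decoded Kerberos messages (the field names, the thresholds, the single-etype simplification of a TGS-REQ's etype list and the sample IPs, accounts and SPNs are all assumptions) and raises alerts for pre-authentication brute force or password spraying (bursts of KRB-ERROR with error code 24, KDC_ERR_PREAUTH_FAILED) and for Kerberoasting (one client requesting RC4-HMAC, etype 23, service tickets for many distinct SPNs within a short window).

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# RFC 4120 values. Error 24 = KDC_ERR_PREAUTH_FAILED (wrong password at pre-auth);
# etype 23 = RC4-HMAC, the weak type Kerberoasting tools request so the TGS can be cracked offline.
KDC_ERR_PREAUTH_FAILED = 24
ETYPE_RC4_HMAC = 23


@dataclass(frozen=True)
class KrbEvent:
    """One decoded Kerberos message. Field names are an assumed sensor schema."""
    ts: float            # seconds since epoch
    client: str          # IP address of the Kerberos client
    msg: str             # "AS-REQ", "TGS-REQ", "KRB-ERROR", ...
    cname: str = ""      # client principal
    sname: str = ""      # service principal requested (TGS-REQ)
    etype: int = 0       # requested etype; simplification: a real TGS-REQ carries a list
    error_code: int = 0  # KRB-ERROR error-code


class WindowCounter:
    """Sliding time window per key; reports total and distinct values inside it."""

    def __init__(self, window_s):
        self.window_s = window_s
        self._q = defaultdict(deque)          # key -> deque of (ts, value)

    def add(self, key, ts, value):
        q = self._q[key]
        q.append((ts, value))
        while q and q[0][0] < ts - self.window_s:   # expire entries older than the window
            q.popleft()
        return len(q), len({v for _, v in q})


def detect_kerberos_abuse(events, window_s=60.0, fail_threshold=20, spn_threshold=10):
    """Returns alert dicts for pre-auth brute force / spraying and Kerberoasting.

    Thresholds are illustrative assumptions; one alert per client and kind."""
    failures = WindowCounter(window_s)   # client -> failed pre-auths; distinct = accounts tried
    roasting = WindowCounter(window_s)   # client -> RC4 TGS-REQs; distinct = SPNs requested
    alerts, fired = [], set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.msg == "KRB-ERROR" and e.error_code == KDC_ERR_PREAUTH_FAILED:
            total, accounts = failures.add(e.client, e.ts, e.cname)
            if total >= fail_threshold and (e.client, "preauth") not in fired:
                fired.add((e.client, "preauth"))
                # many accounts with few tries each = spraying; one account hammered = brute force
                kind = "password_spray" if accounts > total // 2 else "brute_force"
                alerts.append({"kind": kind, "client": e.client, "failures": total,
                               "accounts": accounts, "ts": e.ts})
        elif e.msg == "TGS-REQ" and e.etype == ETYPE_RC4_HMAC and e.sname:
            _, spns = roasting.add(e.client, e.ts, e.sname)
            if spns >= spn_threshold and (e.client, "roast") not in fired:
                fired.add((e.client, "roast"))
                alerts.append({"kind": "kerberoasting", "client": e.client,
                               "distinct_spns": spns, "ts": e.ts})
    return alerts


def sample_events():
    """Constructed traffic, not a real capture: a benign host, a brute-forcer, a sprayer, a roaster."""
    ev = [KrbEvent(1000.0, "10.0.0.5", "TGS-REQ", "alice", "cifs/fs01", 18),       # AES256, benign
          KrbEvent(1003.0, "10.0.0.5", "TGS-REQ", "alice", "HTTP/intranet", 18)]
    ev += [KrbEvent(1100.0 + i * 0.4, "10.0.0.99", "KRB-ERROR", "admin",
                    error_code=KDC_ERR_PREAUTH_FAILED) for i in range(25)]           # 25 fails in 10 s
    ev += [KrbEvent(1200.0 + i * 2.5, "10.0.0.77", "TGS-REQ", "bob",
                    f"MSSQLSvc/db{i:02d}:1433", ETYPE_RC4_HMAC) for i in range(12)]  # 12 SPNs, RC4
    ev += [KrbEvent(1300.0 + i * 1.0, "10.0.0.88", "KRB-ERROR", f"user{i:02d}",
                    error_code=KDC_ERR_PREAUTH_FAILED) for i in range(22)]           # 22 accounts in 22 s
    return ev


if __name__ == "__main__":
    for alert in detect_kerberos_abuse(sample_events()):
        print(alert)
```

Two caveats apply when putting logic like this into a policy. Legacy clients and some service accounts still negotiate RC4, so the Kerberoasting rule should key on the combination of RC4 and many distinct SPNs per client rather than on etype 23 alone. And an NDR sensor sees only what crosses the wire on port 88: credential guessing over NTLM or LDAP simple binds needs its own decoders and is not covered here.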

The accuracy of machine analysis has also grown: improved ML models detect anomalies more effectively and produce fewer false positives. In addition, policies can now be changed in bulk, and network metrics such as application and network latency can be monitored, which helps assess communication quality more accurately and respond to network failures.

To save time on initial analysis and speed up decisions on addressing threats, the Home section is now divided into Incidents and Events. Incident cards contain data on MITRE ATT&CK classifiers and the number of unique events and hosts for each security policy. The analyst immediately sees the scale of the attack and the spread vector without having to aggregate the information manually.

"We strive to ensure that analysts receive the maximum information without unnecessary actions. In version 4.3, we focused on automation, enhanced search capabilities and closing blind spots. This gives our customers confidence that no threat will go unnoticed," said Stanislav Gribanov, head of the Garda NDR product.

Integration with AxelNAC

Garda Group and the Axel PRO product studio have completed the integration of Garda NDR and AxelNAC. The result is automated active incident response in corporate networks, which allows customers to raise their level of cyber resilience. Garda announced this on August 20, 2025.

The integration of Garda NDR and AxelNAC reduces customer response time, reduces risk and increases the resilience of IT infrastructures to today's threats. Together, the systems can respond to incidents automatically: isolate a compromised host when anomalies or signs of attack are detected, terminate a suspicious connection and eliminate the threat in real time, without affecting customers' critical business processes.

"Automatic response out of the box allows you to block attacks and gives the customer real protection, not the appearance of it. Unlike outdated Russian NTAs based on signature analysis, Garda NDR detects and blocks advanced threats using behavioral analysis and machine learning. This is especially important when reaction speed determines whether an incident remains isolated or develops into a crisis," said Stanislav Gribanov, head of the Garda NDR product.

"Axel PRO is developing a cybersecurity ecosystem. In partnership with Garda, we have combined our expertise in network access control with the analytical capabilities of NDR. We have created an integration that helps customers respond faster to incidents and prevent damage," said Nikolai Sanagursky, Head of Product Development at Axel PRO.

2024

"Garda NDR 4.1" with improved network threat detection efficiency

The updated Garda NDR complex increases the effectiveness of network threat detection through a combination of signature and non-signature methods, reduces incident response time and the load on information security specialists, and streamlines the work of security analysts so they can quickly make informed decisions, assess current risks and take measures to protect assets. Garda Technology reported this on December 10, 2024.

The updated machine learning algorithm detects repeated sequences of unique network requests to malware command and control (C&C) servers. In addition, the updated version of Garda NDR detects communication with cryptomining hosts without relying on the IDS database of known threats or on reputation lists.

"Garda NDR 4.1" detects network threats more accurately through a combination of signature and non-signature analysis methods: the release adds a threshold control on the number of threats per host. It combines the behavioral analysis of an individual host with IDS signature hits and detects when the number of unique IDS signatures triggered on traffic arriving at or initiated from a host over a period of time exceeds the threshold.

Incident response time and the load on the security team are reduced by integration with the Check Point and AV Soft sandboxes: Garda NDR automatically sends extracted files to them for verification, which greatly simplifies the analysis of suspicious files.

Improved navigation between events and policies in "Garda NDR 4.1" raises the efficiency and speed of analysts' decision-making. It is now possible to go from a policy card to an anomaly, or to a dashboard of aggregated incidents for a specific policy.

"Garda NDR detects advanced malicious software used by attack frameworks such as Cobalt Strike, Brute Ratel C4 and Sliver, even in HTTPS, DNS and DNS-over-HTTPS connections," added Stanislav Gribanov, head of the Garda NDR product. "Machine learning that is not tied to IDS databases or Threat Intelligence reputation lists allows customers to detect hidden threats better and detect threats in their networks effectively."

A new Threat Map widget has been added for quickly assessing current risks and taking measures to protect assets. It displays a geographic map with countries colored by the threat level of the IDS signatures triggered.

Integration with AVSoft Athena

The AVSOFT ATHENA anti-targeted-attack protection system, based on antivirus multiscanner and sandbox technologies, has been integrated with Garda NDR, the system for detecting cyber attacks, investigating network incidents and protecting the network from penetration. The integration allows customers to significantly raise their level of protection against cyber attacks and expands their ability to monitor and analyze malicious objects. Unlike monovendor ecosystems, it gives customers flexible file verification scenarios. Garda announced this on December 4, 2024.

The use of antivirus multiscaner and dynamic analysis technologies to assess the security of each detected artifact in traffic is a necessary element in building a high-quality security system. The joint application of solutions significantly strengthens the perimeter of protection of the customer's IT infrastructure thanks to a flexible traffic analysis system and prompt detection of anomalies.

The examination of AV Soft in terms of identifying malicious software code and the Garda group of companies - in terms of technologies for deep analysis of network traffic - became the basis for agreements on further cooperation. In the future, the integration of various solutions from partner portfolios is planned to be expanded.

Integration with ATHENA will allow customers to strengthen the protection provided by Garda NDR through comprehensive analysis of network traffic packet metadata and detection of anomalies and deviations from normal network behavior, making it possible to identify even hidden attacks and advanced threats and to respond to network incidents.

Integration with AxelNAC

The Axel PRO product studio and the Garda group of companies have joined forces to provide integrated protection of the network infrastructure of Russian businesses and improve responsiveness to current threats. Garda announced this on August 29, 2024.

To achieve these goals, the companies are integrating Garda NDR and AxelNAC.

Ability to prevent hard-to-detect network attacks

The Garda Group of Companies has updated the NDR system designed to identify and prevent cyber attacks. The company announced this on August 28, 2024. Customers now have the ability to prevent hard-to-detect network attacks. Using machine learning models based on autocorrelation technology, Garda NDR detects anomalies in network traffic and determines calls to botnet control centers.

Experts from the Garda group of companies added a machine learning model to the list of NDR system tools to identify calls to botnet control centers (Command & Control Center, C&C) with support for autocorrelation.

The technology allows you to identify repetitive sequences from several unique requests from bots to their control centers. The system detects hidden dependencies in network traffic, more accurately detects anomalies that indicate the presence of bots and their activity in the network. As a result, Garda NDR is useful for countering even hard-to-detect network threats.

The model is resistant to encryption and still detects the beacons inside DNS-over-HTTPS tunnels.

"In 2021, we released the first version of behavioral ML models (machine learning models) and made a strategic decision to develop non-signature methods for detecting threats and anomalies, which are a key element of functionality for NTA/NDR solutions," said Pavel Shubin, head of product development at Garda NDR. "Since then, the Garda NDR ML models have evolved significantly; they are now able to detect even non-obvious deviations in the behavior of devices and users that cannot be determined by other methods. Given the ever-increasing complexity of attacks, behavioral models (profiling) remain the most effective tool for detecting them."

"We clearly understand that the Russian approach to NTA solutions, based on a combination of IDS and DPI, is outdated and does not meet the needs of the market and the current threat landscape. We are constantly improving ML models and have released a new model for detecting calls to C&C, which allows detecting masking sequences of several unique 'taps'," added Stanislav Gribanov, head of the Garda NDR product.

Garda NDR plans to use machine learning methods to identify cyber threats in large volumes of network data flows

The Garda Group of Companies and the Engineering Center of the National Research Lobachevsky State University of Nizhny Novgorod have developed a solution for identifying information security threats in large volumes of network data flows using machine learning methods. Garda announced this on July 23, 2024.

Experts of the Garda group of companies, together with scientists from the Engineering Center of Lobachevsky University, completed a study on the use of machine learning methods to identify cyber threats in large volumes of network data streams. Its results will be used in Garda network security products, such as Garda NDR, and will improve the accuracy of detecting known threats and the effectiveness of detecting zero-day attacks. The solution will increase the degree of security of large network infrastructures, where network traffic monitoring is most effective using NetFlow.

The developed solution uses a cascade of ML algorithms and a set of synthesized features based on network traffic parameters available via the NetFlow protocol. As a result of the studies, the optimal parameters of the algorithms were established, the performance of the solution was assessed on various types and volumes of network traffic, taking into account variability, seasonality and other factors.

"The subject of the joint study was current information security tasks: protection against both well-known and previously unknown classes of threats. The task of detecting and classifying threats was investigated and solved with methods of mathematical statistics and artificial intelligence. A large amount of network traffic data made it possible to take into account the seasonality factor and the dependence of parameters on a number of external factors, and to determine the conditions for detecting an unknown threat. A number of extensive studies were conducted jointly, the desired solution and valuable practical experience were obtained, which we will gladly share with our students during the training process. We look forward to further fruitful cooperation with the Garda group of companies," says Vadim Turlapov, project manager, Doctor of Technical Sciences, Professor of the Department of High Performance Computing and System Programming, Institute of Information Technologies, Mathematics and Mechanics, N.N.

[quote text missing] ‒ noted Vladimir Ponomarev, First Deputy General Director of Garda Technologies (part of the Garda group of companies).

"Garda NDR 4.0" with 8x faster network stream content recording

Garda NDR developers have increased the performance of the solution several-fold; the updated version allows customers to optimize equipment costs and reduce network load. The developer announced this on June 19, 2024.

The key change in "Garda NDR 4.0" concerns the performance of the network stream content recording subsystem: recording speed has been increased 8 times. As a result, one combined server, which includes the sensor, storage and control system, can process up to 10 Gbit/s of network traffic.

"One co-located server processes up to 10 Gb/s, while supporting centralized deployment, security policy management and horizontal performance scaling. We were the first of the domestic vendors to implement full packet capture as an active-response function in an NDR system: dynamic traffic recording when policies are triggered," said Stanislav Gribanov, head of the Garda NDR product.

"Garda NDR 4.0" lets customers optimize the hardware spent on storing traffic. Thanks to the active-response option, customers with high-bandwidth networks can keep a full copy of all traffic for only a few hours, or not at all, while retaining the traffic of security incidents for up to several weeks.

The updated version of Garda NDR quickly detects compromised devices, protecting the organization's network from further attacks. This is achieved by improving the ML model for detecting botnet beacons. The system detects infected devices contacting command and control (C&C) servers inside DNS tunnels and even inside DNS-over-HTTPS tunnels when common attack frameworks such as Cobalt Strike, Sliver or Brute Ratel C4 are present in the network.
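The beacon detection described here, in the Garda NDR 4.1 notes ("repeated sequences of unique network requests to C&C") and in the August 2024 autocorrelation model ("repetitive sequences of several unique requests") can be illustrated on request timestamps alone. The Python below is an added example for this page, not Garda's model: it groups requests by source host and ignores destination and payload, so TLS or DNS-over-HTTPS encryption and rotation across several C2 hostnames do not hide the pattern, then computes a jitter-tolerant autocorrelation of the host's event train at each candidate lag and reports the lag with the strongest self-similarity as the beacon period. The hosts, domains, the 30 s period, the jitter, the tolerance and the alert threshold are constructed assumptions.

```python
import random
from collections import defaultdict


def coincidence_autocorrelation(times, lag, tol):
    """Jitter-tolerant autocorrelation of an event train at one lag.

    Returns (score, mean_dev): score is the fraction of events that have a later
    event at t + lag +/- tol seconds; mean_dev is the mean |actual - expected|
    offset of those partners, used to break ties between neighbouring lags."""
    ts = sorted(times)
    hits, dev_sum, j = 0, 0.0, 0
    for t in ts:
        lo, hi = t + lag - tol, t + lag + tol
        while j < len(ts) and ts[j] < lo:      # ts is sorted and lo only grows: j moves forward
            j += 1
        k, best = j, None
        while k < len(ts) and ts[k] <= hi:     # closest partner inside the window
            d = abs(ts[k] - (t + lag))
            best = d if best is None or d < best else best
            k += 1
        if best is not None:
            hits += 1
            dev_sum += best
    if not ts or not hits:
        return 0.0, 0.0
    return hits / len(ts), dev_sum / hits


def beacon_period(times, min_lag=5, max_lag=600, tol=4.0):
    """Scans integer lags and returns (period_s, score) of the strongest periodicity."""
    min_lag = max(min_lag, int(tol) + 1)       # window must not include the event itself
    best = (0.0, 0.0, None)                    # (score, -mean_dev, lag)
    for lag in range(min_lag, max_lag + 1):
        score, dev = coincidence_autocorrelation(times, lag, tol)
        if (score, -dev) > best[:2]:
            best = (score, -dev, lag)
    return best[2], best[0]


def find_beacons(requests, threshold=0.8, **kw):
    """requests: iterable of (ts, src_host, dst). Groups by src_host only, so a beacon
    that rotates through several destinations ("taps") still forms one periodic train."""
    by_host, dsts = defaultdict(list), defaultdict(set)
    for ts, src, dst in requests:
        by_host[src].append(ts)
        dsts[src].add(dst)
    findings = {}
    for host, ts in by_host.items():
        lag, score = beacon_period(ts, **kw)
        if score >= threshold:
            findings[host] = {"period_s": lag, "score": round(score, 3),
                              "destinations": sorted(dsts[host])}
    return findings


def sample_requests(seed=7):
    """Constructed request log (no real hosts or domains): an implant beaconing every
    30 s with +/-2 s jitter over four rotating destinations, and a host browsing irregularly."""
    rng = random.Random(seed)
    reqs = []
    taps = ["cdn-a.example", "cdn-b.example", "api-c.example", "sync-d.example"]
    t = 12.0
    for i in range(30):
        reqs.append((t + rng.uniform(-2, 2), "10.0.0.23", taps[i % len(taps)]))
        t += 30.0
    t = 5.0
    for _ in range(20):
        t += rng.uniform(10, 90)
        reqs.append((t, "10.0.0.41", rng.choice(["news.example", "mail.example", "wiki.example"])))
    return reqs


if __name__ == "__main__":
    for host, finding in find_beacons(sample_requests()).items():
        print(host, finding)
```

The period estimate is only as sharp as the tolerance: neighbouring lags within tol of the true period score the same fraction of hits, and the mean-deviation tie-break picks the one whose partners sit closest to the expected offset. A beacon configured with a large jitter percentage spreads its intervals well beyond a fixed tolerance, and sleep intervals longer than max_lag are never scanned; a practitioner would add statistics over the inter-arrival distribution for those cases, which this example does not attempt.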

The mechanism for creating security policies has become more understandable to the user: it is tied to scenarios for detecting threats and anomalies. Specialists of the Garda group's information security competence center have developed more than 60 such policies, with an emphasis on ML and threshold behavioral models, available out of the box. All policies are mapped to the MITRE ATT&CK matrix and the Kill Chain.

Security policies based on behavioral models raise the effectiveness of detecting unknown (zero-day) threats in Garda NDR 4.0 beyond what deep packet inspection filters (DPI traffic filters) provide. This distinguishes the system from legacy NTA-class solutions that rely on large numbers of signatures and groups of simple rules.

The functionality of widgets has been expanded, it helps in creating informative dashboards and reports.

2023: Garda NDR 3.4

The manufacturer of the family of products for data protection and network security, the Garda Group of Companies, on December 26, 2023 presented an updated version of the Garda NDR 3.4 network threat detection and response system. Updates allow you to quickly detect attacks on the corporate network, more quickly and accurately respond to incidents. Updated custom reporting forms make it easier to monitor suspicious events on the network and easier to analyze data for effective incident response.

The updated version of the Garda NDR system analyzes and processes network data more efficiently thanks to support for NSEL (NetFlow Secure Event Logging, the NetFlow v9 variant exported by Cisco ASA firewalls). Optimization of NetFlow data processing, including session grouping, makes events clearer to display and reduces reporting time.

Garda NDR 3.4 improves malware detection by introducing a mechanism that computes hashes of extracted files and provides a link for automatic antivirus checking. This enriches the information available on the malware, enabling in-depth analysis and effective response measures.

"We added the ability to transfer data to SIEM and support for external integrations through Python scripts for ML and threshold behavioral models," said Stanislav Gribanov, Garda NDR product manager at the Garda Group of Companies. "This will significantly improve the ability to actively respond to incidents and provide a more complete view of what is happening."

In this release, restrictions on the number and nesting of logical information asset management groups have been lifted, so the user can more conveniently create and distribute assets into the full hierarchical structure of groups. This makes working with assets and analyzing them in traffic more understandable and convenient to use.

Release 3.4 introduces an updated report editor that lets users customize widgets to their individual needs and receive scheduled reports, keeping the situation under control. Reports have become more flexible, which expands analytics capabilities. Widgets can now be exported and imported, which makes it easier to transfer dashboard configurations and simplifies customization for customer tasks.