Saw a LinkedIn ad from "that" NDR company. Yup. The one with the big F1 deal.
It said something along the lines of: our AI will learn your unique environment.
Well, in my experience that's total <insert expletive here>.
It completely fails to learn that process x is completely routine and happens day in, day out, 220 days a year. It blocks the process on the grounds of "suspicious activity".
It apparently can't do even half decent geolocation of VPN endpoints; it returns the country of registration of the ASN owner company, which isn't the same thing at all as where the VPN endpoint is.
And when I dug into the advanced search features and pcap files, I found it wasn't even managing the transition between BST and GMT. An NDR that can't tell the time. If this *is* a misconfiguration then... what the hell? You don't configure time anymore, you point at NTP servers.
Oh, yeah. And it misreports DNS. "Device x has done this!". Are you sure? Yep, definitely.
But device x has been offline for 2 days, and this event happened an hour ago. Dig about in the pcap and if you're lucky, you can find the actual DNS name of the device involved.
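Added example, not part of the post above and not the vendor's code: the DNS misattribution and the BST/GMT complaint are really the same bug, a lookup result treated as timeless. The Python below keeps a lease history and resolves an IP to the hostname that held it at the event's timestamp (next to the stale-cache behaviour the post describes, which blames a device that has been off the network for days), and renders pcap epoch timestamps in Europe/London so the offset changes when BST does. All hostnames, addresses, leases and times are constructed; `attribute_cached`, `attribute_at`, `london_offset` and `render_local` are my names, not any product's API.

```python
"""Time-aware IP-to-host attribution and London-time rendering of pcap
timestamps. Added example; every host, address, lease and time below is
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

try:  # preferred: the system tz database decides when BST applies
    from zoneinfo import ZoneInfo
    LONDON = ZoneInfo("Europe/London")
except (ImportError, KeyError):  # no tzdata available: use the hard-coded UK rule
    LONDON = None


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC instant."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


@dataclass(frozen=True)
class Lease:
    """One DHCP lease / dynamic DNS registration: `ip` belonged to
    `hostname` from `start` (inclusive) to `end` (exclusive), both UTC."""
    ip: str
    hostname: str
    start: datetime
    end: datetime


# Constructed history: laptop-7 held 10.0.0.23, went offline two days ago,
# and the address was later handed out to a different device.
LEASES = [
    Lease("10.0.0.23", "laptop-7.corp.example", utc("2024-03-20 09:00"), utc("2024-03-24 18:00")),
    Lease("10.0.0.23", "kiosk-2.corp.example", utc("2024-03-26 07:30"), utc("2024-03-27 07:30")),
]


def attribute_cached(leases: list[Lease], ip: str) -> Optional[str]:
    """The naive behaviour: remember the first hostname ever seen for an IP
    and keep reporting it. This is what blames a device that is offline."""
    for lease in sorted(leases, key=lambda l: l.start):
        if lease.ip == ip:
            return lease.hostname
    return None


def attribute_at(leases: list[Lease], ip: str, at: datetime) -> Optional[str]:
    """Time-aware lookup: the hostname whose lease covered `ip` at the UTC
    instant `at`. None means nothing held the address then, which is
    itself worth an alert (unrecorded or rogue device)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            return lease.hostname
    return None


def _last_sunday_0100_utc(year: int, month: int) -> datetime:
    """01:00 UTC on the last Sunday of a 31-day month (March or October)."""
    d = datetime(year, month, 31, 1, tzinfo=UTC)
    return d - timedelta(days=(d.weekday() + 1) % 7)


def london_offset(at: datetime) -> timedelta:
    """UTC offset in force in London at the UTC instant `at`."""
    if LONDON is not None:
        return at.astimezone(LONDON).utcoffset()
    # UK rule: BST runs from 01:00 UTC on the last Sunday of March
    # to 01:00 UTC on the last Sunday of October.
    start, end = _last_sunday_0100_utc(at.year, 3), _last_sunday_0100_utc(at.year, 10)
    return timedelta(hours=1) if start <= at < end else timedelta(0)


def render_local(epoch: float) -> str:
    """Render a pcap timestamp (seconds since the epoch, UTC) as London
    wall-clock time, labelled with the zone that actually applied."""
    at = datetime.fromtimestamp(epoch, tz=UTC)
    off = london_offset(at)
    return (at + off).strftime("%Y-%m-%d %H:%M") + (" BST" if off else " GMT")


def fixed_gmt_error_seconds(epoch: float) -> int:
    """How far a tool that hard-codes +00:00 all year misreports this
    instant: 0 in winter, 3600 during BST."""
    return int(london_offset(datetime.fromtimestamp(epoch, tz=UTC)).total_seconds())


if __name__ == "__main__":
    event = utc("2024-03-26 19:00")  # "an hour ago" in the post's scenario
    print("cached lookup :", attribute_cached(LEASES, "10.0.0.23"))
    print("time-aware    :", attribute_at(LEASES, "10.0.0.23", event))
    for ts in (utc("2024-01-15 12:00"), utc("2024-07-01 12:00")):
        ep = ts.timestamp()
        print(render_local(ep), "| fixed-GMT error:", fixed_gmt_error_seconds(ep), "s")
```

The lease table is the piece the product apparently lacks: DHCP server logs or dynamic DNS update records give you the intervals, and once you key the lookup on the event's timestamp the "offline device did something an hour ago" report cannot happen. The same discipline applies to the clock: store and search on the UTC epoch the pcap already carries, and only convert to local wall-clock time at display, with the zone rules for that date rather than a fixed offset.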