// Trust & Security Report

    Vectra AI, Inc. logo

    Vectra AI, Inc.

    AI-driven Network Detection and Response (NDR) platform (Vectra AI Platform / Attack Signal Intelligence) covering on-prem, multi-cloud, identity, M365 and IoT/OT visibility, plus the Vectra Recall investigation/threat-hunting add-on; distinct product SKUs (NDR Quadrant UX, NDR Respond UX, Recall) each have their own pentest attestations.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Vectra AI, a leader in network detection and response (NDR), today announced it has successfully completed its Service Organization Control (SOC 2) Type 2 certification [for] Cognito Detect and Cognito Recall cloud and enterprise software.

    Verify on vectra.ai
    SOC 2 (current attestation)
    HELD

    Compliance ... Vectra SSAE SOC2 - 2025 ... Vectra SSAE SOC2 Bridge Letter - 2025

    Verify on trust.vectra.ai
    CSA STAR
    HELD

    Compliance ... CSA Star - Level 1

    Verify on trust.vectra.ai
    VPAT (accessibility)
    HELD

    Compliance ... VPAT

    Verify on trust.vectra.ai
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    Trust Center's Compliance section lists only 'VPAT', 'CSA Star - Level 1', and 'Vectra SSAE SOC2 - 2025' as certifications/attestations; no ISO 27001 certificate is listed or found on any vectra.ai domain page.

    source: trust.vectra.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence on vectra.ai or trust.vectra.ai of ISO 27017, 27018, or 27701 certification.

    source: trust.vectra.ai
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 certification; Vectra publishes general educational content about AI governance frameworks but does not claim its own ISO 42001 certification.

    source: vectra.ai
    HIPAA
    NOT CONFIRMED

    Meeting regulatory requirements for healthcare security (HIPAA, GDPR, and regional mandates) requires clear visibility and strong incident response, which Vectra AI helps organizations achieve. (Marketing language describes the product helping customers meet HIPAA; no vendor claim of Vectra's own HIPAA compliance, certification, or BAA offering was found.)

    source: vectra.ai
    PCI DSS
    NOT CONFIRMED

    No PCI DSS attestation is listed in the Trust Center's Compliance section; only VPAT, CSA STAR Level 1, and SOC 2 appear there.

    source: trust.vectra.ai
    FedRAMP
    NOT CONFIRMED

    Search snippet describing 'FedRAMP authorized vendor' refers to reseller Carahsoft Technology Corp. selling Vectra through its contract vehicles, not to Vectra AI itself; no FedRAMP marketplace listing or vendor-domain claim of Vectra's own FedRAMP authorization was found. Vectra's federal solutions page describes NIST/Zero Trust alignment but makes no FedRAMP authorization claim.

    source: vectra.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    US-headquartered (San Jose, CA); subprocessor list shows AWS hosting in US (Oregon, Ohio), Canada (Central), and Europe (Ireland, Paris, Frankfurt) plus Microsoft cloud hosting in multiple regions. Cross-border transfers from EEA/Switzerland/UK rely on Standard Contractual Clauses; Vectra also certifies to the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF.

    Vectra's ML/behavioral-detection models are inherent to an NDR product (models learn from network/identity telemetry to detect attacker behavior), but no vendor-domain page makes an explicit public statement on cross-customer model training or an opt-out mechanism for this. The privacy policy and privacy/products page discuss data processing agreements and privacy datasheets but do not address AI model training practices directly; treat as unconfirmed rather than assumed.

    // Security controls

    Encryption in transit and at rest

    Trust Center lists 'Is sensitive data encrypted in transit and at rest?' as an answered common question; specific technical details are gated behind NDA-based document access and were not independently verified beyond the trust center listing.

    trust.vectra.ai

    Third-party penetration testing

    Trust Center lists separate current pentest attestations for Vectra NDR (Respond UX) - 2025, Vectra Recall - 2025, and Vectra NDR (Quadrant UX) - 2025, plus a Vectra Recall Disaster Recovery Test.

    trust.vectra.ai

    Trust Center access model

    Documents (SOC 2, CAIQ, pentest attestations, policies) are gated: access requires a request, approval, and signing a one-way NDA valid for one year, rather than public download.

    trust.vectra.ai

    Written security policies

    Trust Center lists named internal policies including Acceptable Use Policy, Asset Management Policy, Business Continuity Plan, Code of Conduct, Change Management Policy, Clean Desk Policy, Data Classification Policy, and Encryption Policy (titles only; content gated behind NDA request).

    trust.vectra.ai

    Subprocessors disclosed

    Named subprocessors include AWS and Microsoft (cloud hosting/storage), Salesforce (support/billing), Pendo (product analytics), Starburst Galaxy and Databricks (data analytics).

    trust.vectra.ai

    // Products & data scope

    Vectra AI Platform (Attack Signal Intelligence / NDR)Network Detection & Response, cloud/identity threat detection

    data: Network traffic metadata, cloud/identity telemetry (M365, IaaS), IoT/OT signals across customer's monitored environment

    Primary enterprise product; covered by the current SOC 2 attestation and separate pentest attestations for its Quadrant and Respond UX variants.

    Vectra RecallThreat hunting / investigation and metadata retention

    data: Retained network metadata for historical investigation and disaster-recovery-tested storage

    Has its own CAIQ, pentest attestation, and disaster recovery test listed separately in the Trust Center, indicating a distinct compliance scope from the core NDR platform.

    // What to watch

    • ISO 27001 is not currently listed among Vectra's own Trust Center compliance artifacts; some third-party vendor-risk aggregator sites (Panorays, Nudge Security) assert Vectra is 'ISO 27001 compliant', but this could not be corroborated with any vendor-domain proof, so it is graded held=false. Recommend rechecking if a vendor-domain ISO 27001 certificate surfaces.
    • A search snippet described Vectra as an 'American built, American owned and FedRAMP authorized vendor' but on inspection that statement describes reseller Carahsoft, not Vectra AI itself -- classic host/reseller-vs-vendor cert conflation; graded FedRAMP held=false for Vectra.
    • An unrelated company, 'Vectra Corp' (vectra-corp.com, an IT consultancy offering ISO 27001 audit services), surfaced in search results due to name similarity -- confirmed this is a different entity and excluded it from this assessment.
    • CSA STAR held is Level 1 (vendor self-assessment) per the Trust Center listing, not the more rigorous third-party-audited Level 2 certification -- listing copy should specify 'Level 1 self-assessment' rather than implying a full independent audit.
    • Most Trust Center documents (SOC 2 report itself, CAIQ, pentest attestations, policy text) are gated behind an NDA request/approval flow, so specific control details (encryption algorithms, exact SOC 2 report period/Type) could not be independently read; grading is based on the Trust Center's document titles and vendor press release only.
    • No explicit public statement found on whether/how customer network telemetry is used to train Vectra's detection models across customers, or whether an opt-out exists -- flagged as unconfirmed rather than assumed either way.

    // At a glance

    Pricing model

    Enterprise sales-led (demo/quote-based); no self-serve public pricing found on vectra.ai

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Vectra AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.vectra.ai

    > Browse all vendor trust reports