// Trust & Security Report
Vectra AI, Inc.
AI-driven Network Detection and Response (NDR) platform (Vectra AI Platform / Attack Signal Intelligence) covering on-prem, multi-cloud, identity, M365 and IoT/OT visibility, plus the Vectra Recall investigation/threat-hunting add-on; distinct product SKUs (NDR Quadrant UX, NDR Respond UX, Recall) each have their own pentest attestations.
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on vectra.ai“Vectra AI, a leader in network detection and response (NDR), today announced it has successfully completed its Service Organization Control (SOC 2) Type 2 certification [for] Cognito Detect and Cognito Recall cloud and enterprise software.”
Verify on trust.vectra.ai“Compliance ... Vectra SSAE SOC2 - 2025 ... Vectra SSAE SOC2 Bridge Letter - 2025”
> Show 6 unconfirmed / not-held certifications
source: trust.vectra.aiTrust Center's Compliance section lists only 'VPAT', 'CSA Star - Level 1', and 'Vectra SSAE SOC2 - 2025' as certifications/attestations; no ISO 27001 certificate is listed or found on any vectra.ai domain page.
source: trust.vectra.aiNo public evidence on vectra.ai or trust.vectra.ai of ISO 27017, 27018, or 27701 certification.
source: vectra.aiNo public evidence of ISO/IEC 42001 certification; Vectra publishes general educational content about AI governance frameworks but does not claim its own ISO 42001 certification.
source: vectra.aiMeeting regulatory requirements for healthcare security (HIPAA, GDPR, and regional mandates) requires clear visibility and strong incident response, which Vectra AI helps organizations achieve. (Marketing language describes the product helping customers meet HIPAA; no vendor claim of Vectra's own HIPAA compliance, certification, or BAA offering was found.)
source: trust.vectra.aiNo PCI DSS attestation is listed in the Trust Center's Compliance section; only VPAT, CSA STAR Level 1, and SOC 2 appear there.
source: vectra.aiSearch snippet describing 'FedRAMP authorized vendor' refers to reseller Carahsoft Technology Corp. selling Vectra through its contract vehicles, not to Vectra AI itself; no FedRAMP marketplace listing or vendor-domain claim of Vectra's own FedRAMP authorization was found. Vectra's federal solutions page describes NIST/Zero Trust alignment but makes no FedRAMP authorization claim.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
US-headquartered (San Jose, CA); subprocessor list shows AWS hosting in US (Oregon, Ohio), Canada (Central), and Europe (Ireland, Paris, Frankfurt) plus Microsoft cloud hosting in multiple regions. Cross-border transfers from EEA/Switzerland/UK rely on Standard Contractual Clauses; Vectra also certifies to the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. DPF.
Vectra's ML/behavioral-detection models are inherent to an NDR product (models learn from network/identity telemetry to detect attacker behavior), but no vendor-domain page makes an explicit public statement on cross-customer model training or an opt-out mechanism for this. The privacy policy and privacy/products page discuss data processing agreements and privacy datasheets but do not address AI model training practices directly; treat as unconfirmed rather than assumed.
// Security controls
Encryption in transit and at rest
Trust Center lists 'Is sensitive data encrypted in transit and at rest?' as an answered common question; specific technical details are gated behind NDA-based document access and were not independently verified beyond the trust center listing.
trust.vectra.aiThird-party penetration testing
Trust Center lists separate current pentest attestations for Vectra NDR (Respond UX) - 2025, Vectra Recall - 2025, and Vectra NDR (Quadrant UX) - 2025, plus a Vectra Recall Disaster Recovery Test.
trust.vectra.aiTrust Center access model
Documents (SOC 2, CAIQ, pentest attestations, policies) are gated: access requires a request, approval, and signing a one-way NDA valid for one year, rather than public download.
trust.vectra.aiWritten security policies
Trust Center lists named internal policies including Acceptable Use Policy, Asset Management Policy, Business Continuity Plan, Code of Conduct, Change Management Policy, Clean Desk Policy, Data Classification Policy, and Encryption Policy (titles only; content gated behind NDA request).
trust.vectra.aiSubprocessors disclosed
Named subprocessors include AWS and Microsoft (cloud hosting/storage), Salesforce (support/billing), Pendo (product analytics), Starburst Galaxy and Databricks (data analytics).
trust.vectra.ai// Products & data scope
data: Network traffic metadata, cloud/identity telemetry (M365, IaaS), IoT/OT signals across customer's monitored environment
Primary enterprise product; covered by the current SOC 2 attestation and separate pentest attestations for its Quadrant and Respond UX variants.
data: Retained network metadata for historical investigation and disaster-recovery-tested storage
Has its own CAIQ, pentest attestation, and disaster recovery test listed separately in the Trust Center, indicating a distinct compliance scope from the core NDR platform.
// What to watch
- ISO 27001 is not currently listed among Vectra's own Trust Center compliance artifacts; some third-party vendor-risk aggregator sites (Panorays, Nudge Security) assert Vectra is 'ISO 27001 compliant', but this could not be corroborated with any vendor-domain proof, so it is graded held=false. Recommend rechecking if a vendor-domain ISO 27001 certificate surfaces.
- A search snippet described Vectra as an 'American built, American owned and FedRAMP authorized vendor' but on inspection that statement describes reseller Carahsoft, not Vectra AI itself -- classic host/reseller-vs-vendor cert conflation; graded FedRAMP held=false for Vectra.
- An unrelated company, 'Vectra Corp' (vectra-corp.com, an IT consultancy offering ISO 27001 audit services), surfaced in search results due to name similarity -- confirmed this is a different entity and excluded it from this assessment.
- CSA STAR held is Level 1 (vendor self-assessment) per the Trust Center listing, not the more rigorous third-party-audited Level 2 certification -- listing copy should specify 'Level 1 self-assessment' rather than implying a full independent audit.
- Most Trust Center documents (SOC 2 report itself, CAIQ, pentest attestations, policy text) are gated behind an NDA request/approval flow, so specific control details (encryption algorithms, exact SOC 2 report period/Type) could not be independently read; grading is based on the Trust Center's document titles and vendor press release only.
- No explicit public statement found on whether/how customer network telemetry is used to train Vectra's detection models across customers, or whether an opt-out exists -- flagged as unconfirmed rather than assumed either way.
// At a glance
Pricing model
Enterprise sales-led (demo/quote-based); no self-serve public pricing found on vectra.ai
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Vectra AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.vectra.ai