Breach Detection Systems

Breach detection systems (BDSs) are a relatively new area of system security. You have a duty to protect the private data of others on your system and you also need to protect your business’s operating data. Find out how breach detection fits into your system security strategy.

How they differ from IPS & IDS systems?

You may think you already know about breach detection systems. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) have been around for some time now. However, if this is what you were thinking about when you read breach detection systems, you are looking in the wrong direction. The two are not the same thing.

Here is our list of the ten best breach detection systems:

  1. CrowdStrike Falcon Prevent EDITOR’S CHOICE (FREE TRIAL) A cloud-based endpoint protection platform that is termed a next-generation antivirus system. This package is the base unit for the coordinated system-wide CrowdStrike Falcon Insight, which operates from the cloud and interfaces to all Prevent instances. Start a 15-day free trial.
  2. BreachSight A cloud-based risk assessor and system breach scanner from UpGuard.
  3. Trend Micro Deep Discovery Detector A highly-rated threat protection hardware device that includes constant port and protocol monitoring plus software event tracking.
  4. Imperva Data Activity Monitoring Protects data in databases and files, on-premises and on the cloud.
  5. FortiSandbox A proactive advanced threat detection system that is available as an appliance, as a VM, or as a cloud-based service.
  6. Change Tracker Spots unauthorized alterations to a system that might correspond to an expected alteration that is part of a change management process.
  7. InsiderSecurity A Singapore-based threat protection monitor. Available from the cloud or for on-premises installation.
  8. HackWatchman A BDS from ActiveReach that creates a ghost device that acts as a honeypot to attract any intruders that get onto the network.
  9. Lastline Defender Breach protection tool for email systems, networks, cloud resources, and IoT devices.
  10. SpyCloud Locks down system user accounts and particularly highlights abandoned but live accounts.

How do BDSs work?

While intrusion detection systems try to prevent network break-ins by outsiders, breach detection systems look for malicious software activity on the network. Breach detection is a new term for an old problem. The difference between BDS and a firewall is that breach detection operates within the network, whilst firewalls are boundary tools that try to block malware at the point of entry.

The definition of BDS sounds a lot like an antivirus system. It is. However, an antivirus program checks on a single computer for known malware but a BDS watches activity on a network and throughout an IT system. A BDS can be implemented as software or as a hardware device.

The security threats detected by BDS are a little wider in behavior than the activities detected by a typical anti-malware system. The malicious software that the BDS looks for could be part of a suite of attacking software, launched manually by an intruder.

Each individual program run might seem compatible with the normal activities of the business. It might be the execution of legitimate software already resident on your system. BDS doesn’t just look at each individual process but detects combinations of programs that could be combined for malicious purposes.

The ten best breach detection systems

The definition of BDS is new and so there aren’t many suppliers for this type of system yet.

Our methodology for selecting a breach detection system 

We reviewed the market for breach detection packages and analyzed tools based on the following criteria:

  • Malware detection systems on endpoints and network equipment
  • The ability to coordinate malware detection from a central controller
  • Detection of Trojan and lateral movement utilities
  • The ability to stop and delete malicious software
  • A mechanism to stop and clear out system utilities that have been hijacked
  • A free trial or a demo package that enables a risk-free assessment
  • Value for money from a comprehensive protection system that is offered at a fair price

With these selection criteria in mind, we surveyed the market for breach detection services and noted systems that are worth considering.

1. Crowdstrike Falcon Prevent (FREE TRIAL)

crowdstrikefalcon detections dashboard

CrowdStrike Falcon Prevent is a range of packages in four service levels: Pro, Enterprise, Premium, and Complete.

CrowdStrike markets the Falcon Prevent range as a “next-generation antivirus.” The term is accurate, but CrowdStrike Falcon goes a lot further than just a malicious software scanner. It is a breach detection system. Falcon doesn’t just scan for known malware. It has detection systems that can catch software that is performing unexpected actions even if that program hasn’t previously been spotted and marked as malware. It is also able to detect combinations of authorized, valid software that could indicate intrusion when executed in a specific sequence.

Key Features

  • Endpoint protection
  • Central coordination of all instances possible
  • Audit trail for standards compliance
  • Doesn’t rely on network connections
  • Part of a suite of system protection services

The philosophy behind all breach detection system is not to prevent malicious software from getting on the network – edge services are supposed to do that. The purpose of these systems is to catch malware that manages to dodge firewalls and access controls.

Falcon Prevent retreats from the network all the way to its endpoints. You shouldn’t abandon firewalls and access controls, but you should use Falcon as a fallback in case those systems fail.

Although this is a cloud-based service, its protection isn’t broken if the internet gets disconnected. The Falcon Prevent software includes on-site agents that don’t cut off when they can’t reach the controller on the CrowdStrike servers.

The system includes automated protection actions and audit trails to help users understand a concerted and repeated attack vector. The audit trail is also a good source of data protection standards compliance evidence.


  • Doesn’t rely on only log files to threat detection, uses process scanning to find threats right away
  • Acts as a HIDS and endpoint protection tool all in one
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Can install either on-premise or directly into a cloud-based architecture
  • Lightweight agents won’t slow down servers or end-user devices


  • Would benefit from a longer trial period

CrowdStrike offers a 15-day free trial of the Falcon Prevent system so you can put it through its paces and decide on its suitability for your company’s data defense strategy.


CrowdStrike Falcon Prevent is our top pick for a breach detection system because it offers a basis from which to grow a full system-wide security service. Falcon Prevent installs on each endpoint and protects it from all forms of attacks. After this installation has been bedded in you can enhance your protection by moving up to Falcon Insight, which adds on a cloud-based coordinator together data from each Prevent instance and perform extra threat hunting.

Official Site:

OS: Windows, macOS, and Linux

2. UpGuard BreachSight

upguard dashboard

BreachSight is a very competent data breach system from UpGuard, which produces a range of security products that are ideal for online retailers.

The BreachSight system has an attractive management console that is accessible online. The whole system is delivered from the cloud so you don’t need to worry about server space to host the cybersecurity system.

Key Features

  • Cloud-based
  • Data loss prevention
  • Credentials protection
  • Vulnerability scanner

The security system tackles data protection from two angles:

  • Data leak vulnerability
  • Credentials disclosure

The vulnerability scanner runs continuously. It alerts the data manager of any suspicious data access attempts. It will also highlight system security weaknesses that need to be closed off. The scanner looks for running processes and scans the code for the programs, looking for malicious intent.

BreachSight is able to detect when employee credentials have been disclosed. The credentials protector checks for unexpected activity and alerts the company’s systems administrator to revoke credentials that are suspected of being compromised.

The BreachSight system includes automated remediation scripts. All steps are fully documented. The records of breach detection and remediation form a valuable archive, which you will need in order to demonstrate compliance to data protection security standards.

The package of breach detection measures includes access to cybersecurity experts at the UpGuard offices. These consultants will guide your system administration team in interpreting the data raised by the application. That breach event log is even able to identify the parties responsible for the breach, enabling your company to sue for the recovery of losses or at least, to get the authorities to deal with the perpetrator.


  • Cloud-based product, reduces infrastructure costs and enable simple scalability
  • Includes DLP features to protect against accidental deletion and ransomware
  • Offers vulnerability scanning, great for companies with in-house remediation teams


  • Would like to see a free trial version rather than a demo

This is an excellent breach detection system, but you will need to check it out for yourself before in order to understand how it will fit into your data protection strategy. You can get a free demo of the system over at the UpGuard website.

3. Trend Micro Deep Discovery Inspector

Trend Micro Inspector

Trend Micro is a major antivirus brand. All AV providers are currently moving forward to provide more comprehensive cybersecurity services. Trend Micro has developed a breach detection system that will help it pull ahead of the competition.

Key Features

  • Implemented as an appliance
  • Blocks Trojan activity
  • Zero-day protection

This is an appliance that you plug into your network, much as you would a firewall. Don’t replace your boundary protection services with the Deep Discovery Inspector because this appliance’s attention is drawn toward activity within the network.

The strength of this tool lies in its ability to catch the interactions between Trojan software and its external controllers.

A very distinctive feature of attacks that breach detection systems are designed to block is that seemingly unrelated software gets manipulated to work in concert for malicious purposes. Deep Discovery Inspector aims to detect the controlling force that commands legitimate software to contribute to data breaches.

This system operates at the network level and looks for suspicious combinations of events. It covers endpoints, web and email applications and network traffic to build up threat analysis profiles. It does not use the traditional AV tactic of reference to a malware characteristic database. Thus, it is able to detect “zero-day” attacks. It reaches into applications, including email and web servers to fish out attack strategies before they have a chance to reach targets.

This is an innovative breach detection system from one of the world’s leading cybersecurity operations.


  • Can automate breach response through notification or remediation
  • Collects a vast amount of data on the breach, great for auditing and investigations
  • Prevents zero-days by blocking behavior rather than threat signatures


  • Must contact for pricing
  • Not the best option for smaller networks

4. Imperva Data Activity Monitoring

Imperva Data Activity Monitoring

Data activity monitoring covers every type of data storage from databases to files and this suite of system security measures covers all of them.

Key Features

  • Protects all data stores
  • Standards compliance
  • Live threat intelligence feed

Imperva stresses the importance of its service’s ability to prove data security standards compliance. As a systems administrator, you have two data protection priorities: protection of data and proving that you have done everything possible to protect that data. The proof is important if you need to demonstrate compliance to data security standards in order to win new business and keep your enterprise profitable.

The system monitors events that relate to data stores and reports on suspicious activity live in the console screen. The monitor pulls in live feeds from Imperva Data Risk Analytics to continuously update its remediation of attack vectors.

Imperva Data Activity Monitoring is available as on-premises software or as a cloud-based service. The company does not offer a free trial, but you can get a demo of the system to assess whether or not it meets your company’s data security needs.


  • Combines in-depth audits and compliance tests with breach detection features
  • Offers highly technical compliance auditing features, great for enterprise environments
  • Available both as a cloud product or on-premise solution


  • No free trial
  • Many features are not applicable to smaller organizations that don’t have to monitor compliance

5. Fortinet FortiSandbox

Fortinet FortiSandbox

Fortinet specializes in network security against incoming Internet-bound threats. The FortiSandbox is available as an appliance, as on-premises software run over a virtual machine, or as a cloud-based subscription service.

Key Features

  • Physical and virtual appliance options
  • Monitors the network
  • Quarantines new software

Breach detection systems start with the assumption that network access security can be defeated. The FortiSandbox strategy involves isolating new software and monitoring its reaction with the resources and services of the network. This is a quarantine approach that allows the software to function fully but establishes savepoints to enable full system rollback.


  • Brand has extensive knowledge in networking and security software, giving it more experience than some competitors
  • Integrates nicely with FortiGate firewalls are other brand hardware
  • Supports multi-cloud support for either AWS or Azure, making it a flexible cloud-based option


  • WAN management features are only available through the companion tool called FortiManager

FortiSandbox interacts with all levels on your networks from firewalls and gateways over to endpoints. The package includes mitigation services as well as threat detection. This is the software equivalent of “Trust but verify.” Fortinet offers a free demo of FortiSandbox.

6. NNT Change Tracker

NNT Change Tracker

The latest version of Change Tracker is called Ben7 R2. 7. This tool is particularly concerned with exploits that can be slipped into system change processes. The tool is designed to enforce the demands of IT system management standards, especially ITIL.

Key Features

  • Traps malware in system updates
  • Good for development environments
  • Configuration manager

Improvement projects are always undertaken with a positive attitude. System change is only for the better. However, while the team is working to a bright new future, others might have malicious intent and use the upgrade project as a smokescreen for an intrusion opportunity.

Change Tracker keeps an eye on exploits that might arise during a development project. It keeps control of device configurations while everyone’s attention is directed towards development. The tool looks at unauthorized configuration changes, generates an alert when one is detected and automatically rolls back to authorized configurations when any change is detected.


  • Ideal for tracking change management and configuration monitoring
  • Helps prevent misconfigurations automatically
  • Can prevent accidental exploits and identity malicious insider threats
  • Great visualizations


  • Contains a lot of customizable features that can take time to fully explore

NNT offers a free trial of Change Tracker.

7. InsiderSecurity


InsiderSecurity is a SaaS breach detection system based in Singapore. The service is a blend of software and human expertise because the company offers real expert analysis of threat event records that are raised on your network.

Key Features

  • Cloud-based service
  • Backed by expert security consultants
  • Monitors all activity

The platform offers quick breach detection and automated remediation as well as online human analysis who give security guidance. In addition to the detection of rogue software, this service monitors the activities of authorized users to detect insider attacks. Basically, any execution of software on your system gets examined for intent and the security system chains back to the originator of any malicious activity.


  • Breach protection offered through a simple SaaS integration
  • Offers expert consulting, ideal for larger businesses
  • Provides automated remediation


  • No free trial
  • Designed more for enterprise networks

This online service could save you from prosecution in the event of a system breach. You can get a look at how it works by requesting a demo.

8. ActiveReach HackWatchman

ActiveReach HackWatchman

The ActiveReach breach detection system is called HackWatchman. This is a managed breach detection service, so you don’t have to sit in front of the dashboard all day. The ActiveReach staff do all of the monitoring work for you and notify you if any breaches occur.

Key Features

  • A managed service
  • Uses honeypots
  • Protects data

This protection solution is unique. It identifies crucial data storing devices and mimics them. The idea is to attract hackers away from your real data storage locations towards the ghosting version created by HackWatchman.

The HackWatchman system includes physical devices that attach to monitored equipment. This reports back to the ActiveReach servers where analysts comb through event records as soon as they arrive. It takes skill to root out false positive and detect attack patterns. The Activereach strategy gives the breach detection spotting tasks to experienced cybersecurity specialists.


  • Breach detection offered as a managed service
  • Leverages honey pots to stop breaches early on
  • Offers highly customizable solutions


  • Only available as a managed service
  • Better suited for larger organizations

Although the use of human analysts seems to be a backward step, it gets over the problem of constant “false positive” reporting that can swamp a typical IT department. ActiveReach offers a free demo of the HackWatchman system.

9. Lastline Defender

Lastline Defender

Lastline uses AI methods in the Defender system. Despite its automated machine learning methods, Defender isn’t an off-the-shelf solution. Installation starts with a consultation. The next step is a proposal that presents a tailored solution.

Key Features

  • Bespoke service
  • AI-based detection
  • Protects network, cloud resources, email systems, and IoT devices

The company has a large number of existing users across the globe, covering millions of user accounts. Defender buyers are scattered across North America, Europe, Asia, and Australasia.

Defender is available in specialists packages that focus on the network, on email systems, on cloud resources, and on IoT devices. The AI element of the package helps filter out false positives, so your system administration team won’t be overwhelmed by irrelevant or falsely triggered alerts.

Lastline offers a demo of its software on its website.


  • Leverages artificial intelligence to uncover breaches and other malicious activity
  • Specializes in enterprise security
  • Can protect assets in numerous environments (cloud, IoT, LAN, etc)


  • No free trial offered

10. SpyCloud


SpyCloud focuses on the activity of authorized accounts and makes sure that they don’t get hijacked. In these days where phishing scams are prevalent, it is difficult for any monitoring software to block malicious activities. If software gets installed by an authorized user or if a valid user account launches a series of legitimate programs, it is almost impossible for traditional AV systems to protect your system.

Key Features

  • Scans for hijacked accounts
  • Intent-based detection
  • Identifies illogical activity

SpyCloud gets around the problem of deciding which running processors are valid and which have malicious intent. Rather than monitoring all events on the network, it focuses on the activities of user intent. It checks on factors such as the login location matched against the known location of the user and also spots unfeasible simultaneous access by the same account.

Protecting data

Data protection is becoming increasingly more difficult every day. You can’t rely solely on a firewall and traditional antivirus to prevent data disclosure or system breaches.

These days, hackers know how to trick employees into giving away their login credentials, so it isn’t enough to just look at outsider access to your system in order to protect your company’s data stores. You need more sophisticated data protection software, such as a breach detection system.

Breach Detection Systems FAQs

What is breach detection tools?

Breach detection systems specifically look for signs of data theft. These scans can be an intrusion detection system that runs internally but it can also be implemented through Dark Web scans that look for examples of company data for sale – this would include employee credentials or customer personal information.

What are 4 methods of threat detection?

There are four methods for threat detection:

  • Configuration tampering, which identifies unauthorized changes to device settings that weaken system security
  • Anomaly detection, which looks for unusual network or processor activity
  • Indicators of compromise, which is also called signature-based detection and looks for a sequence of actions that are known to be common to hacker activity
  • Behavioral analytics, which establishes a baseline of normal activity per user account and then looks for deviations from that standard to spot account takeover or insider threats

What are the three main detection types?

There are three areas that detection systems focus on, which creates three categories of threat detection systems:

  • Host-based intrusion detection systems: HIDS services look through log files
  • Network-based intrusion detection systems: NIDS services scan network traffic for malicious activity and can include deep packet inspection
  • Application-based intrusion detection systems: AIDS services that examine the activities of user in relation to Web applications