ExtraHop delivers cloud-scale network detection and response (NDR) and network performance monitoring, providing security and IT teams with complete visibility, real-time detection, and intelligent response to threats within the enterprise. Built on full-packet visibility and advanced behavioral analytics, ExtraHop RevealX™, through its Packet Forensics module, helps organizations detect intrusions, defend sensitive assets, and ensure application performance at the speed of modern business.
We sat down with Anthony James, Vice President of Product Management and Product Marketing at ExtraHop, to learn how embedding Packet Viewer helped them complete the story, bringing packet-level evidence directly into the RevealX experience and giving customers the ultimate proof behind every detection.
QA Cafe (QAC): For those who might not be familiar, can you give us a quick overview of what ExtraHop does and where packet data fits into your platform?
Anthony James (AJ): ExtraHop RevealX is a network detection and response platform that incorporates sensors (high-speed packet capture appliances) with our Packet Forensics solution. What we do is look at what’s happening across the network in real time and determine if there’s something unusual, malicious, or misconfigured.
We use the packets themselves to reassemble flows, identify offenders and victims, and really show what happened. Our detections range from basic signatures to thousands of machine learning models that learn what “normal” looks like on a network and flag what isn’t. It’s incredibly powerful because it’s all grounded in packet data. That’s where the truth lives.
QAC: When you talk about “packet forensics,” what kinds of questions are your customers trying to answer?
AJ: It depends on who’s asking. For a security team, it’s “Did something bad really happen?” and “Can we prove it?” For performance teams, it might be “Why is this application slow?”
It’s true that you can gain some insights with higher-level information, and we provide that; however, when something happens, everyone wants to know how and why. When it comes time to produce the evidence, “go look at your SIEM logs” isn’t going to work. They want to have proof. Without packet data, you don’t have the evidence.
This goes for security as much as it does for app performance. If an app is performing poorly in corporate infrastructure, you want to know what part of the network is causing a problem. Is it a routing problem? A switching problem? Some misconfiguration? For example, one of the major streaming companies is a big fan of ours because we can not only identify the problem but also pinpoint its source. They can drill down into that data.
At the end of the day, it’s all about evidence. If an event happens, you need proof that it was a serious event, not a fluke or a false positive. That’s where packets come in. You can rebuild the entire conversation between systems and know exactly what was exchanged and when.
Without packet data, you don’t have the whole story.
QAC: How did your customers get to that evidence before integrating Packet Viewer?
AJ: For a long time, we provided a “download pcap” button. Customers could open them in Wireshark and dig through the data manually.
But as we grew, that model started to show its limitations. Users wanted to stay inside the Packet Forensics interface. They didn’t want to pivot out, download something, open another tool, and start over. It broke the workflow.
The ExtraHop product automatically builds flows and learns baselines, all by capturing and analyzing packets in real time. What our customers asked for was simple: “Can we see those packets here, in the product?”
QAC: So the need was clear, but why choose Packet Viewer instead of building something yourselves?
AJ: Our value is in our detections, our machine learning models, and our identity work, not in re-engineering Wireshark.
We weren’t going to spend engineering cycles building a packet viewer when there’s already one on the market that does it better than we ever could. We wanted to focus on what makes ExtraHop unique, and let QA Cafe handle the packet visualization side.
Packet Viewer checked every box. It’s web-based, integrates cleanly, looks and feels like Wireshark, and it doesn’t disrupt the user experience we’ve built. That’s exactly what we needed.
QAC: How does Packet Viewer fit into the Packet Forensics workflow?
AJ: You start at the outer layer with detections, the “here’s what happened.” Then, you drill into the offender’s activity, examine the flows and timelines, and finally, you hit the bullseye to access the packets themselves.
That’s where Packet Viewer lives. It gives our users that familiar, structured look at the raw data behind everything else. They can pivot right into the packets, see the evidence, and confirm exactly what happened, all without leaving the platform.
QAC: What kind of impact has this had on your customers and your own team?
AJ: Our field team loves it. They show it in every demo. When prospects see they can go from a high-level detection all the way to the individual packets, they’re blown away. It’s “demo candy.”
But more importantly, it changes how customers investigate issues. For security teams, it’s about proof. They now have packet-level evidence right at their fingertips. For performance teams, it’s visibility. They can understand where a problem is happening and why.
QAC: What does Packet Viewer let ExtraHop do that your competitors can’t?
AJ: Many of our competitors rely on network telemetry or flow headers. They’re not curating the actual packet data tied to events.
Because we are, our customers can get right to the evidence. They can say, “Show me the offender, show me their activity, and let me see the packets that prove it.” That’s something our competitors simply can’t match.
It’s also a differentiator in how we position ourselves. Anyone can show alerts. We can show proof.
QAC: If you had to summarize the value of adding Packet Viewer in one line, what would it be?
AJ: Evidence is everything.
Detection tells you something might be wrong. Packet Viewer lets us show why, and that’s what customers really care about. Also, our field teams love it! They are always showing it off in demos.
QAC: That’s a great way to end it. Thanks for sharing your insights, Anthony.
AJ: My pleasure. It’s been a great partnership, and a perfect example of how focusing on your core value and integrating the right technology can make your product that much stronger.