Data-Centric Threat Detection & Response

Say goodbye to dead-end investigations and mountains of raw logs. Confidently answer the question, “is my data safe” with user behavior analytics that just works.

Download Datasheet

Catch threats other security solutions miss

If you're watching what's happening with your data, attackers can't hide. Varonis combines a unique set of ingredients to uncover threats across the kill chain, like suspicious data access, abnormal logon attempts, and DNS exfiltration.

Request a Demo

Abnormal access to sensitive idle data

Suspicious service account behavior

Privilege escalation attempts

Unusual file upload/download activity

Data exfiltration

Mass file deletion

Mass file encryption

Permission changes on critical objects

Group membership changes

Abnormal lockout behavior

Unusual email send/receive activity

Brute-force attacks

Use of exploit kits

Password spraying

Unauthorized mailbox access

Lateral movement

DNS cache poisoning

Abnormal GPO changes

How it Works


Varonis collects billions of events from the right data sources, unobtrusively, and without endpoint agents

File access activity

File access activity

DNS and web requests

DNS and web requests

Email activity

Email activity

VPN events

VPN events

Shared link actions

Shared link actions

Login activity

Login activity

Then, we combine and enrich them


And use AI to learn behavior baselines and profiles


Our threat models alert on meaningful deviations


"DatAlert noticed the anomalous behavior right away, which helped us get ahead of the infection proactively... without Varonis, we wouldn't have known it was happening until it was much worse."

Fewer alerts, more answers

Quickly determine whether an alert represents a real threat or an insignificant anomaly without spending hours stitching together logs. Then, put alerts in a broader context: Is this alerted user on a watch list? Have they triggered any other alerts recently? Do they normally access sensitive data?

Fewer alerts, more answers
The most highly-rated Insider Risk Management solution on Gartner Peer Insights

The most highly-rated Insider Risk Management solution on Gartner Peer Insights

See the rankings
StarStarStarStarHalf Star

4.9 overall

across 200+ reviews

*as of Sept 1, 2021

Read the reviews

Get expert Incident Response help—for free

Our Incident Response team can help you investigate all kinds of attacks—from ransomware, to APTs, to insider threats, and more. We offer this service for free to customers and prospects.

Meet some of our analysts

Matt Radolec

Director, Security Architecture & Incident Response

Ryan O’Boyle

Security Analytics Manager

Ian McIntyre

Security Analyst, Incident Response

Madeleine Massee

Security Analyst, Incident Response

See results next week, not next year

“We couldn’t answer questions like, ‘What happened to this file?’ or ‘What did this user change?’ We needed a solution that would help us audit our file servers.”

Read case study

“Varonis detected behavioral patterns of ransomware and immediately disabled the impacted user to stop this behavior in its tracks. Varonis is the sole reason we were able to react so quickly, especially since the alert was detected outside of business hours.”

Read case study

“DatAlert noticed the anomalous behavior right away, which helped us get ahead of the infection proactively… without Varonis, we wouldn’t have known it was happening until it was much worse.”

Read case study

Bring data-centric visibility to your SIEM without breaking the bank

Increase the power of your SIEM with data-centric insights from Varonis. Send high-fidelity alerts (not raw logs) for correlation and investigation via syslog, SNMP, or one of our ready-made connectors.

Bring data-centric visibility to your SIEM without breaking the bank

Don’t just detect, block.

Automated responses that can end users’ sessions, change passwords, etc. can stop attacks in their tracks and limit damage.

Circle Shape

Powering 88% faster investigations

Auto-account discovery

Privileged users, service accounts, and executives are automatically identified based on their behavior.

Behavior analysis

Our security experts and data scientists continually introduce new behavior-based threat models to monitor patterns, track the latest APTs, and keep your data safe.

Personal device pairing

Users are auto-paired with their personal devices making it easier to detect when an account has been compromised.

Working hours and geolocation

A profile of each human user’s normal working hours and geolocation helps flag suspicious after-hours or atypical activity.

IP resolution

Varonis automatically resolves IP addresses to hostnames and geolocations, giving analysts helpful context and saving time.

Peer analysis

Varonis benchmarks each user against their peers and alerts you when they deviate from normal activity for their role.

Threat intelligence

URL reputation enrichment separates risky connections from normal ones.

Incident response playbooks

Auto-updated built-in playbooks provide guided next steps for investigations and incident responses.

Gain access to our world-class cybersecurity services

Free Incident Response service

Call on Varonis cybersecurity experts in the event of an incident

Read the datasheet

Free Purple Team exercise

Discover weak spots in your environment and bolster security defense

Read the datasheet

Free DatAlert optimization

Finetune DatAlert for your environment to enhance threat detection

Read the datasheet

Original, cutting-edge threat research

Learn about newly discovered strains of malware, APT activity, and ransomware

Read the blog


  • How much data can Varonis monitor?

    We have customers monitoring over 20PB of data while collecting and analyzing billions of events per day with Varonis.

    Our platform is built using a distributed event collection architecture, so it’s easy to scale up or down depending on your needs.

  • Will DatAlert slow down the systems that it’s monitoring?

    No. Varonis offloads the event collection from the servers we’re monitoring to a dedicated component called a collector. The resource impact on your servers will be trivial.

  • Does DatAlert require endpoint agents?

    No. Varonis monitors data stores, email, and Active Directory server-side, so there is no need to deploy endpoint agents.

  • Can I create my own alerts?

    Yes. You can leverage out-of-the-box threat models as well as create custom alerts that are specifically designed for your data and your environment.

    For example, you may choose to trigger an alert if an important folder’s permissions change or a specific user logs into a restricted system. The possibilities are endless.

  • Can I automate threat responses?

    Varonis comes with a set of pre-configured threat response. You can trigger an email, send alerts to syslog, SNMP, or a supported SIEM.

    You can also automatically execute an .exe or PowerShell script as part of the alert itself.

    Some of our customers, for example, use a basic PowerShell script to disable a user’s account and power down their computer when Varonis recognizes ransomware behavior.

  • Does it integrate with other security products?

    Varonis integrates directly with LogRhythm, Splunk, ArcSight, ServiceNow, and QRadar, and supports more integrations via syslog.

    Not sure if your integration is supported? Get in touch and we'll work with you to find out.

  • How easy are threat models to deploy?

    The Varonis threat models are available out-of-the-box with the DatAlert. There is no need to write custom models or correlation rules. As we release new threat models, you can install them automatically via the VIP (Varonis Installation Package) process.

    If you are an existing Varonis customer, but don’t have DatAlert installed, it can be fully deployed and ready to go in just a few clicks. The Varonis Data Security Platform is a single codebase, so new modules can be enabled very quickly.

  • Is the learning period different for different threat models?

    Yes. Our machine learning threat models rely on behavioral profiles that improve over time and gradually become tailored to your environment.

    Certain abnormal behaviors, such as ransomware or brute-force attacks, can be detected immediately after deploying DatAlert. Other models that rely on a user’s normal working hours or peer analysis take longer to become pinpoint accurate.

    Our free DatAlert Optimization service ensures that your instance is well-tuned and triggering hi-fidelity alerts.

Want to see DatAlert in action?