VMware vDefend Advanced Threat Prevention adds multi-layer threat detection and response to your VCF environment. It combines IDS/IPS, network traffic analysis, malware prevention, and network detection & response into a single platform built into the hypervisor — no additional network appliances required.
VMware vDefend Advanced Threat Prevention
What is VMware vDefend Advanced Threat Prevention?
VMware vDefend Advanced Threat Prevention (ATP) is an add-on to the vDefend Distributed Firewall that adds IDS/IPS, network traffic analysis, malware prevention, and network detection & response to VMware Cloud Foundation. It operates at the hypervisor level, inspecting east-west traffic between workloads without requiring additional network appliances or traffic mirroring. SE Labs has certified vDefend ATP with an AAA rating for enterprise advanced security detection.
Perimeter firewalls protect north-south traffic entering and leaving the data center. But most modern attacks move laterally between workloads once inside. Traditional security tools have three gaps that ATP addresses.
Perimeter-based IDS/IPS appliances only see traffic crossing the network edge. East-west traffic between workloads — where lateral movement, ransomware propagation, and data exfiltration happen — is invisible to them.
vDefend ATP inspects traffic at the hypervisor layer, covering every workload-to-workload connection without network reconfiguration or traffic hairpinning.
Security teams managing separate IDS/IPS, NTA, and malware tools receive thousands of individual alerts daily. Without correlation, analysts spend hours triaging events that may be parts of the same attack.
ATP's Network Detection & Response engine automatically correlates IDS/IPS, NTA, and malware signals into unified intrusion campaigns mapped to MITRE ATT&CK — reducing alert volume and surfacing complete attack narratives.
When a threat is detected, analysts typically pivot between multiple consoles, correlate logs manually, and draft remediation steps. This delays containment and increases the blast radius of an attack.
ATP includes GenAI-powered Intelligent Assist that provides natural-language threat summaries, investigation guidance, and recommended remediation actions — accelerating response from hours to minutes.
ATP addresses specific security scenarios where perimeter-only protection falls short. These are the most common deployment drivers.
Many organizations run legacy applications or operating systems that cannot be patched immediately — or at all. Zero-day vulnerabilities and delayed patch cycles leave these workloads exposed.
ATP's IDS/IPS applies signature-based protection at the hypervisor level, blocking known exploits before they reach the workload OS. This provides protection without requiring OS-level changes.
Typical scenario: A hospital runs a medical imaging system on Windows Server 2012 that cannot be upgraded. ATP IDS/IPS shields the workload from known CVEs while the organization plans a longer-term migration.
Ransomware typically enters through a single compromised endpoint and spreads laterally across the network. By the time perimeter tools detect it, multiple workloads are already encrypted.
ATP's Network Traffic Analysis uses ML-based behavioral detection to identify lateral movement patterns — port scanning, beaconing, unusual DNS queries — and the Malware Prevention Service analyzes both file-based and fileless malware in real time.
Typical scenario: A compromised workload begins scanning adjacent subnets. NTA detects the anomalous port scanning behavior and triggers an alert before the attacker establishes persistence on additional hosts.
Security operations teams need a consolidated view of threats across the environment. When IDS/IPS, NTA, and malware signals are scattered across separate tools, investigation is slow and incomplete.
ATP's NDR engine correlates signals from all detection layers into unified intrusion campaigns. Each campaign maps to MITRE ATT&CK tactics and techniques, giving analysts a complete attack narrative instead of fragmented alerts.
Typical scenario: A SOC analyst sees a single NDR campaign that correlates an IDS signature match, anomalous DNS tunneling traffic, and a malware file detection — all linked to the same compromised workload. Intelligent Assist provides a natural-language summary and recommended containment steps.
PCI-DSS requires intrusion detection on all critical network segments. HIPAA mandates monitoring for unauthorized access to systems containing protected health information. Many compliance frameworks require documented IDS/IPS capabilities.
ATP provides hypervisor-level IDS/IPS with logging and audit trails that map directly to these compliance requirements — without deploying and maintaining separate IDS/IPS appliances on each network segment.
Typical scenario: An organization preparing for PCI-DSS audit needs IDS/IPS coverage across all cardholder data environment segments. ATP provides this at the hypervisor layer, covering every workload without deploying physical or virtual IDS appliances per segment.
vDefend ATP operates as four integrated detection layers plus an AI investigation assistant. Each layer addresses a different class of threat. Together they provide correlated, multi-signal threat detection built into the hypervisor.
VMware vDefend includes three security products that build on each other. Use this comparison to understand which capabilities each product provides and determine the right level of protection for your environment.
VMware vDefend Advanced Threat Prevention (ATP) is a multi-layer threat detection and response add-on for VMware Cloud Foundation. It extends the vDefend Distributed Firewall with four detection engines: IDS/IPS, network traffic analysis, malware prevention, and network detection & response.
All detection runs at the hypervisor level, meaning it sees east-west traffic between workloads without requiring network reconfiguration, traffic mirroring, or additional appliances. SE Labs has certified ATP with an AAA rating for enterprise advanced security detection.
The vDefend Distributed Firewall provides Layer 2-7 stateful firewall capabilities, micro-segmentation, and zero-trust access controls. It controls what traffic is allowed between workloads.
Advanced Threat Prevention adds threat detection on top of the firewall. IDS/IPS detects known exploits via signatures. Network Traffic Analysis uses machine learning to detect behavioral anomalies like lateral movement and data exfiltration. Malware Prevention analyzes files and in-memory activity. NDR correlates all these signals into unified intrusion campaigns mapped to MITRE ATT&CK.
Think of it this way: Distributed Firewall is policy enforcement. ATP is threat detection and investigation.
vDefend Advanced Threat Prevention requires two prerequisites: VMware Cloud Foundation (base platform) and the vDefend Distributed Firewall (add-on). ATP is then added as a second add-on on top of the Distributed Firewall.
All three are per-core subscriptions sold through authorized resellers. Broadcom does not publish list pricing publicly. Contact our team with your core count and security requirements for a complete quote.
For east-west (internal) traffic, yes. vDefend ATP operates at the hypervisor level and inspects all traffic between workloads — including traffic that perimeter IDS/IPS appliances cannot see. Organizations commonly use ATP to replace physical IDS/IPS for internal traffic.
For north-south (perimeter) traffic, most organizations maintain their existing perimeter security stack while using ATP for the internal network. The two approaches complement each other rather than overlap.
The hypervisor-level approach also eliminates scaling concerns — detection capacity grows automatically as you add hosts, without deploying additional appliances.
The core ATP detection engines (IDS/IPS, NTA, Malware Prevention, NDR) run natively within the VCF hypervisor layer. They require VMware Cloud Foundation.
For organizations with mixed environments, the NDR Sensor provides out-of-band detection capabilities for physical networks and non-vSphere virtualization platforms. This extends threat correlation and campaign visibility beyond the VCF footprint.
Datasheets & Technical
vDefend Advanced Threat Prevention Datasheet
Secure Private Cloud with VMware vDefend
VirtualizationWorks is an authorized VMware reseller. We help IT and security teams evaluate vDefend Advanced Threat Prevention, size the deployment, understand licensing requirements, and plan integration with existing security operations.