Network security operations centers face a fundamental challenge: traffic volumes are exploding while the expertise required to extract meaningful insights from that traffic remains scarce. Traditional packet brokers excel at collecting and forwarding data, but they require extensive manual programming to identify patterns, configure filters, and adapt to evolving threats. As networks grow more complex and security requirements become more demanding, this manual approach creates bottlenecks that limit both operational efficiency and threat detection capabilities.
To explore how AI can address these limitations, The Tolly Group recently spoke with Recep Ozdak, Vice President and General Manager of Keysight Technologies' Network Visibility Division.
What Traditional Packet Brokers Do and Don't Do
Network packet brokers serve as intelligent traffic directors in data center environments. They aggregate data copied from network taps, perform functions like deduplication and filtering, and then distribute the processed traffic to downstream security and monitoring tools. Think of them as traffic control systems that take raw packet streams and route specific subsets to the right analysis tools.
Legacy packet brokers excel at collecting and forwarding packets without drops, particularly when using FPGAs for deterministic processing. However, they operate as passive conduits that require extensive manual configuration. Engineers must hand-craft every filter, define every pattern match, and continuously update rules as applications and threats evolve.
This manual approach creates several operational challenges. IT professionals typically manage dozens of vendors and hundreds of products, making it impossible to master every feature and capability. As Ozdak explained, "You're an IT professional. You might be dealing with 20 different vendors, 100 different products. You're not going to become an expert in all of them." Meanwhile, vendors continuously add new features that often go unused because operators lack the time to learn and implement them effectively.
Keysight's AI-Enabled Approach
Keysight's AI-enabled packet brokers fundamentally change this dynamic by shifting from reactive programming to proactive learning. Rather than requiring pre-programmed rules, these systems observe network traffic patterns over extended periods to establish baseline behaviors.
Ozdak explained how the learning process works: "With AI, now we can essentially install a packet broker, ask it to listen to the environment, to all that data going inside a network for let's say 30 days so that they identify what a baseline normal behavior is. And then, once they learn it, now they can automatically detect what is abnormal because they've been listening for 30 days as to what this normal behavior is."
This learning capability extends beyond simple anomaly detection. The AI can suggest configuration improvements, automatically apply optimizations, and even revert changes if they don't produce expected results. The system might proactively suggest new capabilities and offer to configure them automatically for trial periods.
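The learn-then-detect idea described above can be illustrated with a small added example. This is not Keysight's code or algorithm, which the article does not describe; the flow-record tuple layout, the `K_SIGMA` and `MIN_SIGMA` thresholds, and the sample addresses are all assumptions constructed for the illustration.

```python
# Added illustration: learn a per-flow baseline, then flag deviations (not Keysight's algorithm).
from collections import defaultdict
from statistics import mean, pstdev

LEARN_DAYS = 30   # learning window quoted in the interview
K_SIGMA = 4.0     # assumed threshold: daily volume beyond mean + 4 sigma is flagged
MIN_SIGMA = 1024  # assumed floor (bytes) so near-constant flows do not alert on noise

def learn_baseline(records):
    """records: (day, src, dst, dport, bytes). Returns {flow_key: (mean, sigma)} of daily bytes."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, dport, nbytes in records:
        if day <= LEARN_DAYS:
            daily[(src, dst, dport)][day] += nbytes
    baseline = {}
    for key, per_day in daily.items():
        # Days without traffic count as zero, so rarely used flows get a low mean.
        series = [per_day.get(d, 0) for d in range(1, LEARN_DAYS + 1)]
        baseline[key] = (mean(series), max(pstdev(series), MIN_SIGMA))
    return baseline

def detect(records, baseline):
    """Score days after the learning window; return sorted (day, flow_key, reason) alerts."""
    daily = defaultdict(int)
    for day, src, dst, dport, nbytes in records:
        if day > LEARN_DAYS:
            daily[(day, (src, dst, dport))] += nbytes
    alerts = []
    for (day, key), total in daily.items():
        if key not in baseline:
            alerts.append((day, key, "new_flow"))
        elif total > baseline[key][0] + K_SIGMA * baseline[key][1]:
            alerts.append((day, key, "volume"))
    return sorted(alerts)

def sample_records():
    """Constructed data: a web client and a nightly backup, then two deviations."""
    recs = []
    for day in range(1, 33):
        recs.append((day, "10.0.0.5", "10.0.1.10", 443, 50_000 + (day % 5) * 1_000))
        recs.append((day, "10.0.0.7", "10.0.2.20", 873, 2_000_000 + (day % 3) * 10_000))
    recs.append((31, "10.0.0.5", "10.0.1.10", 443, 5_000_000))  # spike on a known flow
    recs.append((32, "10.0.0.7", "203.0.113.9", 22, 40_000))    # peer never seen while learning
    return recs

if __name__ == "__main__":
    for alert in detect(sample_records(), learn_baseline(sample_records())):
        print(alert)
```

Both deviations are caught without any hand-written filter: the spike is judged against that flow's own history, and the new destination is flagged only because it never appeared during the learning window.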
Dual Implementation Strategy
Keysight's approach supports AI applications in two ways. First, the company is developing its own AI applications under what it calls the AI Stack, scheduled for release by the end of 2025. This will include planned anomaly detection modules and applications for detecting AI traffic within networks. Currently, only one Keysight-developed AI application is generally available: a solution for detecting AI applications within networks, developed in response to customer demand.
Second, the company enables third-party security vendors to run their AI applications directly on the packet brokers. This eliminates the need for separate appliances while ensuring all data flows through a single collection point. Third-party AI applications are currently available from vendors including Nozomi, Forescout, Allegro, and Instrumentix, with several others actively working to port their applications.
Hardware Upgrades Enable AI Performance
Supporting AI applications requires more than software changes. Keysight upgraded its packet broker hardware with additional memory, storage, and improved CPUs specifically to handle AI's intensive data processing requirements. The platforms also feature the company's latest FPGAs to manage increased computational demands while maintaining deterministic packet processing.
"You need this with AI, better CPUs, and of course, we still use our FPGAs and we upgraded with our latest FPGAs just because AI uses a lot of data," Ozdak noted.
These hardware improvements enable real-time AI processing at the point where all network traffic converges, eliminating the latency and complexity associated with downstream analysis. This architecture delivers faster threat detection and more efficient resource utilization compared to traditional approaches requiring separate AI appliances. Third-party AI-enabled capabilities are currently available on Keysight's E1S, VisionX, and V400 packet broker platforms, with plans to extend support across the entire portfolio.
Primary Markets and Applications
Keysight's AI-enabled packet brokers target heavily regulated industries including financial services, healthcare, and government agencies. These sectors handle large volumes of sensitive data and face strict compliance requirements that drive packet-level monitoring needs.
Cybersecurity represents the dominant use case across these markets. Roughly 70 percent of Keysight's packet broker deployments support cybersecurity tools, Ozdak told Tolly, making early detection capabilities critical for cost-effective remediation.
"We have met with customers where they didn't realize that they were hacked for months or even years," Ozdak said. "The sooner that we essentially apply these methods, the better it is. And typically, the sooner you apply, the cheaper it is to provide cybersecurity defenses."
While AI enables faster threat detection by processing vast amounts of data, Ozdak acknowledges the technology cuts both ways. Attackers are also adopting AI to make their activities appear like normal network behavior, creating an ongoing technological arms race.
Telecommunications providers implementing private 5G networks represent another growing market segment. These deployments expand attack surfaces while requiring both service assurance and cybersecurity monitoring capabilities, making them natural candidates for AI-enabled visibility solutions.
The Software-First Industry Trend
A significant market shift is driving adoption of Keysight's approach: security tool vendors increasingly want to exit the hardware business to focus on software development. As Ozdak explained, "Everybody just wants to be a software company. The problem is that that software has to run somewhere."
This trend creates opportunities for packet broker vendors like Keysight, which continues investing in hardware platforms. Rather than requiring separate appliances for each security tool, organizations can consolidate AI applications onto the high-performance packet brokers that already process all network data flows. The shift reduces deployment complexity, cuts rack space requirements, and improves performance by eliminating the need to replicate packet streams across multiple hardware platforms.
Implications for Network Architects
As network traffic continues growing and security threats become more sophisticated, AI-enabled packet brokers offer a path toward automated threat detection and optimized infrastructure utilization. The ability to learn baseline behaviors and automatically detect anomalies addresses the expertise gap that many organizations face in managing complex security infrastructures.
For organizations struggling with manual packet broker configuration and under-utilized security features, AI capabilities provide both immediate operational benefits and long-term scalability advantages.
Key Takeaways
Legacy packet brokers rely on manual rule configuration and pattern definition
AI-enabled brokers establish baselines through extended traffic observation periods
Keysight offers both its proprietary AI Stack and hosting for third-party applications
AI workloads require hardware upgrades beyond traditional packet broker requirements
Cybersecurity use cases dominate current packet broker installations
Industry trend toward software-only security tools creates consolidation opportunities
Learn More
For more information about Keysight's AI-enabled visibility solutions and partner ecosystem, visit: getnetworkvisibility.com