Locus NDR

Locus NDR (Network Detection & Response)

Locus is the Network Detection and Response module. It closes the visibility gap that endpoint agents cannot reach by inspecting network traffic across both north-south (perimeter) and east-west (internal) paths. Because it observes the wire rather than the host, Locus sees activity from unmanaged, IoT, and operational technology devices on which no agent can be installed, as well as the lateral movement and reconnaissance that unfold entirely between internal systems. Running as a high-performance, multi-threaded deep-packet-inspection engine, Locus reconstructs flows and sessions, parses application-layer protocols, extracts and hashes transferred files, and emits richly structured event telemetry. It can operate passively as an intrusion detection system (IDS) or inline as an intrusion prevention system (IPS) that blocks malicious traffic on match. All output is normalized and fused with endpoint and identity evidence in the shared correlation engine, so a network signal becomes part of one coherent incident rather than an isolated alert.

Sensor Deployment and Traffic Acquisition

Locus sensors receive traffic through network TAPs, switch SPAN or mirror ports, or virtual taps in cloud and virtualized environments, and can also be placed inline where active blocking is required. Sensors can be distributed across data centres, branch sites, and cloud segments, all reporting into the central platform, allowing both perimeter and internal segments to be monitored from a single management plane.

Locus NDR Key Features

Signature and anomaly-based detection.

A high-throughput engine evaluates traffic against a continuously updated threat ruleset while flagging protocol anomalies and deviations from normal communication patterns in real time.

Deep protocol parsing.

Native decoding of HTTP and HTTP/2, TLS, DNS, DHCP, SMB, QUIC, and more, exposing URIs, headers, methods, TLS SNI and ALPN, certificate details, and DNS query and response data to both detection logic and investigators.

Encrypted-traffic analysis

TLS and QUIC client and server fingerprinting (JA3, JA3S, and JA4) identifies malicious sessions and reused malware fingerprints without decryption, preserving privacy and performance.

File extraction and hashing.

Files transferred over the network are carved from the stream, typed, and hashed for malware lookup and evidentiary retention under policy control.

File extraction and hashing.

Files transferred over the network are carved from the stream, typed, and hashed for malware lookup and evidentiary retention under policy control.

Full-fidelity flow and session records.

Continuous connection and session metadata models normal behaviour and underpins command-and-control, beaconing, tunnelling, and data-exfiltration detection.

Locus NDR Benefits

Eliminates the network blind spot

Detects adversaries that never touch an instrumented endpoint, including unmanaged and OT/IoT devices.

Privacy-preserving detection

Encrypted-traffic fingerprinting identifies threats without breaking confidentiality or decrypting sessions.

Continuous asset discovery

Passively inventories everything talking on the network, exposing rogue and shadow devices as they appear.

Early lateral-movement containment

East-west visibility surfaces internal pivoting before an intruder reaches high-value systems.

Unified investigations

Network signals fuse with endpoint and identity evidence, so an analyst moves from alert to session to extracted file in one place.

Use Cases

Unmanaged, OT, and IoT visibility

Detect threats on devices that cannot host an agent, including industrial, medical, and building-automation equipment.

Command-and-control discovery

Reveal beaconing and covert channels used by malware and postexploitation frameworks, even over encrypted transport.

Shadow-IT and rogue-asset detection

Continuously inventory everything talking on the network and flag devices that should not be there.

Lateral-movement containment

Surface internal scanning and pivoting early, before an intruder reaches high-value systems.

Ready to take your business to new heights?

Get in touch, and let’s make it happen.

FAQs

1. What does Locus NDR do?

It monitors and analyses network traffic to detect threats across the perimeter and inside the network,
complementing endpoint-based detection.

It combines signature, protocol-anomaly, and flow-based detection with encrypted-traffic fingerprinting
and file extraction, and can run as either an IDS or an IPS.

No. Locus observes network traffic directly, so it sees unmanaged, IoT, and OT devices that cannot host an
agent.

Yes. It fingerprints TLS and QUIC sessions (JA3/JA3S/JA4) to identify malicious activity without decrypting
the traffic.

Through network TAPs, SPAN/mirror ports, or virtual taps in cloud environments, and inline where active
blocking is required.

Both. It runs passively as an IDS for detection and forensics, or inline as an IPS to drop malicious traffic.

Its structured telemetry is fused with endpoint and identity evidence in the shared correlation engine,
forming one coherent incident.

Create your account