Locus sensors receive traffic through network TAPs, switch SPAN or mirror ports, or virtual taps in cloud and virtualized environments, and can also be placed inline where active blocking is required. Sensors can be distributed across data centres, branch sites, and cloud segments, all reporting into the central platform, allowing both perimeter and internal segments to be monitored from a single management plane.
A high-throughput engine evaluates traffic against a continuously updated threat ruleset while flagging protocol anomalies and deviations from normal communication patterns in real time.
Native decoding of HTTP and HTTP/2, TLS, DNS, DHCP, SMB, QUIC, and more, exposing URIs, headers, methods, TLS SNI and ALPN, certificate details, and DNS query and response data to both detection logic and investigators.
TLS and QUIC client and server fingerprinting (JA3, JA3S, and JA4) identifies malicious sessions and reused malware fingerprints without decryption, preserving privacy and performance.
Files transferred over the network are carved from the stream, typed, and hashed for malware lookup and evidentiary retention under policy control.
Files transferred over the network are carved from the stream, typed, and hashed for malware lookup and evidentiary retention under policy control.
Continuous connection and session metadata models normal behaviour and underpins command-and-control, beaconing, tunnelling, and data-exfiltration detection.
Detects adversaries that never touch an instrumented endpoint, including unmanaged and OT/IoT devices.
Encrypted-traffic fingerprinting identifies threats without breaking confidentiality or decrypting sessions.
Passively inventories everything talking on the network, exposing rogue and shadow devices as they appear.
East-west visibility surfaces internal pivoting before an intruder reaches high-value systems.
Network signals fuse with endpoint and identity evidence, so an analyst moves from alert to session to extracted file in one place.
Detect threats on devices that cannot host an agent, including industrial, medical, and building-automation equipment.
Reveal beaconing and covert channels used by malware and postexploitation frameworks, even over encrypted transport.
Continuously inventory everything talking on the network and flag devices that should not be there.
Surface internal scanning and pivoting early, before an intruder reaches high-value systems.
It monitors and analyses network traffic to detect threats across the perimeter and inside the network,
complementing endpoint-based detection.
It combines signature, protocol-anomaly, and flow-based detection with encrypted-traffic fingerprinting
and file extraction, and can run as either an IDS or an IPS.
No. Locus observes network traffic directly, so it sees unmanaged, IoT, and OT devices that cannot host an
agent.
Yes. It fingerprints TLS and QUIC sessions (JA3/JA3S/JA4) to identify malicious activity without decrypting
the traffic.
Through network TAPs, SPAN/mirror ports, or virtual taps in cloud environments, and inline where active
blocking is required.
Both. It runs passively as an IDS for detection and forensics, or inline as an IPS to drop malicious traffic.
Its structured telemetry is fused with endpoint and identity evidence in the shared correlation engine,
forming one coherent incident.
IT Performance and Security Solution Provider