CS Threat Assessment

Detect and analyze malware traffic in your network captures.

Cyber attacks today are bigger, faster, and happening more frequently than ever.

CS Threat Assessment takes you from an IDS alert and brings you right to the packets that triggered it.

Intrusion detection alerts are only the beginning of the story. You need to see the individual packet data to determine the root cause and protect your network.

Bring Your Own Rules (BYOR)

We know that security and malware threats evolve at an incredible pace, which is why CS Threat Assessment is built on top of the industry-standard Suricata IDS software.

CS Enterprise also delivers the industry-standard Zeek analysis tool, so you can run your PCAP through it with the click of a button.

Our "BYOR" policy means that you can bring along your own custom rules and Zeek (Bro) scripts, whether developed in-house, installed via zkg, or purchased from a third party such as Proofpoint.

CS Threat Assessment ships with the default ET Open ruleset, but allows full customization of the Suricata environment.

Understand the Structure of an Attack

CloudShark's ThreatVector diagrams offer a whole new way to approach threat analysis

See beyond the alert name

While many tools simply give a high-level overview of attacks or violations, they miss out on vital information.

CS Threat Assessment applies directionality to security alerts to produce threat vectors that show the structure and timeline of a compromise or attack.

See when it happened, where it came from, who was the target, and how and if it propagated.

The truth is in the packets

CS Threat Assessment makes it easy to drill down from a high-level alert all the way through the HTTP stream and even to the individual packet that triggered it.

Compare stream data side-by-side with the IDS rule criteria, making classification of alerts fast and easy.

Find root cause faster and share your analysis

CloudShark lets you easily collaborate with anyone to get to the bottom of an attack or anomaly. View a stream, filter out the offending packets, and share exactly what you’re looking at with colleagues and experts.

It even pulls detailed reference information out of alerts for you to continue your malware research.

Pivot to Zeek

Pivot from an alert right to the Zeek logs with help from the community-id field for every alert. Move from Suricata to Zeek to continue gathering evidence, or run more advanced custom scripts.
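The alert-to-Zeek pivot on the community-id field, as an added Python example that is not CloudShark's code: it computes the Community ID v1 flow hash from a Suricata eve.json alert's 5-tuple and uses it to look up the Zeek conn.log records carrying the same id, regardless of which direction each tool saw the flow in. The alert and conn.log lines are constructed samples; the uids, addresses and signature are hypothetical.

```python
import base64, hashlib, json, socket, struct
from collections import defaultdict

PROTO = {"TCP": 6, "UDP": 17}

def community_id(saddr, sport, daddr, dport, proto, seed=0):
    """Community ID v1 for a TCP/UDP flow; both directions hash to the same value."""
    fam = socket.AF_INET6 if ":" in saddr else socket.AF_INET
    sa, da = socket.inet_pton(fam, saddr), socket.inet_pton(fam, daddr)
    # canonical order: the lower address (then the lower port) goes first
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

# Constructed Suricata eve.json alert and Zeek conn.log JSON records (hypothetical values).
# Zeek recorded the same flow from the server side, so orig/resp are reversed vs. src/dest.
SURICATA_EVE = [json.dumps({
    "event_type": "alert", "proto": "TCP",
    "src_ip": "10.0.0.5", "src_port": 49152, "dest_ip": "203.0.113.7", "dest_port": 80,
    "alert": {"signature_id": 9000001, "signature": "HYPOTHETICAL TEST HTTP beacon"}})]
ZEEK_CONN = [
    json.dumps({"uid": "CXhypothetical1", "id.orig_h": "203.0.113.7", "id.orig_p": 80,
                "id.resp_h": "10.0.0.5", "id.resp_p": 49152, "proto": "tcp",
                "community_id": community_id("203.0.113.7", 80, "10.0.0.5", 49152, 6)}),
    json.dumps({"uid": "CXhypothetical2", "id.orig_h": "10.0.0.5", "id.orig_p": 53001,
                "id.resp_h": "192.0.2.53", "id.resp_p": 53, "proto": "udp",
                "community_id": community_id("10.0.0.5", 53001, "192.0.2.53", 53, 17)}),
]

def pivot(alert_lines, zeek_lines):
    """Index Zeek records by community_id, then for each Suricata alert recompute the id
    from its 5-tuple and return (signature, community_id, matching Zeek records)."""
    by_cid = defaultdict(list)
    for line in zeek_lines:
        rec = json.loads(line)
        by_cid[rec["community_id"]].append(rec)
    results = []
    for line in alert_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        cid = community_id(ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"],
                           PROTO[ev["proto"]])
        # if Suricata's eve output already carried a community_id, it must agree with ours
        if "community_id" in ev and ev["community_id"] != cid:
            raise ValueError(f"community_id mismatch on sid {ev['alert']['signature_id']}")
        results.append((ev["alert"]["signature"], cid, by_cid.get(cid, [])))
    return results

if __name__ == "__main__":
    for sig, cid, recs in pivot(SURICATA_EVE, ZEEK_CONN):
        print(sig, cid, [r["uid"] for r in recs])
```

The same lookup works against any Zeek log that carries community_id, and a non-zero seed must match the one configured in both Suricata and the Zeek community-id script.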

Zoom-in on the Details

See raw packet bytes and IDS rule source next to each other

CS Threat Assessment correlates IDS alerts with the packet or stream that triggered the alert in the first place. Deciding whether an alert is a false positive or legitimate can happen in one window, where the analyst has the raw PCAP bytes accessible in the same environment as the alert.

The raw source of the rule that fired is available, as well as a list of all the other alerts that triggered on the same packet or stream. You can quickly jump to a full follow-stream view for that traffic, or filter your PCAP by specific port information.

Best of all, it can be shared with a single URL. Perfect for asking someone else what they think, saving in incident reports, or attaching to issue tracking systems.

Perfectly Integrated into CloudShark

Threat Assessment is an add-on built right into CS Enterprise like all of our other analysis tools. Once you upload a PCAP file, open it and choose Threat Assessment from the Analysis Tools menu. You'll get a high-level summary in seconds. And, because it's from CloudShark, every view can be shared with your team simply by copying and pasting the URL.

It's quick and secure.

Threat Assessment Statistics

An easy to understand, high-level summary for everybody.

So just how bad is it?

CloudShark tells you how much of a bad thing you have going on, and helps you drill down to exactly the hosts and packets that are involved in each alert.

Who was exposed, and when?

Identify and document Indicators of Compromise from capture files while you are investigating an incident. Malware signatures, binaries, and other assets are all easily identified within CloudShark.

Is it still happening?

With CloudShark managing all your important capture files, you can quickly jump between events and dates to compare traces, making sure that malware has been cleaned up completely.

Start at a high-level and work your way down

When there's something strange going on, it helps to see it right up front. See how much malicious activity there is in your capture, and how bad it is, at a glance.

Go straight to the source

Bad actors can come from inside or outside your network. CloudShark breaks it down by both source and destination endpoints, letting you see who is involved so you can take the appropriate action.

Where in the world?

With built-in GeoIP mapping capabilities, you get a picture of where in the world suspicious traffic is coming from and going to.

Do security analysis from whatever you're holding.

CloudShark is entirely HTML based and doesn't require any client-side software or special plugins. CS Threat Assessment expands your capabilities to access packet capture and threat analysis from anywhere, on any device.

Take your malware fight to the next level