Intrusion Detection

The Threat Stack Cloud Security Platform® offers intrusion detection across your host, containers, and infrastructure control plane to alert you to signs of compromise.

Book Your Demo

The Threat Stack Difference

Detect More Events

Detect More Events

Threat Stack combines multiple detection and assessment technologies that scour your cloud infrastructure. More ways to detect means more attacks detected.

Cut to the Chase

Cut to the Chase

Threat Stack provides near real-time alerting that surfaces the context you need to investigate and respond quickly, without having to dig through mountains of data.

Let Us Do the Legwork

Let Us Do the Legwork

Short on resources? Let your Security team focus on other projects while the Threat Stack experts monitor your infrastructure and triage high severity alerts.

We know that, if we detect a malicious event, we are able to go back and search to see who launched the process, what it did, what it connected to, and how to proceed.

Trevor HawthorneWombat Security

Infrastructure has changed. So should your intrusion detection.

Most IDS solutions offer signature- or network-based technology.

The Problem?

Network-Based IDS Leaves Blind Spots.

Without a traditional physical perimeter, it’s difficult to monitor who’s coming in and out. Plus, you lack visibility into what happens when someone bypasses your new software-defined perimeter by taking advantage of encrypted communications such as HTTPS or SSH.

Signature-Based IDS Won’t Catch the Unknown.

If you’re relying on a database of known attacks, you’re always going to be one step behind the advanced attacker or a targeted attack. Since more attackers are leveraging packing or encrypting techniques, no zero day is required to get through your defenses.

Learn How Nuxeo Secures Their Infrastructure

I would definitely recommend Threat Stack to any type of organization, small or big, because it will help you achieve complete infrastructure security at an affordable cost.

Remi CattiauHead of Security, Nuxeo

Watch Video

How Threat Stack IDS Works

Multiple Layers of Infrastructure. One Timeline to Follow.

Infrastructure Control
Plane Monitoring

Threat Stack ingests data from services like AWS CloudTrail to alert you of changes made like instances spun up in unused regions.


Threat Stack’s lightweight agent monitors system, user, and file behavior on the host to alert you to signs of compromise — from the inside or outside.


Threat Stack integrates with Docker to alert you to suspicious activity — like someone logging into a container.

How Threat Stack IDS Works

Follow Your Attacker as They Traverse Your Infrastructure

Threat Stack gives you a timeline of events, which you can view by user, IP address, or server, helping you investigate alerts quickly and effectively. No more jumping between tools to piece together clues.


Detect Attacks, Even if They Haven’t Hit the Headlines

Unlike solutions that rely on databases of known attacks, Threat Stack uses behavioral analysis to look for suspicious behavior that indicates you’ve been compromised. This enables you to detect attackers regardless of the methods used, whether they’re external threats or inside actors.

We needed an automated solution that could quickly carry out the first round of analysis, so we could then make risk-based decisions based on clear, structured evidence.

Sabino MarquezAllocadia

What we look for

Threat Stack behavioral analysis looks for potential signs of compromise and collects data such as:

  • User Logins
  • TTY Timelines
  • File Copies, Access, Modifications, & Deletions
  • Privilege Escalations
  • Login Attempts and Failures
  • Suspicious Commands
  • Network Connections (e.g., accept connections to SSH and HTTP, external connections for command and control)
  • CloudTrail Events
  • New Processes and Kernel Modules
  • Known Vulnerabilities

See For Yourself

Book Your Demo