Intrusion Detection

Detect attacks before they turn into breaches. Remediate faster.

The Threat Stack Cloud Security Platform^® offers intrusion detection across your host, containers, and infrastructure control plane to alert you to signs of compromise.

Book Your Demo

The Threat Stack Difference

Detect More Events

Threat Stack combines multiple detection and assessment technologies that scour your cloud infrastructure looking for risky and anomalous behavior. More ways to detect means more attacks detected.

Cut to the Chase

Threat Stack provides near real-time alerting that surfaces the context you need to investigate and respond quickly, without having to dig through mountains of data to determine what happened.

Let Us Do the Legwork

Short on resources? Let your Security team focus on other projects while the Threat Stack experts monitor your infrastructure and triage high severity alerts. We’ll cut out the noise and help you understand if something is malicious or not.

We know that, if we detect a malicious event, we are able to go back and search to see who launched the process, what it did, what it connected to, and how to proceed.

Trevor HawthorneWombat Security

Infrastructure has changed. So should your intrusion detection.

Most IDS solutions offer signature- or network-based technology.

The Problem?

Network-Based IDS Leaves Blind Spots.

Without a traditional physical perimeter, it’s difficult to monitor who’s coming in and out. Plus, you lack visibility into what happens when someone bypasses your new software-defined perimeter by taking advantage of encrypted communications such as HTTPS or SSH.

Signature-Based IDS Won’t Catch the Unknown.

If you’re relying on a database of known attacks, you’re always going to be one step behind the advanced attacker or a targeted attack. Since more attackers are leveraging packing or encrypting techniques, no zero day is required to get through your defenses.

I like to call Threat Stack our big security blanket that’s always protecting us.

Steve CaldwellDirector of Engineering, Springbuk

How Threat Stack IDS Works

Multiple Layers of Infrastructure. One Timeline to Follow.

Infrastructure Control
Plane Monitoring

Threat Stack ingests data from services like AWS CloudTrail to alert you of changes made like instances spun up in unused regions.

Host-Based
Monitoring

Threat Stack’s lightweight agent monitors system, user, and file behavior on the host to alert you to signs of compromise — from the inside or outside.

Container
Monitoring

Threat Stack integrates with Docker to alert you to suspicious activity — like someone logging into a container.

Follow Your Attacker as They Traverse Your Infrastructure

Threat Stack gives you a timeline of events, which you can view by user, IP address, or server, helping you investigate alerts quickly and effectively. No more jumping between tools to piece together clues.

Detect Attacks, Even if They Haven’t Hit the Headlines

Unlike solutions that rely on databases of known attacks, Threat Stack uses behavioral analysis to look for suspicious behavior that indicates you’ve been compromised. This enables you to detect attackers regardless of the methods used, whether they’re external threats or inside actors.

We needed an automated solution that could quickly carry out the first round of analysis, so we could then make risk-based decisions based on clear, structured evidence.

Sabino MarquezAllocadia

What we look for

Threat Stack behavioral analysis looks for potential signs of compromise and collects data such as:

User Logins
TTY Timelines
File Copies, Access, Modifications, & Deletions
Privilege Escalations
Login Attempts and Failures
File Access, Modifications, & Deletions
Suspicious Commands
Network Connections (e.g., accept connections to SSH and HTTP, external connections for command and control)
CloudTrail Events
New Processes and Kernel Modules
Known Vulnerabilities

See For Yourself