Skip to main content


Hundreds of security teams process network telemetry via AE to uncover infected hosts and highlight anomalies that require investigation. High fidelity alerts can be escalated to SOAR platforms for triage, and lower fidelity items can be used by threat hunting staff to proactively investigate potential threats.

AE solves 65+ distinct use cases across the following high-level categories:

  • Traffic indicating a compromised host (e.g. C2 or malware distribution traffic)
  • Data exfiltration patterns, such as DNS or ICMP tunneling
  • Cryptomining traffic indicating infection or resource misuse
  • Targeted phishing campaign traffic (e.g. use of young lookalike domains)
  • Anomalies indicating infection, such as a cluster of suspicious events in a short period
  • Low-level protocol anomalies (e.g. SSH over a common port such as 80 or 443)
  • Policy violations (e.g. potentially unwanted programs and P2P network traffic)
  • Anonymizing circuit traffic, such as Tor, I2P, or Freenet