The platform

One system for internal network visibility.

Intrudect combines passive network metadata analysis, isolated-segment egress validation, decoy-service monitoring, and regex-based log monitoring in one centrally managed platform. Agents do the watching; you work in a single Web UI.

Architecture

Agents in the environment. Operators in one console.

Agents collect metadata and generate alerts where the traffic is. Everyone else interacts only with the central Web UI — for triage, investigation, and configuration.

Network Agent
Passive traffic analysis: internal attack behaviour, service exposure, and policy violations from port-mirrored (SPAN) traffic.
Egress Agent
Validates whether isolated or restricted segments can unexpectedly reach outside networks.
Honeypot
Decoy TCP/UDP services as a low-noise tripwire for reconnaissance and lateral movement.
Log Agent
Regex-based monitoring of system and application log files.
IOC Proxy
Aggregates MISP, Suricata rules, and user-defined IP/DNS blocklists into unified threat feeds — agents fetch from it locally, so nothing else needs internet access.
Central Web UI
Alert triage, search, dashboards, configuration, user management, integrations, exports, and a public REST API.
The components

What each part does.

01 · network agent

Sees the movement

Passively analyses traffic metadata and selected protocol activity from a SPAN port: scans, lateral movement, DNS tunnelling and C2, rogue DHCP/DNS, unauthorized services, IOC matching against aggregated threat feeds, and Suricata rule detection. Full detection list on the features page.

02 · honeypot

The tripwire

Configurable TCP/UDP listeners on selected IP and port combinations, with multiple IPs per instance and protocol emulation for common services (SSH, Telnet, FTP, mail, HTTP, databases, LDAP, VNC, SMB) to capture what an attacker attempts. Detects both SYN (half-open) and full connect scans, alerts on connection initiation, and captures full session PCAP on disconnect.

03 · egress agent

Proves isolation is real

Runs 24/7, actively attempting outbound communication from sealed segments using DNS (A/AAAA/TXT), IPv4/IPv6 pathways, ICMP, proxy abuse, and discovered gateways. Alerts identify the leaking segment and the exact method that got out. A local read-only status web UI and JSON API on the agent show workers, recent activity, and runtime state.

04 · log agent

Watches your logs

Extends coverage into host and application logs with user-defined regex. Unlimited concurrent files per agent, custom message and severity per rule — syslog, web, database, and audit logs, including auditd and honeyfile access.

05 · central web ui

Where you actually work

Agent management and configuration, per-module tuning, network segment and allowed-service management, agent health monitoring, and remote self-updating via signed packages. Password auth with MFA (TOTP and YubiKey), role-based permissions, and an audit log of every authentication and configuration change. A public REST API (/api/v1, bearer-token authenticated) exposes alert and metadata search, exports, and configuration for scripting and integrations — see the API reference.

Investigation

Actionable metadata, not endless packet review.

Intrudect stores detailed context so alerts are investigable without full packet capture for every event.

All traffic
Timestamp, source/destination IP, MAC, port, reverse PTR value, ASN.
DNS
Query content, record type (A, AAAA, CNAME, …), query values, DNS server.
TCP sessions
Connection duration, bytes and packets both directions, SNI from TLS, PTR and ASN enrichment.
UDP flows
Flows grouped by source/destination IP and port, SNI extracted from QUIC — same search, export, and report views as TCP.
DHCP
Requests and responses, hostname values, assigned IP addresses.
HTTP
Request URL, host header, user-agent value.
Devices
IP, MAC, vendor, hostname, first seen, last seen.
Services
Observed internal TCP/UDP services with first-seen and last-used timestamps.
Forensics
Optional PCAP snippets attached to qualifying alerts.
Deployment

Runs on your hardware — bare metal or virtual.

Packaging
Debian (.deb / APT) and RHEL (.rpm / DNF).
Architectures
amd64 / x86_64 and arm64.
Connectivity
No internet access required to operate. No telemetry, no call-home.
Updates
APT repository, manual, or centrally via the Web UI — all GPG-signed.
Licensing
Per-agent. No feature tiers — every agent ships with its full detection capability.
Model
Self-hosted. Single-site, multi-site, and reseller/SaaS operation.