Paloryx Labs
How the product is built

DNS-layer threat detection,
entirely on your network.

This page covers what the product actually does, where the data lives, and what crosses the wire — the questions a security buyer asks first. Pricing and tier details come later, after we've had a chance to talk about your deployment.

Where queries live

Every DNS query is resolved internally. The query log lives in a local database under your control, with retention you set. We have no copy. We can't produce one under subpoena because we never received it.

How threats are scored

Three independent layers fuse into a 0–100 score per query: heuristic signals (DGA entropy, fast-flux, newly-registered domains, subdomain enumeration), lexical similarity (Damerau-Levenshtein with confusable substitutions for typosquats and homoglyph attacks), and semantic similarity (a pre-trained embedding model compared against curated reference banks).
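As an added illustration, not the product's own code, here are two of the three layers in Python: the lexical layer as Damerau-Levenshtein distance in which confusable substitutions cost less than arbitrary ones, and the DGA-entropy heuristic. The brand anchors, the confusable table, the 0.5 substitution cost and the single-label public-suffix handling are assumptions; the fusion rule is not shown.

```python
"""Added example (not the product's code): lexical similarity with confusable-aware
Damerau-Levenshtein (optimal string alignment variant) plus a DGA entropy heuristic.
Brand anchors, confusable pairs and the cost value are constructed for illustration."""
import math
from collections import Counter

# Constructed confusable pairs: a homoglyph swap is visually cheap for an attacker,
# so it is charged less than an arbitrary substitution.
CONFUSABLES = {("0", "o"), ("1", "l"), ("1", "i"), ("5", "s"), ("3", "e")}
CONFUSABLE_COST = 0.5
BRAND_ANCHORS = ["paypal", "microsoft", "github"]  # constructed reference bank


def sub_cost(a: str, b: str) -> float:
    if a == b:
        return 0.0
    if (a, b) in CONFUSABLES or (b, a) in CONFUSABLES:
        return CONFUSABLE_COST
    return 1.0


def dl_distance(s: str, t: str) -> float:
    """Insert/delete/adjacent-transpose cost 1; substitution uses sub_cost()."""
    m, n = len(s), len(t)
    d = [[0.0] * (n + 1) for _ in range(m + 1)]
    for i in range(m + 1):
        d[i][0] = float(i)
    for j in range(n + 1):
        d[0][j] = float(j)
    for i in range(1, m + 1):
        for j in range(1, n + 1):
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                          d[i - 1][j - 1] + sub_cost(s[i - 1], t[j - 1]))
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[m][n]


def registrable_label(qname: str) -> str:
    """Second-level label of a query name (assumption: one-label public suffix)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lexical_score(qname: str, brands=BRAND_ANCHORS):
    """Closest brand anchor and a 0-100 similarity; the brand's own domain (100)
    would be excluded by an allowlist in a real deployment."""
    label = registrable_label(qname)
    best, best_d = min(((b, dl_distance(label, b)) for b in brands), key=lambda x: x[1])
    return best, round(100 * (1 - best_d / max(len(label), len(best))), 1)


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits/char) of the label; DGA-generated labels run high."""
    label = registrable_label(qname)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())
```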

Where the threat intel comes from

Curated public threat-intelligence sources, embedded into reference banks bundled with the installer. Refreshed daily via cloud delta. No commercial feed subscription required, no per-customer license risk. Specific source list and licensing review available to qualified buyers under NDA.

What crosses the wire

A daily threat-bank delta pull from our cloud (zero customer data sent — only bank updates received). A periodic license heartbeat that transmits product version, platform, and uptime — nothing about your queries, devices, or detections. The optional k-anonymized cloud lookup sends a 4-byte SHA-256 prefix when an uncertain query needs a second opinion; this lookup is admin-controlled and disabled by default.

What you can prove to an auditor

Every admin action lands in an append-only audit log with actor, action, target, timestamp. Every blocked query is explained: which signals fired, what category, what reference matched, what the score was. Your compliance officer can answer “why was this blocked” without forensic engagement.

Where it runs

Single-tenant on-premises. Lightweight enough for an SMB office — battle-tested architecture suitable for fleet deployments. No external dependencies for the detection layer. Specific platform support and deployment options confirmed during sales conversation.

What ships in the product

The full capability list, grouped by what each capability is for. Detection runs in every install; operations and network integrations scale with deployment size.

Core detection

  • DNS-over-TLS / DNS-over-HTTPS support
  • Reputation-based blocking against curated public blocklists
  • Per-device, per-user, and per-group policies
  • Time-of-day schedules and category filtering
  • Local query log + audit trail under your retention policy
  • Plain-English explanations for every detection event

Threat intelligence (no subscription)

  • Three-layer threat scoring (heuristic + lexical + semantic)
  • Bundled reference banks of curated legitimate, malicious, and brand-anchor indicators
  • Daily delta refresh from curated public threat-intelligence sources
  • Brand-impersonation detection by semantic similarity, not just typosquat
  • Newly-registered domain (NRD) awareness
  • C2 beacon detection with timing-pattern analysis
  • Optional k-anonymized cloud lookup for uncertain scores (opt-in)

Operations & compliance

  • Append-only audit log of admin actions
  • Append-only event log of detection decisions with full reasoning
  • Append-only override log when admins allow or block manually
  • Local, self-managed retention — no SaaS-side log storage
  • Optional cloud lookup for uncertain scores can be admin-disabled
  • Single-tenant, on-premises, single-customer-per-install

Network integration

  • Automatic router DNS push for UniFi, Mikrotik, OPNsense
  • Split-horizon / local-zone DNS rules
  • Active Directory / LDAP user sync
  • Two-node high-availability pairing
  • WireGuard roaming profiles for off-network endpoints
  • SIEM event export (Splunk, Elastic, Datadog)

Some capabilities (HA pair, AD sync, SIEM export, WireGuard) target larger deployments. We'll talk through which apply to your environment when you reach out.

Ready when you are.

Currently in pre-release. We'd rather get this in the hands of a small group of organizations with concrete deployment requirements before opening it broadly.