HOW IT WORKS & DEPLOYMENT SAFETY
// Deployment, Operation, Boundaries

How it deploys.
What it requires.
What it blocks, and why.

Shield brings prevention-first network security to critical infrastructure environments. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.

At a Glance

What it doesBlocks malicious network traffic at the network layer using reputation-based threat intelligence.
Who it's forSecurity teams needing prevention-first network defense.
How it deploysShield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management.
What you getPrevention of known-bad connections with full evidence of what was blocked.

Public sector and critical infrastructure buyers ask the operational questions first. Will it cause downtime? What does my team have to do? What does it block, and how do I know? This page answers those questions in order, with the kind of specificity your IT and OT teams need to evaluate.

// Deployment Modes

Three modes.
You stay in control of the timeline.

Shield does not force you to turn on blocking before you are ready. Most public sector and critical infrastructure deployments start in observe-only mode and graduate to protect mode on a timeline the customer sets.

Mode 01

Observe-only

Shield runs in observe-only mode and logs every connection that would have been blocked, without blocking anything. Your team sees the traffic patterns, the attempted recon, and the outbound connections to known-bad destinations, with full visibility and zero impact to operations.

Available on Shield Stratus and Shield OnPremise.

Mode 02

Protect

Shield blocks known-bad traffic at the network edge. Outbound command-and-control connections are stopped before encryption begins. Inbound recon is blocked at the perimeter. The event log shows exactly what was blocked, when, and why.

Mode 03

Monitor-only (Shield Sentinel)

Shield Sentinel is a passive carrier-grade monitoring platform. It does not block traffic, does not use threat intelligence, and does not integrate with Shield Command Hub. Sentinel observes and logs network traffic at scale, for organizations that want visibility without enforcement.

// Deployment Sequence

From signed paperwork
to running in observe mode.

Most public sector deployments complete this sequence inside one calendar week. The sequence below is the typical path. Your environment may vary.

01

Scoping & topology review

Your team and ours walk through the network topology, identify the segments to cover, and confirm the deployment mode (Stratus for cloud, Shield OnPremise for on-network, Sentinel for passive monitoring, Endpoint for reputation-based filtering on Windows and Android).

02

Insertion point identified

For Shield OnPremise: typically inline at the perimeter or between network zones, with a span-port option for pure observation. For Stratus: integrated with AWS Gateway Load Balancer in your VPC. For Endpoint: deployed via your existing endpoint management.

03

Observe-only turn-on

Shield is enabled in observe-only mode. Your team sees the event log immediately. Outbound connections to known-bad destinations and inbound recon attempts that would have been blocked are now visible.

04

Review & readiness

Your team reviews the observed traffic with our deployment engineer. We document together what is being blocked and confirm there are no surprises. The duration of this phase is set by you, not by us.

05

Protect mode

When your team is ready, Shield is switched to protect mode. From that point forward, known-bad traffic is blocked at the network edge. The event log continues, now showing actual blocks instead of would-have-blocked entries.

// Team Requirements

What your IT and OT
teams have to do.

Public sector and critical infrastructure teams ask precisely what they will be on the hook for. The honest answer is: not much, and we share the work.

What You Do Not Do

  • Tune detection rules, write policies, or train a model
  • Forward logs to a SIEM, parse them, or maintain a parser
  • Triage daily alert volume or staff a SOC for Shield
  • Deploy endpoint agents on every device including unmanaged ones
  • Take production or clinical systems offline for deployment
  • Decrypt traffic, manage TLS keys, or break encrypted sessions

What You Do Do

  • Identify the network segments to cover and the deployment topology
  • Confirm an insertion point, span port, or VPC for the deployment
  • Review the observe-only event log with our deployment engineer
  • Decide when to graduate from observe-only to protect mode
  • Optionally forward Shield OnPremise Syslog to your SIEM
  • Hold a periodic review with your deployment engineer or partner
// What Shield Blocks

Reputation-based blocking.
Evidence-based decisions.

Shield does not guess. Every block is tied to a specific entry in the Global Threat Engine, the proprietary 8.5 billion IP and DNS combination database that has been built continuously since 2001. The event log shows the reason for each block.

Block Type 01

Outbound C2 traffic

When a device on your network attempts to reach a destination known to be a command-and-control endpoint, Shield blocks the connection before it completes. Blocking outbound C2 can interrupt ransomware coordination, staging, key exchange, or follow-on command activity, depending on the attack pattern. The earlier the connection is severed, the less the attacker can do.

Block Type 02

Inbound reconnaissance

Before a targeted attack, operators map your network. Shield blocks the inbound recon traffic from known-bad sources before it can fingerprint your perimeter. The attacker never gets the map they need to plan.

Block Type 03

Outbound exfiltration

If an attacker has already established access and is attempting to exfiltrate data to a known-bad destination, Shield blocks the outbound connection. Data does not leave the network through a destination Shield recognizes.

Why reputation-based, not behavioral

Behavior-based detection looks at what traffic is doing and decides whether it looks suspicious. That approach generates false positives, requires tuning, and needs a baseline of "normal" before it works. Reputation-based blocking looks at the destination address and decides whether it is on the known-bad list. The destination is either on the list or it is not. This significantly reduces tuning overhead and the volume of alerts that require triage.

// Important Boundaries

What Shield does not do.
Named precisely.

We are explicit about boundaries because procurement and audit conversations go better when the answers are precise.

Sentinel does not block
Shield Sentinel is a passive monitoring platform. It does not use threat intelligence, does not integrate with Command Hub, and does not block traffic. When we say "every enforcement platform blocks", Sentinel is excluded by design. Sentinel observes and logs.
Shield does not alert and does not "kill"
Shield is not an alerting product. Shield blocks, and produces a log of blocked events. There is no alert queue to triage. There is no "kill" action. There is a clean event log of what was blocked, when, and why.
Shield Endpoint coverage is specific
Shield Endpoint provides reputation-based filtering on Windows and Android (north-south traffic). ZTNA capability is on Android only, not Windows. Browser isolation works inside or outside the perimeter. Shield Endpoint is not an EDR.
Command Hub exports are CSV and Excel
Shield Command Hub exports CSV and Excel formats. It does not natively export JSON, CEF, or Syslog. Shield OnPremise produces a Syslog feed for SIEM forwarding. Command Hub does not have a published API or direct PSA, RMM, or SOAR integration.
No FedRAMP, GSA Schedule, SOC 2, or ISO 27001
Shield is a security control, not a federal accreditation or compliance certification. Do not assume any of those statuses unless we say so explicitly in writing.
HIPAA, PCI-DSS, and personal data handling
Shield does not process protected health information or cardholder data. Because of the data Shield uses, the data-handling provisions of HIPAA and PCI-DSS do not apply to Shield. INTRUSION as a company complies with GDPR for the business contact information processed at the company level. Shield supports the technical controls GDPR places on data controllers and processors at the network layer.
Evidence retention
Shield retains 72 hours of full evidence at the platform level. For longer retention, Shield OnPremise customers forward Syslog to their SIEM or log management system.
// Incident Response Support

When something does happen.

Shield reduces the volume of incidents you have to respond to. When you do have an incident, the Shield event log is one of the first artifacts your incident response team will pull.

IR Support 01

Event log timeline

The Shield event log gives your IR team a chronological record of blocked connections. That timeline often reveals when the attacker first attempted to communicate with a C2 destination, which is one of the most useful early indicators in an investigation.

IR Support 02

Available data

Shield logs blocked events including DNS, TCP, and UDP. Permitted destinations, bandwidth by connection, and new internal hostnames, IPs, and MACs are also available. This is the working set of data your IR team uses for scoping and containment questions.

IR Support 03

Working with your IR retainer

If you have an IR retainer with an MSSP or DFIR firm, Shield event logs and Syslog feeds are the artifacts they will request. We can coordinate directly with your IR team during an incident to support the investigation.

SEE IT RUN

Run Shield in observe-only mode
on your network.

The fastest way to know whether Shield fits your environment is to run it in observe-only mode and look at the event log together. Most POVs complete in under two weeks.

RECOMMENDED NEXT STEP

Ready to see what Shield finds in your environment?

Request a POV Book a Meeting Talk to an Engineer