How It Works

Works alongside
your existing stack.

Shield gives MSSPs a prevention-first network security capability that reduces analyst workload and improves customer outcomes. Shield blocks malicious traffic at the network layer using the Global Threat Engine.

Know More. Miss Less.

Shield closes the gaps other tools leave behind. Inline blocking across network, cloud, and endpoint. Lower risk. Lower cost. A scalable, high-margin managed service you deliver across every customer.

At a Glance
AudienceMSSP technical and operations teams evaluating Shield
ProblemNeed to understand how Shield works before committing to a partner relationship
How Shield helpsReputation-based DNS and IP filtering blocks risky traffic before it reaches the analyst queue
Best fitMSSPs with 50+ managed tenants seeking noise reduction
Next stepRequest a POV
What You Replace or Reduce

Works with your stack.
Not against it.

Shield doesn’t ask you to rip out what’s working. It plugs into the gaps where your team is bleeding hours.

No rip and replace

Shield works with your stack, not against it. Existing firewall, EDR, SIEM, and ticketing investments stay in place. Shield adds prevention upstream of all of them.

Less alert-heavy detection

Reduces alert-heavy detection and manual triage. Block at the connection level so noise never reaches your queue.

Less rule management

Minimizes ongoing tuning. Shield operates on reputation intelligence built since 2001, not signatures your team has to maintain.

Lower SIEM cost

Decreases SIEM noise and investigation workload. Less ingestion, fewer false-positive trails to chase, fewer billable analyst hours wasted.

Deployment Model

Where Shield
sits in the network.

01 Shield OnPremise

Inline at the perimeter

Inline between firewall and internal network. Inspects and blocks all inbound and outbound traffic at the network edge. Up to 10 Gbps throughput.

02 Stratus (Cloud)

Inside cloud environments

Native to AWS and Azure. Controls inbound and outbound traffic per-direction. The only Shield platform that supports separate policies per direction.

03 Endpoint

On the device

Reputation filtering on Windows and Android for north-south protection. ZTNA on Android for secure east-west access. Browser isolation built in.

What’s Required

No rebuild.
No retraining.

Access

Network insertion point, cloud account access, or endpoint install permissions. Whatever your team already has authority to deploy.

Time

Hours to live, not weeks of consulting. Stratus deploys in hours. Shield OnPremise ships in days, lives in under an hour. Endpoint installs in under five minutes per device.

Data

Live traffic and DNS/IP lookups. Built-in reputation intelligence. No external feeds, no model training, no data ingestion required.

Detection & Blocking Flow

What gets inspected.
What gets blocked.

01 Every Connection

No sampling

All inbound and outbound traffic. DNS requests, IP connections, TCP/UDP connections. No log-based blind spots, no delayed visibility.

02 Reputation-Based

Why we block

Known malicious infrastructure based on long-term reputation and behavior. Unknown or untrusted infrastructure commonly used in attacks.

03 Evidence Trail

What gets recorded

Source and destination details. Timestamp and protocol details. Reputation-based reason for enforcement. Permission to deploy customer-facing reports without guesswork.

How false positives are handled

Simple permit workflows for exceptions. Done at the individual or group level. Full visibility into why something was blocked. No complex rule rewrites, no model retraining, no escalation chain to override a single block.

Operations at Scale

How an MSSP runs
many customers.

Multi-tenant visibility

Single pane of glass through Shield Command Hub. Centralized dashboards across all environments. Per-customer segmentation with unified control.

Templating & standardization

Consistent enforcement across all customers. Repeatable deployment models. Minimal customization required to onboard a new tenant.

Quiet by default

Prevention-first reduces noise. Logging instead of analyst-driven triage. Your SOC sees the events that matter, not the static.

Reporting cadence

On-demand reports. Executive summaries and technical detail per customer. Build the rhythm your client wants, not the one your tooling forces.

Investigation Workflow

From event
to action.

01 First View

What an analyst sees

A blocked event with device, destination, and reason. Immediate context for why action was taken. No digging through three tools to assemble the picture.

02 Drill Down

From event to context

Drill into device activity and communication patterns. View related events and historical behavior. AI Insights summarizes activity and surfaces what matters.

03 Action

Findings into outcomes

Validate enforcement. Add permits if needed. Turn insights into customer recommendations and billable advisory work.

Reporting & Customer Value

What customers get.

Shield gives you the raw material. You shape the customer narrative. Daily, weekly, monthly, quarterly - the cadence is yours, the data is the same.

Threat-Focused

Known IoCs and emerging risks

Surfaced clearly: known indicators of compromise, suspicious endpoints, and emerging risks across the customer environment.

Behavior & Traffic

Communication patterns

Visibility into how devices are talking, traffic flows, and unusual activity. The patterns most tools never surface.

Environment Visibility

Internal inventory

Internal hostnames, IPs, MACs, protocol usage, infrastructure awareness. The asset inventory you couldn’t build before.

ROI & Risk Reduction

Prove what was stopped

Clear visibility into blocked malicious and unknown traffic. Highlight hidden risk. Demonstrate gaps other tools missed. AI Insights summarizes findings in plain language.

See Integrations & Reporting
POV Path

A 7-to-14 day
proof of value.

What it looks like

Deploy chosen Shield product in observe or protect mode. Immediate visibility into traffic and enforcement. Show what is (or would be) blocked.

Success criteria

  • + Proven blocking in a real customer environment
  • + Reduced noise and investigation effort
  • + New, actionable insights into unmanaged risk
  • + Seamless fit into existing operations
  • + Customer-ready reporting of value

What you bring

  • + Deployment access (network, cloud, or endpoint)
  • + Initial customer or test environment
  • + Defined success metrics

First customer rollout

  • + Begin with one environment
  • + Expand after validation
  • + Standardize across customers

Shield Command Hub for MSSPs.

Command Hub is the centralized console for managing Shield deployments across all your customer tenants. Configure policies, view blocked events, generate reports, and manage the full Shield lifecycle from a single interface.

See Shield Command Hub Technical Overview →   Command Hub Architecture →

RECOMMENDED NEXT STEP

Ready to see what Shield finds in your environment?

Request a POV Book a Meeting Talk to an Engineer