Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
If you have to ask twice, the vendor lost you. So here it is, named, before the marketing copy. Five platforms. Three enforce. One watches. One console. Your stack does not change shape.
Most architects bounce off vendor sites because the diagram lives behind a "schedule a demo" wall. We do not put it there.
Stratus runs in your VPC. Shield OnPremise racks at your perimeter. Endpoint runs on the host. Shield Sentinel watches passively at line rate. Command Hub manages the three that enforce. Each has a job, and we do not blur them.
If you have read the technical overview, you already know we do not pretend to be an EDR or a firewall. Same rule applies inside the Shield portfolio. Each of the five platforms has a defined role. They do not overlap.
Cloud-native inline blocking for AWS and Azure. The only Shield platform with independent inbound and outbound policy. Runs behind a Gateway Load Balancer or Azure equivalent.
1U appliance, hardware-based inline blocking for the datacenter and campus. The platform you rack next to your firewall, not in place of it. Syslog forwarding to your existing SIEM.
Software agent for Windows and Android. Reputation filtering travels with the user. Browser isolation works inside and outside the perimeter. ZTNA on Android.
Passive monitoring at up to 100 Gbps. SPAN or TAP placement only. Sentinel does not block. Does not use the threat intelligence dataset. Does not integrate with Command Hub. Built for environments that cannot accept inline placement.
The web console for the three enforcement platforms. Event log, policy editor, role-based access, CSV and Excel export. Built for security engineers, not analyst triage.
Sentinel is the part of the portfolio that breaks the pattern. We surface it now, here, before you spend twenty minutes assuming it works the same way as the others.
1. Sentinel does not block. SPAN or TAP only. It does not sit inline under any condition.
2. Sentinel does not use the threat intelligence data. The 8.5 billion record dataset is not loaded onto Sentinel. The platform is for visibility, not reputation enforcement.
3. Sentinel does not integrate with Command Hub. If your evaluation requires unified passive monitoring and inline enforcement in one console, plan around the Stratus, Shield OnPremise, and Endpoint family.
Most evaluators arrive expecting an architecture diagram that requires re-platforming something. That is not what this is. Shield slots into the network at one of three enforcement placements (cloud, datacenter, host) plus optional passive visibility (Sentinel). Your firewall, EDR, and SIEM keep doing what they do.
| Where Shield Sits | What That Looks Like |
|---|---|
| Cloud (Stratus) | Behind AWS Gateway Load Balancer or Azure hub VNet. Routes VPC traffic through the platform. Inline at sub-ms. |
| Datacenter (Shield OnPremise) | 1U appliance racks at perimeter or core. Inline placement, optional SPAN port for Observe Mode validation first. |
| Host (Endpoint) | Software agent on Windows and Android. Reputation enforcement at the host. ZTNA on Android. |
| Visibility-only (Sentinel) | SPAN or TAP. Independent of Command Hub. Use when inline is not acceptable for the segment. |
| Console (Command Hub) | Web. Event log + policy + roles for the three enforcement platforms only. |
30 minutes with a sales engineer. Your network on screen. We sketch the placement.
RECOMMENDED NEXT STEP