// 07 The Real Questions

The questions you would ask if you were not on a vendor call.

Technical answers to the most common questions about Shield's architecture, deployment, and operations.

Deployment. Performance. False positives. Integrations. Straight answers, including the ones that admit boundaries. If your question is not here, ask a sales engineer directly. We do not have a script that prevents technical answers.

If you have ever sat through a vendor demo wishing you could just see the FAQ, this is that page.

// 01

Deployment.

If you are asking these, you are running the network team standup tomorrow morning and need to know what to brief them on.
How long until it is actually running in our environment?+

Stratus on a single VPC: under one hour. The platform image deploys behind a Gateway Load Balancer, routing is the only network change.

Shield OnPremise: half a day for rack, cable, IP assignment, and initial policy validation. Most evaluators start in Observe Mode before flipping to enforcement.

Endpoint: under five minutes per host. Bulk deployment via your existing endpoint management tool.

Can we run Observe Mode before enforcing? I am not deploying inline blind.+

Yes. On Shield Stratus and Shield OnPremise. Observe Mode logs every decision the platform would have made without actually blocking. Review the would-be-blocks, validate against your environment, flip to enforcement when you are ready.

Shield Sentinel is passive-only by design and does not block under any condition. Shield Endpoint enforces at the host without an Observe Mode equivalent.

What network changes does my team have to make?+

Minimal. Specifically:

  • Stratus: route VPC or VNet traffic through the platform via Gateway Load Balancer or Azure equivalent.
  • Shield OnPremise: inline placement at perimeter or core, or SPAN port for Observe Mode.
  • Sentinel: SPAN or TAP port. Sentinel does not sit inline.
  • Endpoint: agent install. No network changes.
Where can Stratus actually be deployed?+

AWS and Azure. AWS deployment uses Gateway Load Balancer; Azure uses the equivalent hub-and-spoke pattern. Stratus is the only Shield platform that supports per-direction inbound and outbound policy.

Will Shield interfere with our existing firewall?+

No. Shield is a complementary control. Shield handles reputation-based blocking; the firewall handles your policy and L7 inspection. They sit inline together with no conflict. Coexistence guides for next-gen firewalls are in the Reports & Assets library.

What happens during a Shield platform restart or failure?+

For inline platforms, deployment topology determines failure behavior. Most evaluators deploy in fail-open or active-passive configurations to avoid network impact during planned restarts.

Specific failure modes are discussed during the technical demo because they vary by topology. Sentinel is passive-only and has no inline failure mode.

// 02

Performance.

If you are asking these, your network team has scars from a previous control that added 15 ms of latency under load.
What is the throughput envelope per platform? Real numbers.+

By platform:

  • Stratus: 1 Gbps and up, cloud-elastic scaling.
  • Shield OnPremise: 10 Gbps line rate per appliance.
  • Sentinel: up to 100 Gbps mirrored, passive only.
  • Endpoint: per-host, agent-based, no network throughput limit.

For higher cumulative throughput, deploy multiple platforms rather than oversubscribing a single appliance.

What is the actual decision latency? "Sub-ms" is a marketing word.+

Sub-ms for the reputation lookup and decision, yes. Specific latency budgets vary by deployment topology and are discussed during the technical demo. Decisions are autonomous, with no round trip to a remote analytics layer or cloud verdict service. The dataset is loaded into the platform and matched at connection establishment.

How does Shield handle encrypted traffic? Are we relying on payload inspection?+

Shield evaluates connection metadata. Not packet payload. The decision is identity-based: does the source or destination match a reputation entry? Encryption is irrelevant to that decision. Shield works against:

  • Encrypted C2 channels
  • TLS 1.3 with no SNI
  • Custom protocols
  • Zero-day payloads, when the destination is a known-bad host

Shield does not decrypt traffic and does not require decryption keys.

How is the threat intelligence dataset refreshed?+

The 8.5 billion IP and DNS records are continuously refreshed by INTRUSION's threat intelligence operation. Built since 2001, the dataset has 20+ years of accumulated provenance. Refresh frequency and propagation timing are discussed during the technical demo.

How long is event data retained on the platform?+

72 hours of full evidence retention on-platform. Each blocked event includes 5-tuple metadata, reputation context, policy attribution, and microsecond timestamps. For longer retention, configure SIEM forwarding via Syslog (Shield OnPremise) or CSV/Excel export from Command Hub.

// 03

False positives.

If you are asking these, you have been burned by a behavioral tool that blocked production traffic during a release window.
How does Shield avoid blocking legitimate traffic?+

Reputation entries are destination-specific. A clean destination is not flagged because of pattern similarity to a bad one. The 8.5 billion entries are categorized, time-stamped, and tied to provenance: where the entry came from, what it has been observed doing, when it was last seen.

That structure means false positives are rare relative to behavior-inference systems. When they do occur, allowlist entries take effect within the platform refresh cycle.

What happens if Shield blocks something we need? How fast can we unblock?+

Open the event log in Command Hub, click the event, review the forensic record, add the destination to the allowlist. Per-platform or global. The change takes effect within the platform refresh cycle.

For high-volume legitimate destinations, work with the technical team during the POV to validate the allowlist before flipping from Observe Mode to enforcement. This is the most common reason to run the 10-day Standard POV instead of the 7-day Express.

Can we suppress specific threat categories for specific source ranges?+

Yes. Each threat category (C2, botnet, scanning, DNS, recon) can be enabled or disabled at the platform level. For finer control, suppression can be scoped to specific source IP ranges. Configuration lives in Command Hub.

Does Shield generate alerts that need analyst triage?+

No. Shield blocks rather than alerts. There is no alert queue, no alert prioritization, no urgency scoring. Every blocked event is logged with full forensic context, which means the answer to "why" is one click away when someone asks. The volume of blocks does not translate to volume of analyst work.

// 04

Integrations.

If you are asking these, you have a stack to defend and a procurement process that asks "does it integrate with our SIEM."
Does Shield integrate with our SIEM?+

Shield OnPremise supports Syslog forwarding for SIEM ingestion. Command Hub supports CSV and Excel export for filtered or full event sets. SIEM forwarding is configured per deployment. JSON, CEF, and direct API integrations are not currently offered.

Is there a public API?+

No exposed public API today. Programmatic access is on the roadmap; specific timing is discussed during the technical demo.

Does Command Hub support SSO?+

Not currently. Local accounts with role-based access (Observer, User, Administrator) per group. Shield Endpoint supports Entra ID, but only for activation, not for Command Hub authentication.

Are there integrations with PSA, RMM, or SOAR tools?+

Not currently offered. For downstream automation, forward events via SIEM and orchestrate from there.

Does Shield replace our EDR or firewall?+

No. Shield is a complementary network-layer reputation control. EDR sees the endpoint behaviorally; Shield sees the wire identity-wise. Firewall handles your policy and L7; Shield handles reputation. The categories cover different threat surfaces, and most evaluators run all three.

If your evaluation criteria is full SOC tool replacement, Shield is not the right fit for that requirement.

What about compliance certifications?+

FedRAMP, GSA Schedule, and SOC 2 are in active certification process. ISO 27001 is not currently in scope. GDPR and HIPAA do not apply because Shield does not process regulated data as part of its operation; it is excluded from these frameworks rather than compliant with them.

For procurement processes that require these certifications, talk to the team about timing for current roadmap items.

Does Shield Sentinel feed into Command Hub?+

No. Sentinel is monitor-only and operates independently. It does not use the threat intelligence dataset and does not integrate with Command Hub. Three platforms enforce. One watches. They do not share a console.

If your evaluation requires unified passive monitoring and inline enforcement in one console, plan around the Stratus, Shield OnPremise, and Endpoint family.

Question not here?

Sales engineering answers anything. 30 minute call, your network diagram on screen.

Talk to an Engineer

RECOMMENDED NEXT STEP

Ready to see what Shield finds in your environment?

Request a POV Book a Meeting Talk to an Engineer