Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
Most of those votes are based on nothing. Your firewall says "the port is open." Your TLS says "the cert validates." Neither asks who is on the other end. We do.
If your last incident review surfaced "outbound C2 to a known-bad IP," this page is for you.
Connection metadata hits the platform. The 5-tuple is checked against 8.5 billion IP and DNS records. Match a known-bad destination, the connection drops. No payload inspection. No round trip to a verdict service. No alert.
A connection enters the platform. This is what happens before the next packet leaves.
Connection metadata arrives at the platform: source IP, source port, destination IP, destination port, protocol. No payload required for the decision.
Wire speedDestination is checked against the 8.5 billion record reputation set. Categorized matches surface threat tags: C2, botnet, scanning, DNS-flagged, recon.
Sub-msMatch a flagged destination, decision is block. No human in the loop. No round trip to cloud verdict. Decision happens at the platform autonomously.
Sub-msFull forensic record written to the event log: 5-tuple, reputation context, policy attribution, microsecond timestamp. Available in Command Hub immediately.
After blockIf you have been burned by behavioral detection that flagged the wrong process at 3 AM, the architectural distinction here is the one you care about.
Pattern matching on payload. Sandbox detonation. Anomaly scoring on traffic shape. The decision lags the behavior. You learn after the fact.
False positive rate scales with traffic volume because the input is fuzzy. Encrypted traffic, novel payloads, and zero-day variants all reduce signal.
The destination is either in the dataset or it is not. Categorical match, not probabilistic inference. The decision is the same on encrypted and cleartext traffic.
False positive rate is structurally lower because the input is identity, not pattern. Allowlist a destination once, the decision flips for that destination only.
Because detection-only tools are downstream of the connection. By the time the alert fires, the packet has already moved. Reputation-based pre-emptive blocking moves the decision to the connection itself.
Shield does not detect. It blocks before the connection completes.
If you have heard "AI-powered threat intelligence" enough times to be skeptical, you should be. Here is what the dataset actually is and where it comes from.
| Attribute | Detail |
|---|---|
| Size | 8.5 billion IP and DNS records |
| Age | 20+ years of accumulated provenance, built since 2001 |
| Categorization | C2, botnet, scanning, DNS-flagged, recon, others |
| Sourcing | Proprietary INTRUSION threat intelligence operation. Not a reseller of someone else's feed. |
| Refresh | Continuously updated. Specific cadence and propagation timing discussed during the technical demo. |
| Distribution | Loaded onto each enforcement platform. No round trip to a remote verdict service for the decision. |
| Shield Sentinel | Not loaded. Sentinel is a visibility platform and does not use the dataset. |
If your network team is asking "what does this thing actually do at the configuration level," start here. No "depending on tier" footnotes. This is what Shield does and what you can control.
| Behavior | What Shield Does | What You Can Tune |
|---|---|---|
| Default | Reputation-based pre-emptive blocking is on. Every connection is checked against the 8.5 billion record dataset before completion. The dataset is loaded onto each enforcement platform. | Switch enforcement mode (Stratus, Shield OnPremise) to Observe Mode for validation before flipping back to enforcement. Default policy is "block reputation-flagged destinations." |
| Tunable | Threat categories (C2, botnet, scanning, DNS-flagged, recon) are independently controllable. Per-direction policy on Stratus. Allowlists at platform or global scope. | Enable or disable specific threat categories. Suppress per source IP range. Allowlist destinations. On Stratus only, configure inbound and outbound policy independently. |
| Logged | Every blocked connection is written to the event log with full forensic context: 5-tuple metadata, reputation context, threat category, policy attribution, microsecond timestamp. | Filter the event log by platform, time, source, destination, threat category, or policy. Export filtered or full event sets to CSV or Excel. |
| Alerted | Nothing. Shield does not generate alerts. There is no alert queue, no urgency scoring, no notification system. Blocks are events, not alerts. | Not applicable. If you need an alert workflow, forward Shield events to your existing SIEM via Syslog (Shield OnPremise) and configure alerting there. |
| Blocked | Connections to reputation-flagged destinations drop at sub-ms, before completion. The decision is autonomous, identity-based, and happens at the platform. | Override per destination via allowlist. Override per threat category via category suppression. Switch the entire platform to Observe Mode to log without blocking. |
POV runs 7 to 14 days. Observe Mode first. You see what would block, then flip to enforcement.
RECOMMENDED NEXT STEP