// 03 The Mechanism

Every connection your network makes is a vote of trust.

Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.

At a Glance

What it doesBlocks malicious network traffic at the network layer using reputation-based threat intelligence.
Who it's forSecurity teams needing prevention-first network defense.
How it deploysShield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management.
What you getPrevention of known-bad connections with full evidence of what was blocked.

Most of those votes are based on nothing. Your firewall says "the port is open." Your TLS says "the cert validates." Neither asks who is on the other end. We do.

If your last incident review surfaced "outbound C2 to a known-bad IP," this page is for you.

Reputation lookup, at the wire.

Connection metadata hits the platform. The 5-tuple is checked against 8.5 billion IP and DNS records. Match a known-bad destination, the connection drops. No payload inspection. No round trip to a verdict service. No alert.

// The Connection Walkthrough

Four steps. Sub-ms. Autonomous.

A connection enters the platform. This is what happens before the next packet leaves.

01

Receive.

Connection metadata arrives at the platform: source IP, source port, destination IP, destination port, protocol. No payload required for the decision.

Wire speed
02

Lookup.

Destination is checked against the 8.5 billion record reputation set. Categorized matches surface threat tags: C2, botnet, scanning, DNS-flagged, recon.

Sub-ms
03

Decide.

Match a flagged destination, decision is block. No human in the loop. No round trip to cloud verdict. Decision happens at the platform autonomously.

Sub-ms
04

Log.

Full forensic record written to the event log: 5-tuple, reputation context, policy attribution, microsecond timestamp. Available in Command Hub immediately.

After block
// Why This Matters to You

The decision is identity, not behavior.

If you have been burned by behavioral detection that flagged the wrong process at 3 AM, the architectural distinction here is the one you care about.

// Behavior-Inference Tools

Watch what the packet does.

Pattern matching on payload. Sandbox detonation. Anomaly scoring on traffic shape. The decision lags the behavior. You learn after the fact.

False positive rate scales with traffic volume because the input is fuzzy. Encrypted traffic, novel payloads, and zero-day variants all reduce signal.

// Reputation Identity

Asks who is on the other end.

The destination is either in the dataset or it is not. Categorical match, not probabilistic inference. The decision is the same on encrypted and cleartext traffic.

False positive rate is structurally lower because the input is identity, not pattern. Allowlist a destination once, the decision flips for that destination only.

THE QUESTION YOU HAVE ASKED YOURSELF.

Why did your detection tool tell you about the breach instead of preventing it?

Because detection-only tools are downstream of the connection. By the time the alert fires, the packet has already moved. Reputation-based pre-emptive blocking moves the decision to the connection itself.

Shield does not detect. It blocks before the connection completes.

// What the Threat Intelligence Actually Is

8.5 billion records. Built since 2001.

If you have heard "AI-powered threat intelligence" enough times to be skeptical, you should be. Here is what the dataset actually is and where it comes from.

AttributeDetail
Size8.5 billion IP and DNS records
Age20+ years of accumulated provenance, built since 2001
CategorizationC2, botnet, scanning, DNS-flagged, recon, others
SourcingProprietary INTRUSION threat intelligence operation. Not a reseller of someone else's feed.
RefreshContinuously updated. Specific cadence and propagation timing discussed during the technical demo.
DistributionLoaded onto each enforcement platform. No round trip to a remote verdict service for the decision.
Shield SentinelNot loaded. Sentinel is a visibility platform and does not use the dataset.
// What's Default, What's Tunable, What's Logged

The configuration matrix. Five rows, no asterisks.

If your network team is asking "what does this thing actually do at the configuration level," start here. No "depending on tier" footnotes. This is what Shield does and what you can control.

Behavior What Shield Does What You Can Tune
Default Reputation-based pre-emptive blocking is on. Every connection is checked against the 8.5 billion record dataset before completion. The dataset is loaded onto each enforcement platform. Switch enforcement mode (Stratus, Shield OnPremise) to Observe Mode for validation before flipping back to enforcement. Default policy is "block reputation-flagged destinations."
Tunable Threat categories (C2, botnet, scanning, DNS-flagged, recon) are independently controllable. Per-direction policy on Stratus. Allowlists at platform or global scope. Enable or disable specific threat categories. Suppress per source IP range. Allowlist destinations. On Stratus only, configure inbound and outbound policy independently.
Logged Every blocked connection is written to the event log with full forensic context: 5-tuple metadata, reputation context, threat category, policy attribution, microsecond timestamp. Filter the event log by platform, time, source, destination, threat category, or policy. Export filtered or full event sets to CSV or Excel.
Alerted Nothing. Shield does not generate alerts. There is no alert queue, no urgency scoring, no notification system. Blocks are events, not alerts. Not applicable. If you need an alert workflow, forward Shield events to your existing SIEM via Syslog (Shield OnPremise) and configure alerting there.
Blocked Connections to reputation-flagged destinations drop at sub-ms, before completion. The decision is autonomous, identity-based, and happens at the platform. Override per destination via allowlist. Override per threat category via category suppression. Switch the entire platform to Observe Mode to log without blocking.

Want to see this against your traffic?

POV runs 7 to 14 days. Observe Mode first. You see what would block, then flip to enforcement.

Read the POV Process

RECOMMENDED NEXT STEP

Ready to see what Shield finds in your environment?

Request a POV Book a Meeting Talk to an Engineer