Technical reference for Shield, Intrusion's prevention-first network security platform. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
Your EDR sees the endpoint. Your firewall enforces L7. Your SIEM correlates after the fact. Nothing in your stack stops a connection at the wire because the destination is known-bad. We are the layer that does.
Built for the architect running the POV. Not the marketing decision-maker.
Every connection your network attempts is checked against 8.5 billion IP and DNS records of proprietary threat intelligence built since 2001. Match a known-bad destination, the connection drops at sub-ms. No alert. No analyst triage. No queue.
Twelve pages. Architecture, mechanism, console workflow, POV process, downloadable assets, FAQ, and a technical sheet for each of the five Shield platforms. Read in order, or jump to the page that answers your question.
Most evaluators arrive expecting us to position against their existing controls. We are not. Shield is a network-layer reputation control that operates alongside everything you have already deployed. The honest version of where it fits:
Behavioral analysis on the endpoint. Process trees, file activity, memory inspection. Catches what runs after the connection is made.
Rule-based traffic control at L3 to L7. Allow this port from this subnet. Deny that protocol. Critical for policy. Not a reputation control.
Aggregation, retention, correlation across logs from everything else. Tells you what happened. Does not stop what is happening.
Reputation-based pre-emptive blocking on the connection itself. Identity of the destination, not behavior on the host or signature in the packet.
If you are running an EDR plus a firewall plus a SIEM, the legitimate question is what Shield adds. Four answers.
The decision happens at sub-ms. No round trip to a cloud verdict service. No human in the loop. The connection drops at the wire before anything on either side knows it was attempted.
The decision is based on who the destination is, not what the packet contains or what the process is doing. Encryption, novel payloads, and TLS 1.3 with no SNI are all irrelevant to the decision.
8.5 billion IP and DNS records, built since 2001, continuously refreshed. Not a reseller of someone else's threat feed. The 20+ year heritage is the moat.
Shield blocks. It does not surface decisions for you to triage. Every block is logged with full forensic context, but the volume of blocks does not translate to volume of analyst work.
Saying yes to everything is a vendor tell. Here is the explicit list of what Shield does not do, so you can decide if you are in the right place before you spend twenty minutes more.
If your evaluation criteria includes any of the items below, talk to a sales engineer first to confirm fit. We are not going to waste your time with a POV against the wrong problem.
The next eleven pages are written for you, not for a buying committee. Architecture and mechanism first. Console workflow next. POV process. Then the per-platform technical sheets. Skip what you do not need.
Five platforms, three enforcement points, one console. The actual diagram, not a marketing topology.
Connection-by-connection walkthrough. What the platform sees, decides, and does in the time it takes to read this card.
The console. When someone asks "why was that blocked?" your answer takes 30 seconds.
7, 10, or 14 days. Documented success criteria signed off before kickoff. Run in your network, not ours.
The downloadable bundle. Architecture diagrams, one-pagers, posture statement, POV templates.
The questions you would actually ask. Deployment, performance, false positives, integrations.
30 minutes with a sales engineer. Your network diagram on screen. We answer "what does this not do" before you ask.
RECOMMENDED NEXT STEP