Shield gives enterprise and mid-market security teams a prevention-first network defense. Shield blocks malicious traffic at the network layer using the Global Threat Engine and 8.5 billion IP and DNS combinations refined since 2001.
| What it does | Blocks malicious network traffic at the network layer using reputation-based threat intelligence. |
|---|---|
| Who it's for | Security teams needing prevention-first network defense. |
| How it deploys | Shield's five products cover cloud, Shield OnPremise, endpoint, monitoring, and management. |
| What you get | Prevention of known-bad connections with full evidence of what was blocked. |
Some segments cannot accept inline placement. Contractually, operationally, or by network design. Shield Sentinel is the platform we built for those segments. SPAN or TAP only, up to 100 Gbps mirrored. It does not block. It does not use the threat intelligence dataset. It does not integrate with Command Hub. Three platforms enforce. One watches.
For the architect whose OT environment, regulated segment, or air-gapped enclave makes inline placement non-negotiable.
Sentinel is not a smaller version of the inline platforms. It is a different platform with a different job. It ingests mirrored traffic from a SPAN or TAP port. It produces visibility output. It does not enforce, does not load the reputation dataset, and operates independently.
1. Sentinel does not block. SPAN or TAP only. It does not sit inline under any condition.
2. Sentinel does not use the 8.5 billion record threat intelligence dataset. The dataset is not loaded onto Sentinel. The platform is for visibility, not reputation enforcement.
3. Sentinel does not integrate with Command Hub. If your evaluation requires unified passive monitoring and inline enforcement in one console, plan around the Stratus, Shield OnPremise, and Endpoint family.
Sentinel ingests mirrored traffic. It does not sit inline. There is no risk of interrupting legitimate traffic, because Sentinel cannot interrupt traffic at all.
Hardware appliance sized for high-throughput visibility. The largest passive ingest of any Shield platform. For environments where mirroring 100 Gbps of traffic is the actual requirement.
Sentinel runs independently. No console dependency on Command Hub, no shared threat intelligence with the enforcement platforms. Operated as its own product.
| Specification | Detail |
|---|---|
| Deployment | Hardware appliance |
| Throughput | Up to 100 Gbps mirrored |
| Mode | Passive monitoring only |
| Placement | SPAN port or TAP only; never inline |
| Threat intelligence | Not used. Sentinel does not load the 8.5 billion record dataset. |
| Blocking capability | None. Sentinel does not block. |
| Console | Independent. Does not integrate with Command Hub. |
| Evidence retention | Per-platform retention; details vary by deployment |
For evaluators who want network visibility before committing to inline enforcement. Sentinel produces the visibility output without changing packet flow.
For network segments or business contexts where inline placement is contractually or operationally not an option. SPAN-port-only is the design constraint Sentinel solves for.
When the requirement is mirroring 100 Gbps of traffic. Sentinel is the platform sized for that ingest.
For programs that want a visibility platform operated separately from their enforcement stack. Sentinel runs standalone by design.
The list, locked.
Switch between platforms without going back to the overview.
Visibility-only POV with SPAN port placement. Talk to engineering about scope before kickoff.
RECOMMENDED NEXT STEP