ThreatEye Network Recorder is a network forensics solution that guarantees line-rate packet capture from 1 to 100 gigabits per second with lossless write to disk. It scales to retain petabytes of data and supports a range of storage options with advanced indexing and search features. The solution provides an intuitive user interface and offers easy integration via RESTful APIs. ThreatEye Network Recorder is powered by Napatech’s industry-leading SmartNIC technology, providing 100% packet capture with nanosecond precision time stamping.


Use Cases

Experienced analysts agree that network forensics and analysis is only as good as the depth and fidelity of packets recorded. With an easy-to-use RESTful API, ThreatEye Network Recorder is a cost-effective, bolt-on solution that enables you to harness the full potential of your application.



In the aftermath of a security breach or cyberattack, ThreatEye delivers critical context around alerts generated by security applications such as:

  • Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)

  • Unified Threat Management (UTM)

  • Security Information and Event Management (SIEM)

  • Data Loss Prevention (DLP)

  • Advanced Persistent Threats (APT)

To reduce recovery time and costs, ThreatEye Network Recorder makes it possible to retrospectively assess, contain, and ascertain the damage of an incident.

Threat Hunting

ThreatEye Network Recorder provides ground truth data used by security analysts to proactively track and target malicious activity before there is an incident. Network forensic evidence provides the proof necessary to show intent, expose correlations of unusual patterns, and uncover attackers that potentially have been active for months. Investigations using a threat-hunting approach improve the probability of finding advanced threats and shorten the “dwell time” between initial breach and detection.

Cyber defense

ThreatEye Network Recorder delivers data to applications that help governments see all data running through their networks. Recognizing malicious packages and suspicious patterns allows governments to take preemptive measures to stop criminals before or during an attack, safeguarding sensitive government information as well as the personal data of citizens.


ThreatEye Network Recorder delivers data to applications that enable infrastructure network managers to optimize performance of power transmission, water distribution, transportation, healthcare, and other complex networks. The insight delivered helps sustain the reliable functioning of these vital networks and creates the visibility needed to protect them.

Fraud detection & compliance management

ThreatEye Network Recorder delivers data to applications that ensure compliance with regulations, protect trading information, and reduce the risk of confidential information leaks. This enables stock exchanges to provide a seamless, secure trading experience for their customers.

Financial latency measurement

ThreatEye Network Recorder delivers data to applications that make delays visible by capturing all transactions and measuring the exact time of each trading event up to the nanosecond. This enables financial institutions to guarantee optimal performance and transparency of their trading infrastructure.



100% Packet Capture

100% accurate, continuous packet capture with up to 40 Gbps sustained write-to-disk. 1, 10, 40, and 100 Gbps line-rate connectivity options.


Adaptive Packet Capture

Reduce storage costs and improve forensic search speeds by retaining only important and useful traffic elements.


Federated Search

Accelerated search based on 5-tuple and Layer 2-4 protocols. Federated search across multiple ThreatEye appliances in a group.



On-board and SAN storage options scale to whatever record speed and retention volume is required.


Software Application Support

Container hosting support for a wide range of commercial and open-source network security applications such as Suricata and Bro.


Web-Based GUI & Management

Centralized management through web-based GUI. RESTful API for easy integrations.

Adaptive Packet Capture

(Coming Soon!)

Select one or more optional packet capture modes to reduce storage costs and improve search speeds.

Connection cutoff

Leverage the heavy-tailed nature of network traffic by retaining only the first “N” packets (or kilobytes) of each network session.


Maintain user privacy by slicing the packet payload and only retaining packet and protocol headers.

Encryption Bypass

Save storage and compute resources by discarding encrypted traffic sessions.

Reputation List

Utilize IP reputation lists to selectively trigger the recording of network sessions of questionable or malicious sites.




Discover the ThreatEye Network Recorder plug-in for Palo Alto firewalls with drill-down details of a specific security event.


Connections & Expansion


ThreatEye Network Recorder Portfolio

Capture to Disk Performance (sustained recording rate without packet loss): 1 Gbps | 10 Gbps | 20 Gbps | 40 Gbps
Software: v3.0 Required
Capture port options: 2 x 10/100/1000 RJ45 capture ports | Capture card required (choose one): 4-port Dual-rate 1/10 Gbps SFP/SFP; 2-port 40 Gbps QSFP; 2-port 1000 Gbps QSFP28
Base Appliance: Appliance Included | Required Dell PowerEdge R730XD or Equivalent
Form Factor: 1 x 1U | 1 x 2U
Base Storage: 4TB | 120TB
Storage Expanders (Min. requirement): N/A | N/A | 1 x 2U, with 120TBytes | 3 x 2U, with 120TBytes
Storage Expanders (Max. supported): N/A | 8 (total 1 PB)
Management Interface: 1 × 10/100/1000 RJ45 | 2 × 1G RJ45 + 2 × 1/10G SFP+
GUI: Web Based
Support: Included Support and Warranty

About ThreatEye Network Recorder

ThreatEye Network Recorder is based on Napatech’s Pandion Network Recorder, a product line renowned for ultrafast packet capture, indexing, and search capabilities. In the fall of 2018, Counterflow AI acquired and adopted Pandion as the basis of ThreatEye Network Recorder, a next-generation network forensics platform that seamlessly integrates full packet capture with a streaming machine-learning and data visualization engine.