ThreatEye Network Recorder is a network forensics software solution designed to run on commodity hardware. It guarantees line-rate packet capture from 1 to 100 gigabits per second with lossless write to disk. It scales to retain petabytes of data and supports a range of storage options with advanced indexing and search features. The solution provides a web-based packet analysis platform supporting a collaborative packet analysis workflow with retrospective visual analytics. A RESTful API structure supports integrations across a wide range security products. ThreatEye Network Recorder is powered by Napatech’s industry-leading SmartNIC technology, providing 100% packet capture with nanosecond precision time stamping.


Use Cases

Experienced analysts agree that network forensics and analysis is only as good as the depth and fidelity of packets recorded. With an easy-to-use RESTful API, ThreatEye Network Recorder is a cost-effective, bolt-on solution that enables you to harness the full potential of your application.


Threat Hunting

ThreatEye Network Recorder provides ground truth data used by security analysts to proactively track and target malicious activity before there is an incident. Network forensic evidence provides the proof necessary to show intent, expose correlations of unusual patterns, and uncover attackers that potentially have been active for months. Investigations using a threat-hunting approach improve the probability of finding advanced threats and shorten the “dwell time” between initial breach and detection.


In the aftermath of a security breach or cyberattack, ThreatEye delivers critical context around alerts generated by security applications such as:

  • Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)

  • Unified Threat Management (UTM)

  • Security Information and Event Management (SIEM)

  • Data Loss Prevention (DLP)

  • Advanced Persistent Threats (APT)

To reduce recovery time and costs, ThreatEye Network Recorder makes it possible to retrospectively assess, contain, and ascertain the damage of an incident.

Cyber defense

ThreatEye Network Recorder delivers data to applications that help governments see all data running through their networks. Recognizing malicious packages and suspicious patterns allows governments to take preemptive measures to stop criminals before or during an attack, safeguarding sensitive government information as well as the personal data of citizens.

Fraud detection & compliance management

ThreatEye Network Recorder delivers data to applications that ensure compliance with regulations, protect trading information, and reduce the risk of confidential information leaks. This enables stock exchanges to provide a seamless, secure trading experience for their customers.


ThreatEye Network Recorder delivers data to applications that enable infrastructure network managers to optimize performance of power transmission, water distribution, transportation, healthcare, and other complex networks. The insight delivered helps sustain the reliable functioning of these vital networks and creates the visibility needed to protect them.

Financial latency measurement

ThreatEye Network Recorder delivers data to applications that make delays visible by capturing all transactions and measuring the exact time of each trading event up to the nanosecond. This enables financial institutions to guarantee optimal performance and transparency of their trading infrastructure.



100% Packet Capture

100% accurate, continuous packet capture with up to 40 Gbps sustained write-to-disk. 1, 10, 40, and 100 Gbps line-rate connectivity options.


Intelligent Packet Capture

Using a streaming machine learning approach to make intelligent decisions about which network sessions to record, how long to retain them, and what traffic can be safely ignored.


Federated Search

Accelerated search based on 5 tuple and Layer 2-4 protocols. Federated search across multiple ThreatEye appliances in a group.



On-board and SAN storage options to scale to whatever record speed and retention volume required.


Packet Analysis and Collaborative Workflow

Transforming  packet analysis workflows by providing a secure web-based environment to organize, collaborate and analyze packet captures.



Web-Based GUI & Management

Centralized management through web-based GUI. RESTful API for easy integrations.

IntelligenCE-DRIVEN Packet Capture

Greatly reduces the size and cost of data retention and providing a more targeted search space for real-time threat hunting.

Connection cutoff

Leverage the heavy-tailed nature of network traffic by retaining only the first “N” packets (or kilobytes) of each network session.

Encryption Bypass

Save storage and compute resources by discarding encrypted traffic sessions.

Threat INtel

Utilize IP and Domain reputation lists to selectively trigger the recording of network sessions of questionable or malicious sites.

Anomaly Detection

Through machine learning analysis determine the most highly suspicious indicators of compromise.



Discover the ThreatEye Network Recorder plug-in for Palo Alto firewalls with drill-down details of a specific security event.


Integrated into the ThreatEye platform, Cloudshark’s secure, modern, web-based packet capture analysis platform for network and SOC teams.


Connections & Expansion


 ThreatEye Network Recorder Portfolio

Capture to Disk Performance
(Sustained recording rate without packet loss)
1 Gbps 10Gbps 20 Gbps 40 Gbps
Software v3.0 Required
Capture port options 2 x 10/100/1000 RJ45 capture ports Capture card required (choose one:)

4-port Dual-rate 1/10 Gbps SFP/SFP
2-port 40 Gbps QSFP
2-port 1000 Gbps QSFP28
Base Appliance Appliance Included Required Dell PowerEdge R730XD or Equivalent
Form Factor 1 x 1U 1 x 2U
Base Storage 4TB 120TB
Storage Expanders (Min. requirement) N/A N/A 1 x 2U, with 120TBytes 3 x 2U, with 120TBytes
Storage Expanders (Max. supported) N/A 8 (total 1 PB)
Management Interface 1 × 10/100/1000 RJ45 2 × 1G RJ45 + 2 × 1/10G SFP+
GUI Web Based
Support Included Support and Warranty

About ThreatEye Network Recorder

ThreatEye Network Recorder is based on Napatech’s Pandion Network Recorder, a product line renowned for ultrafast packet capture, indexing, and search capabilities. In the fall of 2018, Counterflow AI acquired and adopted Pandion as the basis of ThreatEye Network Recorder, a next-generation network forensics platform that seamlessly integrates full packet capture with a streaming machine-learning and data visualization engine.