Endpoint security tools watch process behavior. Firewalls enforce network boundaries. DataStun does the endpoint network observability and the operator-set distance enforcement the other tools weren’t built for: outbound flow attribution, exposed-service detection at flow-open, multi-source executable reputation, AI-governance volume tracking, and Hop Starvation distance limits. Every catch shares one constraint: metadata only, never content — safe to deploy on every machine in the fleet.
Each of these is a feature page in its own right; this hub gives you the elevator pitch and points you at the deeper material. The first three are included on every tier — the security floor. The last two are paid because the upgrade story is a real upgrade, not a tax.
The single most common “how did we get breached” root cause: an internal service — database, file share, admin API — accidentally reachable on the public internet. The agent catalogs 169 services across 8 categories and tags any outbound flow whose destination is a public IP on a catalog port.
Critical hits (MSSQL, MongoDB, RDP, SMB, Redis, ...) alert tenant admins instantly. One click pushes a tenant-wide block to every agent in 60 seconds.
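How the flow-open check described above can be expressed, as an added example that is not DataStun's own code: a flow is tagged only when its destination is a public address on a catalog port, using nothing but the flow's metadata. The six-entry catalog, the `Flow` type, the severity split and the sample flows are all assumptions; the real catalog has 169 services.

```python
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of the service catalog: port -> (service, category, critical). Assumed entries.
SERVICE_CATALOG = {
    1433: ("MSSQL", "database", True),
    27017: ("MongoDB", "database", True),
    3389: ("RDP", "remote-access", True),
    445: ("SMB", "file-share", True),
    6379: ("Redis", "database", True),
    5432: ("PostgreSQL", "database", False),
}

# Ranges that are never "the public internet". The RFC 5737 / RFC 3849 documentation
# ranges are left out on purpose so the sample can use them as stand-ins for public addresses.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

@dataclass(frozen=True)
class Flow:
    process: str
    dst_ip: str
    dst_port: int

def is_public(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)

def exposure_tag(flow: Flow):
    """Tag a flow at open time when its destination is a public IP on a catalog port.
    Only metadata is consulted; a database reached over the LAN or on loopback gets no tag."""
    entry = SERVICE_CATALOG.get(flow.dst_port)
    if entry is None or not is_public(flow.dst_ip):
        return None
    service, category, critical = entry
    return {"process": flow.process, "destination": f"{flow.dst_ip}:{flow.dst_port}",
            "service": service, "category": category,
            "severity": "critical" if critical else "warning"}

def scan(flows: list) -> list:
    """Run the check over a batch of flow-open events and keep only the hits."""
    return [t for f in flows if (t := exposure_tag(f)) is not None]

# Constructed sample flow-open events, not captured traffic.
SAMPLE_FLOWS = [
    Flow("sqlservr.exe", "10.20.0.5", 1433),    # internal replication: no tag
    Flow("mongod", "203.0.113.7", 27017),       # MongoDB to a public IP: critical
    Flow("backup.exe", "198.51.100.4", 5432),   # Postgres to a public IP: warning
]
```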
Read the exposed-services landing →
Every binary that opens a network connection gets a SHA-256 fingerprint and a multi-source verdict. The evidence cluster — SIG (code signature), NSRL (federal known-good), MBZ (public malware corpus), VT (multi-engine AV) — means “clean” is the agreement of independent sources, not one vendor’s opinion.
It also answers “is this version vulnerable?” — published CVEs for the binary’s version, flagged with a red KEV chip when a CVE is on CISA’s actively-exploited list (deeper red for documented ransomware use) — and runs a YARA + ClamAV malware scan, with false-positive discipline so a validly-signed system binary never gets flagged by a generic hunting rule.
Hash-only by default. The binary itself never leaves your machine.
Read how file reputation works →
Every outbound destination gets a real-time security grade (A+ through F). The reputation pipeline runs geo, rDNS, TLS posture, infrastructure analysis, threat-feed match, and AI-advisory assessment in parallel. D and F destinations land on the global blocklist.
Enforcement is at the OS firewall (Windows WFP, Linux ipset/iptables, macOS pf). The list is global because reputation is a statement about the IP, not about your tenant. Individual customers get the same enforcement as Enterprise. And because the dangerous part of the internet changes constantly, the grading runs around the clock — not a list you install once and forget.
Read the reputation deep-dive →
Which AI tools are your fleet using? How much data is leaving for each provider, from which executable, on which machine? Cross-fleet rollup of bytes flowing to 50+ AI vendors — Anthropic, OpenAI, Microsoft Copilot, Cursor, and the long tail.
Volume + attribution, not content inspection. TLS hides the prompts; we never try to break that. The compliance answer to “what’s our AI footprint?” with measurement, not survey.
Read the AI governance landing →
The one catch on this page that’s not just observation. Operator-set distance limits per device, per app, per port, enforced through the TTL field in every IP packet. A database server can be told to reach the local switch and nothing beyond. A laptop can be told to reach the company network plus a measured pinhole to your payment processor.
Operator measures the hop count, the AI sanity-checks the rule against today’s flows before apply, the router confirms it stuck, the operator can reverse in seconds. Per-agent add-on — buy it for the agents that protect crown jewels, leave laptops on the standard agent.
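How a distance limit maps onto the TTL field, as an added example that is not DataStun's code: a rule per device (optionally per app and port), a measured pinhole that overrides the default, a router-by-router TTL check, and a plain deterministic preview of which of today's flows a rule would cut off, standing in for the AI sanity-check the text mentions. The `DistanceRule` and `Flow` types, the hop counts and the documentation-range addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class DistanceRule:
    """Reach limit for a device (optionally one app / port). hops = traceroute-style
    count of the farthest allowed host (routers crossed + 1); 1 = local subnet only."""
    device: str
    app: Optional[str] = None       # None = any process on the device
    port: Optional[int] = None      # None = any destination port
    hops: int = 1
    pinholes: dict = field(default_factory=dict)   # dst prefix -> measured hops

@dataclass(frozen=True)
class Flow:
    process: str
    dst_ip: str
    dst_port: int
    measured_hops: int              # hop count observed for this destination today

def ttl_for(rule: DistanceRule, process: str, dst_ip: str, dst_port: int):
    """TTL to stamp on this flow's packets, or None if the rule does not apply."""
    if rule.app not in (None, process) or rule.port not in (None, dst_port):
        return None
    addr = ipaddress.ip_address(dst_ip)
    for prefix, hops in rule.pinholes.items():   # a measured pinhole beats the default
        if addr in ipaddress.ip_network(prefix):
            return hops
    return rule.hops

def delivered(ttl: int, routers_crossed: int) -> bool:
    """Each router decrements TTL and discards at zero: survive only if >= 1 is left."""
    return ttl - routers_crossed >= 1

def preview_impact(rule: DistanceRule, flows: list) -> list:
    """Today's flows the rule would cut off: a deterministic stand-in for the
    AI sanity-check the page says runs before a rule is applied."""
    broken = []
    for f in flows:
        ttl = ttl_for(rule, f.process, f.dst_ip, f.dst_port)
        if ttl is not None and not delivered(ttl, f.measured_hops - 1):
            broken.append(f)
    return broken

# Constructed sample (RFC 5737 addresses): a DB server kept to the local switch plus a 9-hop pinhole.
DB_RULE = DistanceRule(device="db-01", hops=1, pinholes={"203.0.113.0/24": 9})
TODAY = [Flow("postgres", "192.0.2.20", 5432, 1),      # same-subnet replica: kept
         Flow("postgres", "203.0.113.10", 443, 9),     # pinhole to the processor: kept
         Flow("postgres", "198.51.100.7", 443, 14)]    # far-internet destination: cut off
```

With `hops=1` the rule applies to every process on the device, so a process compromised through a zero-day is held to the same boundary as the database itself.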
Read the Hop Starvation landing →
Every binary that opens a network connection is fingerprinted and checked against four independent sources at the same time. A verdict is their agreement — not one vendor’s opinion.
One source can be wrong, bought, or stale. Four independent sources rarely agree by accident — so “clean” on your dashboard means checked, and a flag means more than a hunch. Hash-only by default; the binary itself never leaves the machine.
A virus list answers one question: “have we seen this exact file before?” Modern attacks are built to beat that. Here’s the fuller picture the agent works from.
About half a million brand-new malicious files appear every day — roughly five every second. The threat you face this afternoon didn’t exist this morning, so the checks run in real time, not off a list someone refreshed last month.
Most modern malware rewrites itself for every victim, so the exact file attacking you has usually never been seen anywhere. Instead of only asking “is this a known-bad file?”, the agent recognizes the tell-tale patterns a malware family leaves behind — catching new disguises a file list can’t.
A program can be perfectly legitimate and still be the way in — if it’s an outdated version with a known hole. There are more than 300,000 known software flaws, but fewer than 1,500 are actually being exploited right now. DataStun flags those versions in red, so you know what to update first.
Most tools only hunt for known viruses. DataStun recognizes what’s legitimate, spots the disguised, and flags the trusted-but-outdated software attackers are breaking into today — then explains every verdict in plain language.
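How the agreement-of-sources verdict described above (the SIG / NSRL / MBZ / VT evidence cluster, the YARA false-positive discipline, and the KEV chip) can be expressed as policy, as an added example that is not DataStun's code. The `Evidence` data model, the two-source threshold, the 10% VT cut-off, the generic-rule name prefixes and the sample binary are all assumptions; the CVE id is a placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    """Hash-only evidence for one binary, one field per source (assumed data model)."""
    sha256: str
    sig_valid: bool                 # SIG: code signature verifies
    nsrl_known_good: bool           # NSRL: hash in the federal known-good set
    mbz_hit: bool                   # MBZ: hash in the public malware corpus
    vt_detections: int = 0          # VT: engines flagging the hash, out of vt_engines
    vt_engines: int = 0
    yara_matches: list = field(default_factory=list)   # matched rule names
    cves: list = field(default_factory=list)           # dicts with id, kev, ransomware

GENERIC_RULE_PREFIXES = ("hunt_", "generic_", "heur_")   # broad hunting rules, not family rules

def verdict(ev: Evidence) -> dict:
    """'malicious' needs two independent bad sources to agree, one alone is only 'suspicious',
    and a generic hunting rule is suppressed on a validly-signed NSRL known-good binary."""
    reasons, bad = [], 0
    if ev.mbz_hit:
        bad += 1; reasons.append("MBZ: hash present in public malware corpus")
    if ev.vt_engines and ev.vt_detections * 10 >= ev.vt_engines:      # 10% of engines or more
        bad += 1; reasons.append(f"VT: {ev.vt_detections}/{ev.vt_engines} engines flag it")
    generic = [r for r in ev.yara_matches if r.startswith(GENERIC_RULE_PREFIXES)]
    family = [r for r in ev.yara_matches if r not in generic]
    if family:
        bad += 1; reasons.append("YARA family rule: " + ", ".join(family))
    if generic and ev.sig_valid and ev.nsrl_known_good:
        reasons.append("YARA generic rule suppressed, binary is signed and NSRL known-good: " + ", ".join(generic))
    elif generic:
        bad += 1; reasons.append("YARA generic rule: " + ", ".join(generic))
    if bad >= 2:
        label = "malicious"
    elif bad == 1:
        label = "suspicious"
    elif ev.sig_valid and ev.nsrl_known_good:
        label = "clean"; reasons.append("SIG valid and NSRL known-good agree")
    else:
        label = "unknown"; reasons.append("no bad evidence, but no independent known-good source either")
    # The vulnerability chip is separate from the malware verdict: a clean, outdated binary can still be the way in.
    kev = [c for c in ev.cves if c.get("kev")]
    chip = ("ransomware" if any(c.get("ransomware") for c in kev)
            else "kev" if kev else "cve" if ev.cves else None)
    return {"sha256": ev.sha256, "label": label, "chip": chip, "reasons": reasons}

# Constructed sample: a signed, known-good system binary that a broad hunting rule
# happens to match, running a version with a KEV-listed CVE (placeholder id).
SAMPLE = Evidence("0" * 64, sig_valid=True, nsrl_known_good=True, mbz_hit=False,
                  vt_engines=70, yara_matches=["hunt_packed_pe"],
                  cves=[{"id": "CVE-YYYY-NNNNN", "kev": True, "ransomware": False}])
```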
Every outbound destination is graded in real time. The worst grades don’t just get reported — they get refused, at the kernel, on every machine.
A D or F lands the address on the global block list, and the OS firewall refuses the session before it completes — the same enforcement on the Individual tier as on Enterprise. The list is global because reputation is a statement about the IP, not about your tenant. And every block carries its source, reason, and a dispute link — a block you can’t explain or appeal isn’t one you should trust.
Two facts make “set it and forget it” a myth — and both are why DataStun keeps grading in the background instead of handing you a list to install.
Most of the internet is safe. The genuinely dangerous part is about one-third of one percent of all addresses — small enough to refuse on every one of your devices from the moment you turn us on. That worst-of-the-worst core travels to every agent.
A new dangerous address appears roughly every minute, and most are abandoned within months. A firewall set last week is already describing an internet that has moved on. DataStun re-grades around the clock, so your protection matches today’s internet.
Blocking an address doesn’t retire the people behind it — they shift to fresh ones to stay hidden. Rather than carry millions of stale entries that would slow your machines, the agent watches your own traffic and grades each new destination the moment it appears.
That’s the split: the small, stable worst-of-the-worst refused everywhere instantly — and everything else graded live, as it actually tries to reach you. A static list protects you from where attackers used to be. DataStun protects you from where they are now.
A real observation from a live agent. A browser opened a session to a familiar-looking address — and the server answered with a security certificate issued for a completely different name, expired weeks earlier, served from a data center overseas. Here is exactly what the agent saw.
[Agent record, only partly recoverable from the page: a certificate whose name is truncated to “con.cn” does not cover mail.365.com; the record names the process (chrome.exe), the agent that saw it, and every session attached to the record. The block carries its source, reason, and a dispute link, like any other.]
Would you have typed your password into that? The address looked familiar. The certificate — the part your browser actually verifies — was for a different name, already expired, on the other side of the world. DataStun reads the name on the ID, not the name on the door.
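The two checks behind that observation, as an added example that is not DataStun's code: does the name on the certificate cover the host that was asked for, and is the certificate inside its validity window. Both use only handshake metadata (names and dates), never payload. The `CertMeta` type, the RFC 6125-style wildcard rule and the sample certificates with RFC 2606 reserved names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class CertMeta:
    """Fields readable from the TLS handshake alone: the names the certificate
    was issued for and its validity window. Assumed data model."""
    subject_cn: str
    sans: tuple            # dNSName entries, empty if the certificate has none
    not_before: datetime
    not_after: datetime

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a single '*' may only
    stand for the whole leftmost label (so *.example.com never covers
    example.com or a.b.example.com, and *.com is never accepted)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "." not in pattern[2:]:
        return False
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]

def check_handshake(host: str, cert: CertMeta, now: datetime) -> list:
    """Return the findings an analyst would want on the record; empty means fine."""
    names = cert.sans or (cert.subject_cn,)      # SANs take precedence when present
    findings = []
    if not any(name_matches(n, host) for n in names):
        findings.append(f"name mismatch: certificate for {', '.join(names)} does not cover {host}")
    if now > cert.not_after:
        findings.append(f"expired {(now - cert.not_after).days} days ago ({cert.not_after:%Y-%m-%d})")
    elif now < cert.not_before:
        findings.append(f"not yet valid until {cert.not_before:%Y-%m-%d}")
    return findings

# Constructed sample: a browser reached what looked like the mail server, and the
# server presented a certificate for an unrelated name that expired three weeks ago.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
BAD_CERT = CertMeta("www.example.org", ("www.example.org", "example.org"),
                    NOW - timedelta(days=386), NOW - timedelta(days=21))
GOOD_CERT = CertMeta("mail.example.com", ("*.example.com",),
                     NOW - timedelta(days=30), NOW + timedelta(days=60))
```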
Forty years of breach work taught me the same lesson every time: the tools were watching the wrong layer. The endpoint tool watched the process. The firewall watched the boundary. Nobody watched where the data actually went, vouched for the program that sent it with evidence you could check, or capped how far the data was allowed to travel in the first place. That gap is the whole game — and it’s what these catches close.
Hardening narrows the ways in — but sound security planning assumes that, eventually, something gets through. DataStun is built for that moment: at worst, you have a complete record of what it did; at best, the connection is refused before it completes.
Exposed-service detection flags internal databases, file shares, and admin APIs reachable when they shouldn’t be. Blocklist enforcement refuses known-bad destinations at the OS firewall. Fewer doors — and the obvious-bad ones already shut.
Hop Starvation caps how far packets from a chosen device, app, or port are allowed to travel. A database compromised through a zero-day still can’t reach the internet if its reach was capped at the local switch. The blast radius is bounded by physics, not by patrolling.
The agent records connections that reach the machine, not only the ones it makes. Every session landing on a listening service is captured: the source IP, the source and local port, the process that accepted it, bytes in and out, the timestamp. Public-internet sources get the same A–F reputation grade as outbound destinations.
If a machine is reached, the session-level record is already there: who connected, which process accepted it, what that process then reached outbound, which executable on disk made those calls, and how much data moved each way. The event has a name, a source, and a timeline — not a gap.
You know exactly what it did. The source address, the process it reached, the executable behind it, the outbound destinations that followed, and the byte counts on every leg — a full account of the event, ready for response.
It never completes the connection — or it can’t go anywhere if it does. When the source or destination is known-bad, the OS firewall refuses the session before it opens. When the compromised machine has a distance-cap rule applied, its packets expire at the boundary the operator chose — long before they reach an exfiltration endpoint.
Every layer here runs on connection metadata — source, destination, process, ports, bytes, timing. Never content. The forensic record is detailed enough to drive an investigation and small enough that nobody has to trust us with payloads.
Every catch above runs on connection metadata: source process, destination, port, protocol, byte counts, timing, TLS handshake fields. Never content. No proxy, no man-in-the-middle, no decrypted-payload buffer anywhere in the agent or platform. That constraint is what lets the agent live next to your existing endpoint security tools on every machine in the fleet without becoming a privacy concern.
DataStun pairs with what you already run; it does not try to replace it. The integration story:
Endpoint security tools tell you a process behaved suspiciously. DataStun tells you where its outbound flows went, which executable on disk made the call, how many bytes left — and lets the operator cap how far those packets are allowed to travel in the first place.
All features →
Per-flow records, blocklist enforcement events, exposed-service denials, Hop Starvation rule activity, and grade-shift events stream into Splunk, Elastic, Datadog, or any HTTP / syslog endpoint on the Business tier and above.
All features →
Per-framework evidence binders generated on demand: SOC 2, ISO 27001, HIPAA, GDPR, EU NIS2, EU DORA, PCI-DSS 4.0, NIST 800-171 / CMMC. Feeds into Vanta / Drata / Secureframe.
Compliance crosswalk →
Sign up free, enroll one agent, and the security lane lights up on day one. Individual tier covers up to 3 agents with 30 days of history; the catches on this page are not tier-gated.