See Every Connection
Every endpoint is a gateway to the internet. CtrlLayer tracks every network connection, manages firewall rules centrally, and matches traffic against threat intelligence in real-time.
Connection Tracking and History
Every TCP and UDP connection from managed endpoints is tracked and recorded. Each record captures the source address, destination address, port, protocol, owning process, data volume, and timestamp. This telemetry builds a comprehensive history of what every device has communicated with, when, and how much data was transferred.
This visibility is essential for security investigations. When a breach is detected, connection history reveals whether data was exfiltrated, which external servers were contacted, and the timeline of the compromise. Without this data, investigations rely on incomplete network logs that may not capture endpoint-level detail.
For routine security operations, connection tracking answers critical questions. Is this application phoning home to an unexpected server? Has any endpoint connected to a known-bad IP? Which devices are generating unusual outbound traffic volumes?
Per-Process Attribution
Every connection is attributed to the specific process that initiated it. Know not just that a device connected to a suspicious IP, but which application made that connection. This attribution enables precise investigation and targeted remediation.
Historical Search
Search connection history by destination IP, domain, port, process, or time range. Retroactive threat hunting becomes possible: when a new threat indicator is published, search your history to determine if any managed endpoint has ever communicated with it.
GeoIP Enrichment
Connection destinations are enriched with geographic location data. Quickly identify connections to unusual geographies that may indicate compromise, especially connections to countries where your organization has no business operations.
Firewall Rule Management
Managing Windows Firewall rules across hundreds of endpoints without centralized control is impractical. Inconsistent rules create security gaps. Manual changes are untracked. Troubleshooting firewall issues requires remote access to each device.
CtrlLayer centralizes firewall rule management. Define rules in the dashboard and deploy them to individual devices, device groups, or the entire fleet. See which rules are active on each endpoint. Identify rule conflicts and inconsistencies across your fleet.
Centralized Rule Definition
Create inbound and outbound rules from the CtrlLayer dashboard. Rules can target specific ports, protocols, IP ranges, and applications. Deploy to individual devices or groups with a single action.
Rule Compliance Monitoring
Continuously verify that firewall rules on endpoints match the centrally defined policy. Detect and alert on rule drift: rules modified locally, rules disabled by users, or rules added without authorization.
Change Logging
Every firewall rule change, whether centrally pushed or locally modified, is recorded in the audit trail. Know who changed what, when, and why. This record is essential for compliance and troubleshooting.
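The drift detection described under Rule Compliance Monitoring, as an added example rather than CtrlLayer's own code: a central policy is compared against the rule set read from one endpoint, and differences are grouped into the four categories the text names (disabled locally, modified locally, missing, added without authorization). The rule fields, device name and rule names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FirewallRule:
    name: str
    direction: str      # "in" or "out"
    action: str         # "allow" or "block"
    protocol: str       # "tcp" or "udp"
    port: int
    remote: str         # remote address or CIDR, "*" for any
    enabled: bool = True

# Constructed central policy and the rule set observed on one endpoint.
POLICY = [
    FirewallRule("Block SMB outbound", "out", "block", "tcp", 445, "*"),
    FirewallRule("Allow RDP from mgmt", "in", "allow", "tcp", 3389, "10.0.0.0/24"),
    FirewallRule("Block Telnet outbound", "out", "block", "tcp", 23, "*"),
]
OBSERVED_ON_WS045 = [
    FirewallRule("Block SMB outbound", "out", "block", "tcp", 445, "*", enabled=False),
    FirewallRule("Allow RDP from mgmt", "in", "allow", "tcp", 3389, "*"),
    FirewallRule("Allow game server", "in", "allow", "udp", 27015, "*"),
]

def detect_drift(policy, observed):
    """Compare rules observed on an endpoint with the central policy and
    return findings grouped the way a compliance monitor would report them:
    disabled locally, modified locally, missing, or added without authorization."""
    expected = {r.name: r for r in policy}
    actual = {r.name: r for r in observed}
    findings = {"disabled": [], "modified": [], "missing": [], "unauthorized": []}
    for name, rule in expected.items():
        seen = actual.get(name)
        if seen is None:
            findings["missing"].append(name)
        elif rule.enabled and not seen.enabled:
            findings["disabled"].append(name)
        elif seen != rule:
            # Same rule name, but its scope (remote, port, action, ...) was changed.
            findings["modified"].append(name)
    for name in actual.keys() - expected.keys():
        findings["unauthorized"].append(name)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, names in detect_drift(POLICY, OBSERVED_ON_WS045).items():
        print(f"{category}: {names}")
```

The "Allow RDP from mgmt" rule is reported as modified because its remote scope was widened from a management subnet to any address, the kind of local change that silently opens a gap.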
IP Blocklist Management
Threat intelligence identifies IP addresses associated with malware distribution, command-and-control servers, botnet infrastructure, and phishing campaigns. CtrlLayer maintains a blocklist of these addresses and enforces it across all managed endpoints.
The platform's blocklist integrates 48,000+ threat intelligence indicators with the ability to add custom entries for organization-specific threats. Blocklist enforcement happens at the endpoint level, providing protection even when devices are off the corporate network.
Threat Intel Integration
Curated threat intelligence feeds are integrated directly into the blocklist. New indicators are enforced across all managed endpoints without manual intervention.
Custom Entries
Add organization-specific blocklist entries for IPs identified in your own investigations or shared by industry partners. Custom entries are enforced alongside the curated intelligence.
Block Event Logging
Every blocked connection is logged with full context: the requesting process, the blocked destination, and the blocklist rule that matched. This data feeds into Blue Team correlation for detecting persistent threat activity.
Bandwidth Analysis
Unusual data transfer volumes are one of the earliest indicators of compromise. Data exfiltration, cryptocurrency mining, and malware command-and-control channels all generate network traffic patterns that differ from normal business use.
CtrlLayer analyzes bandwidth consumption per device, per process, and per destination. It baselines normal behavior patterns and alerts on deviations that may indicate malicious activity.
Per-Process Bandwidth
See which processes are consuming the most bandwidth on each endpoint. Identify unauthorized applications, cryptocurrency miners, or torrent clients consuming network resources.
Anomaly Detection
Baseline normal bandwidth patterns per device and per user. Flag significant deviations: a device that normally transfers 500 MB per day suddenly sending 50 GB triggers investigation.
Exfiltration Indicators
Detect patterns consistent with data exfiltration: large uploads to external destinations, sustained outbound transfers during off-hours, and connections to cloud storage services from devices that do not normally use them.
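The baseline-and-deviation logic from the Anomaly Detection and Per-Process Bandwidth paragraphs, as an added example that is not CtrlLayer's code: a device's recent daily outbound volumes give a median baseline, today's volume is compared against it, and the result is attributed to the process that moved most of the data. The history, process names, destinations and the 10x threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

MB = 1024 * 1024
GB = 1024 * MB

# Constructed sample history: daily outbound bytes for one device, oldest first.
HISTORY_BYTES = [480 * MB, 510 * MB, 495 * MB, 530 * MB, 470 * MB, 505 * MB, 520 * MB]

# Constructed sample of today's outbound transfers: (process, destination, bytes).
TODAY_TRANSFERS = [
    ("outlook.exe", "192.0.2.10:443", 120 * MB),
    ("chrome.exe", "198.51.100.20:443", 380 * MB),
    ("syncagent.exe", "203.0.113.7:443", 49 * GB),
]

def baseline_daily_bytes(history):
    """Median of recent daily volumes; unlike a mean, one past spike
    does not drag the baseline up and hide the next one."""
    return median(history)

def evaluate_device(device, history, transfers, threshold=10.0):
    """Compare today's outbound volume with the device baseline and attribute
    the volume to processes so the analyst sees which application moved the data."""
    today = sum(b for _, _, b in transfers)
    base = baseline_daily_bytes(history)
    ratio = today / base
    per_process = defaultdict(int)
    for proc, _, b in transfers:
        per_process[proc] += b
    top_proc, top_bytes = max(per_process.items(), key=lambda kv: kv[1])
    return {
        "device": device,
        "baseline_mb": round(base / MB),
        "today_mb": round(today / MB),
        "ratio": round(ratio, 1),
        "anomalous": ratio >= threshold,
        "top_process": top_proc,
        "top_process_share": round(top_bytes / today, 2),
    }

if __name__ == "__main__":
    print(evaluate_device("WS-045", HISTORY_BYTES, TODAY_TRANSFERS))
```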
Threat Intel IP Matching
Every outbound connection from managed endpoints is matched in real-time against the CtrlLayer threat intelligence database. When an endpoint connects to a known command-and-control server, malware distribution endpoint, or phishing infrastructure, the detection is immediate.
This matching is not just reactive. CtrlLayer also supports retroactive matching: when a new threat indicator is added to the database, historical connection logs are checked for past communications with the newly identified threat. This reveals compromises that may have been active before the indicator was published.
Detection Example
Endpoint 192.168.1.45 establishes an outbound connection to 185.234.xx.xx on port 443
CtrlLayer matches destination against threat intel: known Cobalt Strike C2 server
Blue Team alert generated: Critical severity, lateral movement correlation rule activated
Administrator notified with full context: device, user, process, destination, recommended response
Device isolation available with one click to contain the threat
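The real-time and retroactive matching described in Threat Intel IP Matching, as an added example that is not CtrlLayer's code: connections are recorded with device, user and process attribution, a new indicator is replayed over the history as soon as it is added, and each match produces an alert carrying the same context the Detection Example lists. The Connection fields, the history, the device and process names and the documentation-range addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Connection:
    timestamp: datetime
    device: str
    user: str
    process: str
    dst_ip: str
    dst_port: int

# Constructed connection history; destinations use documentation address ranges.
HISTORY = [
    Connection(datetime(2024, 3, 1, 9, 12), "WS-045", "jdoe", "outlook.exe", "192.0.2.10", 443),
    Connection(datetime(2024, 3, 2, 23, 40), "WS-045", "jdoe", "updater.exe", "203.0.113.50", 443),
    Connection(datetime(2024, 3, 3, 8, 5), "WS-112", "asmith", "chrome.exe", "198.51.100.9", 443),
]

class ThreatIntelDB:
    def __init__(self):
        self.indicators = []  # list of (ip_network, description)

    def add_indicator(self, cidr, description, history):
        """Register an indicator and replay it over past connections (retroactive match)."""
        net = ipaddress.ip_network(cidr, strict=False)
        self.indicators.append((net, description))
        return [self._alert(c, description) for c in history
                if ipaddress.ip_address(c.dst_ip) in net]

    def match(self, conn):
        """Real-time check of one new connection; returns None when it is clean."""
        addr = ipaddress.ip_address(conn.dst_ip)
        for net, desc in self.indicators:  # a production store would use a prefix tree
            if addr in net:
                return self._alert(conn, desc)
        return None

    @staticmethod
    def _alert(conn, description):
        return {
            "severity": "critical",
            "device": conn.device, "user": conn.user, "process": conn.process,
            "destination": f"{conn.dst_ip}:{conn.dst_port}",
            "indicator": description,
            "observed_at": conn.timestamp.isoformat(),
        }
```

Adding a single /24 indicator surfaces the earlier off-hours connection by updater.exe on WS-045, which is exactly the compromise a purely real-time check would have missed.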