Quickstart
From signup to a confirmed beacon, in about ten minutes. You need a network capture, a browser, and an email address.
1. Create an account
Head to the signup page and create a free Recon account. No credit card. You'll be asked to verify your email before your first upload. Recon gives you two uploads per day and forty-eight hours of retention, which is plenty to walk through this guide with a real capture.
2. Upload a capture
On the Uploads page, drop in a file. Any of the following works:
- A PCAP or PCAPNG from tcpdump or Wireshark
- Zeek logs (conn.log, ssl.log, http.log, dns.log, x509.log), either TSV or JSON, one at a time or bundled
- A Suricata eve.json export
- Your own NDJSON or CSV, with auto-detected fields
If you don't have traffic handy, grab a sample from malware-traffic-analysis.net and use a capture that includes a known C2 exercise.
3. Wait for scoring
You'll see a progress bar while the file is parsed and every source/destination pair is scored. Most uploads finish in under a minute. You don't have to stay on the page; the results are waiting when you come back.
4. Read the detections
The Detections view lists every flagged pair for this upload, ordered by score. Click a row to open the investigation panel. The panel shows:
- Source and destination, with the score and severity
- TLS fingerprints (JA3, JA4) and any known-bad matches
- ASN, reverse DNS, and registrant for the destination
- Timing pattern, including periodicity and jitter
- Threat-intel hits from the feeds we query
- An Explain why section that shows which features contributed to the score
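To make the timing pattern concrete, here is an added example (not Recon's code; how Recon actually builds the score is covered under Behavioral scoring) that groups constructed Zeek conn.log JSON records by source/destination pair and computes a period and a jitter figure per pair. The median-based definitions, the minimum connection count and the jitter threshold are this example's own assumptions.

```python
import json
import statistics
from collections import defaultdict


def _rec(ts, orig, resp, port):
    # Minimal Zeek conn.log record in JSON format (only the fields we need).
    return {"ts": ts, "id.orig_h": orig, "id.resp_h": resp, "id.resp_p": port, "proto": "tcp"}


# Constructed sample log, not a real capture: pair A checks in roughly every
# 60 s, pair B is irregular browsing, pair C has too few connections to judge.
BEACON = [_rec(1700000000.0 + t, "10.0.0.5", "203.0.113.9", 443) for t in (0, 60, 118, 180, 239, 300)]
BROWSE = [_rec(1700000000.0 + t, "10.0.0.5", "198.51.100.20", 443) for t in (5, 17, 400, 403)]
SPARSE = [_rec(1700000000.0 + t, "10.0.0.5", "192.0.2.77", 80) for t in (30, 90)]
SAMPLE_CONN_LOG = "\n".join(json.dumps(r) for r in BEACON + BROWSE + SPARSE)


def analyze_timing(conn_log_text, min_connections=4, jitter_threshold=0.2):
    """Return a timing profile per (source, destination, port) pair.

    period_s is the median gap between connections; jitter is the median
    absolute deviation of those gaps as a fraction of the period, so a
    perfectly regular beacon scores 0.0 and random traffic scores high.
    """
    stamps_by_pair = defaultdict(list)
    for line in conn_log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and TSV-style header lines
            continue
        rec = json.loads(line)
        key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
        stamps_by_pair[key].append(float(rec["ts"]))

    profiles = {}
    for key, stamps in stamps_by_pair.items():
        if len(stamps) < min_connections:
            continue  # not enough evidence to call it periodic or not
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(intervals)
        mad = statistics.median([abs(i - period) for i in intervals])
        jitter = mad / period if period > 0 else 0.0
        profiles[key] = {"connections": len(stamps), "period_s": period,
                         "jitter": jitter, "periodic": jitter < jitter_threshold}
    return profiles


if __name__ == "__main__":
    for pair, profile in analyze_timing(SAMPLE_CONN_LOG).items():
        print(pair, profile)
```

A low-jitter pair with a stable period is what the panel's timing section is pointing at; the other features (fingerprints, ASN, intel hits) decide whether that regularity is a beacon or just a scheduled update check.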
5. Confirm or dismiss
At the bottom of the panel, mark the pair as Malicious or Benign. Your verdict trains two things at once: the engine's suppression rules for your workspace, and the confidence it places on similar pairs next time.
That's the whole loop. Upload, score, investigate, verdict. Everything else in the docs is either a deeper look at a step above, or a specialized workflow like reports or field mapping.
Next
If your captures come from a vendor that uses unusual field names, read Field mapping. If you want to understand how the score itself is built, skip ahead to Behavioral scoring.
