Strixl Labs

Every capability inside Strixl Labs.

Grouped by where you meet them in the workflow: ingest, detection, enrichment, investigation, platform. Skim the headers, drill into what matters.

Feed it what you already have.

No software to install. No hardware to buy. No rebuilding your network. Strixl Labs reads the data your team already collects and turns it into answers.

Native PCAP / PCAPNG parsing

Upload raw capture files up to multiple gigabytes. We stream through them, reconstruct TLS ClientHellos and X.509 certs, and reconstitute the pair-level view. No intermediate conversion step.

Zeek support for five log types

conn.log, ssl.log, http.log, dns.log, x509.log. Drop any combination; we correlate by Zeek UID so SSL fingerprints and HTTP user-agents end up attached to the same pair automatically.
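The UID-based correlation described above, as an added example that is not Strixl Labs' own code: Zeek writes every log row with the `uid` of the connection it belongs to, so rows from conn.log, ssl.log and http.log can be joined on that field and then grouped into source/destination pairs. The field names match Zeek's JSON log output; the log contents, the JA3 values (all-zero placeholders) and the pair key `(orig_h, resp_h, resp_p)` are constructed for the example. An ssl.log row whose conn.log row is absent is reported rather than turned into a pair of its own.

```python
import json
from collections import defaultdict

# Constructed sample Zeek logs in JSON output format (one object per line).
# Field names follow Zeek's conn.log, ssl.log and http.log; all values are made up,
# and the ja3 strings are placeholders, not real fingerprints.
CONN_LOG = """\
{"ts":1700000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","duration":1.2,"orig_bytes":900,"resp_bytes":1100}
{"ts":1700000060.2,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","duration":1.1,"orig_bytes":910,"resp_bytes":1090}
{"ts":1700000005.0,"uid":"CAbc3","id.orig_h":"10.0.0.9","id.orig_p":52000,"id.resp_h":"198.51.100.20","id.resp_p":80,"proto":"tcp","duration":0.4,"orig_bytes":300,"resp_bytes":5000}
"""
SSL_LOG = """\
{"ts":1700000000.2,"uid":"CAbc1","server_name":"cdn.example","ja3":"00000000000000000000000000000001"}
{"ts":1700000060.3,"uid":"CAbc2","server_name":"cdn.example","ja3":"00000000000000000000000000000001"}
{"ts":1700000099.0,"uid":"CZzz9","server_name":"orphan.example","ja3":"00000000000000000000000000000002"}
"""
HTTP_LOG = """\
{"ts":1700000005.1,"uid":"CAbc3","method":"GET","host":"update.example","uri":"/manifest.json","user_agent":"Mozilla/5.0 (constructed)"}
"""


def parse_zeek_json(text):
    """Parse Zeek JSON logs: one JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def new_pair():
    """Empty pair record; sets hold the distinct fingerprints seen on the pair."""
    return {"uids": [], "timestamps": [], "orig_bytes": 0, "resp_bytes": 0,
            "ja3": set(), "server_names": set(), "user_agents": set()}


def build_pairs(conn, ssl=(), http=()):
    """Group conn.log rows into (orig_h, resp_h, resp_p) pairs, then attach the
    ssl.log and http.log attributes to the pair that owns each UID.
    Returns (pairs, unmatched_uids)."""
    uid_to_pair = {}
    pairs = defaultdict(new_pair)
    for c in conn:
        key = (c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])
        uid_to_pair[c["uid"]] = key
        p = pairs[key]
        p["uids"].append(c["uid"])
        p["timestamps"].append(c["ts"])
        p["orig_bytes"] += c.get("orig_bytes") or 0
        p["resp_bytes"] += c.get("resp_bytes") or 0

    unmatched = []
    for s in ssl:
        key = uid_to_pair.get(s["uid"])
        if key is None:
            unmatched.append(s["uid"])  # no conn row: report it, don't invent a pair
            continue
        if s.get("ja3"):
            pairs[key]["ja3"].add(s["ja3"])
        if s.get("server_name"):
            pairs[key]["server_names"].add(s["server_name"])
    for h in http:
        key = uid_to_pair.get(h["uid"])
        if key is None:
            unmatched.append(h["uid"])
            continue
        if h.get("user_agent"):
            pairs[key]["user_agents"].add(h["user_agent"])
    return dict(pairs), unmatched


if __name__ == "__main__":
    pairs, unmatched = build_pairs(parse_zeek_json(CONN_LOG),
                                   parse_zeek_json(SSL_LOG),
                                   parse_zeek_json(HTTP_LOG))
    for key, rec in pairs.items():
        print(key, len(rec["uids"]), "conns", sorted(rec["ja3"]), sorted(rec["user_agents"]))
    print("unmatched uids:", unmatched)
```

The pair key deliberately drops the ephemeral source port: two connections from the same host to the same destination and port are what a beaconing check later compares, so they belong to one record.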

Suricata eve.json

Flow, TLS, HTTP, DNS, and alert records parsed into the same pair-centric view. Works on default Suricata rulesets. No custom output plugin required.

NDJSON and CSV fallback

Got a vendor export nobody else supports? Upload it. An auto-detection pass tries to map common field names; if it can’t, you get a simple dropdown to map columns once and save the profile for next time.

Workspace-scoped upload limits

Per-customer ingest streams and per-customer parse queues. One tenant’s 4 GB PCAP never delays another tenant’s 50 MB Zeek bundle.

Signal, not signatures.

Most security tools look for known-bad files or IP addresses. That misses anything new. Strixl Labs scores every connection on multiple independent signals like timing, fingerprints, and destination reputation, then flags what adds up to suspicious.

Behavioral scoring engine

Each pair is scored across timing regularity, payload symmetry, connection duration stability, and other behavioral dimensions. The weights are tuned on real C2 traffic, not on synthetic benchmarks.

TLS client fingerprinting

JA3 and JA4 on every TLS handshake, matched against a curated corpus of known-bad fingerprints from Cobalt Strike, Sliver, Havoc, Metasploit, and more. Updated continuously.

HTTP client fingerprinting

JA4H on every HTTP request, computed from header order, cookie presence, Accept-Language patterns, and more. Catches HTTP-based C2 that would otherwise hide behind a normal-looking User-Agent.

Certificate fingerprinting

JA4X on X.509 certificates, with self-signed detection and subject/issuer hash comparison. Flags the kind of freshly-generated certs C2 operators spin up for individual campaigns.

DNS anomaly detection

High-entropy query detection tuned to catch DNS tunneling and domain-generation-algorithm traffic without drowning the queue in noise from legitimate CDNs and public resolvers.
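An added example of the entropy check this paragraph describes, written for illustration and not taken from Strixl Labs: Shannon entropy is computed per query name, long high-entropy subdomain labels are treated as tunneling candidates, long high-entropy registrable labels as DGA candidates, and an allowlist of suffixes absorbs CDN and resolver names that are legitimately random-looking. It goes slightly beyond the text by also tallying results per client, since one host producing many candidates is a stronger signal than the same count spread over a fleet. The allowlist, thresholds and sample queries are constructed assumptions.

```python
import math
from collections import Counter

# Constructed allowlist of suffixes whose subdomains are legitimately random-looking
# (CDN edge names, resolver telemetry). A real deployment maintains its own list.
ALLOWLIST = ("cdn.example", "edge.example.net")
MIN_LABEL_LEN = 12       # constructed: shorter labels carry too little signal to flag
ENTROPY_THRESHOLD = 3.2  # constructed: bits per character; dictionary-like labels sit well below


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain labels joined, registrable label) using the naive
    'last two labels are the registered domain' rule. A production version
    should consult the Public Suffix List so co.uk-style suffixes split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", labels[0] if labels else ""
    return "".join(labels[:-2]), labels[-2]


def is_allowlisted(qname, allow=ALLOWLIST):
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in allow)


def classify_query(qname, allow=ALLOWLIST):
    """Label one query name: allowlisted, tunnel_candidate, dga_candidate or benign."""
    if is_allowlisted(qname, allow):
        return "allowlisted"
    sub, sld = split_name(qname)
    # Tunneling encodes data in long, high-entropy subdomain labels under one domain.
    if len(sub) >= MIN_LABEL_LEN and shannon_entropy(sub) >= ENTROPY_THRESHOLD:
        return "tunnel_candidate"
    # DGA families generate long, high-entropy registrable labels instead.
    if len(sld) >= MIN_LABEL_LEN and shannon_entropy(sld) >= ENTROPY_THRESHOLD:
        return "dga_candidate"
    return "benign"


def scan_dns_log(records, allow=ALLOWLIST):
    """records: iterable of (client_ip, query). Returns {client_ip: Counter(label)},
    so a single client firing many candidates stands out."""
    summary = {}
    for client, query in records:
        summary.setdefault(client, Counter())[classify_query(query, allow)] += 1
    return summary


# Constructed sample (client, query) records.
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "a1b2c3d4e5f6a7b8.cdn.example"),
    ("10.0.0.9", "0123456789abcdef0123456789abcdef.t.example.net"),
    ("10.0.0.9", "fedcba9876543210fedcba9876543210.t.example.net"),
    ("10.0.0.9", "xk3j9qpw2lmnb7zv.com"),
]

if __name__ == "__main__":
    for client, counts in scan_dns_log(SAMPLE_DNS).items():
        print(client, dict(counts))
```

Both thresholds matter: entropy alone would flag short hex-looking hostnames such as rack or VM names, while the length floor keeps those out and the allowlist handles the remaining legitimate sources of long random labels.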

Transparent severity modifiers

Every score includes a breakdown showing what pushed it up or down. When the engine flags something, you see exactly why. No black box.
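The behavioral scoring described under "Behavioral scoring engine" and the per-score breakdown described here, as one added example that is not Strixl Labs' own engine: three of the named dimensions (timing regularity, payload symmetry, connection duration stability) are each reduced to a 0 to 1 feature, combined with weights, and every weighted contribution plus every severity modifier is recorded in a breakdown list so the final number can be explained line by line. The weights, modifier values and the two sample pairs are constructed for illustration; the page does not publish the real ones.

```python
import statistics

# Constructed feature weights; not the product's tuned values.
WEIGHTS = {"timing_regularity": 0.4, "payload_symmetry": 0.3, "duration_stability": 0.3}


def _stability(values):
    """1.0 when all values are equal, falling toward 0.0 as the coefficient of
    variation (stdev / mean) approaches 1. Needs at least three samples."""
    if len(values) < 3:
        return 0.0
    mean = statistics.fmean(values)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(values) / mean)


def timing_regularity(timestamps):
    """Regularity of the gaps between successive connections: periodic check-ins score near 1.0."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return _stability(gaps)


def payload_symmetry(orig_bytes, resp_bytes):
    """Mean per-connection min/max byte ratio: 1.0 when both sides send about the
    same amount every time (check-in / acknowledgement traffic), near 0 for bulk
    downloads or uploads."""
    ratios = []
    for o, r in zip(orig_bytes, resp_bytes):
        hi = max(o, r)
        ratios.append(min(o, r) / hi if hi else 0.0)
    return statistics.fmean(ratios) if ratios else 0.0


def score_pair(timestamps, orig_bytes, resp_bytes, durations, modifiers=None):
    """Return {'score': 0..100, 'breakdown': [...]}. Each breakdown row names the
    feature or modifier, its raw value and the points it added or removed."""
    features = {
        "timing_regularity": timing_regularity(timestamps),
        "payload_symmetry": payload_symmetry(orig_bytes, resp_bytes),
        "duration_stability": _stability(durations),
    }
    breakdown, total = [], 0.0
    for name, weight in WEIGHTS.items():
        contribution = weight * features[name] * 100
        total += contribution
        breakdown.append({"source": name, "value": round(features[name], 3),
                          "delta": round(contribution, 1)})
    # Severity modifiers (e.g. a self-signed cert, an allowlisted destination) are
    # additive and listed alongside the features, never folded in silently.
    for name, delta in (modifiers or {}).items():
        total += delta
        breakdown.append({"source": name, "value": None, "delta": delta})
    return {"score": int(max(0, min(100, round(total)))), "breakdown": breakdown}


# Constructed samples: a fixed-interval check-in versus ordinary browsing.
BEACON = dict(timestamps=[0, 60, 120, 180, 240], orig_bytes=[900] * 5,
              resp_bytes=[900] * 5, durations=[1.0] * 5)
BROWSING = dict(timestamps=[0, 5, 300, 302, 900], orig_bytes=[300, 20000, 150, 50, 8000],
                resp_bytes=[5000, 500, 9000, 60000, 300], durations=[0.4, 12.0, 0.1, 45.0, 3.0])

if __name__ == "__main__":
    for label, sample in (("beacon", BEACON), ("browsing", BROWSING)):
        result = score_pair(**sample)
        print(label, result["score"])
        for row in result["breakdown"]:
            print("   ", row)
```

Passing `modifiers={"allowlisted_destination": -50}` for the beacon sample shows the point of the breakdown: the score drops to 50, and the row that removed the points sits next to the rows that added them.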

Context delivered with the flag.

A high score is a starting point, not an answer. Every flagged connection arrives with the context an analyst would otherwise spend twenty minutes gathering: who owns the destination, has it been reported for abuse, what kind of software is talking.

Real-time threat intelligence

Multiple commercial and community feeds are checked on every scoring pass. Hits are merged into the pair record and weighted against the behavioral score. No extra API tokens to manage.

ASN, registrant, and reverse-DNS lookups

Every destination IP is resolved against authoritative ownership data. A Microsoft ASN tells you one story; a five-day-old DigitalOcean droplet tells you another.

Reputation and abuse history

Destination IPs are checked against abuse-report databases with vendor-reported confidence scores surfaced directly on the pair.

Certificate transparency signals

Self-signed certificates, freshly-issued certs, and issuer/subject mismatches get surfaced as severity modifiers. The kind of tell that operators don’t think to hide.

The work after the flag.

Strixl Labs is shaped like a work queue, not a dashboard you squint at. Open a flag, read the evidence, make a call, move on.

Explain-why breakdowns

Every flagged pair has a line-by-line breakdown showing which features contributed to the score, which threat-intel feeds matched, and which severity modifiers applied.

Confirm / dismiss actions

Mark a pair malicious or benign in one click. The engine learns from both signals: confirmed malicious pairs inform the known-bad corpus, and dismissed pairs suppress the pattern.

Workspace-wide false-positive learning

Mark one pair to a destination as benign, and every subsequent pair to that same destination with the same fingerprint gets auto-suppressed. Corporate update traffic only has to be reviewed once.

Investigation notes

Per-pair notes with timestamped history. When you come back to a case in 30 days, your past self has already left you the context.

Structured exports

CSV and JSON exports include every enrichment field: score breakdown, fingerprints, intel results, severity modifiers. Drop them straight into your SIEM or case management tool.

Engineered to be operated, not babysat.

The pieces you don't see in a demo but notice the moment a team starts using it. Access control, audit trails, keeping customers' data separate, API access.

Workspace isolation

Per-customer storage, per-customer scoring queue, per-customer threat-intel cache. A noisy upload in one workspace doesn’t touch another workspace’s latency or limits.

Role-based access

Admin, analyst, and read-only roles per workspace. SSO / SAML on Enterprise plans.

Audit log

Every upload, every confirm/dismiss action, and every export is logged with user, timestamp, and workspace. Queryable from the settings page, exportable on demand.

REST API (Beta)

Bearer-token authenticated API for ingest, pair lookup, detection feedback, and exports. Plug Strixl Labs into existing SOC automation without clicking.

Self-hosted deployment (Enterprise)

Ship the full stack as a Docker-compose bundle inside your own VPC. Bring your own threat-intel feeds, bring your own S3 bucket, keep your uploads entirely on your infrastructure.

See it with your own traffic.

Upload a capture, get a scored view in minutes. No credit card, no agent, no sales call.