Sign in

NetWatcher Overview

NetWatcher is a Managed Detection & Response Platform (MDR). 

A MDR is generally used to go the next step in managing a companies network security.  If you need more than a managed firewall and anti-virus (you do) and want someone to watch over the network 24x7, then NetWatcher is for you.  If you need to meet regulatory mandates such as HIPAA, FINRA, GLBA, PCI-DSS, NIST 800-171 etc and are required to do "continuous monitoring"--NetWatcher is for you too.  Other companies are getting pressure from their customers to have a more secure environment when they have their customers data (i.e. Law firms, Tax firms, State & Local governments etc..)--if this is the case, then NetWatcher is for you too.   If you are a business and need more advanced security but you find that all of the vendors you have considered are just way too expensive--then we are your solution.  We are different. We designed NetWatcher from the ground up to be easier to install, easier to use, more accurate and more affordable than all other security products/platforms & services on the market. 

As a NetWatcher customer you can deploy sensors and endpoints within your networks that listen for anomalous behavior and, if found, produce events.   Events are sent to the NetWatcher cloud where a more advanced correlation occurs looking at events over time and, if found, produces easy to understand alarms that you can take action on.   

It's also your choice to deploy just sensors or just endpoint or BOTH.  Some customer do not want any more devices deployed into their networks and want everything to be in the cloud--you can do that too.

Watch Video


The Sensor can be deployed as a virtual machine or by NetWatcher supplied hardware.  The modules that are currently available on the sensor are as follows:

  • IDS –The Intrusion Detection System does Deep Packet Inspection and analyzes each packet against a set of known anomalies. By default the Emerging Threats (ProofPoint “Open” ruleset is used via the IDS and updated each night). Other rulesets can be purchased for an additional fee.   When an anomaly is found an event is created and sent to the NetWatcher cloud service.
  • SIEM – The Security Information and Event Management System analyzes security-related data from raw syslogs that are pointed at the sensor. By default the Segan ruleset is used to parse syslogs and capture anomalies.
  • NetFlow – The NetFlow engine is capturing all the analytics of the traffic that is passing through the sensor (Start/End of flow, Bytes/Packets to client, Bytes/Packets to server, Source/Destination IP, Source/Destination Port, Source/Destination Hostname, Source/Destination Mac and Protocol). Each event sent to the NetWatcher cloud service has a corresponding netflow attached.
  • Scanner – The Active scanner can be used to scan IP ranges or individual hosts from an external perspective or by logging in via supplied credentials. If an anomaly is found via the scan an event is reported and sent to the NetWatcher cloud service.


The NetAgent is no cost and provides the base asset information (IP Address, MAC address, HostName) for the computer that it is communicating to the NetWatcher service.  You can purchase additional modules that can run within the NetAgent.  The modules that are currently available are as follows:

  • Sensor in the Cloud – Most computers are mobile (laptops) and when they are on premise, their traffic to the internet can be analyzed via a local Intrusion Detection System (IDS) located on the NetWatcher on-premise sensor. However, when a user is a home or in a coffee shop using a public WIFI they are more at risk.  The Sensor in the Cloud provides that same deep packet inspection / Intrusion Detection security analysis that a local sensor would provide even when the user is offsite. **All traffic to and from the internet is sent over a secure VPN**
  • HIDS – The Host Intrusion Detection System monitors and analyzes the internals of the computer for security issues. If there is an issue, it is sent to the NetWatcher sensor for additional correlation.
  • Logs – The logging module monitors the Windows Event log for issues and if there are issues sends them to the NetWatcher sensor for additional correlation.
  • SysTray – Some organizations provide the users the ability to administrate their own computers. If this is the case, a systray icon may be necessary to deploy to those computers.  This module provides that systray to allow the user to start and stop the different modules deployed to the computer.

***The NetAgent is designed to be used both with and without a locally deployed sensor.***




The NetAgent also offers a “free” version that can be used on up to 5 endpoints at no cost.

  • Offers Sensor in the Cloud for 1 endpoint (desktop, laptop or server)
  • Offers a secure VPN for all internet traffic to and from the asset
  • Easily upgraded to the paid NetWatcher Cloud Endpoint
  • Limitations
    •  Only 7 days of event data stored
    •  No SMS alerts
  • Value
    •  User quickly notified via email of both Exploits and Security Hygiene issues on their endpoint
    •  User provided with a security hygiene score on how well they are doing in regards to securing their asset

Find more here... 


NetWatcher’s cloud correlation service (CCS) analyzes events over time and over the disparate silos of IDS, Netflow, Logs and Scanning.   If an event is triggered on the firewall at 10am and at 10:01 the IDS triggers an event and at 10:02 there is strange netflow to China, these three items are correlated by the CCS’s rules engine  to determine what the threat is, how bad it is. and what to do about the threat.

The CCS rules are proprietary to NetWatcher.



The NetWatcher Customer Portal was designed to be very easy to navigate for a business person OR a more technical user.    The Dashboard contains many useful widgets and is meant to provide an overall situational awareness picture (along with a network hygiene score) of a companies security footprint.

You can find a lot more information on the customer portal here.  Also, learn about the NetWatcher Scores here.


The NetWatcher MSP Portal is used by both the NetWatcher security analysts and our Managed Services Provider Partners (NetWatcher can be purchased directly or through the NetWatcher Partner Network).

You can find a lot more information on the MSP Portal here.



One of the huge value-added features of the NetWatcher service is the Security Analysts that are also on top of watching your network.  They provide value in several ways.  First, they are watching your network for any strange behavior that the Cloud Correlation Service (CCS) may have not seen in the past (possibly a new type of exploit).  If the analyst finds such an exploit they will warn you by creating a manual alarm.  They may even call you depending on the severity of the situation. Once they scope out the issue they can then add additional logic into the CCS so that if the engine ever sees the situation in the future ALL customers will benefit.   




Alarms are the basic element of how NetWatcher communicates to our customers and partners about issues on their network.  Alarms are created either by the automated Cloud Correlation Service or by a NetWatcher Security analyst. Alarms are either Security (i.e. Malware and Exploits), Policy (i.e. pornography), Scans (i.e. Metasploit, Nessus or another scanner being run inside the network or Security Hygiene issues (i.e. Employees running outdated or risky software or sending information over the internet in clear text)



Events are the world of the security analyst, however the Customer Portal allows the customer to get into the system and go as deep as they want analyzing all the events from the endpoints, syslogs, IDS, Netflow etc.

Users can chart the events, group them and set tripwires on them if they ever occur in the future.

Users can also download the raw logs and PCAPS if necessary to do an even deeper analysis for forensics purposes.

You can find out more about the 'Advanced' tab here. (video)

 To get an appreciation for how an analyst works with events you can see some detailed articles here.


The NetWatcher sensor (VM or NetWatcher provided Hardware) is best installed on a mirror port on the switch or the router where you have the firewall connected.  Then mirror the traffic on the firewall port (ingress and egress) to the sensor. The sensor uses one port for its connection to the cloud and the other port to analyze the mirrored port.

To see and make use of the assets and traffic behind a WIFI you should either bridge the WIFI or point it’s syslog to the sensor.

More can be found here:




In the Customer Portal under the EndPoints tab (1) you will see a ‘Download NetAgents’ button (2).  Simply download the agent and run it on the asset that you want to be visible to your NetWatcher service.  Once you install the NetAgent, you can see how many agents are installed (and their corresponding modules) if you press ‘show’ on the ‘Available Modules Count’ line (3).  If the other modules were purchased they will be available for installation as well (4).



The NetWatcher Cloud Correlation Service can use whatever events are provided for additional analysis.   Think of it as an automated version of a security analyst and the more data your provide, the smarter it is.

Most customers point the following syslogs to the sensor:

  • Microsoft servers – FYI the NetWatcher Cloud Endpoint can help here by turning the eventlog into syslog messages and sending them back to the sensor. I.E. Use it for your Active Directory Server at a minimum…
  • Firewalls
  • WiFi devices
  • DNS servers
  • DHCP servers
  • VPN servers

More can be found here




Powered by Zendesk