v0.6  ·  Open Source  ·  MIT License  ·  AI Copilot

See everything on your network.

Real-time packet capture, deep protocol decode, and AI-powered threat detection — from a single laptop to hundreds of production servers.

$ curl -sSL https://netscope.ie/hub-quickstart.sh | sh
NetScope Hub · Live Flows
Total flows: 33,820 · Flows / min: 590 · Active agents: 5 · Threats detected: 3

Time          Proto  Source              Destination         Process  Threat
20:09:56.421  DNS    172.20.10.8:53201   8.8.8.8:53          chrome
20:09:56.198  TLS    172.20.10.8:52901   142.250.80.46:443   slack
20:09:55.991  HTTP   172.20.10.8:51204   192.168.1.1:80      curl     MED
20:09:55.855  ICMP   172.20.10.8         1.1.1.1             ping
20:09:55.612  gRPC   10.0.0.5:54221      10.0.0.9:50051      node
20:09:55.301  TLS    172.20.10.8:52899   35.186.224.47:443   docker   HIGH

<1ms · Packet to dashboard latency
Platforms — macOS, Linux, Windows
MIT · Open source forever

Getting started

Up and running in two minutes.

No Kubernetes. No YAML. One command starts the full stack.

01

Deploy the hub

One curl starts ClickHouse, Kafka, the API, and the web dashboard in Docker. A random API key is generated automatically.

$ curl -sSL https://netscope.ie/hub-quickstart.sh | sh
02

Enrol an agent

Generate an enrollment token in the dashboard. Run the install command on any target machine — Linux, macOS, or Windows.

$ curl -sSL "https://hub/install?token=…" | INTERFACE=eth0 sh
03

Investigate with AI

Flows appear within seconds. Ask the AI Copilot questions in plain English. Set alert rules, write Sigma detections, export to SIEM.

Dashboard at http://localhost — open in browser
Platform

Three tools. One platform.

Every component works standalone. Together they give you complete, fleet-wide observability.

Desktop App

A native Tauri + React explorer for macOS and Windows. Browse live traffic, view connection graphs, inspect TLS certificates, and run HTTP analytics — no terminal required.

macOS · Windows · Tauri 2 · Auto-update

Capture Agent

A zero-overhead Rust sensor. Runs in pcap mode on any platform, or eBPF mode on Linux for process attribution and kernel-level visibility. Sends compressed flow telemetry with no local storage.

Linux · macOS · Windows · eBPF

SaaS Hub

A self-hosted control plane aggregating flows from your entire fleet. AI Copilot, anomaly detection, Sigma rules, custom dashboards, SSO/SCIM, compliance reporting, and SIEM export.

Docker · Kubernetes · ClickHouse · AI Copilot

Capabilities

Everything to understand your traffic.

From raw packets to actionable security intelligence — in real time.

Real-time capture

Sub-millisecond latency from packet to dashboard. pcap on all platforms, eBPF on Linux for kernel-level visibility without copying to userspace.

Deep protocol decode

HTTP hostnames, DNS queries, TLS handshakes, gRPC method names, HTTP/2 streams, ICMP types, ARP. See the conversation, not just IP headers.

Process attribution

eBPF maps every connection to the process, PID, binary, and user. Know exactly which app is phoning home or exfiltrating data.

AI Security Copilot

Ask questions in plain English. The Claude-powered copilot translates your question into ClickHouse SQL, runs it, and explains the results inline.

GeoIP & threat intel

MaxMind GeoLite2 enrichment on every flow. AbuseIPDB lookups flag known-malicious IPs with colour-coded threat badges before they escalate.

Sigma detection

Write detections in standard Sigma format or use 5 built-in rules. Get real-time alerts on port scans, DNS tunnelling, C2 beaconing, and more.

Behavioural anomaly detection

7-day rolling Z-score baseline per agent and protocol. Automatic spike detection flags unusual traffic volumes within 5 minutes.

Custom dashboards

Build your own views with 6 widget types: stat cards, flow-rate charts, protocol pies, top-talkers, alert feeds, and anomaly feeds.
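
The per-agent, per-protocol Z-score baseline described above under behavioural anomaly detection, as an added Python example (not NetScope's code). The 5-minute bucket size, the threshold of 3, the minimum history and the sigma floor are assumptions, and the traffic values are constructed.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

BUCKETS_7D = 7 * 24 * 12   # 7 days of 5-minute buckets (bucket size is assumed)
MIN_HISTORY = 12           # assumed: score nothing until an hour of history exists
Z_THRESHOLD = 3.0          # assumed alert threshold, in standard deviations
SIGMA_FLOOR = 1.0          # assumed: stops a flat baseline dividing by zero


class ZScoreBaseline:
    """Rolling baseline of bytes per bucket, kept per (agent, protocol)."""

    def __init__(self):
        self._hist = defaultdict(lambda: deque(maxlen=BUCKETS_7D))

    def depth(self, agent, proto):
        """Number of buckets currently in the baseline for this series."""
        return len(self._hist[(agent, proto)])

    def observe(self, agent, proto, value):
        """Score one bucket against the baseline; return (z, is_spike)."""
        hist = self._hist[(agent, proto)]
        if len(hist) < MIN_HISTORY:          # cold start: learn, do not alert
            hist.append(value)
            return None, False
        sigma = max(pstdev(hist), SIGMA_FLOOR)
        z = (value - mean(hist)) / sigma
        spike = z > Z_THRESHOLD
        if not spike:
            # Spikes stay out of the baseline, so a sustained transfer cannot
            # raise the mean and make itself look normal.
            hist.append(value)
        return z, spike


def run_sample():
    """Constructed series: steady TLS traffic, then one large outbound bucket."""
    baseline = ZScoreBaseline()
    series = [1000 + (i % 5) * 10 for i in range(20)] + [50_000, 1020]
    alerts = []
    for i, value in enumerate(series):
        z, spike = baseline.observe("agent-1", "TLS", value)
        if spike:
            alerts.append((i, round(z, 1)))
    return alerts


if __name__ == "__main__":
    print(run_sample())
```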

New in v0.6

Ask your network anything.

The AI Security Copilot translates plain-English questions into ClickHouse SQL, executes them against your live flow data, and explains the results — all in a streaming side panel.

Powered by Claude — runs inside your hub, API key never leaves your server

SELECT-only enforcement — injected SQL is validated before execution

Multi-turn tool use — runs up to 5 queries per question, shows live SQL cards

AI Copilot Powered by Claude
Which IPs had unusual outbound traffic in the last hour?
I'll look for source IPs with significantly higher bytes_out than their recent baseline…
SELECT src_ip,
  sum(bytes_out) AS total_out,
  count() AS flows
FROM flows
WHERE ts > now() - INTERVAL 1 HOUR
GROUP BY src_ip
HAVING total_out > 50000000
ORDER BY total_out DESC LIMIT 10
Found 3 IPs with >50 MB out — 10.0.0.14 sent 1.2 GB, which is 8× its 7-day average. Possible exfiltration.
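
One way to implement the SELECT-only check described above for model-generated SQL, as an added Python example; it is not NetScope's validator, and the keyword list and the function name `check_select_only` are assumptions. It goes beyond statement type and also rejects ClickHouse table functions that read from outside the database.

```python
import re

# Strings, quoted identifiers and comments are blanked first, so their
# contents can neither hide a keyword nor cause a false match.
_QUOTED = re.compile(
    r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|`[^`]*`|--[^\n]*|/\*.*?\*/""",
    re.DOTALL,
)
# Keywords with no place in a read-only query (assumed list, fails closed).
_FORBIDDEN = {
    "INSERT", "ALTER", "DROP", "CREATE", "TRUNCATE", "RENAME", "ATTACH",
    "DETACH", "OPTIMIZE", "GRANT", "REVOKE", "SYSTEM", "KILL", "SET",
    "DELETE", "UPDATE", "INTO", "SETTINGS", "EXCHANGE",
}
# ClickHouse table functions that make a SELECT read outside the database.
_EXTERNAL = re.compile(
    r"\b(url|file|remote|remoteSecure|s3|hdfs|mysql|postgresql|jdbc|odbc)\s*\(",
    re.IGNORECASE,
)

# The query shown in the copilot panel on this page.
PAGE_QUERY = """SELECT src_ip, sum(bytes_out) AS total_out, count() AS flows
FROM flows WHERE ts > now() - INTERVAL 1 HOUR
GROUP BY src_ip HAVING total_out > 50000000
ORDER BY total_out DESC LIMIT 10"""


def check_select_only(sql):
    """Return (allowed, reason) for one model-generated statement."""
    bare = _QUOTED.sub(" ", sql)
    if re.search(r"['\"`]|/\*", bare):
        return False, "unterminated quote or comment"
    bare = bare.strip().rstrip(";").strip()
    if ";" in bare:
        return False, "multiple statements"
    words = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", bare.upper())
    if not words or words[0] not in ("SELECT", "WITH"):
        return False, "not a SELECT"
    banned = _FORBIDDEN.intersection(words)
    if banned:
        return False, "forbidden keyword: " + sorted(banned)[0]
    if _EXTERNAL.search(bare):
        return False, "external table function"
    return True, "ok"


if __name__ == "__main__":
    print(check_select_only(PAGE_QUERY))
```

A lexical check like this is one layer; running the copilot's queries as a ClickHouse user with `readonly = 1` enforces the same property in the database itself.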
Under the hood

Powerful CLI, clean dashboard.

Use the agent from the terminal during incident response, or let the hub aggregate everything automatically.

Capture on any interface

Physical NICs, virtual bridges, container network namespaces, loopback. Works in Docker, K8s pods, and bare metal.

Queryable with SQL

All flows land in ClickHouse. Run ad-hoc queries from the AI Copilot or any SQL client. Export to CSV, hook up Grafana.

Server-side enrichment

Hostname resolution, GeoIP, ASN, threat intel, and process attribution all happen server-side — the agent stays lean.

zsh — netscope-agent
# Install and enrol the agent
$ curl -sSL "http://hub/install?token=abc123" | INTERFACE=eth0 sh
✓ Agent installed → /usr/local/bin/netscope-agent
✓ Enrolled — agent_id: 4f8a2c1e
→ Capturing on eth0 (pcap mode)...

# Switch to eBPF for process attribution (Linux)
$ sudo netscope-agent-ebpf --hub-url http://hub --api-key …
✓ eBPF probe loaded
DNS chrome → 8.8.8.8:53 api.example.com 0.8ms
TLS node → 104.18.3.12:443 registry.npmjs.org 12ms
HTTP curl → 192.168.1.1:80 ⚠ unencrypted POST /login
Pricing

Start free. Scale as you grow.

Every plan includes the desktop app, capture agent, and self-hosted hub. No vendor lock-in, ever.

Community
Free
forever · open source · MIT
  • Up to 10 agents
  • All protocols · eBPF · AI Copilot
  • Desktop app (macOS + Windows)
  • Self-hosted hub (Docker)
  • Anomaly detection · Custom dashboards
  • Community support (GitHub)
Enterprise
Custom
volume pricing · on-prem · SLAs
  • Unlimited agents
  • Everything in Team
  • Custom RBAC roles · PII redaction
  • OpenTelemetry trace correlation
  • SOC 2 / ISO 27001 compliance docs
  • Dedicated support & SLAs

Ready to see your network?

Deploy in two minutes. No credit card, no sign-up, no telemetry sent anywhere.