Admin console
Tenant admin UI for bulk key provisioning, SSO configuration, fleet policy push, and per-seat remote revoke — all behind your existing IdP.
Enterprise control plane
Per-app egress control at enterprise scale.
Every device runs the same NetInsightPro agent. What changes by tier is where your admin surface and audit data live — our cloud, your VPC, or fully air-gapped. Pick the trust boundary that fits your security model.
£25,000 / yr · 100 seats · Cloud · Hybrid · Private
Two lenses on the same telemetry
Personal + admin, same data plane.
Every device runs the same Pro client. Enterprise tenants get an admin console on top of the same flow records — no second agent, no schema fork.
Pro
Device
workstation-001 · sarah.mitchell@example.com · macOS 14.5
Healthy · Pro tier
Anomaly detectedCursor — 7.2x bytes-out baseline at 14:23
| App | Bytes | Verdict |
|---|---|---|
ChatGPT Desktop | +2.4 MB/min | |
Claude Desktop | +1.8 MB/min | |
Slack | +6.4 MB/min | |
Dropbox | +14.2 MB/h | |
Spotify | +0.9 MB/min |
bytes_out · last 24h
Sample only — not a live control
Enterprise
Tenant
TechProf Ltd
techprof.netinsightpro.com
Healthy · Enterprise Cloud
Seats142 / 250
| Hostname | Last seen | Status |
|---|---|---|
| workstation-001 | 2 min ago | active |
| mbp-finance-04 | 5 min ago | active |
| devbox-01 | 14 min ago | active |
| pos-store-12 | 47 min ago | idle |
Compliance & platform support
- SCIM 2.0
- SAML SSO
- OIDC
- BYOK
- OCSF audit
- Windows Server 2022
- Ubuntu LTS
- RHEL / Rocky
- mTLS
- Ed25519-signed digests
- TLS 1.3
The enterprise gap
What existing tools miss at scale
The problem
- Firewalls block ports — not 10,000 apps across a fleet
- SIEM shows network noise; per-app attribution requires expensive DPI
- Multi-tenant BYOK and air-gap requirements ruled out by cloud-only vendors
- On-prem requirements mean custom build or compromise on visibility
How NetInsightPro closes it
- Kernel-level per-app tagging: WFP on Windows, Netfilter on Linux, VpnService on Android
- Admin console + policy engine scales to 10,000+ devices without custom infrastructure
- BYOK on Hybrid / Private — your KMS, your keys, your data
- Private tier: full control plane in your VPC or air-gapped network
Platform features
Eight enterprise capabilities. One agent.
From kernel-level egress classification to air-gapped Private deployment — all without requiring a separate enterprise binary.
Tenant management
Multi-tenant isolation with OU-scoped policy targeting. Off-board a user from your directory; the device licence revokes automatically via SCIM.
Policy engine
Signed egress rules distributed to the fleet. Allow/block per app, per destination CIDR, per port — or set a bytes-out threshold before flagging.
OCSF
Real-time audit log
Immutable audit log: 90 days on Cloud, 2 years admin audit on Cloud, 7 years on Hybrid, custom retention on Private. Exportable as OCSF JSON.
Enterprise
SIEM forwarder
Push OCSF-formatted events to Splunk, Sentinel, Elastic, Chronicle, or QRadar via webhook (Cloud) or syslog-TLS to your on-prem collector (Hybrid/Private).
Hybrid
BYOK encryption
Customer-managed encryption keys for audit data at rest. Supply your AWS KMS, Azure Key Vault, or GCP KMS ARN — we never hold the key.
Hybrid
Hybrid telemetry
Raw flow records stream to your on-prem collector over mTLS. The cloud sees only Ed25519-signed daily digests. Your SIEM gets raw events; we never do.
SCIM auto-provisioning
Automated seat provisioning and de-provisioning from Okta, Azure AD, Google Workspace, or any SCIM 2.0-compliant identity provider.
SIEM integration
Sample OCSF event forwarded to your SIEM
{
"metadata": {
"version": "1.3.0",
"product": { "name": "NetInsightPro", "vendor_name": "NetInsightPro Ltd" }
},
"class_uid": 4001,
"category_name": "Network Activity",
"activity_name": "Established",
"severity_id": 3,
"time": 1717862400000,
"src_endpoint": { "ip": "10.0.4.17", "hostname": "ws-eu-014" },
"dst_endpoint": { "ip": "104.18.32.7", "hostname": "api.openai.com" },
"connection_info": { "protocol_name": "tcp", "direction": "outbound" },
"observables": [{ "name": "ai_threat_subtype", "value": "llm_exfil_suspect" }]
}Intelligence layer
Anomaly detection across your entire fleet.
Smart alerts fire when a device's outbound bytes deviate from its 7-day EWMA baseline. Per-tenant threshold tuning via policy — no rules to write for the common case.
- Flags the app, new destinations, and excess byte volume
- OCSF-formatted anomaly events forwarded to your SIEM automatically
- Fleet-wide alert thresholds pushed via policy engine
AI-era threat detectionEarly Access
Detects documented AI-worm threats your SIEM cannot.
CrowdStrike reported an 89% surge in AI-enabled adversary operations in their 2026 Global Threat Report.[5] SesameOp routes C2 through api.openai.com — standard HTTPS that port-based firewalls and TLS inspection cannot distinguish from developer tooling. Per-app attribution at the kernel level is the only detection surface.
Documented threats now detectable
Morris II
2024
Self-replicating GenAI worm — RAG poisoning + adversarial prompt propagation (Cornell Tech, arXiv:2403.02817).
Source →PROMPTSTEAL
2025
APT28 malware calls Hugging Face LLM in real attacks to generate Windows recon commands, then exfiltrates via SSH.
Source →SesameOp
2025
Backdoor uses OpenAI Assistants API as C2. Traffic is valid HTTPS to api.openai.com — invisible to TLS inspection alone.
Source →H1
LLM API egress monitoring
Alerts when malware queries ChatGPT, Claude, or Gemini from non-browser processes. The H1 heuristic — lowest false-positive rate of any AI-threat signal.
H5
Lateral move detection
Flags follow-up SSH/SMB/Kubernetes connections within 60 seconds of an LLM API response from the same process — the signal of LLM-orchestrated reconnaissance.
H7
Swarm detection
Escalates when 3+ hosts show the same unknown process binary making LLM API calls within a 5-minute window. The highest-specificity worm propagation signal (H7).
Phase 2 MVP is shipped. Admin UI tab is Phase 3 (roadmap).
Detection telemetry and backend DDB visibility are live. The admin console AI Threats tab, block-mode policy template, and threat-intel feed integration are in the roadmap for Phases 3–5. See the full breakdown on the dedicated page.
How NetInsightPro works
From endpoint signal to operator alert — one unified pipeline, fully on-host or hybrid.
Data Sources
Endpoints · Firewall · DNS
Collectors
On-host · Hybrid · Cloud
Analytics Engine
Stream · Enrich · Index
Threat Detection
Anomaly · AI-Worm · Lateral
Dashboards & Alerts
Per-tenant · SIEM · Pager
- Data SourcesEndpoints · Firewall · DNS
- CollectorsOn-host · Hybrid · Cloud
- Analytics EngineStream · Enrich · Index
- Threat DetectionAnomaly · AI-Worm · Lateral
- Dashboards & AlertsPer-tenant · SIEM · Pager
See the platform
Per-tenant fleet visibility, compliance evidence, and SIEM-grade event forwarding — out of the box.
Live tenant fleet, anomaly status, recent activity.
Per-collector posture, version, last-seen, drift.
SOC2 / ISO / GDPR evidence pack — export on demand.
DLQ-protected forwarder to Splunk, Datadog, Sentinel.
Admin dashboard
Fleet-wide visibility in one console.
The admin console shows per-device egress, anomaly alerts, policy compliance, and SIEM forwarder status across every managed endpoint.
app.netinsightpro.com — Admin Console
Total endpoints
4,200
Active alerts
17
Blocked connections
348
SIEM events / day
92K
Recent anomaliesView all →
WKSTN-0442 · Windows 11
OneDrive
+22.1 MBBlocked
LNXSRV-07 · Ubuntu 22.04
python3
+8.4 MBAlerting
MOBILE-1104 · Android 14
Dropbox
+5.7 MBAlerting
0managed endpoints
0anomalies this week
0SIEM events / day
0confirmed exfil events
Deployment options
Three shapes. One client binary.
Pick the trust boundary that fits your security model. The agent binary is bit-identical across all three tiers — licences come from the server, not the client.
Enterprise starts at £25,000 / yr · 100 seats included
RecommendedTalk to sales
Cloud
Fully managed SaaS
Admin console and licence control plane hosted by NetInsightPro. Same client binary as Pro. Zero infrastructure to run.
- Hosted admin console
- SSO via SAML 2.0 or OIDC
- SIEM webhook + bulk provisioning
- MDM silent install (Windows / Linux / Android)
- 99.9% uptime SLA + dedicated CSM
- 90-day raw event retention
From £25,000 / yr
100 seats included
Hybrid
SaaS admin · private data plane
Control plane is ours; raw event data never leaves your VPC. On-prem collector runs as Docker Compose or Helm inside your infrastructure.
- Everything in Cloud
- On-prem event collector in your VPC
- Raw events to your SIEM directly
- BYOK — customer-managed encryption keys
- Private CIDR allow-list on control plane
- 7-year admin audit retention
Custom quote
Seat volume + collector
Private
Air-gapped · fully sovereign
Control plane ships as Docker Compose / Helm into your VPC or air-gapped network. No third-party cloud dependency at runtime. Client binary is bit-identical.
- Everything in Hybrid
- Control plane in your VPC or air-gap
- Open-source stack — no cloud dependency
- Quarterly security patch releases
- Dedicated implementation engineer
- Custom SLA, audit retention, and support tier
Custom quote
Unlimited seats
Why one binary across every tier
Mature endpoint tools ship a single binary. Licence entitlements come from the server — the client never changes. That means:
- — One supply chain (one signing cert, one notarisation, one crash stream)
- — Users upgrade in place by pasting a licence — no reinstall
- — Downgrade is graceful: expire the licence, the client falls back to Free
What is enterprise-tier-only is the control plane:
- — Tenant admin console (bulk keys, SSO, audit, policy engine)
- — SIEM egress pipeline and OCSF event forwarder
- — MDM install parameters honoured by the client
- — Policy distribution channel (signed rules, polled by the client)
Buyer journey
From first call to rollout.
- 01Scoping call
30-min technical intro. We map your fleet size, SIEM, IdP, and retention requirement to one of the three deployment shapes.
- 02Proof of value
30-day pilot on up to 50 seats. Full capability set; we co-build one policy + one SIEM integration with your team.
- 03Quote + contract
Fixed annual price tied to seat count, retention tier, and SLA level. Standard DPA + MSA — redlines welcome.
- 04Rollout
MDM silent install pushes the agent + licence to every device. SSO + policy engine go live the same day.
- 05Ongoing
Dedicated CSM. Quarterly business reviews. Compliance pack available on demand.
Security & compliance
Built for regulated enterprise.
Security architecture
- Data-at-rest: AES-256 via KMS (BYOK on Hybrid / Private)
- In-flight: TLS 1.3 to all endpoints; mTLS for agent → collector
- Ed25519-signed digests (Hybrid) — tamper-evident audit trail
- RBAC — per-seat and per-OU role enforcement
- Immutable audit log with configurable retention
- On-prem Private tier: air-gap eligible, no third-party cloud dependency
Compliance & standards
- UK GDPR · EU GDPR · CCPA
- SAML 2.0 / OIDC SSO — Okta, Azure AD, Google Workspace
- SCIM 2.0 automated provisioning
- OCSF-format audit events for SIEM ingestion
- SOC 2 Type II — available on request (Enterprise)
- DORA · BSI C5 · NIS2 alignment (Hybrid / Private)
No banned dates. SOC 2 Type II report available on request for Enterprise customers. DPA + MSA available at legal@netinsightpro.com.
FAQ
Enterprise questions answered
More questions? Email enterprise sales or request DPA / MSA templates.
Talk to enterprise sales.
Tell us your rough seat count, SIEM, and IdP. We'll respond within one business day with a deployment shape and a price. No spam. No gate on the first call.
Or email direct: sales@netinsightpro.com
Three deployment shapes · One client binary · Standard DPA + MSA available