01post-breach operating layer

Network detectionand attackreconstructioninfrastructure.

Detects modern breaches with near-zero false positives.
Reconstructs the full attack provenance chain.

detection
modern breaches
reconstruction
access → egress
delivery
as a service
architecture
first principles

Prophet is network detection and attack reconstruction infrastructure delivered as a service. Customers deploy lightweight collectors wherever traffic exists; Prophet operates everything behind them. IRIS models network-wide communication and detects activity imposed by an attacker. Apollo reconstructs the full provenance chain of the attack: how the attacker got in, which identity they used, what they ran, how they moved, what they collected, and where the data went. Prophet returns the reconstruction as an evidence-backed case instead of a raw alert.

01detection

Detect breaches.

Cyber attacks must communicate over the network. Network communication has observable shape. Prophet models that shape at enterprise scale and detects when your network has been breached with near-zero false positives.

02reconstruction

Reconstruct attacks.

Prophet reconstructs the full attack provenance chain across access, identity, execution, movement, collection, and egress. The result is an evidence-backed case with the remaining unknown made explicit.

Prophet uses a distributed collection topology. Lightweight collectors deploy wherever traffic originates: containers, Kubernetes nodes, VMs, cloud environments, physical infrastructure, taps, endpoints, and any OS. They extract communication shape as compact telemetry and, on hosts, preserve the process, session, and identity context behind each flow. Network telemetry drives detection; host context supports reconstruction. Prophet operates collection, reconciliation, storage, inference, and reconstruction as one service.

Deploy collectors.

Deploy lightweight collectors with a single command across Linux, Windows, Docker, Kubernetes, VMs, cloud environments, endpoints, or taps. Collectors extract communication shape and protocol metadata - DNS, HTTP, TLS, and flow behavior - and stream compact telemetry to Prophet. Configuration is managed centrally in the Prophet console. Prophet's ingest and storage infrastructure scales horizontally to handle any traffic volume.

deploy nodeesc
dockerlinux / macwindowskubernetes
curl -sSL https://dev.prophet.io/install | bash -s -- pt_de4d46fa7e22

connection status

waiting for node to connect...
approve node
configure

optional configuration

descriptionVMWare virtual switch tap
profilenone (default config)
tagssan-jose DC

Detect breaches.

IRIS models your network-wide communication shape deeply enough to learn what the network produces on its own. Exogenous activity imposed by an attacker becomes visible as a departure from that behavior.

detectionstenantsall
IRIS12K targets · 16 cases
apollo3/1
Northcraft Mediamalicious0.88

CRITICAL Confirmed malicious activity on Docker Swarm cluster. Off-distribution TLS beaconing from swarm-edge-04.

01:26 PM
Pomar Statebenign0.88

Benign - scheduled Veeam backup. Telemetry across upload events is structurally identical.

12:23 AM

Reconstruct attacks.

When breach signal appears, Apollo reconstructs the full attack provenance chain: how the attacker got in, which identity they used, what they ran, how they moved, what they collected, and where the data went. It tests competing explanations and returns an evidence-backed case with each fact labeled observed, inferred, or unavailable.

discriminatorhigh

April upload tooling is statistically incompatible with the March session.

April session: 78 flows, IQR 172-236 MB, mean duration 1.3s - no distributional overlap with March.

verifyApril 9 flows to files.slack.com
discriminatorhigh

Session used a pre-stored Slack token.

No credential acquisition preceded the upload.

verifyDNS queries pre-onset window
corroboratorhigh

Four never-seen Tailscale IPs aligned with upload escalation.

First contact appeared 4 min 10 s before the upload spike.

Ask Prophet.

Ask Prophet any question about your network traffic. It runs a deep search across months of traffic collected across your enterprise, follows pivots across flow and protocol telemetry, and returns the answer.

prophet consolenetwork / deep search
what external services is my network sending traffic to?
Thinking3.9s

Good question. I'll fan out across destination organizations, ports/protocols, and application-layer services.

subagentexplore

top destination orgs by upload bytes

got 160,041 hits
subagentexplore

top dest port:protocol pairs by flow count

got 160,111 hits
subagentexplore

top TLS SNIs by flow count

thinking...
answerexternal SaaS and cloud destinations dominate the last 15m.ready
context /⌘K
message prophet or type / for commands

A mature cyber attack is an active, distributed adversarial presence living inside the enterprise. After initial breach, it uses the enterprise fabric as the substrate for its own proliferation. It is optimized for stealth, novel expression, leverage, and eventual destruction.

Its power is distributed orchestration: the ability to coordinate communications and activities across a surface too large to reduce to one artifact, one path, one host, or one known technique.

Its weakness is its nervous system: the network communications that keep the system coherent.

Detecting mature cyber attacks requires modeling what the enterprise network produces on its own, so precisely that an adversarial communication system becomes visible as exogenous activity imposed within the network.

Existing cyber architectures are built to detect and prevent initial access. They are poorly suited for the attacker activity that follows breach.

Mature attacks are distributed adversarial systems. Their events are fragments, not the system. Their coherence lives in communication.

Modern defense assumes breach and detects what happens after.

Prophet pricing scales with what you’re replacing. Small teams buy Prophet as their whole security stack - host evidence, network detection, and autonomous attack reconstruction in one product, at a fraction of an EDR + SIEM + MDR combo. At scale, pricing anchors to the SOC capacity it displaces. No per-seat tax, no per-alert tax.

monitored hosts & collectors
employees with network activity
$79/ month

Collection, retention, autonomous detection, and attack reconstruction for a single host.

$758 billed annually · 20% discount

Estimates assume 6‑month retention of compact telemetry and average egress volume. Talk to us to scope retention, traffic, and any specifics for your network.