Run Silent.
Run Deep.
Track Everything.

IoT/IIoT-Native Network Detection & Response. IT-Ready.

Rockfish NDR turns Suricata EVE records into network intelligence — surfacing what lurks on the wire. Graph-based behavioral detection. GeoIP enrichment. Cryptographically signed Parquet. Built for CMMC compliance. Deployed as a single Rust binary.

  • 5+ pipeline stages
  • 12 detection algorithms
  • 14+ EVE event types
  • 1 single binary

Five stages. One Simple Bolt-On.

Every stage is built into a single Rust binary. Data flows left to right — from Suricata's event stream to actionable intelligence.

INPUT     Suricata EVE via Unix socket or file (tail -f)
INGEST    parse & classify events (alert, flow, dns, http, tls, smtp, +8 more); GeoIP enrichment; IP reputation; event filtering
STORE     Parquet with Zstd compression; Hive partitioning (year / month / day); optional S3 / MinIO upload
ANALYZE   Hunt: graph-based behavioral detection; Anomaly: ML-based anomaly detection; Report: 12+ page HTML dashboards; MCP / Chat: AI-native queries & analysis
RESPOND   JSON alerts to MQTT / Kafka, Fluent Bit / Vector, n8n / Node-RED

Suricata → rockfish ingest → Apache Parquet → rockfish hunt|report|mcp → SIEM & SOAR
Input

Suricata EVE records

Rockfish connects directly to Suricata's EVE output — via Unix socket for real-time streaming or file tailing for batch processing. No agents. No sidecars. No middleware.

  • Unix socket with automatic reconnect on failure
  • File input with tail -f semantics for batch replay
  • All EVE event types including OT/ICS protocols
suricata → rockfish
# Suricata output sources
Suricata
├─ eve.json ──────► file input
└─ eve.sock ──────► socket input

# Supported event types
alert flow dns http tls ssh smtp fileinfo anomaly dhcp mqtt modbus dnp3 ...
Ingest

Parse, Enrich, Partition

Events are strongly typed, parsed into native Rust structures, and routed by event type. Optional enrichment layers add geolocation and IP reputation before writing to columnar storage.

  • Strongly-typed EVE JSON deserialization with full validation
  • GeoIP enrichment via MaxMind databases
  • IP reputation scoring via AbuseIPDB with local caching
  • Configurable include/exclude event filtering
  • Memory-bounded buffering with time-based flush
  • Multi-sensor partitioning for distributed deployments
rockfish ingest
$ rockfish ingest \
    --input /var/run/suricata/eve.sock \
    --output /var/lib/rockfish/parquet/ \
    --geoip /usr/share/GeoIP/ \
    --flush-interval 60s \
    --compression zstd

# Hive-style date partitioning (year / month / day under each event type)
/parquet/
├── alert/year=2026/month=04/day=01/
├── flow/year=2026/month=04/day=01/
├── dns/year=2026/month=04/day=01/
└── tls/year=2026/month=04/day=01/
Store

Columnar Parquet + Zstd

All events are written to Apache Parquet with Zstd compression and Hive-style date partitioning. The embedded SQL engine uses partition pruning to reach sub-second analytical performance. Optional S3 upload for long-term retention.

  • Apache Parquet columnar format with 10-20x compression
  • Hive-style date partitioning for sub-second queries
  • Per-event-type schemas with full field coverage
  • Embedded SQL engine for ad-hoc analytical queries
  • Optional AWS S3 / MinIO / DigitalOcean Spaces upload
  • Configurable retention with rockfish prune
schema & query
# Schema per event type
alert.parquet
├── timestamp       TIMESTAMP_TZ
├── src_ip          VARCHAR
├── dest_ip         VARCHAR
├── alert_action    VARCHAR
├── alert_sig_id    INT64
├── alert_severity  INT32
└── ...48+ fields

# SQL engine analytical query
SELECT dest_ip, count(*)
FROM read_parquet('alert/**/*.parquet', hive_partitioning=true)
WHERE year=2026 AND month=4
GROUP BY 1
ORDER BY 2 DESC
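The partition pruning mentioned above works at the directory level: the query engine reads the key=value segments of each file path and skips every file whose year/month/day keys cannot satisfy the WHERE clause, before opening a single Parquet footer. The following is an added illustration of that mechanism, written for this page and not taken from Rockfish; it uses only the Python standard library, follows the <event_type>/year=/month=/day= layout shown here, and the file listing is constructed. Function names are assumptions.

```python
"""Added example, not Rockfish code: how Hive-style year/month/day
partitioning lets a query skip whole directories before reading Parquet data.
Stdlib only; the file names below are constructed for the illustration."""
from datetime import datetime, timezone


def partition_dir(event_type: str, eve_timestamp: str) -> str:
    """Directory a record is written to: per-event-type root, then date keys.

    The date is taken in UTC so sensors in different zones share one layout,
    and month/day are zero-padded so directory listings sort correctly.
    """
    ts = datetime.strptime(eve_timestamp, "%Y-%m-%dT%H:%M:%S.%f%z")
    ts = ts.astimezone(timezone.utc)
    return f"{event_type}/year={ts.year}/month={ts.month:02d}/day={ts.day:02d}"


def parse_hive_keys(path: str) -> dict:
    """Read key=value path segments. Digit-only values become ints, which is
    why month=04 on disk satisfies WHERE month=4 in the query."""
    keys = {}
    for segment in path.split("/"):
        if "=" in segment:
            key, value = segment.split("=", 1)
            keys[key] = int(value) if value.isdigit() else value
    return keys


def prune_files(paths, event_type, **predicates):
    """Keep only files under event_type whose partition keys satisfy every
    equality predicate, e.g. prune_files(paths, "alert", year=2026, month=4).

    A file lacking one of the predicate keys is dropped rather than read
    blindly; everything returned is the set the engine would actually open."""
    kept = []
    for path in paths:
        if not path.startswith(event_type + "/"):
            continue
        keys = parse_hive_keys(path)
        if all(keys.get(k) == v for k, v in predicates.items()):
            kept.append(path)
    return kept


# constructed listing of a small parquet tree (not a real deployment)
SAMPLE_FILES = [
    "alert/year=2026/month=03/day=31/part-0.parquet",
    "alert/year=2026/month=04/day=01/part-0.parquet",
    "alert/year=2026/month=04/day=01/part-1.parquet",
    "alert/year=2026/month=04/day=02/part-0.parquet",
    "flow/year=2026/month=04/day=01/part-0.parquet",
]

if __name__ == "__main__":
    print(partition_dir("alert", "2026-04-01T14:32:01.000000+0000"))
    # the WHERE year=2026 AND month=4 query from this page touches only these:
    for path in prune_files(SAMPLE_FILES, "alert", year=2026, month=4):
        print("read", path)
```

The point to carry over to a real deployment: pruning only helps when the predicate is on the partition keys themselves. A filter on src_ip still has to open every file in the matched partitions, so date-bounded queries are the ones that stay sub-second as the archive grows.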
Analyze

Hunt, Report, Query

Three complementary engines operate on the same Parquet data. Hunt builds communication graphs for behavioral detection. Report renders interactive dashboards. MCP and Chat expose data to AI assistants for conversational investigation.

  • 12 behavioral detection algorithms in a single pass
  • Beaconing, lateral movement, C2 fanout, port scanning
  • DNS tunneling and data exfiltration detection
  • ML-based anomaly detection for unknown threats
  • 12+ page self-contained HTML reports with Chart.js & D3
  • MCP server for Claude and AI assistant integration
  • Natural language chat interface for threat hunting
rockfish hunt & report
# 12 behavioral detection algorithms
rockfish hunt:
├── Beaconing           C2 callback detection
├── Lateral Movement    A→B→C chain analysis
├── C2 Fanout           many→one patterns
├── Port Scanning       host→many ports
├── DNS Tunneling       subdomain entropy
├── Data Exfiltration   byte thresholds
├── Community Detect    botnet clustering
├── Baseline Deviation  behavioral drift
├── Anomaly Detection   ML-based scoring
└── ...3 more algorithms

# Self-contained HTML report
rockfish report → report.html
├── Overview
├── Alerts
├── Findings
├── DNS
├── TLS
├── Flows
├── Network
└── Inventory
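The page names beaconing detection only as "C2 callback detection". The block below is an added illustration, not Rockfish code, of the interval-regularity heuristic such a detector is usually built on: group Suricata EVE flow records by (src_ip, dest_ip, dest_port), measure how evenly spaced the connections are, and emit findings shaped like the alert payload shown under Respond (hunt_type and score). The function names, the thresholds, and the sample records are assumptions made for this example; the records are constructed, not captured traffic.

```python
"""Added example, not Rockfish code: a minimal beaconing detector over
Suricata EVE "flow" records. Function names, thresholds and the sample
records below are assumptions made for this illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def parse_eve_timestamp(ts: str) -> datetime:
    """Parse Suricata's EVE timestamp, e.g. 2026-04-01T14:00:00.000000+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def detect_beaconing(flows, min_connections=6, max_jitter=0.2):
    """Flag (src_ip, dest_ip, dest_port) pairs whose connection intervals are
    suspiciously regular.

    jitter = stdev(intervals) / mean(intervals). A timer-driven callback has
    jitter near 0; interactive traffic has jitter well above 1. The score is
    1 - jitter, clipped to [0, 1]. min_connections guards against scoring a
    pair on one or two intervals, where jitter is trivially 0.
    """
    by_pair = defaultdict(list)
    for f in flows:
        if f.get("event_type") != "flow":
            continue  # an EVE stream mixes event types; only flows matter here
        by_pair[(f["src_ip"], f["dest_ip"], f["dest_port"])].append(
            parse_eve_timestamp(f["timestamp"]))

    findings = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()  # file replay or multiple sensors need not arrive in order
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue
        jitter = pstdev(intervals) / avg
        if jitter > max_jitter:
            continue
        last = times[-1].astimezone(timezone.utc)
        findings.append({
            "timestamp": last.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "src_ip": src,
            "dest_ip": dst,
            "dest_port": port,
            "hunt_type": "beaconing",
            "score": round(max(0.0, 1.0 - jitter), 2),
            "connections": len(times),
            "interval_seconds": round(avg, 1),
        })
    findings.sort(key=lambda x: x["score"], reverse=True)
    return findings


# --- constructed sample data (not captured traffic) ------------------------
_BASE = datetime(2026, 4, 1, 14, 0, 0, tzinfo=timezone.utc)


def _flow(offset_s, src, dst, port, event_type="flow"):
    """Build a constructed EVE record offset_s seconds after _BASE."""
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%f%z")
    return {"timestamp": ts, "event_type": event_type, "proto": "TCP",
            "src_ip": src, "dest_ip": dst, "dest_port": port}


SAMPLE_FLOWS = (
    # timer-driven: 60 s callback with +/-2 s jitter, listed newest first
    [_flow(t, "10.0.1.42", "198.51.100.7", 443)
     for t in reversed([0, 60, 121, 180, 240, 302, 360, 420])]
    # interactive: irregular gaps to the same kind of port
    + [_flow(t, "10.0.1.10", "192.0.2.25", 443)
       for t in [0, 7, 95, 100, 400, 410, 900, 905]]
    # too few connections to judge (one interval, so jitter is trivially 0)
    + [_flow(t, "10.0.1.10", "198.51.100.7", 443) for t in [0, 60]]
    # an alert record in the same stream; skipped by event_type
    + [_flow(30, "10.0.1.42", "198.51.100.7", 443, event_type="alert")]
)


if __name__ == "__main__":
    for finding in detect_beaconing(SAMPLE_FLOWS):
        print(json.dumps(finding))  # one JSON line per finding, as an alert consumer would see it
```

Two details matter when tuning something like this on real flow data. The minimum-connection floor is what keeps a single HTTP keep-alive retry from scoring a perfect 1.0, and the jitter threshold trades recall for noise: legitimate software updaters and monitoring agents are also timer-driven, so findings are best joined against the inventory and TLS SNI before they are forwarded as alerts.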
Respond

Alert & Automate

Detection findings and enriched alerts are published to MQTT and Kafka for downstream automation. Integrate with Fluent Bit, Vector, n8n, Node-RED, or any consumer for SIEM forwarding and SOAR workflows.

  • MQTT publish for IoT and OT environments
  • Kafka produce for enterprise event pipelines
  • Fluent Bit and Vector integration for SIEM forwarding
  • n8n and Node-RED workflow triggers
  • Normalized JSON alert payload with severity and confidence
rockfish alert
$ rockfish alert \
    --mqtt-broker mqtt://localhost:1883 \
    --kafka-broker localhost:9092 \
    --topic rockfish/alerts

# Example alert payload
{
  "timestamp": "2026-04-01T14:32:01Z",
  "src_ip": "10.0.1.42",
  "dest_ip": "198.51.100.7",
  "alert": "ET MALWARE C2 Beacon",
  "severity": 1,
  "hunt_type": "beaconing",
  "score": 0.94
}

Ready for CMMC compliance?

Deploy Rockfish NDR in minutes. Single binary. No dependencies. Full pipeline.

We built this for Defense Industrial Base contractors.

Now we want to prove it.

We are looking for defense contractors and C3PAOs to deploy Rockfish NDR in a production environment at no cost. Slots are limited.

Requirements are simple: you run it, we support it, you tell us what you think. If that sounds like a fair trade, let's talk.