TECHNOLOGY

Technology and architecture

How AEGYS Monitor works technically — from passive network capture to analysis in the location you choose. Architecture and methodology in detail.

This page describes the architecture of AEGYS Monitor. The autonomous pentest is covered on its own page AEGYS Pentest.

AEGYS MONITOR ARCHITECTURE PRINCIPLES

Three design decisions for AEGYS Monitor

AEGYS Monitor differs technically through three deliberate design decisions. These aren't the result of a roadmap — they're the foundation of the product promise.

Principle 01

Passive, not active

The Monitor works exclusively passively. It blocks nothing, reroutes nothing, changes no configuration on your network. This constraint is intentional: it makes deployment risk-free and enables operation even in production-critical or OT environments where no other security tool is granted intervention rights.

Principle 02

Direct, not via logs

Analysis is based on actual network communication, not on logs from connected systems. This removes the dependency on the configuration and availability of other data sources. What happens on the network becomes visible regardless of whether it was logged elsewhere.

Principle 03

Processed where you choose

Captured network activity is transmitted encrypted to the AEGYS analysis environment — on US infrastructure or in Germany, your choice. No hyperscaler cloud — AWS, Azure, and Google Cloud are not involved. No transfer to jurisdictions you didn't pick. A sovereign IT architecture, compatible with GDPR-grade privacy and regulated/critical-infrastructure requirements.

These three principles together produce a system that's productive within hours and requires no pre-configuration in your environment. The architecture is the explanation, not the marketing.

AEGYS Pentest follows a different architectural logic: active instead of passive, autonomous instead of rule-based, with proven attack paths instead of connection observations.

AEGYS MONITOR COMPONENTS

The Monitor's components at a glance

AEGYS Monitor consists of several components that work together depending on the situation. Which come into play depends on the use case — point-in-time reality check or continuous operation.

AEGYS Monitor (capture)

Hardware or software sensor, connected passively to the network.

Connected via SPAN/mirror port or network TAP. Hardware configuration depends on deployment size: industrial-PC or server hardware for typical enterprise networks, scalable platforms for higher bandwidths.

In certain scenarios — software-only tests or VM-based environments — operation on customer-provided hardware is also possible. Configuration is set in the intro call: bandwidth, number of connection points, capture depth.

Capture engine

On the AEGYS Monitor appliance, with encrypted transmission to the AEGYS platform.

The Monitor captures network traffic in real time. Standard operation works with connection metadata: source, destination, volume, protocol, port, timestamp. Optionally, deeper capture modes are configurable — from supplementary Deep Packet Inspection to full PCAP.

Captured metadata is transmitted TLS-encrypted to your chosen AEGYS analysis environment. On connection loss, the Monitor buffers locally and transmits after recovery — no data loss.

Detection logic

Hybrid methodology from three complementary methods.

The detection logic combines signature detection for known attacks, behavioral analytics for deviations from the operating picture, and threat intelligence for known-malicious destinations. What each method's strengths are — and why none suffices alone — is described in the detection-methodology section.

Analysis layer

Structured presentation in the AEGYS platform — for joint analysis.

Findings aren't output as an alert stream, but as a structured analysis of relevant connections and anomalies. On request, we review the analysis together with your team — structured, clear, no room for interpretation.

The analysis platform runs in the location you've chosen.

AEGYS Pentest consists of its own components — pentest engine, attack models, path analysis. Different architecture, different logic.

EXAMPLE CASE

What you actually get

An anonymized example — this is what the analysis of a case looks like.

AEGYS DATALYTICS EXAMPLE — ANONYMIZED

Case 2098 · Suspicious process chain

Score: 96
Verdict: True Positive
What: Credential dumping
Who: Host-A · user adm-svc
Severity: Critical
Status: New

18 ALERTS · BY TIME

  1. Score 88 · Abnormal parent/child process chain · 11:32 · a minute
  2. Score 67 · Unusual outbound data flow · 11:33 · a few seconds
  3. Score 29 · Internal SYN flood pattern · 11:35 · a few seconds
  4. Score 12 · Failed internal connection attempt · 11:34

WALKTHROUGH IN THE REVIEW SESSION

Correlated alerts on a single host, grouped into one case. AEGYS makes the connections visible — interpreting them and deciding next steps happens together with you and stays with your IT team or provider.

AEGYS MONITOR DATA FLOW

How data moves through the system

From network tap to assessment — the data flow in four steps.

  1. Capture

    SPAN port or TAP delivers network traffic to the Monitor. Passive read-only connection, no active participation in the data flow.

  2. Normalization

    Incoming packets are converted into connection metadata on the Monitor: flow records, optionally supplemented with Deep Packet Inspection. Structured per the configured capture schema.

  3. Encrypted transmission

    The normalized data is transmitted TLS-encrypted to your chosen AEGYS analysis environment. One outbound connection from the Monitor to the platform — nothing more.

  4. Analysis

    In the analysis environment, the detection logic combines the three methods into a structured assessment of the relevant findings. The analysis is available to you and your team in structured form.

No step requires configuration in your infrastructure. No step changes your network topology. One outbound firewall allowance from the Monitor to the platform is enough.

AEGYS MONITOR DETECTION METHODOLOGY

Three methods that reinforce each other

This hybrid methodology of signature detection, behavioral analytics, and threat intelligence is the core of Network Detection and Response (NDR) — continuous detection of suspicious activity at the network level.

01 Signature detection

What's known to be an attack

Known attack patterns are caught directly: exploits, malicious protocol anomalies, documented malware indicators, IDS signatures for protocol exploits. The fastest answer to threats whose patterns are already described — and the foundation other detection methods build on.

02 Behavioral analytics

What doesn't fit the operating picture

In the first hours of an engagement, AEGYS Monitor learns your network's normal communication behavior: which systems talk to each other, which external destinations are typical, which volumes look normal. From that, deviations are identified — new external destinations, unusual lateral connections, atypical data flows.

03 Threat intelligence

What's known to be a problem

In parallel, a comparison runs against curated threat-intelligence sources: known-malicious hosts, command-and-control servers, compromised endpoints, suspicious domains. Connections to such targets are flagged — even when they look unremarkable within the network's normal operating picture.

Signature detection without behavioral analytics misses new attacks. Behavioral analytics without signatures creates too much noise. Threat intelligence without both stays theoretical. Only the combination delivers a reliable read.
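As an added illustration (not AEGYS code; the field names, scores, signature, sample addresses and internal range are all constructed), the following Python sketch shows how the three methods can operate on the connection metadata described in the data-model section, and how findings for one host are correlated into a scored case like the one in the example above.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """Connection metadata as the page lists it: source, destination, volume, protocol, port, timestamp."""
    src: str
    dst: str
    volume: int   # bytes sent by src
    proto: str
    port: int     # destination port
    ts: str

# Constructed, hypothetical configuration for this example (RFC 1918 / RFC 5737 addresses).
INTERNAL = ip_network("10.0.0.0/8")                  # agreed per engagement
THREAT_INTEL = {"203.0.113.77"}                      # curated known-malicious destinations
SIGNATURES = {("tcp", 445): "SMB to external host"}  # metadata-level pattern for a known-bad flow
SCORES = {"signature": 70, "threat_intel": 80, "behavioral": 40}

def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL

def learn_baseline(flows):
    """Behavioral baseline from the learning window: who talks to whom, and peak volume per source."""
    pairs, peak = set(), defaultdict(int)
    for f in flows:
        pairs.add((f.src, f.dst))
        peak[f.src] = max(peak[f.src], f.volume)
    return pairs, peak

def analyze(flow, baseline):
    """Run all three methods over one flow; returns a list of (method, detail) findings."""
    pairs, peak = baseline
    findings = []
    if flow.dst in THREAT_INTEL:                                   # threat intelligence
        findings.append(("threat_intel", f"connection to known-malicious host {flow.dst}"))
    sig = SIGNATURES.get((flow.proto, flow.port))                 # signature detection
    if sig and not is_internal(flow.dst):
        findings.append(("signature", sig))
    if (flow.src, flow.dst) not in pairs:                         # behavioral: new peer
        kind = "lateral connection" if is_internal(flow.dst) else "external destination"
        findings.append(("behavioral", f"new {kind} {flow.dst}"))
    if flow.volume > 3 * peak.get(flow.src, flow.volume):         # behavioral: volume spike
        findings.append(("behavioral", f"outbound volume {flow.volume} exceeds baseline"))
    return findings

def build_cases(flows, baseline):
    """Group findings per host; case score = strongest finding plus 10 per additional method, capped at 100."""
    alerts = defaultdict(list)
    for f in flows:
        for method, detail in analyze(f, baseline):
            alerts[f.src].append((f.ts, method, SCORES[method], detail))
    cases = {}
    for host, items in alerts.items():
        methods = {m for _, m, _, _ in items}
        score = min(100, max(s for _, _, s, _ in items) + 10 * (len(methods) - 1))
        cases[host] = {"score": score, "methods": sorted(methods), "alerts": items}
    return cases

# Constructed sample traffic: a learning window followed by live flows.
BASELINE = [Flow("10.0.0.5", "10.0.0.20", 4_000, "tcp", 443, "08:00"),
            Flow("10.0.0.5", "198.51.100.10", 12_000, "tcp", 443, "08:05"),
            Flow("10.0.0.8", "10.0.0.20", 2_500, "tcp", 445, "08:07")]
LIVE = [Flow("10.0.0.5", "198.51.100.10", 9_000, "tcp", 443, "11:30"),   # fits the baseline
        Flow("10.0.0.5", "203.0.113.77", 80_000, "tcp", 443, "11:33"),   # TI hit, new peer, volume spike
        Flow("10.0.0.8", "192.0.2.9", 1_000, "tcp", 445, "11:34")]       # signature plus new external peer
```

Running `build_cases(LIVE, learn_baseline(BASELINE))` yields one case per host with the methods that fired, which is the raw material a review session then interprets.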

AEGYS Pentest follows a different methodology: autonomous attack paths instead of detection models, proven feasibility instead of connection observation.

AEGYS MONITOR DATA MODEL

Data model and data protection

AEGYS Monitor is built for data minimization. What data is captured is a deliberate decision per engagement, not a fixed scope.

  • Standard (metadata)

    What's captured: Connection metadata: source, destination, volume, protocol, port, timestamp
    When it makes sense: Continuous Monitor operation, reality check, privacy-sensitive environments

  • Extended (DPI)

    What's captured: Metadata plus Deep Packet Inspection: protocol details, selected header info
    When it makes sense: More detailed analysis on demand, by explicit agreement

  • Full capture (PCAP)

    What's captured: Complete packet captures for defined periods
    When it makes sense: Forensic analysis after an incident, only by explicit agreement

The capture mode is set and documented before deployment. By default we work with metadata — an extension happens only when the use case requires it and you explicitly approve it.

HARDENING

How AEGYS Monitor and platform are secured

A security platform that isn't itself secured creates more risk than it solves. Hardening both sides — AEGYS Monitor and the analysis environment — is part of the architecture.

  • Minimal attack surface

    The Monitor communicates exclusively outbound to your chosen analysis environment. No inbound connections, no extra services on the hardware.

  • Hardened to common standards

    Shipped with reduced attack surface: minimal services, restricted interfaces, dedicated management interface.

  • Encrypted connection

    Transmission between AEGYS Monitor and the analysis environment is exclusively TLS-encrypted. Mutual authentication via certificate-based methods.

  • Controlled updates

    Monitor updates happen in a controlled manner, after agreement with the customer. No automatic updates without approval.

  • CVE handling

    Known vulnerabilities are addressed promptly. Details on the update and vulnerability process are available on request.

  • Data integrity

    On request, documented deletion processes after an engagement, including proof.

Detailed technical information on hardening, the update process, and vulnerability handling is available on request as a security whitepaper.

COMPLIANCE

Compliance and legal classification

AEGYS DATALYTICS AG developed AEGYS Monitor and AEGYS Pentest with European and international compliance requirements in mind. Details are available in the intro call and contract.

Data protection

Data-processing agreement as standard. Data minimization through configurable capture depth. No transfer to jurisdictions you didn't choose. GDPR-grade protection.

Data location

Processing on US infrastructure or in Germany — your choice, for both Monitor analysis and Pentest engine. No hyperscaler cloud — AWS, Azure, and Google Cloud not involved.

Standards

Aligned with common security standards. Suitable for regulated environments — financial services, healthcare, critical infrastructure, OT.

INTEGRATION

Where AEGYS fits into existing stacks

AEGYS integrates with the security systems you already have and makes them more valuable, instead of replacing them. The Monitor is the entry point via network visibility; further sources can be integrated through defined connection points.

  • Existing SIEM systems

    Monitor findings and Pentest reports can be fed into an existing SIEM as an additional source, without changing the SIEM configuration.

  • Incident-response workflows

    Monitor analyses and Pentest reports are available in structured form for handover to IR teams or external forensics providers.

  • MSSP workflows

    For security partners deploying AEGYS for their own customers, a simplified handover of the analysis into their own reporting structures is provided.

  • OT and production environments

    The Monitor runs passively and creates no feedback on production systems. Pentest engagements in OT require a coordinated scope definition and are discussed separately as needed.

WHERE IT FITS — AND WHERE IT DOESN'T

What AEGYS Monitor doesn't do architecturally

The Monitor's design decisions rule out certain use cases. We name these limits openly, because they're decisive for choosing the right tool.

  • No active protection

    A passive architecture can't block or intervene. Protection requires firewall, IPS, or EDR.

  • No endpoint visibility

    The Monitor itself reads network traffic, not endpoint activity — that's what EDR is for. AEGYS doesn't build its own EDR, but can plug your existing endpoint solution in as an additional source and bring it together with the network view.

  • Not a SIEM implementation project

    Classic SIEM implementations are custom projects: use cases written for the specific environment, log sources configured individually, a dedicated SOC team built up. The Monitor delivers the same platform capabilities as a standard service: pre-configured detection logic, standard connection, joint analysis with the AEGYS team.

  • No content decryption

    Encrypted content stays encrypted. The Monitor works at the connection and behavioral level, not the content level. Suspicious behavior is flagged regardless of whether the traffic is encrypted.

  • No vulnerability assessment

    What an attacker could achieve in your environment is shown by AEGYS Pentest, not AEGYS Monitor.

These limits aren't weaknesses — they're consequences of the design decisions. If you need a solution that also handles one of these, you need an additional or different tool.

DEPLOYMENT OPTIONS

How AEGYS Monitor and AEGYS Pentest are deployed

Four typical deployment constellations follow from the technical components.

Constellation 01

Reality check

AEGYS Monitor is deployed for a defined period — typically days to weeks. Afterward it's removed or stays in continued operation. Data is deleted per instruction. You keep the analysis as a basis for decisions.

Constellation 02

Continuous operation

AEGYS Monitor stays on the network. Analyses run on an agreed cadence. Asset-based subscription model, cancelable anytime — no long-term contract lock-in.

Constellation 03

MSSP / partner deployment

AEGYS Monitor is deployed by a security partner for its customers. The Monitor can be used serially for multiple customers. Analysis and reporting can be embedded into partner workflows.

Constellation 04

One-time pentest

AEGYS Pentest is run once with a clear scope and fixed price. With re-test after remediation on request. No subscription, no contract lock-in.

FOR PARTNERS & INVESTORS

Technological classification

This section is for strategic partners, investors, and providers of complementary technologies.

Combinable with established Open-XDR frameworks.

Complements existing security stacks instead of replacing them.

The technical architecture is deliberately built for flexibility — from compact hardware for point-in-time reality checks to software-based configurations for VM environments. The hybrid detection methodology allows connecting further data sources or analysis modules without touching the core architecture.

Partnerships exist with established providers from the Open-XDR space. Strategic guidance comes from an advisory board spanning science, critical infrastructure, international threat research, and cyber crisis management.

For investors and strategic partners, we provide additional materials on request — from deep technical whitepapers to roadmap insights. Get in touch via the intro call or directly at hallo@aegysdata.com.

COMMON QUESTIONS

Common technical questions about the architecture

“We plugged it in, and a few hours later we could actually see what our systems talk to externally. No project, no specialists.”
Talk to a customer

If you'd like, we'll arrange a direct conversation with companies already using AEGYS.

No in-house security team, but you have an IT provider?

That's the norm. Often your existing provider can run the ongoing analysis through AEGYS themselves — and if not, a security partner takes it over. We'll clarify what fits in the intro call.

A deeper technical discussion?

If you want to go deeper as a technical lead or strategic partner — on architecture, detection methodology, compliance, or integration — we're glad to talk directly.

15 minutes. No sales call.