Self-hosted Network Detection & Response

See the conversations your network should not have.

obserae turns NetFlow and IPFIX into a practical NDR: named assets, intended connectivity, suspicious sessions, and searchable evidence. Start with the flow records your infrastructure already exports, then see what is normal, what changed, and what needs an investigation.

  • NetFlow/IPFIX in
  • Named assets and services
  • Policy drift detection
  • Local data, no telemetry
  • NIS2 / DORA / SOC 2 evidence

Free Community edition · Local install · No telemetry

What obserae brings to an NDR trial

The first value is clarity. You do not need another wall of flow logs; you need to know which conversations exist, whether they are expected, and what to do with the ones that are not.

Visibility

Turn IP traffic into named relationships

Map hosts, networks, groups and services so an investigation starts with assets your team recognizes, not anonymous addresses.

Baseline

Make intended connectivity explicit

Describe what should be allowed in the Flow Matrix. Every session can then be matched against the architecture you meant to run.

Detection

Surface the drift that matters

Unexpected east-west traffic, known-bad destinations, cloud outliers, scans and volume spikes become leads you can review.

Control

Keep evidence inside your environment

Deploy on your own host, keep the data local, export configuration as YAML, and evaluate without a cloud dependency.

A raw flow becomes an investigation lead.

NetFlow tells you where packets went. obserae adds the context an operator needs to decide whether the session belongs in the environment.

Flow record: 10.10.42.18 → 10.20.4.11:5432 TCP
NDR context:
  • ci-runner-prod → finance-postgres
  • PostgreSQL / TCP 5432
  • No matching connectivity rule
  • First seen in the last 3 minutes
  • Open an investigation or alert on recurrence

How the NDR loop works

A useful evaluation should be simple: collect flows, name what matters, compare traffic to intent, then investigate the exceptions.

  1. Collect existing telemetry

    Receive NetFlow v5/v9 and IPFIX from routers, firewalls, virtual switches or host probes.

  2. Name the environment

    Describe networks, hosts, groups and services once, then search traffic using that vocabulary.

  3. Compare traffic to policy

    Use the Flow Matrix to mark intended communications and expose sessions outside the model.

  4. Investigate and alert

    Query sessions with NFQL, enrich public destinations, and route useful detections to webhooks or Gotify.
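As an added illustration of steps 2 to 4 above and of the flow-record example earlier on this page (example code written for this page, not obserae's own code and not NFQL), the following Python resolves flow endpoints to cartography names, matches each session against an allow-list connectivity model, and queues the sessions with no matching rule. All host, network and rule names, addresses and flow records are constructed.

```python
"""Added example, not obserae's own code: classify flow records against a named
asset map and an allow-list connectivity model, as in the NDR loop and the
flow-record example on this page. Every name, address and rule is constructed."""
import ipaddress

# Constructed cartography: host names, network names, service names.
HOSTS = {"10.10.42.18": "ci-runner-prod", "10.20.4.11": "finance-postgres",
         "10.20.4.12": "finance-app"}
NETWORKS = {"10.10.0.0/16": "ci", "10.20.4.0/24": "finance", "10.30.0.0/16": "work"}
SERVICES = {("tcp", 5432): "PostgreSQL", ("tcp", 443): "HTTPS", ("tcp", 22): "SSH"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed Flow Matrix: (source, destination, proto, dst_port). Endpoints are
# host or network names; "internet4" stands for any public IPv4 address.
RULES = [("finance-app", "finance-postgres", "tcp", 5432),
         ("work", "finance-app", "tcp", 443),
         ("ci", "internet4", "tcp", 443)]

def labels(ip):
    """Every cartography name an address carries, most specific first."""
    addr = ipaddress.ip_address(ip)
    names = [HOSTS[ip]] if ip in HOSTS else []
    nets = [(ipaddress.ip_network(c), n) for c, n in NETWORKS.items()]
    names += [n for net, n in sorted(nets, key=lambda t: -t[0].prefixlen) if addr in net]
    if not any(addr in p for p in RFC1918):
        names.append("internet4")
    return names or ["undocumented"]   # a lead for Discovery, not for the Flow Matrix

def triage(flow):
    """NDR context for one flow: names, service and the matching rule (None = drift)."""
    src, dst, proto, port = flow
    s_names, d_names = labels(src), labels(dst)
    rule = next((r for r in RULES if r[0] in s_names and r[1] in d_names
                 and r[2] == proto and r[3] == port), None)
    return {"src": s_names[0], "dst": d_names[0],
            "service": SERVICES.get((proto, port), f"{proto}/{port}"), "rule": rule}

# Constructed flow records (src, dst, proto, dst_port); the first is the page's example.
FLOWS = [("10.10.42.18", "10.20.4.11", "tcp", 5432),
         ("10.20.4.12", "10.20.4.11", "tcp", 5432),
         ("10.30.5.7", "10.20.4.12", "tcp", 443),
         ("10.10.42.18", "203.0.113.10", "tcp", 443),
         ("10.99.1.5", "10.20.4.11", "tcp", 22)]

def leads(flows):
    """Sessions with no matching connectivity rule: the investigation queue."""
    return [t for t in map(triage, flows) if t["rule"] is None]

if __name__ == "__main__":
    for lead in leads(FLOWS):
        print(f"{lead['src']} -> {lead['dst']} {lead['service']}: no matching connectivity rule")
```

The two queued sessions are the page's ci-runner-prod → finance-postgres PostgreSQL session and an SSH session from an address no named network covers, which is exactly the kind of source the Discovery view proposes adding to the cartography.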

Questions you can answer on day one

The goal of the landing page is the goal of the product: help a security or network team see concrete value before a long deployment project starts.

Threat intel

Which internal host reached Tor or a known-bad IP?

Sessions are checked against Tor and FireHOL sources so suspicious destinations are visible with source, time and context.

Segmentation

Which workstation talked directly to a server?

Unexpected east-west sessions stand out when they do not match the connectivity model you defined.

Cloud

Which cloud provider, region or ASN is this traffic using?

Public destinations are enriched with cloud, country and autonomous-system context so outliers are easier to explain.

Discovery

What devices or subnets are alive but undocumented?

Observed traffic proposes networks and hosts that can be added to the cartography instead of staying as shadow infrastructure.

Operations

What changed since the last clean baseline?

Query recent sessions, compare them to rules, and keep the useful checks as alerts for the next occurrence.

Behavior

Are scans, brute-force attempts or large transfers appearing?

Threshold and volume rules turn recurring patterns into alerts that can be sent to your existing notification path.

Product capabilities

The product surface is built around the daily NDR workflow: understand the network, define what is expected, and investigate what falls outside it.

obserae Cartography — a live network graph of named networks (dmz, work, home), a firewall, DHCP nodes and hosts, with an external-dns group.
Cartography

Your network, explained by name.

Explore hosts, groups, networks and services as a live graph. See traffic crossing every connection and discover devices that are not yet documented.

obserae Flow Matrix — a table of connectivity rules with named source and destination, protocol and ports, each marked active.
Flow Matrix

Turn architecture into detection.

Define the communications your environment is expected to allow. obserae reveals sessions that fall outside that model.

obserae Detection — an alerts table showing high-severity postgres-present alerts with fired time, matched count, status and triage actions.
Detection

Triage alerts as soon as rules fire.

See raised alerts in one queue with severity, status, matching rule and sample rows. Acknowledge what is being handled and close what is resolved.

obserae Investigation — an NFQL query filtering sessions by cartography names (network:work to internet4) on HTTPS/TCP, with the results table below.
Investigation

Ask better questions than "what is this IP?"

Investigate sessions and flows using names, groups, services, ports, protocols and available enrichment data. Save useful investigations as alerts.


Try it on your own traffic without a platform project

A useful NDR trial should not require forwarding packet captures to someone else's cloud. Start small, point one exporter at obserae, and look for the first unexplained conversations.

Self-hosted, offline-capable, signed releases, SBOM and provenance — traceable evidence to support NIS2, DORA and SOC 2 audits. The Community edition is free under the licence; larger deployments and future Enterprise features use commercial licences.

  1. Run a local instance

    Start the Docker image or download a Linux release on amd64 or arm64.

    docker run -p 2055:2055/udp -p 4739:4739/udp -p 127.0.0.1:8080:8080/tcp ghcr.io/spartan-conseil/obserae:latest

  2. Send a copy of flow telemetry

    Point one router, firewall, virtual switch or host probe at UDP 2055/4739.

  3. Describe a small part of the network

    Name a few networks, key hosts and expected communications, then let discovery fill the gaps.

  4. Review what does not fit

    Use Cartography, Flow Matrix and Investigation to decide whether the signal is normal, misconfigured or suspicious.

Give obserae 10 minutes of your own network traffic.

Run it locally, follow the quickstart, and see whether the conversations match the network you think you operate.