Network Defense System

Monitoring network data used to be too expensive or too complex for many. We are changing that.

With nzyme, you can monitor all Ethernet and WiFi network traffic for threats, confirm expected behavior and selectively forward data to your SIEM or log management system—With minimal configuration and a small hardware footprint.

nzyme logo

Nzyme v2.0.0 is under development.

Nzyme is in alpha, with the WiFi functionality in a very advanced state. The previous releases of nzyme are no longer supported while this re-write is in progress.

nzyme Screenshot

Web Interface Built-In

  • True multi-tenancy
  • HTTPs/TLS out of the box
  • Certificate upload and management
  • Really, really fast and responsive

Favorite Use-Cases

Ethernet Security

The nzyme tap runs on any hardware and needs nothing but a network cable connected to a mirror port on your switch.

Once connected, the tap reports metadata about recorded traffic to your nzyme cluster via HTTPs.

The nzyme cluster makes all that data available for analysis and reporting. Protocols like IP, ARP, TCP, UDP, DNS, TLS and others are automatically parsed and analyzed.

Ethernet Security

WiFi Security

Your nzyme taps can record WiFi (802.11) data directly off the air to help you detect wireless threats like rogue access points (for example evil twin or KARMA attacks) or unauthorized networks.

All data is automatically parsed and presented in an easy to comprehend way. The Network Monitoring functionality provides all detection capabilities mostly out of the box.

WiFi Security

Threat Hunting

Recorded data is aggregated, stored and presented for easy and efficient threat hunting without complex visualization builders or query languages.

The database model and visualization layer make opinionated choices based on popular threat hunting techniques and reduce required configuration to near zero that way.

You can forward the automatically parsed data to your SIEM or log management system if you want the full flexibility and long-term archival offered by such a system.

Threat Hunting


Your nzyme taps can alert on highly granular data, in near-realtime, while the nzyme cluster can alert on aggregated data from all taps.

Similarly to how threat hunting is made easy by taking an opinionated approach, a lot of alerts are pre-configured and simply have to be enabled by the user.

Alerts and events can trigger actions like, for example, sending an email.

Alerting Screenshot

Frequently Asked Questions

Have unanswered questions and want to get in touch?

Still have questions?

Contact Us

We believe there are a few things that make nzyme fundamentally different from other intrusion detection systems. Take this as our view and confirm it yourself as you see need:

  • It is designed to be very easy to use and require near-zero configuration for many use-cases, while allowing configuration-heavy flexibility where desired. We want organizations of all maturity levels to be successful with nzyme.
  • Architectural dependencies are kept to an absolute minimum. All you need is a PostgreSQL database.
  • A lot of alerting and analysis has been pre-built, following proven methodologies, to avoid learning another query language or aggregation builder UI. We are proud to put some of our opinions to work instead of giving you another empty whiteboard in your toolbox.
  • The built-in web interface is at the core of the day-to-day use and allows to perform all configuration without editing files or restarting services if the user has the necessary permissions.
  • Historically hard or annoying things in this industry have received a lot of attention. For example, you will find a TLS certificate manager, a cluster health monitoring system and even PGP key synchronization for database encryption built-in and ready to go.
  • True multi-tenancy allows you to share nzyme clusters with multiple internal and external teams or customers.

You will notice that some of these decisions will come at the cost of ultra-flexibility. If you are looking for such a system, you may be better served by ingesting network data directly into a SIEM. (Note that nzyme can forward the automatically parsed data to popular SIEMs.)

It may be! We are writing nzyme to allow organizations who do not have the resources to analyze all network data in a SIEM to still monitor their networks.

  • Parsing all relevant network protocols, blending them into a SIEM schema and maintain such a system can be very expensive.
  • Keeping network data in high granularity/cardinality, without automated aggregation, can be extremely expensive and slow to analyze.

You likely do not need nzyme if you are successfully using your SIEM to analyze your network data at an acceptable cost. (Note that nzyme can forward the automatically parsed data to popular SIEMs.)

It may, but there are usually many devices in a network that do not have EDR agents running: Developer containers, temporary virtual machines, embedded systems, etc.

We believe that the high cost and effort required to run good network monitoring has often been seen as unjustified. This is what nzyme aims to change. We think you should be able to run both EDR and good network monitoring to have as much visibility as possible.

It depends! Do you believe that there is a risk that bad actors may resort to physically appear on-site to attack your network? If so, you should consider advanced measures like the nzyme WiFi protection subsystem and go beyond only following safe configuration best-practices.

Our founder Lennart wrote about this topic in more detail if you are interested.

There is no silver bullet in software engineering. Running nzyme is cheaper compared to some other alternatives because it does less. For example, to allow you to collect and search over long periods of data, we only store aggregated data. This uses much less space and computing resources than keeping every single data point, but comes at the cost of losing some level of granularity.

Cost is almost always the result of which tradeoffs were accepted during design of the software. We usually opt for the less compute-intensive option because we want more organizations to be able to truly monitor their network traffic and this can come at the cost of extreme flexibility.

We encourage you to try our software and to consider forwarding automatically parsed network data from nzyme to a SIEM. Reach out, and we will be happy to assist you with evaluating requirements.

We are not funded with any outside investment and can focus on building real, sustainable value for our users. No half-baked features, pushy sales or similar results of chasing yet another unrealistic quarterly growth at the expense of doing the right thing.

This is a lot more fun for everyone involved.

Want to receive one email?

We'll send you exactly one email when nzyme v2.0
is released and delete your address right after.