Frequently Asked Questions

1. I am concerned about the data in the files I'm uploading. What happens to any files I upload?

Any files you upload that are not already in NetworkSage's Secflow format will be processed to capture the Secflows. All other formats will be scheduled for deletion, as they are not part of our analysis.

Additionally, we do not process any internal-to-internal (commonly referred to as East-West) traffic from your uploads (with the exception of DNS for naming).

2. Will my samples be private?

All samples are private by default but can be shared by providing the public link to another person. This means that no other user can view any sample created by you unless you explicitly share it. However, all samples uploaded by customers of the Free tier may be searchable in future versions of the product. This is similar to how other leading analysis platforms store and share data.

3. Which file formats are supported as uploads?

Currently, we support processing PCAP, PCAPNG, and Zeek (conn.log and dns.log in JSON and TSV formats) files, in addition to our own Secflow format. However, we can support any file formats that contain the following information:

  • Source and destination IP addresses
  • Destination port
  • Number of source and destination packets
  • Number of source and destination bytes
  • Session start and end time/duration
If you have a format that meets the above criteria (or if you are unsure), please contact us at!

4. What if I can't/don't want to share PCAP files?

The privacy and security of your data is of utmost importance, and we acknowledge that many types of organizations cannot share full packet capture data. Because of this, we have created an open-source converter that allows customers to turn their network data into our Secflow format locally. You can access this Python functionality via pip here.

It is also possible to install Zeek on your local system, process your PCAP (via zeek -C -r), and upload the conn.log and dns.log. This will enable you to avoid sharing any payload information.

5. I would like to use NetworkSage to create content for my environment without sharing that information publicly. Is this possible?

While currently not possible, this is a use case that we are interested in supporting. If this is absolutely critical to your use, please contact us at!

6. How does NetworkSage differ from other security platforms (sandboxes, SEGs, etc...)?

NetworkSage was built to fill a critical gap that has existed in the security industry for many years. To learn more about this gap and why it existed (until now!), read our blog post. We also have blog posts describing how NetworkSage compares to Sandbox and SEG technologies.

7. Is NetworkSage a detection platform?

NetworkSage is not a detection platform. Instead, we are focused on:

  • understanding network traffic
  • identifying the places where we believe security analysts should be focused (for example, after some detection has occurred)
  • making this underlying information available to every analyst, whether they have a SOC of 1 or 100

One important point is that you are welcome to use data from the platform to build your own detections, but our focus will not be on creating more alerts for specific attacks. For more information on how to leverage NetworkSage, please check out our Use Cases document.

8. Can I interact with NetworkSage via API?

Yes! We have rich, well-documented functionality that is available predominantly through our APIs. Our docs can be found here.

9. I uploaded a sample to NetworkSage but didn't get any results. What gives?

In order to help everybody be successful as quickly as possible, following are some common issues. If none of these seem to describe your problem, please email us at and/or join our Slack community.

  • Does your sample contain activity from an internal IPv4 address to the Internet? If not, we won't process it.
  • If you are uploading PCAP(NG), does your file say that it was cut short in the middle of a packet? If so, please remove the last packet and try again.
  • If you are uploading Zeek TSV, does your sample contain the expected fields in the proper order?

10. I would like to get more involved. How can I do that?

We have a growing Slack community that allows members of the security community to openly share and discover with others. To access our group, please click here.

11. I think I found a bug. Whom should I contact?

Thank you in advance for helping us to keep our platform as sane and secure as possible! Please contact us at with any information you have.