Frequently Asked Questions

1. I am concerned about the data in the files I'm uploading. What happens to any files I upload?

Any files you upload that are not already in NetworkSage's Secflow format will be processed to capture the Secflows and immediately deleted from our infrastructure. This means that your upload will only exist on our infrastructure for (on average) less than a minute. We do this because we recognize that uploaded files (such as PCAPs) can contain sensitive data that should not be retained or shared.

Additionally, we do not process any internal-to-internal (commonly referred to as East-West) traffic from your uploads (with the exception of DNS for naming), as this traffic does not provide us with any value.

2. Will my samples be private?

If you are a paying customer, you have the choice to keep your samples private. This means that no user other than you can view any sample created by you.

3. Which file formats are supported as uploads?

Currently, we support processing PCAP, PCAPNG, and Zeek (conn.log and dns.log) files. However, we can support any file formats that contain the following information:

  • Source and destination IP addresses
  • Destination port
  • Number of source and destination packets
  • Number of source and destination bytes
  • Session start and end time/duration
If you have a format that meets the above criteria (or if you are unsure), please contact us at!

4. What if I can't/don't want to share PCAP files?

The privacy and security of your data is of utmost importance, and we acknowledge that many types of organizations cannot share full packet capture data. If this is prohibiting your using NetworkSage, please contact us at We can build open-source tools that will enable you to keep your full packet capture data local to your environment.

An alternative (and already-supported option) is to install Zeek on your local system, process your PCAP, and share the conn.log and dns.log. This will enable you to avoid sharing any payload information. In the coming days we will share a how-to video that demonstrates this process.

5. I would like to use NetworkSage to create content for my environment without sharing that information publicly. Is this possible?

While currently not possible, this is a use case that we are interested in supporting. If this is absolutely critical to your use, please contact us at!

6. How does NetworkSage differ from other security platforms (sandboxes, SEGs, etc...)?

NetworkSage was built to fill a critical gap that has existed in the security industry for many years. To learn more about this gap and why it existed (until now!), read our blog post. We also have blog posts describing how NetworkSage compares to Sandbox and SEG technologies.

7. Is NetworkSage a detection platform?

NetworkSage is not a detection platform. Instead, we are focused on:

  • understanding network traffic
  • identifying the places where we believe security analysts should be focused (for example, after some detection has occurred)
  • making this underlying information available to every analyst, whether they have a SOC of 1 or 100

One important point is that you are welcome to use data from the platform to build your own detections, but our focus will not be on creating more alerts for specific attacks.

8. Can I interact with NetworkSage via API?

The team is making excellent progress on creating user-friendly APIs to access everything that can be accessed in the UI. Look for an announcement from us in the near future.

9. I think I found a bug. Whom should I contact?

Thank you in advance for helping us to keep our platform as sane and secure as possible! Please contact us at with any information you have.