Netapprove is one binary box (or VM) that ingests off a SPAN port, lands telemetry in an open columnar lake, runs a fleet of ML detectors against it, asks an LLM to triage what survives, and ships actions to your existing infrastructure when the AI is confident.
Netapprove is not an inline appliance. No cables to cut, no routing to change. The sensor receives traffic over a SPAN port or a Network TAP, which copy every packet crossing the core switch and hand it to Netapprove read-only.
The result is a deployment that has no impact on production: if the sensor dies, real traffic keeps flowing, no packet drops, no added latency, no chance the AI will accidentally block legitimate traffic. Every response action goes out through external SOAR adapters (firewall API, switch ACL, RADIUS CoA), never through the sensor itself.
The market splits into rule engines, log warehouses, and a few AI-first tools. Here’s how Netapprove compares on the dimensions that move the needle.
| Capability | Signature IDS / Legacy NDR | SIEM-only | SRAN Netapprove |
|---|---|---|---|
| Detects unknown / zero-day | No, needs a rule | Only if you wrote the query | Yes, AI baseline |
| False positive rate | High (rule pollution) | Whatever your queries return | LLM-triaged, auto-closed |
| Time to first value | Weeks of tuning | Months of onboarding | Hours after SPAN cable |
| Active response built in | No | No (needs SOAR add-on) | 5 adapters, RBAC, audit |
| Explainable per-incident | A rule ID | Whatever you logged | LLM narrative + MITRE tag |
| Storage cost at scale | Vendor-locked | $$$ per GB/day | Open Parquet, your disk |
| Air-gap / on-prem deploy | Usually | Cloud-tilted | First-class |
Bare-metal, VM, or appliance. Debian 13 base. 4 cores / 8 GB RAM is enough for a small site.
SPAN or TAP into one of the monitor NICs. Netapprove never injects packets; it is 100% passive.
The ensemble warm-starts from sensible priors and re-baselines on your traffic over the first day.
Wire in your firewall, switch, RADIUS, and DNS resolver. Keep adapters in dry-run while you watch.
Per-adapter, per-severity. Roll back any time. Audit log captures every decision.
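The dry-run rollout in the two steps above (adapters wired in but not yet acting, thresholds set per adapter and per severity, every decision audited) is easy to model. The following is an added illustration, not Netapprove's code: the adapter names, severity scale and the backend callables are assumed, and the backends are stand-ins for the real firewall, switch and RADIUS API calls.

```python
"""Added example: per-adapter, per-severity dry-run policy with an audit trail.
Hypothetical code, not Netapprove's; adapter names and backend callables are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}   # assumed severity scale


@dataclass
class Adapter:
    name: str                         # e.g. "firewall", "switch_acl", "radius_coa" (assumed names)
    min_severity: str                 # lowest incident severity this adapter may act on
    dry_run: bool                     # True: record the would-be action, never touch the backend
    backend: Callable[[dict], None]   # stands in for the real firewall/switch/RADIUS API call


@dataclass
class Dispatcher:
    adapters: List[Adapter]
    audit: List[dict] = field(default_factory=list)   # every decision, taken or not, lands here

    def set_dry_run(self, name: str, dry_run: bool) -> None:
        """Flip one adapter between dry-run and live; rolling back is the same call."""
        for a in self.adapters:
            if a.name == name:
                a.dry_run = dry_run
        self.audit.append({"event": "mode_change", "adapter": name, "dry_run": dry_run})

    def dispatch(self, incident: dict) -> Dict[str, str]:
        """Offer one incident to every adapter; return what each one decided."""
        decisions: Dict[str, str] = {}
        for a in self.adapters:
            if SEVERITY[incident["severity"]] < SEVERITY[a.min_severity]:
                decision = "skipped:below_min_severity"
            elif a.dry_run:
                decision = "dry_run:would_execute"
            else:
                a.backend(incident)
                decision = "executed"
            self.audit.append({"event": "action", "incident": incident["id"],
                               "adapter": a.name, "severity": incident["severity"],
                               "decision": decision})
            decisions[a.name] = decision
        return decisions


def demo() -> tuple:
    """Constructed scenario: firewall in dry-run from 'medium', RADIUS CoA live only at 'critical'."""
    calls: List[str] = []                                   # records real backend invocations
    d = Dispatcher([
        Adapter("firewall", "medium", True, lambda i: calls.append(f"fw:{i['id']}")),
        Adapter("radius_coa", "critical", False, lambda i: calls.append(f"coa:{i['id']}")),
    ])
    first = d.dispatch({"id": "inc-1", "severity": "high", "host": "10.0.0.5"})
    d.set_dry_run("firewall", False)                        # promote after watching the dry-runs
    second = d.dispatch({"id": "inc-2", "severity": "critical", "host": "10.0.0.9"})
    return first, second, calls, d.audit
```

In the constructed run, the first incident produces an audit entry for the firewall without any backend call, the mode change itself is audited, and only after promotion does the second incident reach the live adapters.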
You don’t train it yourself. Analyst feedback flows back into the meta-scorer, and the model gets smarter with use.
No. The detection layer is exclusively ML and statistical baselines; nothing is triggered by a signature. We optionally enrich with threat intel feeds (KEV, NVD, IP reputation) at scoring time, but those are evidence, not triggers.
Three layers: (1) the ensemble’s meta-scorer suppresses single-signal noise, (2) the LLM reasoner re-reads each surviving alert against the host’s history and auto-closes confirmed-benign ones with a written justification, (3) analyst feedback re-weights the meta-scorer over time.
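The three layers above, and the feedback loop mentioned under training, can be sketched in a few dozen lines. This is an added illustration, not Netapprove's code: the detector names, weights and thresholds are assumed, and the second layer is a deterministic history check standing in for the LLM reasoner, which a runnable example cannot include.

```python
"""Added example: a minimal three-layer triage pipeline in the shape described above.
Not Netapprove's code; detector names, weights and thresholds are assumed, and the
'reasoner' is a deterministic history check standing in for the LLM, not an LLM."""
from typing import Dict, Tuple


class MetaScorer:
    def __init__(self, weights: Dict[str, float], escalate_at: float = 1.0,
                 lone_signal_at: float = 1.5):
        self.weights = dict(weights)
        self.escalate_at = escalate_at        # combined score needed to escalate
        self.lone_signal_at = lone_signal_at  # a single detector must be this strong to pass alone

    def score(self, signals: Dict[str, float]) -> Tuple[float, str]:
        """signals: detector -> confidence in [0, 1]; returns (combined, 'escalate'|'suppressed')."""
        firing = {d: s for d, s in signals.items() if s > 0}
        combined = sum(self.weights.get(d, 0.0) * s for d, s in firing.items())
        if len(firing) < 2 and combined < self.lone_signal_at:
            return combined, "suppressed"     # layer 1: single-signal noise
        return combined, ("escalate" if combined >= self.escalate_at else "suppressed")

    def feedback(self, signals: Dict[str, float], verdict: str, lr: float = 0.2) -> None:
        """Layer 3: the analyst verdict re-weights the detectors that contributed to this alert."""
        sign = -1.0 if verdict == "benign" else 1.0
        for d, s in signals.items():
            if s > 0 and d in self.weights:
                self.weights[d] = max(0.0, self.weights[d] * (1.0 + sign * lr * s))


def history_check(alert: dict, host_history: Dict[str, Dict[str, int]]) -> Tuple[str, str]:
    """Layer 2 stand-in: auto-close when the peer is a long-standing contact of this host,
    and always return a written justification."""
    days = host_history.get(alert["host"], {}).get(alert["peer"], 0)
    if days >= 30:
        return ("auto-closed", f"{alert['host']} has contacted {alert['peer']} on {days} prior "
                               f"days; consistent with established traffic")
    return "open", f"{alert['peer']} has no prior history with {alert['host']} ({days} days seen)"


def demo() -> dict:
    """Constructed alerts walked through all three layers."""
    scorer = MetaScorer({"beacon": 0.9, "dns_entropy": 0.6, "ja4_rarity": 0.5, "volume": 0.4})
    history = {"10.0.0.5": {"203.0.113.7": 45}}          # constructed: 45 days of prior contact
    lone = scorer.score({"volume": 0.8})                  # one weak detector -> suppressed
    strong_signals = {"beacon": 0.9, "ja4_rarity": 0.7}
    before = scorer.score(strong_signals)                 # two detectors agree -> escalate
    triage = history_check({"host": "10.0.0.5", "peer": "203.0.113.7"}, history)
    scorer.feedback(strong_signals, "benign")             # analyst confirms the closure
    after = scorer.score(strong_signals)                  # same evidence now stays below the bar
    return {"lone": lone, "before": before, "triage": triage, "after": after,
            "beacon_weight": scorer.weights["beacon"]}
```

The point of the constructed run is the last step: one confirmed-benign verdict on a two-detector alert lowers those detectors' weights enough that identical evidence no longer escalates, which is how single-site tuning happens without anyone writing a rule.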
Netapprove does not break TLS. The 7-layer ensemble derives strong signal from JA4/JA4S fingerprints, certificate posture, beacon timing, packet-size sequences, peer history, and SNI, all of which remain visible regardless of payload encryption.
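Three of the payload-independent features named above (beacon timing, packet-size sequences, fingerprint rarity) are simple to compute from flow metadata alone. The block below is an added illustration, not Netapprove's code; the fingerprint strings are placeholders rather than real JA4 values, and every flow record is constructed sample data.

```python
"""Added example: payload-free features of the kind listed above, computed from flow metadata.
Not Netapprove's code; the JA4 strings and all flow records are constructed sample data."""
import math
import statistics
from typing import Dict, List


def beacon_score(timestamps: List[float]) -> float:
    """Regularity of inter-connection gaps: 1.0 = metronome-like, 0.0 = no periodicity.
    Uses the coefficient of variation of the gaps, so the absolute interval does not matter."""
    if len(timestamps) < 3:
        return 0.0
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return 0.0
    return max(0.0, 1.0 - statistics.pstdev(gaps) / mean)


def size_sequence_entropy(sizes: List[int]) -> float:
    """Shannon entropy (bits) of the packet-size sequence; low values mean the same
    fixed-size exchange repeats, high values look like varied interactive traffic."""
    n = len(sizes)
    counts: Dict[int, int] = {}
    for s in sizes:
        counts[s] = counts.get(s, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def ja4_rarity(ja4: str, hosts_per_ja4: Dict[str, int], fleet_size: int) -> float:
    """Fraction of the fleet that does NOT present this client fingerprint; 1.0 = unique."""
    return 1.0 - hosts_per_ja4.get(ja4, 0) / fleet_size


def score_peer(flows: List[dict], hosts_per_ja4: Dict[str, int], fleet_size: int) -> Dict[str, float]:
    """flows: records for one (host, peer) pair; each has 'ts', 'sizes' and 'ja4'."""
    ts = sorted(f["ts"] for f in flows)
    sizes = [s for f in flows for s in f["sizes"]]
    ja4s = {f["ja4"] for f in flows}
    return {
        "beacon": beacon_score(ts),
        "size_entropy": size_sequence_entropy(sizes),
        "ja4_rarity": max(ja4_rarity(j, hosts_per_ja4, fleet_size) for j in ja4s),
    }


# Constructed fleet view: how many hosts present each fingerprint (placeholder strings).
FLEET = {"ja4-browser-placeholder": 180, "ja4-rare-placeholder": 1}
FLEET_SIZE = 200

# Constructed flows: one host reaching a peer every ~60 s with the same 4-packet exchange.
PERIODIC = [{"ts": t, "sizes": [517, 1460, 1460, 80], "ja4": "ja4-rare-placeholder"}
            for t in (0, 60, 121, 179, 240, 301)]
# Constructed flows: the same host browsing, with irregular timing and varied sizes.
BROWSING = [{"ts": t, "sizes": s, "ja4": "ja4-browser-placeholder"}
            for t, s in zip((0, 3, 50, 52, 172, 187),
                            ([517, 1460, 300, 1200], [80, 1460, 900, 60], [1460],
                             [517, 300], [1200, 80], [900]))]
```

None of these functions look at a byte of payload; the beaconing flows score high on regularity and fingerprint rarity and low on size entropy, while the browsing flows score the opposite way, which is what the ensemble feeds forward regardless of encryption.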
Triage by default uses the Claude API. For air-gapped or sovereign deployments we support an on-prem reasoner endpoint; the rest of the stack runs entirely on your hardware.
Yes. Every incident, action, and audit record is available as JSON, syslog (CEF / LEEF), and as a Parquet file you can pull with any S3-compatible client.
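For the JSON and CEF exports, the part that trips people up is CEF escaping: pipes and backslashes in the header, equals signs and backslashes in the extension. The block below is an added illustration, not Netapprove's export code; the vendor and product strings and the incident record are constructed, and the Parquet output is left out because it needs a columnar library rather than the standard library.

```python
"""Added example: rendering one incident record as JSON and as a CEF syslog line.
Not Netapprove's code; the vendor/product strings and the incident itself are constructed."""
import json
from typing import Dict


def _esc_header(value) -> str:
    # CEF header fields: backslash and pipe are the reserved characters.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_extension(value) -> str:
    # CEF extension values: backslash and '=' are reserved; newlines are written as \n / \r.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(incident: Dict, vendor: str = "ExampleVendor", product: str = "ExampleNDR",
           version: str = "0.1") -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...
    Severity is the CEF 0-10 scale; 'fields' uses CEF dictionary keys (src, dst, dpt, msg)."""
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, incident["signature_id"],
                       incident["name"], incident["severity"]))
    extension = " ".join(f"{k}={_esc_extension(v)}" for k, v in incident["fields"].items())
    return f"CEF:0|{header}|{extension}"


def to_json(incident: Dict) -> str:
    """Compact, key-sorted JSON so repeated exports of the same record are byte-identical."""
    return json.dumps(incident, sort_keys=True, separators=(",", ":"))


# Constructed incident; note the '|' in the name and the '=' in msg, both of which need escaping.
SAMPLE = {
    "signature_id": "ndr-beacon",
    "name": "Periodic TLS beacon|rare peer",
    "severity": 8,
    "fields": {"src": "10.0.0.5", "dst": "203.0.113.7", "dpt": 443, "msg": "beacon_score=0.98"},
}
```

A receiving SIEM that parses CEF strictly will split on the first seven unescaped pipes and then on unescaped `=` signs, so an unescaped pipe in an incident name shifts every later field by one; the two helper functions exist for exactly that reason.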
Conceptually similar: AI-driven NDR plus autonomous response. In practice, Netapprove uses an open columnar lake (Parquet + DuckDB) instead of a black-box appliance store, an LLM reasoner that explains every alert, and ships with hardware adapters for the protocols Thai & ASEAN networks actually run (RADIUS CoA, common firewall families, local DNS resolvers). Plus, it’s built and supported in Thailand.
Built-in dashboards for NIST CSF, ISO 27001, and PCI-DSS, all driven by your live telemetry. Evidence packets exportable per control.