Features

Turn PCAPs into decisions

NDA reads packet captures and produces an interactive map of endpoints and communications so teams can investigate faster, explain risk clearly, and ship report-ready evidence.

Incident triage

Identify new external connections, scanning behavior, and unexpected lateral movement from a single capture.

OT safety review

Isolate OT protocols, spotlight insecure services, and build defensible diagrams for engineering stakeholders.

Change verification

Compare baselines and maintenance windows to prove what changed and produce clean before/after evidence.

See NDA in action (3 min)

A quick walkthrough of ingest, filtering, OT highlights, and exports.

Want hands-on? Launch the live NDA build. Prefer documentation? NDA User Guide.

Ingest captures. Reveal topology.

Drag and drop .pcap/.pcapng (or open an .ndap project). NDA builds a graph of endpoints and communications so you can understand the shape of a network quickly.

  • Load multiple captures and toggle dataset visibility (build dependent).
  • Choose layouts (force-directed, circular, ranked, grid) and preserve structure with pinning and Lock Positions.
  • Investigation-ready UI: top-bar stats, search, and Recent Projects so you can pick up where you left off.

[Image: NDA canvas visualizing endpoints and communications as an interactive graph]

Layered filtering that scales from quick to precise

Start with quick toggles, refine with protocol/port filters, then use the query language for repeatable investigations. Add time slicing and playback when you need to pinpoint when activity happened.

  • Quick filters to remove noise: Internet/Broadcast toggles, OT-only, insecure highlights, and more.
  • Query language with boolean logic, subnet/range matching, and numeric comparisons (bytes/packets/duration).
  • Time Window and Playback: narrow to an incident window, then animate activity to spot bursts and periodic polling.

[Image: NDA interface showing ingest controls, layout options, and filtering tools]

Purpose-built for OT visibility and risk

Industrial networks require context. NDA highlights OT protocols and insecure services so engineering and security teams can align quickly.

  • OT protocol focus (for example Modbus, DNP3, S7, CIP, OPC UA) with OT-only views.
  • Spot insecure or legacy traffic quickly and prioritize remediation.
  • Vendor and classification enrichment to speed up asset identification.

[Image: NDA OT filter view highlighting industrial protocol traffic]

Toolbox

A complete investigation workflow in one interface

Explore, annotate, compare, and export without swapping tools.

Node & flow inspection

Click any endpoint or communication and open the Inspector for details.

  • Identity, classification, timestamps, and traffic metrics.
  • Center on selection and pivot from highlights to evidence.

Canvas annotations

Build diagrams your stakeholders can understand—and act on.

  • Text, shapes, connectors, legends, and images.
  • Icon library for common network and OT devices.

Projects (.ndap)

Save the investigation workspace, not just the capture.

  • Preserves datasets, filters, time window, layouts, and annotations.
  • Read-only project exports for safe sharing (Individual/Enterprise).

Export Hub

Produce consistent deliverables with presets and a unified export queue.

  • Visual exports: PNG / SVG / PDF; data exports like CSV (build dependent).
  • Presets standardize sizing, tiling, layers, and scopes.

Graph Diff (Individual/Enterprise)

Compare snapshots or time windows to highlight additions, removals, and changes.

  • Thresholds reduce noise; overlays focus attention.
  • Export graph_diff.csv for reporting.

Command Center (Individual/Enterprise)

An OT-focused surface for inventory, incidents, insights, workflows, and playbooks.

  • Saved searches help standardize investigations across teams.
  • Some tabs are deployment-dependent by design.

Asset enrichment (Individual/Enterprise)

Bring your inventory into the graph and make it searchable.

  • Import vendor/OUI packs and asset CSVs; meta.* fields become queryable.
  • Optional geo/org enrichment for public IPs (build dependent).

Performance for large captures

Stay responsive when graphs get big.

  • Performance Mode and edge caps, plus time slicing for scope control.
  • Switch render backend (WebGL / Canvas2D) when supported.

Note: Some capabilities are plan- or deployment-dependent (for example Graph Diff, Command Center, multi-canvas, read-only project exports, and enrichment imports). See pricing or contact sales.

Operational workflow

A repeatable investigation motion

NDA keeps teams aligned by turning ad-hoc packet analysis into a clear, repeatable workflow.

  1. Ingest & profile

    Load one or more captures and use layouts to understand baseline topology fast.

  2. Slice & filter

    Remove noise with quick filters, then narrow with ports/protocols, queries, and time slicing.

  3. Inspect & explain

    Use the Inspector to validate details, then annotate the canvas with clear callouts and evidence.

  4. Export & share

    Export visuals and data for reporting, or share .ndap projects for repeatable investigations.