Look deeper.
Find everything.

Deep packet inspection and threat analysis platform for network forensics, threat hunting, and incident response. 59 protocol dissectors. Automated threat hunts. No cloud required.

  • 59 protocol dissectors
  • 7 automated threat hunts
  • 500K packets (Pro)
  • 0 cloud dependencies

Built for the analyst workflow

From initial triage through structured export, Intreys covers the full investigation lifecycle.

Deep Packet Inspection

Wireshark-compatible display filters, full TCP/UDP stream reassembly, hex dump inspection, protocol tree dissection, and expert info panels. Virtual scrolling handles 500K+ packet lists.

Automated Threat Hunting

C2 beacon detection, DNS tunneling, data exfiltration, lateral movement, port scanning, credential theft, and covert channel analysis. Hypothesis-driven hunts with playbook-guided investigation.

AI-Assisted Analysis

Attack narrative generation with Mermaid diagrams. Local AI via MLX (Apple Silicon) or llama.cpp. Cloud providers supported with privacy controls and cost tracking.

ICS/SCADA Security

10 industrial protocol dissectors including Modbus, DNP3, S7comm, IEC-104, and OPC UA. Security policy enforcement, dangerous operation detection, and per-host health scoring.

Live Packet Capture

Cross-platform libpcap integration with lock-free ring buffer. Real-time analysis with SSE streaming. PCAP file writing for captured traffic. No external tools required.

MITRE ATT&CK Mapping

Visual ATT&CK matrix with detected techniques. Pyramid of Pain indicator classification. ATT&CK Navigator JSON export for team collaboration.

Export Everywhere

STIX 2.1, MISP, TAXII 2.1, Sigma rules. PDF and DOCX reports. Full JSON and CSV export. YARA rule scanning on extracted artifacts.

Enterprise Security

Role-based access control, encrypted API key storage, login rate limiting, CSP headers, token blacklisting, audit logging, and Ed25519-signed license verification.

Threat Intelligence

Online enrichment via AbuseIPDB, VirusTotal, GreyNoise, OTX, Shodan, and URLScan. Threat feed ingestion with local caching for offline use. DGA detection.

59 protocols. Pure Python.

No tshark, Wireshark, or Suricata required. Every dissector is implemented in pure Python.

Ethernet, ARP, IPv4, IPv6, TCP, UDP, ICMP, DNS, HTTP/1.x, HTTP/2, TLS/HTTPS, QUIC, SSH, FTP, SMTP, POP3, IMAP, SMB, LDAP, Kerberos, DHCP, SNMP, NTP, SIP, Syslog, RDP, VNC, WinRM, WebSocket, gRPC, MySQL, PostgreSQL, Redis, MSSQL, Oracle, Modbus TCP, DNP3, S7comm, IEC 60870-5-104, OPC UA, BACnet, PROFINET, CIP/EtherNet/IP, GE-SRTP, Niagara Fox, MQTT, CoAP, Bluetooth, BLE, ZigBee, Thread, 6LoWPAN, LoRaWAN, OSPF, LLDP, STP, SOCKS, Tor, IEEE 802.15.4

Simple pricing

Start free. Scale when you need to.

Monthly or yearly billing (save 17% with yearly).

Community

Free forever
For individual analysts and students
  • 10,000 packets per capture
  • 50 MB file size limit
  • Single user
  • All 59 protocol dissectors
  • Automated threat hunts
  • Basic CSV export
  • Local AI support

Enterprise

$99/mo per seat
For MSSPs and large organizations
  • Unlimited packets
  • 2 GB file size limit
  • Unlimited users
  • ICS/SCADA module
  • Real-time collaboration
  • SIEM integration (Splunk, ELK, Syslog)
  • Campaign analysis & case management
  • Compliance mapping (NIST, PCI, HIPAA)
  • Priority support
Contact Sales for volume pricing.

Get started in 60 seconds

Download the Community edition or clone from GitHub. No signup required.

Available for macOS, Linux (Debian, RPM), Windows, and Docker.
Python 3.11+ required for source installation.