Vantage unifies capture, storage, and analysis across your entire infrastructure — from a single analyst's workstation to a globally federated network of thousands of nodes — under one query language, one security model, and zero data movement.
Wireshark, your SIEM, your IDS, your SOAR — they all need packets, but they each manage capture, storage, and access differently. Vantage replaces that fragmentation with a single platform: continuous capture at line rate, exascale storage, and a query language that makes global infrastructure feel like a local session.
Vantage Query controls everything — nodes, clusters, captures, storage, security policies, and compliance reports — from a single session. What works on one node works unchanged across a global federation.
No moving petabytes to a central store. Analysis runs at the edge, on the node where packets were captured. Queries cross regions; raw data never has to.
Security levels 0–20 are enforced at the field level, at capture time — not as a filter layer bolted on top. PII obfuscation, air-gap isolation, and role-based access are first-class properties of every packet store.
Vantage imports your existing Gigamon taps, Cubro probes, and Endace capture appliances as SILOs. You don't replace your hardware — you add intelligence on top of it. Migration to Vantage appliances happens on your timeline, not ours.
Each product is useful standalone today. Together, they form the full Vantage stack.
Multi-user, remote-first packet analysis. Your analysts see the same session, the same markers, the same bookmarks — in real time. Data stays on the capture server; your browser gets the pixels.
Capture server (remote)
└── Lynx daemon
    ├── Packet index
    ├── Flow markers
    ├── Alert overlays
    └── Security level 0–20
Browser (local)
└── Pixels only — no raw data
    ├── Multi-user session
    └── Real-time collaboration
Always-on capture daemon for the network edge. Captures at 800 Gbps with DPDK or Napatech, indexes everything continuously, and serves multiple Lynx clients without interrupting capture.
Network interface (line rate)
└── Sentinel daemon
    ├── DPDK / Napatech / libpcap
    ├── Continuous indexing
    ├── BPF filters + macros
    └── Quarry write path
Clients
├── Lynx (live view)
├── quarry (query + manage)
└── Admin panel (status)
Exascale packet storage with a virtual filesystem interface. Mount 100 EB of packet history as a local directory. Wireshark, tcpdump, and any POSIX tool just work — on data they could never otherwise touch.
Quarry store (100 EB)
└── quarry / virtual filesystem mount
    ├── /captures/today/
    ├── /captures/last-30d/
    └── /views/lean-headers/
Any POSIX tool
├── $ wireshark /captures/...
├── $ tcpdump -r /views/...
└── $ jupyter + scapy
Vantage Query and the Virtual Filesystem (quarry) are the two interfaces to the entire platform. What you learn on a single node works identically at global scale.
-- Capture on this node
quarry> CAPTURE ALL TRAFFIC
          STORE AS "incident-2026"
          ENCRYPT LEVEL 12
          INDEX WITH six

-- Hunt across it
quarry> FIND FLOWS WHERE
          http.status == 200
          AND meta.stats.requests > 50
          DURING LAST 24h

-- Auto-respond to PII
quarry> ON PACKET WHERE
          meta.tuple CONTAINS "creditcard"
          DO ENCRYPT LEVEL 18
          AND NOTIFY [email protected]

-- Scale to 3,900 nodes:
-- exact same syntax
quarry controls nodes, clusters, captures, storage, security policies, compliance schedules, and real-time automation — from a single interactive session or a script. The syntax is identical whether you're managing one node or a global federation.
# Mount the platform as a filesystem
$ quarry mount --cluster global /net

# Wireshark opens 100 EB directly
$ wireshark /net/captures/today/eth0.pcap

# tcpdump on a filtered view
$ tcpdump -r /net/views/lean-headers/

# Jupyter + Scapy, no download needed
#   from scapy.all import *
#   pkts = rdpcap("/net/views/...")

-- Create a lean analyst view
quarry> CREATE VIEW "analyst-safe" AS
          FROM STORAGE "incident-2026"
          HEADERS ONLY
          DECAP all
          ENCRYPT LEVEL 8
quarry mounts any Vantage store as a POSIX directory. Every tool your team already knows works instantly — on data that never left the capture node. Views project subsets, strip payloads, and enforce security levels before any tool touches the data.
Most enterprises have years of investment in Gigamon, Cubro, Endace, and other capture infrastructure. Vantage doesn't ask you to abandon that. It imports your existing appliances as SILOs — first-class nodes in the Vantage fabric — and immediately adds query, security, and analytics capabilities on top of what you already own.
Existing pcap stores, ring buffers, and capture archives become queryable Vantage SILOs immediately. No re-ingestion, no re-indexing of already-written data.
Your analysts keep using Wireshark, your SIEM keeps pulling logs, your IDS keeps alerting. Vantage layers underneath and in between — enriching every tool without replacing any of them.
Replace aging appliances with Vantage nodes as they reach end-of-life. Each new node adds capacity and capability without disrupting anything already running.
Each phase is a complete, production-ready deployment. You don't need Phase 3 to get value from Phase 1.
Standalone deployment on a single server or workstation. Full capture, storage, analysis, and query — no cluster required.
Scale across multiple nodes in a single cluster. Distributed capture, shared storage, cross-node queries — same Vantage Query syntax.
Multi-region, multi-cluster deployment with a central control plane, data sovereignty enforcement, and air-gap support.
Start with a single node today. The same Vantage Query commands you learn in Phase 1 work unchanged in Phase 3. No rewrites. No migration. Just scale.
Every Vantage product runs on jNetWorks — 800 Gbps line-rate packet capture for Java, with zero hot-path allocations, three backends, and full L2–L7 dissection. The same SDK is available to your engineering team to build custom integrations.
We're happy to walk through the architecture, answer technical questions, or tailor a demo to your environment.