
How Netography Fusion® Works

Cloud-Native Network Defense Platform for all Your Cloud and On-Prem Traffic

Netography Fusion® is a cloud-native Network Defense Platform (NDP) that provides real-time detection and response to anomalies and threats across hybrid, multi-cloud, and on-prem networks from a single console without deploying sensors, agents, or taps.

Fusion analyzes enriched metadata to help you gain comprehensive visibility in real-time, validate governance, and monitor, detect, and respond to compromises in any environment.

Fusion succeeds where costly appliance-based legacy architectures have failed. Your SecOps, SecDevOps, NetOps, and CloudOps teams will benefit from singular visibility to all their cloud and on-prem traffic, and stop drowning in low-fidelity alerts that don’t deliver actionable insights.

By analyzing network activity at cloud scale, Netography Fusion provides critical insight for any organization struggling to gain fast, comprehensive knowledge of what its devices, users, applications, and data are doing.

How Netography Works

How It Works


The 100% SaaS Netography Fusion platform aggregates and normalizes metadata collected from your multi-cloud and on-prem network, including all five major cloud providers (Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, and Oracle Cloud) and the physical and virtual devices you have already deployed (including all forms of flow data: NetFlow, sFlow, and IPFIX).

Organizations that require an added layer of security before sending their flow data to Fusion have the option of deploying NetoFlow Connector software, which supports buffering, filtering, downsampling, and an HTTPS connection.

There are no additional components to install. Fusion ingests metadata from your existing tech stack, eliminating the additional cost and complexity of other approaches.


Fusion automatically enriches the metadata with additional context labels and tags, including source autonomous system information, geolocation information, bit rate and packet rate calculations, destination autonomous system number and DNS lookups, and next hop information. It also incorporates context labels from Active Directory, asset management, CMDB, EDR, NDR, XDR, and vulnerability management systems, including last user, asset owner, MAC address, asset classification, agent version, group, vulnerability count, and CVSS rating and score.


Fusion detects anomalous and malicious activity with Netography Detection Models (NDMs). You have complete flexibility to customize Fusion’s preconfigured detection models as well as create your own models. Netography’s Detection Engineering team continuously creates new NDMs and updates existing models to detect new threats and variants of existing threats. For greater response effectiveness, multiple teams can utilize a single NDM to launch diverse response workflows, ensuring all teams have access to the same critical alerts.


With Fusion’s tagging and context labeling, your teams can quickly visualize activity by application, location, compliance groups, or any other scheme. They can accelerate response time by quickly pivoting between dashboards to identify and investigate anomalous or malicious activity. They can also utilize the “look back” feature to see activity for up to a year prior, to understand the scope and duration of the activity.


The Fusion platform enables you to implement a range of response workflows quickly, either directly within the Fusion platform or via built-in integrations with a range of technology partners, including EDR, NDR, and XDR systems, and SIEM/SOAR platforms. Well-documented RESTful APIs give you the ability to automate workflows with your tech stack as well, and Fusion also supports Terraform, so you can automate visibility and control as your infrastructure scales.

Netography Query Language®

Netography Query Language® (NQL) is a powerful tool that enables analysts or operators to search enriched flow records by creating and saving custom algorithms. 

You can create custom searches to rapidly analyze, investigate, and respond to anomalous or malicious traffic or incidents. You can also use these custom searches to create automated alerts and remediation workflows to meet your unique requirements.

With NQL you can isolate and analyze specific traffic, geo activity, threat actors, configurations, and more in seconds. It delivers the industry’s most granular and flexible flow record search capability, enabling you to create custom searches and alerts quickly and apply them to new or built-in dashboards.

NQL is the basis for accomplishing many tasks within Netography Fusion. Query examples include:

  • Search for flows, alerts, or interfaces
  • Filter statistics and aggregations
  • Define custom algorithms to alert on

Becoming familiar with NQL helps you get the most out of Netography Fusion. These generic rules apply regardless of where you use the query language:

  • Logic must be unambiguous. For example, A && B || C will fail. Use parentheses to prevent ambiguity.
  • IP fields can be searched with CIDR notation if desired.
  • will match
  • Only integer fields can use numerical comparisons: < <= > >=
  • Strings with spaces must be quoted with single quotes.
  • Allowed Boolean operators are: && AND and, || OR or, and !
  • Allowed numerical operators are: == != < <= > >=
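
A pre-submission lint for the first rule above, added here as an example (it is not Netography's code and not NQL's actual parser): it flags queries that mix AND and OR at the same parenthesis level. The tokenization is an assumption based only on the operators and quoting listed on this page, and the field names in the sample queries are hypothetical.

```python
import re

# Assumed token set, taken from the rules listed on this page.
# Single-quoted strings are consumed whole so operators inside them are ignored.
TOKEN = re.compile(r"""
    (?P<str>'[^']*')
  | (?P<lparen>\()
  | (?P<rparen>\))
  | (?P<and>&&|\b(?:AND|and)\b)
  | (?P<or>\|\||\b(?:OR|or)\b)
""", re.VERBOSE)

def find_ambiguous_logic(query):
    """Return offsets of operators that mix AND with OR inside one paren level."""
    if query.count("'") % 2:
        raise ValueError("unterminated single-quoted string")
    stack = [None]   # first boolean operator kind seen at each nesting depth
    problems = []
    for m in TOKEN.finditer(query):
        kind = m.lastgroup
        if kind == "str":
            continue
        if kind == "lparen":
            stack.append(None)
        elif kind == "rparen":
            if len(stack) == 1:
                raise ValueError(f"unbalanced ')' at offset {m.start()}")
            stack.pop()
        elif stack[-1] is None:
            stack[-1] = kind              # first operator at this depth
        elif stack[-1] != kind:
            problems.append(m.start())    # AND and OR mixed without parens
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return problems

if __name__ == "__main__":
    # Constructed sample queries; 'label' and 'bits' are hypothetical field names.
    for q in ["A && B || C", "(A && B) || C", "label == 'x || y' && bits > 100"]:
        print(f"{q!r}: ambiguous at {find_ambiguous_logic(q)}")
```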
