Cyber Tool Stack
All tools
IDS/NDROpen source · BSD-3-Clause

Zeek

Community project

An open-source network security monitor (formerly named Bro) that transforms raw traffic into detailed, structured logs of every connection and protocol transaction rather than matching signatures directly. Its scripting language lets analysts build custom detection logic on top of that log stream, and it underlies several commercial NDR products, including Corelight.

Verified Source: 1

Product type
Community project
Deployment
On-premCLI
Organization size
Mid-marketEnterprise
Pricing tier
Free

Capability checklist

IDS/NDR

How Zeek measures up against the full Intrusion Detection & Network Detection and Response taxonomy.

Signature-based detection — not supported
Matches traffic against known attack and exploit signatures.
Behavioral anomaly detection — not supported
Baselines normal traffic patterns to flag deviations without a known signature.
East-west traffic visibility — supported
Sees lateral movement between internal hosts, not just traffic crossing the perimeter.
Packet capture & forensics — supported
Stores full or metadata-level packet history for post-incident investigation.
Threat intelligence integration — supported
Enriches detections with known-bad IPs, domains, and indicators from feeds.
Inline blocking (IPS mode) — not supported
Can actively drop malicious traffic in real time rather than only alert on it.
Encrypted traffic analysis — supported
Flags malicious patterns in encrypted flows without decrypting them.

Alternatives

Other Intrusion Detection & Network Detection and Response tools with overlapping capabilities, sized for similar teams.

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.