Security analytics for every firewall you run

Turn the firewall telemetry you already collect into security you can prove.

ThisFirewall reads the logs your firewalls already produce and turns them into one platform — search, threat hunting, attack stories, OT visibility, segmentation analysis and an audit-ready maturity scorecard. Any firewall. No new sensors. Read-only.

Live in an afternoon | Read-only toward your firewalls | Bring your own AI key | Your data stays yours
app.thisfirewall.com / overview · LIVE · 17 firewalls
Global activity & threats · 12 active
13:02:41 CRIT c2_beaconing 172.17.48.104 → 209.99.190.200 / 120s
13:02:18 HIGH ioc_match 124.198.131.0/24 → SSL-VPN :10443
13:01:55 OT modbus PLC-3 → HMI-1 · OT→OT · normal
13:01:30 INFO new_geo_login user mandy · VPN · NL
Fleet posture · 14/17 healthy
Open threats: 12
Seg. score: 58
OT maturity: L1
Outbound to known-malicious IP
BITN-CGR-FW01 · allowed · St Kitts AS · needs block + EDR
Throughput · 24h
Reads the firewalls you already run · multi-vendor by design
FortiGate (live) | Palo Alto (roadmap) | Cisco ASA / FTD (roadmap) | Sophos (roadmap) | Check Point (roadmap) | pfSense / OPNsense (roadmap)
How it works

From raw firewall logs to evidence, in five stages.

Firewall logs are millions of lines no human can read. ThisFirewall processes every flow through a fixed, auditable pipeline — until what remains is a clear, named, actionable record.

01

Ingest

Syslog from every firewall, any vendor, into one platform. No agents.

02

Enrich

Every IP, ASN, application, country and identity resolved — locally, in real time.

03

Hunt

21+ behavioural hunts turn noise into named threats — scored, deduplicated, tuned.

04

Illuminate

OT traffic, the IT/OT boundary and dwell time — made visible from the same stream.

05

Prove

A maturity scorecard and compliance evidence your board and auditor will read.

A worked example

What an actionable record looks like.

A real-shape incident, anonymised. Six raw signals correlated into one narrative and one decision.

Attack story · auto-assembled

A quiet workstation was beaconing to St Kitts every two minutes.

A host behind BITN-CGR-FW01 made a near-perfect 120-second outbound connection to a freshly-allocated Caribbean IP — the heartbeat signature of command-and-control. The firewall allowed it. ThisFirewall resolved the destination's owner, correlated four separate signals into one timeline, and surfaced it as a single critical record instead of four orphan alerts.

Verdict: real C2-shape beacon, allowed by policy. Recommended action: block the /21 outbound and deploy EDR on the host. One click to a ticket.
07:32 ioc_match — outbound destination on a threat feed (GreenSnow)
07:32 c2_beaconing — 120s ± 5s interval, 99% regularity
07:33 enrich — destination owner = newly-allocated St Kitts ASN
07:34 correlate — 4 signals → 1 record, scored 95
07:34 propose — block 209.99.184.0/21 + EDR on host
One platform

Everything your firewalls know, on one pane.

ThisFirewall is a full security-analytics platform, not a point tool. Each capability reads the same enriched stream, so a threat, a flow and a device are always one click apart.

Log Search & Sessions

Every firewall log, searchable in seconds — sessions, flows and identities across the whole fleet.

Threat Hunting

21+ behavioural hunts (beaconing, brute-force, exfil, recon) with scoring, dedup and FP-tuning built in.

Attack Stories

Scattered alerts auto-correlated into one timeline with a verdict and a recommended action.

Egress & Exfil Intel

Learns each application's normal destinations and flags the drift — data leaving where it never has before.

NEW

OT / Industrial Visibility

Modbus, DNP3, S7, OPC-UA and peers classified as first-class — the OT traffic you couldn't see.

NEW

Segmentation Analyzer

The IT↔OT zone matrix, a boundary score, and review-only policy to close the gaps.

NEW

Dwell-time KPI

How long threats ran before detection — the metric your board now asks for, from your own data.

NEW

Maturity Scorecard

Scored against the industry L0–L4 ladder from observed evidence, not a self-assessment.

Fleet & Compliance

Firmware/KEV exposure, config posture, and audit-ready evidence across every device you run.

See every flow

Know what's actually talking on your network

ThisFirewall classifies every flow your firewall sees — work, OT, remote-access, shadow-AI, risky — and maps the devices behind them. The traffic you've been paying to log finally tells you something.

  • Industrial protocols pulled out of "Other" and named
  • Shadow-AI and shadow-IT surfaced per user and host
  • Per-site, per-client and per-device breakdowns
Traffic by category · 24h · live
Cloud / CDN · 31%
Work · 23%
OT / Industrial · 16%
Remote access · 12%
Shadow AI · 10%
Risky · 8%
Close the boundary

See — and propose — the IT/OT boundary

Tag your interfaces and ThisFirewall builds the zone-to-zone matrix from real traffic, flags every IT↔OT crossing and Internet→OT path, scores the boundary, and drafts review-only firewall policy to close it. Read-only, always.

  • Worst crossings first, scored by exploitability
  • A 0–100 boundary score your auditor understands
  • Review-only CLI — ThisFirewall never touches your firewall
Zone matrix · sessions · 58 / 100 · C
Columns: IT | OT | DMZ | WAN
IT: HIGH | · | ok
OT: HIGH | · | EGR
WAN: vip | CRIT | ·
1 critical · 2 high crossings · proposal ready
Measure what matters

The dwell-time number, and the climb to the next level

ThisFirewall measures how long activity ran before you caught it — in the same bands the industry survey uses — and scores your OT maturity against the L0–L4 ladder from what it observes. Evidence, not a questionnaire.

  • Median dwell, longest dwell, weeks/months danger zone
  • A maturity level you've genuinely earned
  • The exact next rung, with the gaps to close
Dwell-time · 90d · median 6m
Minutes · 62%
Hours · 24%
Days · 9%
Weeks · 4%
Months · 1%
L1 · Visibility & segmentation · you are here
L2 · Access & profiling · next →
Who it's for

Built for the teams who run real things.

Whether you're a SecOps lead, a plant engineer, an MSP, or the person who has to answer the auditor — ThisFirewall meets you where you are.

SecOps & SOC

One pane across every firewall. Threat records instead of alert floods, with dwell-time you can report.

Plant & OT teams

See the OT traffic and the IT/OT boundary — without a sensor on the line or a touch to the firewall.

MSPs

Multi-client, multi-firewall, one console. Sell OT visibility and posture as a managed service.

Risk & compliance

Maturity and dwell-time evidence mapped to the standards procurement and regulators ask for.

Works with what you run

No rip-and-replace. Point your firewalls at us.

ThisFirewall reads firewall telemetry and enriches it locally. Send syslog, add a read-only API user, and you're live — no new hardware on the network.

FortiGate · live
Palo Alto · roadmap
Cisco FTD · roadmap
Sophos XG · roadmap
Check Point · roadmap
pfSense · roadmap
OPNsense · roadmap
Meraki MX · roadmap
WatchGuard · roadmap
Syslog / CEF · standard
CISA KEV · feed
Threat feeds · built-in
23%
of operators see only about half their OT network
rise in weeks/months attacker dwell time, year on year
89%
expect new OT regulation within five years
#1
control operators name: segmentation — still unbuilt
Source: Fortinet, 2026 State of Operational Technology and Cybersecurity Report (700+ OT leaders). ThisFirewall closes these gaps from the firewalls you already run.
Why ThisFirewall

The platform approach, not another point tool.

Read-only, propose-only

ThisFirewall never writes to your firewalls. Policy suggestions are review-only — you stay in control, always.

No new sensors or agents

It reads the telemetry you already collect. Nothing to deploy on the plant floor, nothing to maintain.

Vendor-neutral by design

Built to read any firewall's logs. Consolidate onto one pane instead of a tool per vendor.

Your data stays yours

Single-tenant deployment available. We don't pool your logs or sell your data — ever.

Where the line is

ThisFirewall reads from the firewall, so it sees the cross-zone traffic that segmentation actually governs — not the intra-VLAN PLC chatter or ICS function-code internals that need a passive in-plant sensor. We tell you that up front. For most operators, serious security analytics from the infrastructure you already own is the right first move — and the one the industry data says is missing.

Commercial

Priced for the firewalls you run — not per seat.

Connect a firewall and you're live the same afternoon. Standard tiers deploy on isolated multi-tenant infrastructure; Enterprise runs in its own dedicated environment.

FAQ

The questions operators ask first.

Does ThisFirewall touch or change my firewall?

No. It's read-only toward your firewalls. Policy proposals are review-only CLI you apply yourself, in your own change window.

Do I need new hardware or agents?

No sensors, no agents, no span ports. ThisFirewall ingests the syslog you already send and reads via a read-only API user.

Which firewalls do you support?

FortiGate today, with Palo Alto, Cisco, Sophos, Check Point and pfSense on the roadmap. Standard syslog/CEF works broadly — tell us what you run.

Where does my data live?

On infrastructure we agree with you — including a dedicated, single-tenant instance in your region. Your data stays yours; we don't pool it.

How fast can we be live?

An afternoon for the first firewall: point syslog at ThisFirewall, add a read-only API user, and the dashboards populate from day one.

Can it see inside my ICS protocols?

It sees cross-zone OT traffic at the firewall — what segmentation governs. Deep function-code inspection needs an in-plant sensor; we're honest about that line.

Complimentary · no commitment

Get a free Firewall Exposure Check.

Point one firewall at ThisFirewall for 24 hours — or send us a config export — and we'll return a report: your OT footprint, your IT↔OT segmentation boundary, your dwell-time baseline, and the exposures worth fixing first. Read-only. Yours to keep.

1. Connect one firewall (or upload a config)
2. We analyse 24h of telemetry, read-only
3. You receive a report and a 30-minute walkthrough
Your report includes
  • OT / industrial traffic, classified
  • IT↔OT boundary score and risky crossings
  • Dwell-time baseline versus the industry
  • Top exposures, prioritised to fix
Request the check
Security & trust

Built to be trusted with your security data.

You're handing a platform your firewall telemetry. Here is exactly how we treat it — architecture first, promises second.

Read-only by design

ThisFirewall never changes your firewalls. It ingests the syslog you already send and reads via a read-only API user. Every policy suggestion is review-only CLI you apply yourself.

Your data stays yours

Single-tenant deployment option, hosted in your region. Encrypted in transit and at rest. We never pool your data with other customers and never train models on it.

Compliance-aligned

Engineered to the controls enterprise procurement expects — ISO 27001 and SOC 2 principles, the NZ Privacy Act 2020, and GDPR-ready data handling — so security reviews go smoothly.

Access you control

SSO and role-based access, scoped per client and per site. An immutable audit trail records who saw what, from where — your evidence, on demand.

Bring your own AI key · BYOK

The AI runs on your key — not ours.

Connect your own OpenAI or Anthropic (Claude) account, or point ThisFirewall at a fully local, self-hosted model. Your key, your model, your spend — we never mark up AI tokens and never route your telemetry through our AI accounts. Run a local LLM and your data never leaves your environment at all. And because it's your spend, ThisFirewall is token-minimised by default — response caching, prompt trimming and per-tenant budgets keep usage as low as possible. AI is opt-in, per-feature, and entirely under your control.

OpenAI | Anthropic · Claude | Local / self-hosted LLM | No token markup | Token-minimised · cache + budgets | Opt-in & per-feature
Bring your own AI key | ISO 27001-aligned | SOC 2-aligned | NZ Privacy Act 2020 | GDPR-ready | Read-only | Encrypted at rest & in transit | Single-tenant option | Full audit trail
Request a demo

See your own network in a 30-minute demo.

Tell us about your environment and we'll show you your OT footprint, segmentation boundary and dwell-time numbers — from a firewall you already run.

  • No new sensors, agents or hardware
  • Read-only and propose-only toward your firewalls
  • A walkthrough with an engineer, not a sales script
  • A clear per-firewall quote and a pilot you can scope
Prefer email? [email protected] · A Belton IT Nexus product.
We use your details only to respond to this request. No spam, no list-selling.