Monitoring & Detection

AlertMonitor Sensor

Internal scanning and lateral movement detection

What it does

The AlertMonitor Sensor deploys inside your network perimeter to provide visibility no perimeter-facing tool can deliver. It continuously scans east-west traffic, detects lateral movement, and identifies internal reconnaissance — the hallmarks of an attacker already inside. Everything discovered feeds directly into your alert stream, AI-enriched and analyst-reviewed.

Why it matters: 83% of breaches involve lateral movement after initial intrusion. External monitoring will never catch an attacker already inside. The AlertMonitor Sensor gives you the internal visibility to detect threats before they reach critical systems.

Capabilities

  • Internal network scanning from inside the perimeter — discovers every host and open port attackers would
  • Lateral movement detection — flags abnormal host-to-host connection spikes and unexpected protocol use
  • East-west traffic analysis across internal network segments
  • Rogue device detection — identifies unauthorized devices the moment they connect
  • Honeypot canary token integration — silent tripwires trigger immediately on access
  • All findings feed into the AlertMonitor alert pipeline with AI context attached

How it works

The sensor deploys as a lightweight agent on a Windows or Linux host inside your network. It runs continuous internal scans using the same enumeration techniques attackers use — nmap-style discovery, ARP monitoring, SMB probing — but legitimately, under your control. Scan cadence and depth are configurable per client. All findings are normalized and streamed to the AlertMonitor enrichment pipeline before your analyst team reviews them.
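
The lateral movement capability listed above (abnormal host-to-host connection spikes, unexpected protocol use) can be illustrated with a small detector over internal flow records. This is an added example, not AlertMonitor's own code: the record format, window size, thresholds, function names and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def detect(flows, window=5, factor=3.0, min_peers=5, warmup=3):
    """Flag sources whose distinct-peer count spikes over their own baseline,
    or that use a destination port they have not used before.

    flows: iterable of (minute, src_ip, dst_ip, dst_port) tuples (assumed format).
    Returns a list of (window_start, src_ip, reason).
    """
    peers = defaultdict(lambda: defaultdict(set))  # src -> window -> {dst}
    ports = defaultdict(lambda: defaultdict(set))  # src -> window -> {port}
    for minute, src, dst, port in flows:
        w = minute // window * window
        peers[src][w].add(dst)
        ports[src][w].add(port)

    findings = []
    for src in sorted(peers):
        history, seen_ports = [], set()
        for w in sorted(peers[src]):
            fanout = len(peers[src][w])
            # Only judge a window once the host has enough history of its own.
            if len(history) >= warmup:
                base = median(history)  # median resists one earlier spike
                if fanout >= max(min_peers, factor * base):
                    findings.append((w, src, f"fan-out {fanout} vs baseline {base:g}"))
                for p in sorted(ports[src][w] - seen_ports):
                    findings.append((w, src, f"new port {p}"))
            history.append(fanout)
            seen_ports |= ports[src][w]
    return findings


def sample_flows():
    """Constructed sample data, not real telemetry."""
    flows = [(w, "10.0.0.6", "10.0.0.10", 443) for w in (0, 5, 10, 15)]
    for w in (0, 5, 10):  # three quiet windows: two HTTPS peers each
        flows += [(w + 1, "10.0.0.5", "10.0.0.10", 443),
                  (w + 2, "10.0.0.5", "10.0.0.11", 443)]
    # Fourth window: the same host suddenly reaches eight peers over SMB.
    flows += [(16, "10.0.0.5", f"10.0.0.{n}", 445) for n in range(20, 28)]
    return flows


if __name__ == "__main__":
    for finding in detect(sample_flows()):
        print(finding)
```

The per-host baseline matters: a file server or scanner that always talks to many peers builds a high median and is not flagged, while a workstation that jumps from two peers to eight is.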