
A powerful bolt-on toolkit that transforms Suricata into a capable NDR with AI-powered detection and automated response.
Don't replace your stack. Extend it. Rockfish bolts onto your existing Suricata deployment. No rip-and-replace. No vendor lock-in. No SaaS dependency. No hype. Just tools that work.
Bolt-on
Drops into your existing Suricata deployment
Integrates with your SIEM, SOAR, and ticketing systems through n8n
MQTT event bus connects to anything in your stack
Deploys on any commodity hardware — no proprietary appliances
Air-gap ready: fully disconnected operation, no cloud required
No recurring subscription. No SaaS to kiss.
Detect
Suricata integration with full EVE JSON enrichment
Unsupervised ML for signature-free anomaly detection
Encrypted traffic analysis via JA3/JA4 fingerprinting
AI-ready: query network data conversationally via MCP server
Respond
AI-assisted Suricata rule injection on detection
Workflow orchestration with n8n for custom response playbooks
SIEM/SOAR forwarding with Fluent Bit to Splunk, Sentinel, Shuffle
MQTT event bus for real-time alert distribution
Archive
Full metadata capture, including enriched flow records.
Arrow Parquet for fast analytical queries at scale.
Store local or push to S3-compatible storage.
Meet regulatory and audit requirements with immutable storage.
Analyze historical data with any Parquet-compatible engine.
How It Works
Capture — Suricata passively monitors your network via TAP/SPAN, feeding traffic to Rockfish.
Detect — Rockfish's behavioral engine analyzes enriched metadata to identify lateral movement, C2 beacons, data exfiltration, and anomalies that signatures miss.
Respond — Detection events fire over MQTT to n8n, triggering automated playbooks.
Archive — Every flow is enriched and stored in immutable Parquet format.
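The Capture, Detect and Archive steps above describe a pipeline of Suricata EVE JSON in, enriched flow records out, with behavioral detection in between. The script below is an added, stdlib-only Python example, not Rockfish's code, that shows the shape of that pipeline: it joins Suricata's separate tls and flow EVE events on flow_id so each archived flow carries its JA3 hash and SNI, then runs a simple beacon-interval heuristic over the enriched records. The EVE field names (event_type, flow_id, src_ip, dest_ip, dest_port, proto, flow.start, flow.bytes_toserver, tls.sni, tls.ja3.hash) follow Suricata's documented EVE schema; the sample log lines, the JA3 values, the helper names (enrich_flows, detect_beacons, run) and the thresholds (min_flows, max_cv) are constructed assumptions for this demo and say nothing about how Rockfish's own engine scores traffic.

```python
"""Added example (not Rockfish code): enrich Suricata EVE flow records with TLS
fingerprints, then flag client/server pairs with suspiciously regular timing.
Sample data, helper names and thresholds are constructed for this demo."""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed JA3 hashes (not real fingerprints) used only in the sample data.
JA3_A = "0123456789abcdef0123456789abcdef"
JA3_B = "fedcba9876543210fedcba9876543210"


def _flow(fid, src, dst, start):
    """Build a minimal Suricata 'flow' EVE line (constructed sample data)."""
    return json.dumps({
        "event_type": "flow", "flow_id": fid, "src_ip": src, "dest_ip": dst,
        "src_port": 40000 + fid, "dest_port": 443, "proto": "TCP",
        "flow": {"start": start, "pkts_toserver": 4, "bytes_toserver": 512}})


def _tls(fid, src, dst, sni, ja3):
    """Build a minimal Suricata 'tls' EVE line (constructed sample data)."""
    return json.dumps({
        "event_type": "tls", "flow_id": fid, "src_ip": src, "dest_ip": dst,
        "dest_port": 443, "tls": {"sni": sni, "ja3": {"hash": ja3}}})


# Host A reaches the same server every ~60 s (beacon-like); host B is bursty.
SAMPLE_EVE = [
    _tls(1, "10.0.0.5", "203.0.113.10", "cdn.example", JA3_A),
    _tls(3, "10.0.0.5", "203.0.113.10", "cdn.example", JA3_A),
    _tls(6, "10.0.0.7", "198.51.100.20", "mail.example", JA3_B),
    _flow(1, "10.0.0.5", "203.0.113.10", "2026-01-15T10:00:00.000000+0000"),
    _flow(2, "10.0.0.5", "203.0.113.10", "2026-01-15T10:01:00.000000+0000"),
    _flow(3, "10.0.0.5", "203.0.113.10", "2026-01-15T10:02:01.000000+0000"),
    _flow(4, "10.0.0.5", "203.0.113.10", "2026-01-15T10:03:00.000000+0000"),
    _flow(5, "10.0.0.5", "203.0.113.10", "2026-01-15T10:04:00.000000+0000"),
    _flow(6, "10.0.0.7", "198.51.100.20", "2026-01-15T11:00:00.000000+0000"),
    _flow(7, "10.0.0.7", "198.51.100.20", "2026-01-15T11:00:05.000000+0000"),
    _flow(8, "10.0.0.7", "198.51.100.20", "2026-01-15T11:05:05.000000+0000"),
    _flow(9, "10.0.0.7", "198.51.100.20", "2026-01-15T11:05:45.000000+0000"),
]


def parse_ts(ts):
    """Parse Suricata's EVE timestamp format into a timezone-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def enrich_flows(lines):
    """Join TLS fingerprint data onto flow records by flow_id.

    Suricata emits 'tls' and 'flow' as separate EVE lines; keying on flow_id
    lets the archived flow record carry the JA3 hash and SNI seen on it."""
    events = [json.loads(line) for line in lines]
    tls_by_flow = {e["flow_id"]: e["tls"] for e in events if e["event_type"] == "tls"}
    enriched = []
    for e in events:
        if e["event_type"] != "flow":
            continue
        tls = tls_by_flow.get(e["flow_id"], {})
        enriched.append({
            "flow_id": e["flow_id"], "src_ip": e["src_ip"], "dest_ip": e["dest_ip"],
            "dest_port": e["dest_port"], "proto": e["proto"],
            "start": parse_ts(e["flow"]["start"]),
            "bytes_toserver": e["flow"]["bytes_toserver"],
            "sni": tls.get("sni"), "ja3": tls.get("ja3", {}).get("hash")})
    return enriched


def detect_beacons(enriched, min_flows=4, max_cv=0.1):
    """Flag (src, dst, port) tuples whose inter-connection gaps are nearly
    constant. The thresholds are illustrative assumptions, not Rockfish's."""
    groups = defaultdict(list)
    for r in enriched:
        groups[(r["src_ip"], r["dest_ip"], r["dest_port"])].append(r)
    findings = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_flows:
            continue
        starts = sorted(r["start"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation of gaps
        if cv <= max_cv:
            findings.append({
                "src_ip": src, "dest_ip": dst, "dest_port": port, "count": len(recs),
                "mean_interval": mean, "cv": cv,
                "ja3": sorted({r["ja3"] for r in recs if r["ja3"]}),
                "sni": sorted({r["sni"] for r in recs if r["sni"]})})
    return findings


def run(lines):
    """Enrich EVE lines and return (enriched_flows, beacon_findings)."""
    enriched = enrich_flows(lines)
    return enriched, detect_beacons(enriched)


if __name__ == "__main__":
    for f in run(SAMPLE_EVE)[1]:
        print(f"beacon-like: {f['src_ip']} -> {f['dest_ip']}:{f['dest_port']} "
              f"every {f['mean_interval']:.0f}s (cv={f['cv']:.3f}) ja3={f['ja3']}")
```

Run against the constructed sample, host A is reported (five flows, 60 s mean gap, coefficient of variation about 0.012) while host B's irregular bursts are not. In a real deployment the enriched records are what would be serialized to Parquet for the archive and the findings are what would be published on the MQTT bus; a coefficient-of-variation cutoff this simple is deliberately easy to tune and to explain to an analyst, which is usually the first thing a SOC wants from a behavioral rule.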
Your network. Your insight. Your archive.
Coming Q2 2026. Preview the docs, explore the architecture, or get in touch.
© 2025-2026. Fidelis Machines, LLC. All rights reserved.