From detection to action.

Every alert has a destination. Rockfish publishes enriched, normalized JSON to MQTT, Kafka, and webhooks — feeding SIEMs, SOAR workflows, and OT control planes. No cloud callbacks. No vendor lock-in.

Three sinks. One alert shape.

Every detection — SIGMA, OCCAM, behavioral hunt, Suricata IDS rule — is normalized into a single JSON envelope, then published over whichever transport fits your environment. All three publishers run in the same rockfish alert process; no queue or broker is mandatory.

MQTT

The transport of choice for IoT and OT. Light wire format, native TLS, topic-based routing. Suited for environments where alerts feed directly into PLCs, SCADA HMIs, or edge brokers.

  • QoS 0/1/2 with retained-message support
  • TLS 1.2+ with mutual cert auth
  • Per-detection-type topic routing
  • Last Will & Testament for liveness

Kafka

For enterprise pipelines that already terminate in Kafka. Each alert becomes a record with a partition key derived from src_ip, preserving order per asset.

  • SASL/PLAIN, SASL/SCRAM, mTLS
  • Idempotent producer (a retried send does not duplicate an alert)
  • Configurable partition strategy
  • Schema-Registry-friendly JSON

Webhooks

For everything else. POST to one or many HTTP endpoints — n8n, Node-RED, FluentBit, PagerDuty, or your own SOAR. Payload identical to MQTT and Kafka.

  • Multiple endpoint URLs (fan-out)
  • HMAC-SHA256 signing per endpoint
  • Retry with exponential backoff
  • Per-endpoint header customization (auth, tenant ID)

One JSON shape. Everywhere.

Whether it lands in Splunk via Fluent Bit, fires a Slack message via webhook, or steers a PLC via MQTT — it's the same envelope. Severity, score, ATT&CK tactic, recommended action, full forensic context.

rockfish alert — example payload

  {
    "alert_id": "01HFXQZ8K2V3M9N4P5R6S7T8U9",
    "timestamp": "2026-04-30T14:32:01.247Z",
    "detection_type": "sigma",
    "hunt_type": "beaconing",
    "severity": 1,
    "score": 0.94,
    "source": {
      "ip": "10.0.42.118",
      "hostname": "plc-cell3-04.ot.local",
      "asset_kind": "plc",
      "segment": "ot-cell-3"
    },
    "dest": {
      "ip": "198.51.100.7",
      "port": 443,
      "asn": "AS64512 — Example Hosting",
      "country": "NL"
    },
    "meta": {
      "alert": "ET MALWARE C2 Beacon — Cobalt Strike-like",
      "mitre_tactic": "command-and-control",
      "mitre_id": "T1071.001",
      "sigma_token": "BEACON_REGULAR_HTTPS_SHORT",
      "surprisal": 12.4,
      "recommended_action": "isolate-asset"
    },
    "forensics": {
      "flow_count": 847,
      "first_seen": "2026-04-30T11:15:42Z",
      "last_seen": "2026-04-30T14:31:58Z",
      "interval_p50_sec": 14.2,
      "interval_jitter": 0.03,
      "entropy_toserver": 7.91,
      "pcr": 0.47
    }
  }

Field notes: severity is 1=critical, 2=high, 3=med, 4=low; score is model confidence in the range 0..1.
Severity 1–4

Critical / high / med / low — drives downstream routing.

MITRE ATT&CK

Tactic + technique ID on every behavioral alert.

Recommended action

Per-detection action hint your SOAR can act on.

Forensic context

Flow stats, timing, entropy, PCR — everything that drove the score.

Plug into what you already run.

Rockfish doesn't replace your SIEM, your SOAR, or your ticketing system. It feeds them.

SIEM

Fluent Bit · Vector · Filebeat

Forward MQTT or webhook output into Splunk, Elastic, QRadar, Sentinel, Chronicle, Wazuh, or any HEC-compatible target.

SOAR & Workflow

n8n · Node-RED · Tines

Trigger workflows on the webhook receiver. Use recommended_action to fork: isolate, throttle, ticket, page.

Ticketing

Jira · ServiceNow · Linear

POST severity-1 (critical) alerts straight to a queue. Severity 3 and 4 (medium and low) are batched into a daily digest.

Communication

Slack · Teams · PagerDuty

Webhook to chatops or paging. Filter by severity, segment, or detection type at the publisher.

OT Control

Local MQTT broker

Subscribers on the broker drive segmentation enforcement, PLC isolation, or SCADA HMI banners — entirely on-prem.
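The SOAR, ticketing, chatops and OT items above all make the same routing decision from the same envelope: look at severity, segment, detection type and recommended_action, then pick sinks. The following is an added example, not Rockfish code. It reads the envelope fields shown on this page; the rule table, the sink names, the MQTT topic layout and every recommended_action value other than "isolate-asset" are assumptions for illustration.

```python
"""Added example (not Rockfish code): decide where one alert envelope goes.

Envelope fields are the ones shown on this page (severity, detection_type,
hunt_type, source.ip, source.segment, meta.recommended_action). The rule
table, sink names, MQTT topic layout and the recommended_action strings other
than "isolate-asset" are assumptions.
"""
import json

# Constructed sample, trimmed from the page's example payload.
SAMPLE_ALERT = json.loads("""
{
  "alert_id": "01HFXQZ8K2V3M9N4P5R6S7T8U9",
  "timestamp": "2026-04-30T14:32:01.247Z",
  "detection_type": "sigma",
  "hunt_type": "beaconing",
  "severity": 1,
  "score": 0.94,
  "source": {"ip": "10.0.42.118", "hostname": "plc-cell3-04.ot.local",
             "asset_kind": "plc", "segment": "ot-cell-3"},
  "dest": {"ip": "198.51.100.7", "port": 443},
  "meta": {"mitre_tactic": "command-and-control", "mitre_id": "T1071.001",
           "recommended_action": "isolate-asset"}
}
""")

# Routing rules (assumed). A rule matches when every constraint it carries
# holds. Severity uses the page's scale, 1 = critical .. 4 = low, so
# max_severity 2 means "critical or high" and min_severity 3 means "med or low".
RULES = [
    {"name": "page-on-critical", "max_severity": 1, "sinks": ["pagerduty"]},
    {"name": "ticket-crit-high", "max_severity": 2, "sinks": ["jira"]},
    {"name": "digest-med-low", "min_severity": 3, "sinks": ["daily-digest"]},
    {"name": "ot-isolation", "segment_prefix": "ot-",
     "action": "isolate-asset", "sinks": ["mqtt-ot-broker"]},
    {"name": "ids-archive", "detection_type": "suricata", "sinks": ["ids-archive"]},
]
ALWAYS = ["siem"]  # every alert is forwarded to the SIEM regardless of rules


def matches(rule, alert):
    """True when every constraint present in `rule` holds for `alert`."""
    sev = alert["severity"]
    segment = alert["source"].get("segment", "")
    action = alert["meta"].get("recommended_action")
    checks = (
        ("max_severity", lambda v: sev <= v),
        ("min_severity", lambda v: sev >= v),
        ("segment_prefix", lambda v: segment.startswith(v)),
        ("action", lambda v: action == v),
        ("detection_type", lambda v: alert["detection_type"] == v),
    )
    return all(test(rule[key]) for key, test in checks if key in rule)


def route(alert, rules=RULES):
    """Ordered, de-duplicated list of sinks that should receive `alert`."""
    sinks = list(ALWAYS)
    for rule in rules:
        if not matches(rule, alert):
            continue
        for sink in rule["sinks"]:
            if sink not in sinks:
                sinks.append(sink)
    return sinks


def mqtt_topic(alert, prefix="rockfish/alerts"):
    """Per-detection-type topic (layout assumed): prefix/<type>/<hunt>/sev<N>."""
    hunt = alert.get("hunt_type") or "none"
    return f"{prefix}/{alert['detection_type']}/{hunt}/sev{alert['severity']}"


def kafka_key(alert):
    """Partition key from the source IP so one asset's alerts stay in order."""
    return alert["source"]["ip"].encode()


def soar_branch(alert):
    """Fork a SOAR workflow on recommended_action. The branch names are the
    page's (isolate, throttle, ticket, page); the action strings other than
    isolate-asset are assumed."""
    branches = {"isolate-asset": "isolate", "throttle-asset": "throttle",
                "open-ticket": "ticket", "page-oncall": "page"}
    return branches.get(alert["meta"].get("recommended_action"), "triage")


if __name__ == "__main__":
    print(route(SAMPLE_ALERT), mqtt_topic(SAMPLE_ALERT),
          kafka_key(SAMPLE_ALERT), soar_branch(SAMPLE_ALERT))
```

Rules are additive, so a critical OT beacon lands in the SIEM, pages on-call, opens a ticket and reaches the local OT broker in one pass; lowering the severity of the same envelope to 4 drops the page and ticket and sends it to the digest instead. Keep the "siem" fan-out unconditional so no alert is lost to a rule gap.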

Custom

Anything that POSTs JSON

If it accepts a webhook, it works. HMAC-signed for verification on the receiver side.
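What the receiver side of that HMAC check looks like, as an added example that is not Rockfish code. The page states that webhook payloads are HMAC-SHA256 signed per endpoint; the header name, the hex encoding, signing the raw request body, and using alert_id to suppress replays are assumptions made here.

```python
"""Added example (not Rockfish code): verify an HMAC-SHA256 signed webhook
on the receiver side and drop replays.

This page says webhook payloads are HMAC-SHA256 signed per endpoint. The
header name, hex encoding, signing the raw request body, and the use of
alert_id for replay suppression are assumptions.
"""
import hashlib
import hmac
import json

SIG_HEADER = "X-Rockfish-Signature"  # assumed header name

# Constructed sample body, pretty-printed on purpose: stripping or changing
# whitespace yields different bytes and therefore a different MAC.
SAMPLE_BODY = b"""{
  "alert_id": "01HFXQZ8K2V3M9N4P5R6S7T8U9",
  "timestamp": "2026-04-30T14:32:01.247Z",
  "detection_type": "sigma",
  "severity": 1,
  "source": {"ip": "10.0.42.118", "segment": "ot-cell-3"},
  "meta": {"recommended_action": "isolate-asset"}
}
"""


def sign(secret: bytes, body: bytes) -> str:
    """What the publishing side would put in the header (hex digest)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Recompute the MAC over the raw bytes as received and compare in
    constant time. Do not parse and re-serialise before verifying: key order
    and whitespace would change and the MAC would no longer match."""
    presented = headers.get(SIG_HEADER, "")
    expected = sign(secret, body)
    return hmac.compare_digest(presented.encode(), expected.encode())


class Receiver:
    """Per-endpoint secrets plus a replay filter keyed on alert_id."""

    def __init__(self, secrets_by_endpoint: dict):
        self.secrets = secrets_by_endpoint
        self.seen = set()  # in production: a bounded cache with a time window

    def accept(self, endpoint: str, body: bytes, headers: dict):
        """Return the parsed alert, or None when the request is for an
        unknown endpoint, unsigned, tampered with, or a replay."""
        secret = self.secrets.get(endpoint)
        if secret is None or not verify(secret, body, headers):
            return None
        alert = json.loads(body)
        alert_id = alert.get("alert_id")
        if not alert_id or alert_id in self.seen:
            return None
        self.seen.add(alert_id)
        return alert


if __name__ == "__main__":
    secret = b"constructed-endpoint-secret"
    headers = {SIG_HEADER: sign(secret, SAMPLE_BODY)}
    rx = Receiver({"/hooks/rockfish": secret})
    print(rx.accept("/hooks/rockfish", SAMPLE_BODY, headers) is not None)  # first delivery
    print(rx.accept("/hooks/rockfish", SAMPLE_BODY, headers))              # replay: None
```

Two points matter in practice. The MAC must be checked against the exact bytes on the wire, before any JSON library touches them, and with a constant-time comparison. And because a MAC over the body alone says nothing about freshness, a replayed delivery of a genuine alert verifies fine; the alert_id check above is one way to reject it, and the envelope's own timestamp can bound how old an accepted alert may be.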

All publishers run offline.

No vendor cloud, no telemetry callback, no remote license check at alert time. The plant's data stays at the plant.

Local MQTT broker

Mosquitto, EMQX, NanoMQ — whatever you've already qualified for the plant network.

Kafka on-prem

Bare-metal, MSK on a private VPC, or a single-broker dev cluster — same wire protocol.

Webhook to localhost

Most workflow runners (n8n, Node-RED) ship as a single binary. POST stays inside the host.

Compliance-aligned for CMMC AU/SI, NERC CIP, and IEC 62443. An audit log of every published alert is retained locally.

Deploy Rockfish NDR in minutes. Single binary. No dependencies. Air-gap native. The plant's data stays at the plant.

We built this for critical infrastructure.

Now we want to prove it.

We are looking for defense contractors, water utilities, power facilities, manufacturing plants, and C3PAOs to deploy Rockfish NDR in a production environment at no cost. Slots are limited.

Requirements are simple: you run it, we support it, you tell us what you think. If that sounds like a fair trade, let's talk.