Frequently Asked Questions
Top 50 questions buyers ask before signing up, and top 50 questions users ask after install. Search with Ctrl/Cmd+F.
For buyers (pre-purchase)
1. What does Intreys™ actually do?
Deep packet inspection, threat hunting, and incident response on PCAP files and live captures. 67 protocol dissectors, automated detections, MITRE ATT&CK mapping, AI-assisted analysis, structured export to your downstream tools.
2. Who is it for?
Security analysts, incident responders, threat hunters, MSSPs, ICS/SCADA security teams, network forensics consultancies, and (with the Community tier) students and CTF players.
3. How is it different from Wireshark?
Wireshark is a packet-level inspector; Intreys is a security analysis platform built on top of equivalent dissection. Intreys runs detections, maps to MITRE, generates reports, exports STIX/MISP, integrates with TI providers and AI — without external tools.
4. How is it different from Zeek?
Zeek is a powerful scripting platform that requires policy authoring. Intreys is a turnkey product: opinionated detections out of the box, GUI-driven hunting, and an analyst workflow. The two complement each other — Zeek logs can be ingested.
5. How is it different from a SIEM?
A SIEM ingests logs from many sources and correlates. Intreys focuses on the network layer, full PCAP fidelity, and analyst tooling. Findings forward to your SIEM (Team tier and above).
6. Do I need to be a deep network expert to use it?
No. The defaults give you actionable findings on first run. Power users can drop into DPI / Wireshark filter syntax / hunt builder.
7. Does it work offline?
Yes — Community tier is fully offline. Pro, Team, and Enterprise / MSSP re-validate the license every 7 days but tolerate a 14-day offline grace period. Air-gapped activation is supported (Enterprise / MSSP).
8. Is the data ever sent to your servers?
No. Captures, findings, IOCs, and analyst notes never leave your machine unless you configure remote AI (off by default) or push to your own SIEM/MISP/TAXII. License re-validation sends only an Ed25519-signed token, fingerprint hash, and timestamp — never product data.
9. Is there a free tier?
Yes — Community tier is free forever, no credit card required. See Community tier.
10. What does Pro cost?
$29/month per seat, or $290/year per seat (save 17%). 7-day free trial, no credit card required.
11. What does Team cost?
$99/month per seat, $990/year per seat. Self-serve via Stripe at intreys.com. Volume discounts at 10+/50+/100+ seats — [email protected] for procurement / PO.
11a. What does Enterprise / MSSP cost?
$499 / mo per deployment (or $4,990 / yr per deployment) through public Stripe checkout under Intreys standard Terms of Use. One license covers a single multi-tenant install with unlimited tenants and users. Includes everything in Team plus multi-tenancy, OIDC + SCIM 2.0 provisioning, tamper-evident audit logging, NIST / PCI / HIPAA compliance mapping, BYOK / CMEK, white-label branding, and on-prem support. SAML 2.0 SSO is available by request as a controlled enterprise preview. Self-checkout does NOT imply any custom contract terms by default — if you need volume pricing, procurement / PO, MSA / DPA / BAA, custom SLA, 24×7 support commitments, on-prem deployment help, government, or MSSP / reseller terms, contact intreys.com/contact-sales or [email protected] for a separate written agreement that layers on top of your subscription.
12. Can I get a demo?
Yes — reach out to [email protected]. Or download Community and try it now.
13. What platforms are supported?
macOS (Apple Silicon & Intel), Windows 10/11, Linux (Debian/Ubuntu, RHEL/Fedora), Docker.
14. What hardware do I need?
Minimum 4 GB RAM, dual-core; recommended 16 GB RAM for Pro / Team / Enterprise / MSSP workloads. Local AI needs 8–16 GB depending on model.
15. Do you offer on-prem deployment?
Intreys is on-prem by default — the desktop app runs entirely on your hardware. For multi-user Team or Enterprise / MSSP deployments, the same binary runs as a server. Air-gapped on-prem deployment is supported on Enterprise / MSSP.
16. Do you offer SaaS?
No. Intreys is a desktop / on-prem product by design. Network-forensics data is too sensitive to centralize.
17. SOC 2 / ISO 27001?
License-server infrastructure: SOC 2 Type 1 in progress. The product itself runs on your hardware so it inherits your controls.
18. Where are you based?
CyberShelt LLC, Wyoming, USA.
19. Are you hiring?
Roadmap-dependent. Watch intreys.com for openings.
20. How do I contact sales?
intreys.com/contact-sales or [email protected] (the same contacts as in 11a).
21. How do I contact security?
[email protected]. See Vulnerability Disclosure Policy.
22. How do I contact support?
support.html or [email protected].
23. What's your support SLA?
- Community: best-effort, no SLA
- Pro: 1 business day response (priority email)
- Team: 24-hour priority email SLA
- Enterprise / MSSP: priority email support included; 24×7 phone + chat, same-business-day response, and NBD resolution target for P1 are available as an optional add-on under a custom support agreement — contact sales
24. Can I pay annually?
Yes — toggle yearly on the pricing page for a 17% discount on every paid tier.
25. Can I pay by invoice / PO?
The default Stripe self-checkout for every tier (including Enterprise / MSSP) is card billing under standard Terms of Use. PO / ACH / annual invoicing is available on Team or Enterprise / MSSP under a custom procurement agreement — [email protected].
26. Refund policy?
30-day money-back, no questions asked. After 30 days, pro-rated for unused months.
27. Education / non-profit discount?
50% on Pro for verified educational institutions and registered non-profits. [email protected].
28. Government / DoD pricing?
Custom — contact [email protected]. We support FedRAMP-aligned procurement processes.
29. Is the source open?
Intreys is closed-source commercial software. We publish docs, changelogs, and a public security disclosure policy.
30. What protocols are supported?
67 dissectors across IT, ICS/SCADA, IoT, and infrastructure. See the full list.
31. Will you build a dissector for X?
Roadmap requests welcome at [email protected]. Pro+ users can author plugin stages.
32. Does it support IPv6?
Fully. IPv6 is a first-class citizen across dissection, detection, and reporting.
33. Does it support encrypted traffic?
For TLS, Intreys reads handshake metadata (SNI, JA3/JA3S, certificates) without decryption. With pre-master keys (NSS keylog format) you can decrypt and analyze application data.
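What "handshake metadata without decryption" means in practice, as an added example (this is not Intreys code and makes no assumption about how the product's dissector is written): the ClientHello is sent in the clear, so SNI and the JA3 fingerprint (legacy version, cipher suites, extension types, supported groups, EC point formats, joined per the JA3 spec and MD5-hashed, with GREASE values dropped) can be read straight off the first record of the client flow. The function names `parse_client_hello` and `build_sample_client_hello` are this example's own, and the ClientHello bytes are constructed here rather than taken from a capture.

```python
import hashlib
import struct


def _is_grease(v: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; JA3 ignores them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16(buf: bytes, off: int) -> int:
    return struct.unpack("!H", buf[off:off + 2])[0]


def _u16_list(buf: bytes) -> list:
    return [_u16(buf, i) for i in range(0, len(buf) - 1, 2)]


def _ja3_field(vals) -> str:
    return "-".join(str(v) for v in vals if not _is_grease(v))


def parse_client_hello(record: bytes) -> dict:
    """Return SNI, JA3 string and JA3 hash from one TLS ClientHello record (RFC 8446 / RFC 6066)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = _u16(body, pos); pos += 2            # legacy_version; 0x0303 even for TLS 1.3
    pos += 32                                        # client random
    pos += 1 + body[pos]                             # legacy session id
    cs_len = _u16(body, pos); pos += 2
    ciphers = _u16_list(body[pos:pos + cs_len]); pos += cs_len
    pos += 1 + body[pos]                             # compression methods
    sni, ext_types, groups, formats = None, [], [], []
    if pos + 2 <= len(body):
        end = pos + 2 + _u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(body, pos), _u16(body, pos + 2)
            data = body[pos + 4:pos + 4 + elen]; pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:   # server_name, host_name entry
                sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
            elif etype == 0x000A:                                      # supported_groups
                groups = _u16_list(data[2:2 + _u16(data, 0)])
            elif etype == 0x000B:                                      # ec_point_formats
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([str(version), _ja3_field(ciphers), _ja3_field(ext_types),
                    _ja3_field(groups), "-".join(str(f) for f in formats)])
    # JA3 is defined as the MD5 of that string (a fingerprint, not a security hash).
    return {"sni": sni, "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}


def build_sample_client_hello(sni: str = "example.com") -> bytes:
    """Constructed sample ClientHello (not from a capture) with a GREASE value in every list."""
    def ext(etype: int, data: bytes) -> bytes:
        return struct.pack("!HH", etype, len(data)) + data
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0A0A, 0x1301, 0xC02B))
    groups = b"".join(struct.pack("!H", g) for g in (0x2A2A, 0x001D, 0x0017))
    name = sni.encode("ascii")
    exts = (ext(0x0A0A, b"")                                                    # GREASE extension
            + ext(0x0000, struct.pack("!HBH", 3 + len(name), 0, len(name)) + name)
            + ext(0x000A, struct.pack("!H", len(groups)) + groups)
            + ext(0x000B, b"\x01\x00"))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
            + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(parse_client_hello(build_sample_client_hello()))
```

For the constructed ClientHello the JA3 string comes out as `771,4865-49195,0-10-11,29-23,0`: the three GREASE values never reach the fingerprint, which is why two captures of the same client agree even though browsers randomize GREASE. Nothing here needs a key; the NSS keylog only becomes relevant once you want the application data behind that handshake.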
34. Can I integrate with Splunk?
Yes — Team and Enterprise / MSSP tiers ship a Splunk HEC forwarder.
35. Can I integrate with ELK?
Yes — Team and Enterprise / MSSP tiers ship ECS-formatted output via Beats / direct.
36. Can I integrate with MISP?
Yes — Pro+ exports MISP-format events; Enterprise / MSSP can sync feeds bi-directionally.
37. Can I integrate with TheHive / Cortex?
Via webhook export (Pro+) and STIX 2.1 ingestion. Direct connector on roadmap.
38. Can I run automated CI / batch analysis?
Yes — Pro+ REST API supports headless upload and result polling. Useful for regression PCAPs in detection-engineering pipelines.
39. What is the largest PCAP you've tested?
Routine: 2 GB / 5M packets. Stress-tested up to 10 GB / 25M packets — works but slow. Pre-trim or chunk above 2 GB.
40. Do you have a Wireshark importer?
Wireshark profiles aren’t imported, but display filter syntax is compatible. Saved hunts and reports are Intreys-native.
41. Real-time live capture — what tier?
All tiers (Community, Pro, Team, Enterprise / MSSP) as of v1.0.0. Same packet/file limits as offline analysis apply at each tier.
42. Is the GUI keyboard-friendly?
Yes. Ctrl/Cmd+K command palette, Ctrl+1…9 view switching, full keyboard nav with arrow keys and tab order.
43. Is it accessible (WCAG)?
40+ ARIA labels, keyboard navigation throughout, dialog roles, and live-region status. Targeting WCAG 2.1 AA. Issues to [email protected].
44. Is there a CLI?
Headless mode runs the same engine without GUI — intreys analyze --pcap path/to.pcap --out report.pdf. Useful for batch / CI.
45. Multi-monitor support?
Yes — views detach into separate windows.
46. Roadmap?
Broader IdP coverage, additional ICS protocols, bigger PCAP support (10+ GB), and more report templates. Watch the changelog.
47. Beta program?
Sign up at intreys.com/beta. Pro / Team / Enterprise / MSSP customers get earlier access by default.
48. Bug bounty?
Public scope is documented in our vulnerability disclosure policy. Recognition is reputational; cash bounties are roadmap-dependent.
49. Where can I learn more?
Start with Getting Started. Read the Changelog for what’s new.
50. Where do I download?
releases.intreys.com/latest — or just click Download on the home page.
For users (post-install)
51. How do I update?
Auto-update is on by default. Manual: Settings → About → Check for updates.
52. Where is my data stored?
See Live capture → data paths. Uses standard per-OS app-data directories.
53. How do I back up my cases?
Copy the data directory. For multi-user environments use the Team / Enterprise / MSSP export-all feature.
54. How do I delete a session?
Right-click the session in the Sessions view, Delete. Captures move to the OS trash; findings are removed from the case.
55. How do I share a session with a teammate?
Pro: Export → Session bundle produces a zip your teammate imports. Team and Enterprise / MSSP: real-time collaboration on a shared case.
56. Can I undo a stage re-run?
Findings are versioned per session. Roll back from Sessions → History.
57. How do I customize the dashboard?
Dashboard → Edit — drag-rearrange tiles, add/remove. Per-user.
58. How do I change the theme?
Dark only in v1.0.0. Light theme on roadmap.
59. How do I increase font size?
Ctrl/Cmd + = to zoom in, Ctrl/Cmd + - to zoom out, Ctrl/Cmd + 0 to reset. Persists per session.
60. How do I export a single packet?
Right-click in DPI → Export packet → PCAP / hex / Python (Scapy).
61. How do I write a Suricata rule?
Drop .rules files into Settings → Detection → Suricata rules. Intreys runs them via the run_suricata stage.
62. How do I write a YARA rule?
Settings → YARA → Add rule. The yara_scan stage runs them against extracted files.
63. Can I configure auto-quarantine?
No — Intreys is a forensics/analysis tool, not a host EDR. Findings forward to your SIEM/EDR for action.
64. How do I integrate with my JIRA / Linear / ServiceNow?
Webhook export (Pro+). Direct connectors on roadmap. Coordinate at [email protected].
65. How do I configure auto-import from a watched folder?
Settings → Watched folders → Add. Pick a folder; new .pcap/.pcapng files auto-import.
66. Why is my MITRE matrix blank?
Either no detections fired (Community tier doesn’t run map_mitre) or the matrix is filtered. Check the Coverage scope setting.
67. Why no AI narrative?
AI is off by default (force_local). Enable a local model first, then enable auto-narrative under Settings → AI.
68. Why is local AI slow?
CPU inference is intrinsically slow. Use MLX on Apple Silicon, or pick a smaller / more aggressively quantized model (Q4_0 instead of Q5_K_M).
69. Why is remote AI rate-limited?
You’re hitting the provider’s rate limit. Switch to a higher-tier plan with the provider, or use a smaller model.
70. How do I export a finding to my IR ticket?
Right-click finding → Export → Markdown / JSON / Webhook.
71. Can I add custom severity labels?
Pro+: Settings → Detection → Severity overrides.
72. Can I tag findings?
Yes — per-finding free-form tags. Tags are searchable and exportable.
73. How do I find a specific packet by ID?
Cmd/Ctrl+G opens go-to-packet. Type the ID and Enter.
74. How do I find a specific flow?
Flows view (Cmd/Ctrl+8). Filter by IP, port, or label.
75. How do I follow a TCP stream?
Right-click any packet in the stream → Follow stream → ASCII / hex.
76. How do I extract files from HTTP traffic?
Stage 14 (extract_files) does this automatically. View under Artifacts → Files.
77. How do I extract credentials?
Stage 13 surfaces cleartext creds. View under Artifacts → Credentials. Treat with care — this is sensitive output.
78. How do I redact a finding before exporting?
Pro+: select finding → Redact → check fields. Redactions persist with the case.
79. Why does the network map look empty?
If only one host is in the capture, the map renders that single node. Add more captures to grow the map.
80. What is the Pyramid of Pain?
An indicator-classification ladder (David Bianco): hash values → IP addresses → domain names → network/host artifacts → tools → TTPs. The higher the rung, the more it costs the adversary to change. Intreys uses it to score detection signal value.
81. Can I tweak detection thresholds?
Settings → Detection → Thresholds — per-detector tunables.
82. Can I disable a detector entirely?
Yes — toggle each detector on/off in Settings → Detection.
83. Can I add my own IOC list?
Yes — CSV/JSON/STIX in Settings → IOCs → Local feed.
84. Where do crash reports go?
Local only by default. Settings → Diagnostics shows the latest crashes. You can attach them when filing a support ticket.
85. How do I change the listen port?
Settings → General → Port. Default 8765. Restart the app.
86. How do I run on a different host?
Headless mode binds 0.0.0.0:8765 by default, i.e. every interface on the host. Reverse-proxy it through your load balancer, and restrict the port with a host firewall so that only the proxy can reach it; anything that can route to the host can otherwise talk to the service directly.
87. Self-signed cert for the local server — how do I trust it?
The local server uses HTTPS with a self-signed cert in headless mode. Add the cert to your local CA store, or run behind a reverse proxy that terminates TLS.
88. How do I rotate the admin password?
Profile → Change password. Force-rotate all users in Team / Enterprise / MSSP.
89. How do I reset 2FA?
Pro+: 2FA recovery codes are issued at enrollment; store them somewhere safe. If both the authenticator and the recovery codes are lost, an admin user can reset another user's 2FA.
90. How do I lock the app?
Profile → Lock session (or Ctrl/Cmd+L). Re-enter password to resume.
91. Why is the API returning 401?
API key missing or wrong. Pro+: regenerate in Settings → API.
92. Why is SSE streaming not working?
Some corporate proxies break long-lived connections. Allow-list the Intreys port on the proxy, or connect directly.
93. Where are logs?
Help → Diagnostics → Open logs folder. Or:
- macOS: ~/Library/Logs/Intreys/
- Linux: ~/.local/share/intreys/logs/
- Windows: %APPDATA%\Intreys\logs\
94. How do I rotate logs?
Auto-rotation at 50 MB / 7 days. Configurable in Settings → Logs.
95. Can I redact PII from logs before sharing?
Yes — Settings → Logs → Sanitize on export redacts IPs, hostnames, emails before bundling.
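What a "sanitize on export" step has to get right, as an added example (not Intreys code, and not a description of how the product's own sanitizer works): replace IPs, hostnames and e-mails with salted pseudonyms so the same value maps to the same token throughout the bundle (the support engineer can still correlate events) while the original cannot be recovered without the salt, which stays on your side. The `sanitize` function, the `PATTERNS` table and the log lines in `SAMPLE_LINES` are all this example's own; the lines are constructed, not taken from a real install.

```python
import hashlib
import re
import secrets

# Constructed sample log lines (not from a real Intreys install).
SAMPLE_LINES = [
    "2024-05-01T10:00:01Z INFO session=42 src=10.0.0.5 dst=203.0.113.9 "
    "host=ws-17.corp.example.com user=alice@example.com",
    "2024-05-01T10:00:02Z WARN dns query=updates.example.net from 10.0.0.5 via 2001:db8::1",
]

# Order matters: e-mails before hostnames (so the domain part is not matched twice),
# IPv6 before IPv4, hostnames last. The hostname pattern requires a letter in the
# first label so it never fires on IPv4 addresses or version numbers; it does
# match anything dotted, so filenames like report.pdf get tokenized too, which is
# the safe direction to err in.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP6", re.compile(
        r"\b(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}\b"
        r"|\b(?:[0-9a-f]{1,4}:){1,6}:(?:[0-9a-f]{1,4}(?::[0-9a-f]{1,4}){0,5})?(?![\w:])",
        re.I)),
    ("IP4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b(?=[a-z0-9-]*[a-z])[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)),
]


def sanitize(lines, salt=None):
    """Return (sanitized_lines, mapping) with IPs, hostnames and e-mails pseudonymized.

    Tokens are the first 8 hex digits of SHA-256(salt | kind | value). A fresh random
    salt per bundle means tokens cannot be correlated across bundles or reversed by
    guessing values; pass a fixed salt only when you need reproducible output.
    """
    salt = secrets.token_hex(16) if salt is None else salt
    mapping = {}  # (kind, value) -> token; keep this locally, never ship it

    def token(kind, value):
        key = (kind, value.lower())
        if key not in mapping:
            digest = hashlib.sha256(f"{salt}|{kind}|{key[1]}".encode()).hexdigest()[:8]
            mapping[key] = f"[{kind}#{digest}]"
        return mapping[key]

    out = []
    for line in lines:
        for kind, rx in PATTERNS:
            line = rx.sub(lambda m, k=kind: token(k, m.group(0)), line)
        out.append(line)
    return out, mapping


if __name__ == "__main__":
    for line in sanitize(SAMPLE_LINES)[0]:
        print(line)
```

Run it and 10.0.0.5 appears as the same `[IP4#…]` token on both lines while 203.0.113.9 gets a different one; timestamps, session ids and log levels pass through untouched. Before trusting any sanitizer on a real bundle, grep the output for your own address ranges and domain suffixes; a regex-based pass is only as good as its patterns.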
96. How do I report a security vulnerability?
Vulnerability Disclosure Policy. Email [email protected].
97. How do I file a bug?
support.html. Include diagnostics file.
98. Where can I share feedback?
99. Where can I follow updates?
Changelog, the home page, and (when announced) the Intreys blog.
100. Did I miss something?
Open a support ticket with your question and we’ll improve this FAQ.