Sign in Get started
Solutions

One appliance. Framed for the network you run.

The same deep packet inspection, kernel-level enforcement, and audit trail underneath — pointed at the problem your team actually has. Pick the section that matches your network.

Talk to sales Request a demo

4 network verticals v4 + v6 DHCP Option 82 attribution Kernel enforcement Fail-open by design

Telco

Telco carriers

At the subscriber edge, DHCP is where your network meets the customer's device — and it is the layer most carriers have the least visibility into. You need quality of service for a shared resource, protection against DHCP-targeted abuse, the ability to attribute a request back to a subscriber, and a record you can hand a regulator. Shield Pro does all four from one place in the path.

It sits in line, parses every DISCOVER / OFFER / REQUEST / ACK and the DHCPv6 equivalents at the protocol level, and extracts the relay-agent Option 82 Circuit-ID and Remote-ID so a request maps back to the subscriber port it came from. Threshold and rate rules flag DHCP floods, starvation attempts, and coordinated bursts; the throttle action rate-limits a noisy-but-valid client instead of cutting it off, so one misbehaving CPE does not degrade the pool for everyone. Every transaction is recorded in ClickHouse with configurable retention, and every operator and enforcement action is written to an audit log that is retained indefinitely by default.

The pain: "We can see DHCP in a packet capture, but we can't tell you in real time which subscriber segment is misbehaving, and our lease logs roll over before anyone looks at them." Shield Pro keeps the transaction history queryable instead of letting it scroll away, and surfaces the anomaly while it's still happening.

Deep packet inspection

Every DHCPv4 and DHCPv6 field decoded in line, including Option 82 Circuit-ID and Remote-ID for subscriber-level traceability.
Learn more

Kernel-level enforcement

Throttle a noisy client, block an abusive one, or allow trusted infrastructure — enforced inline by the Linux kernel via nftables.
Learn more

Distributed carriers can run the mirrored deployment mode: a lightweight capture agent at each remote site forwards DHCP traffic over TZSP to a central collector for inspection, giving cross-site visibility without placing an enforcement appliance at every location.

Related

Talk to sales (Telco)

Enterprise

Large enterprise

For a large enterprise network the pressure is reliability, control, and security — in that order. The DHCP layer touches every device that joins the network, and for most teams it is a black box: leases get handed out, but nobody can say in real time what is on the wire or act on it without standing up a separate enforcement plane. Shield Pro gives you the visibility and the control from the same appliance, and it is built so your DHCP service never depends on it staying up.

It inspects every transaction live, surfaces anomalies — identity inconsistencies, vendor-class variation, message-type imbalance, burst patterns — for review (with an optional local LLM for analysis), and lets an operator block, deny, throttle, allow, or monitor a client directly from the stream. Enforcement happens inside the Linux kernel; if the inspection service ever stops, the kernel passes DHCP through untouched — fail-open by design. Role-based access (viewer, operator, admin) and an indefinite audit trail give you the control story for the security review.

The pain: "Our DHCP server is a black box and every audit cycle we find devices we didn't know we owned. We need to see them, and we need to act — without betting DHCP uptime on yet another appliance in the path." Shield Pro turns the DHCP layer into a continuous, queryable record and a control point that fails open.

Anomaly detection

An optional local LLM analyses floods, starvation, coordinated attacks, and identity inconsistencies, with plain-language explanations; deterministic threshold and rate rules handle the high-volume cases inline.
Learn more

Kernel-level enforcement

Block, deny, throttle, allow, or monitor a device inline via nftables — no separate enforcement plane, fail-open if the service stops.
Learn more

Start in mirrored mode to evaluate against live traffic with zero risk, then switch to inline enforcement once you trust the detection. A native Model Context Protocol server lets your team triage and act from Claude Code, with writes gated behind an admin token.

Related

Talk to sales (Enterprise)

Enforcement inside the Linux kernel — fail-open by design.

ISP & hosting

ISP & hosting

ISPs and hosting providers face the same DHCP-edge problem as carriers, at a different scale: per-customer visibility, abuse detection, and audit-grade retention. Shield Pro inspects every lease in line, extracts the Option 82 relay-agent fields that attribute a request to the customer it came from, and flags abuse indicators — sudden churn, floods, atypical option fingerprints — as they happen rather than after the complaint ticket.

Transaction history lives in ClickHouse with configurable retention and a custom report builder, so when an abuse report or law-enforcement request lands, correlating it is a query rather than a half-day of engineers diffing packet-capture archives. The audit log of operator and enforcement actions is retained indefinitely by default.

The pain: "When a takedown request comes in we burn two engineers correlating leases against archives. We need the history already indexed and the abuse caught before it becomes a ticket."

Real-time monitoring

Live DHCP stream with regex and compound filtering, plus dashboards and a network map — abuse surfaces as it happens.
Learn more

Analytics & reporting

ClickHouse-backed transaction history with configurable retention and a custom report builder for compliance and abuse correlation.
Learn more

Multi-site providers can centralise visibility with the mirrored TZSP deployment — one collector inspecting traffic forwarded from capture agents at each site.

Related

Talk to sales (ISP)

Education

Education & campus

Campus networks run the most diverse DHCP environment anywhere: BYOD laptops, dorm consoles, lab equipment, and a long tail of one-off academic gear, all churning hardest the week the term starts. The job is two-fold — filter and shape the DHCP traffic on each VLAN, and manage the underlying Netfilter ruleset that does it without hand-editing nftables on a console. Shield Pro is built for both.

It gives the network team a live picture of who is leasing on each segment and which vendor class they present, surfaces anomalies that suggest a misconfigured or abusive device, and lets an operator throttle or block from the same screen. The firewall manager and live flow visualiser show what the kernel ruleset is doing right now — set sizing, per-action rate limits, and the chain a packet took — so managing the firewall layer is a GUI task, not a console session.

The pain: "Every term we onboard thousands of new devices at once. Visibility on day one — and being able to shape the noisy ones without rewriting firewall rules by hand — is the difference between a calm week and a network-ops fire drill."

Real-time monitoring

See every new device the moment it leases, filtered by VLAN, vendor class, and behaviour — no batch reports, no log delay.
Learn more

Analytics & reporting

The flow visualiser and firewall manager turn ruleset management into a GUI task — live chain counters, set sizing, rate limits.
Learn more

Related

Talk to sales (Education)

Not sure which fits?

Most teams pick the closest vertical and we tune the deployment from there. Send a short note and we'll come back within one business day.

Talk to sales Request a demo