The sensor's capabilities include network sensing, attack response, and device management.

Network sensing involves real-time monitoring of network packets, covering both the capture and the analysis of network data. The sensors also monitor syslog traffic from a managed Cisco router.

Captured data is compared against a set of known attack methods and user-added definitions that search for patterns of misuse. Patterns range from simple network access to distributed information gathering performed over a period of time. The sensor searches for patterns of misuse in both the packet headers and the packet data itself.
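The three kinds of comparison described above (header fields, packet data, and activity accumulated over time) can be sketched as follows. This is an added illustration, not the sensor's own code: the signature names, the watched port, the search string and the sweep thresholds are all hypothetical, and the sample packets are constructed.

```python
from collections import defaultdict

# User-added string definition (hypothetical): searched in the packet data.
STRING_SIGS = {"passwd-file-request": b"/etc/passwd"}
# Header-only definition (hypothetical): simple network access to a watched port.
WATCHED_PORTS = {23: "telnet-access"}
# Pattern over time (hypothetical thresholds): distinct ports from one source.
SWEEP_PORTS, SWEEP_WINDOW = 5, 10.0

def analyze(packets):
    """Return (timestamp, source, alarm_name) tuples for a time-ordered packet list."""
    alarms = []
    seen = defaultdict(list)   # (src, dst) -> [(ts, dport)] still inside the window
    sweeping = set()           # (src, dst) pairs currently over the threshold
    for p in packets:
        # 1. Header check: only addressing fields are inspected.
        if p["dport"] in WATCHED_PORTS:
            alarms.append((p["ts"], p["src"], WATCHED_PORTS[p["dport"]]))
        # 2. Data check: search the payload for each string definition.
        for name, needle in STRING_SIGS.items():
            if needle in p["payload"]:
                alarms.append((p["ts"], p["src"], name))
        # 3. Time-based check: per-pair state, expired entries dropped first.
        key = (p["src"], p["dst"])
        seen[key] = [(t, d) for t, d in seen[key] if p["ts"] - t <= SWEEP_WINDOW]
        seen[key].append((p["ts"], p["dport"]))
        if len({d for _, d in seen[key]}) >= SWEEP_PORTS:
            if key not in sweeping:          # alarm once per sweep, not per packet
                sweeping.add(key)
                alarms.append((p["ts"], p["src"], "port-sweep"))
        else:
            sweeping.discard(key)
    return alarms

def pkt(ts, src, dport, payload=b"", dst="192.0.2.10"):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "payload": payload}

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    pkt(0.0, "198.51.100.7", 23),
    pkt(1.0, "198.51.100.8", 80, b"GET /etc/passwd HTTP/1.0\r\n"),
    *[pkt(2.0 + i, "203.0.113.5", port) for i, port in enumerate([21, 22, 25, 80, 110, 143])],
    *[pkt(20.0 + i, "198.51.100.9", 80) for i in range(6)],  # busy client, one port
]

if __name__ == "__main__":
    for alarm in analyze(SAMPLE):
        print(alarm)
```

The first two checks need only the packet in hand, while the third requires the analyzer to hold state between packets, which is why the busy single-port client raises no alarm and the multi-port source raises exactly one.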